The average DDoS attack cost for businesses rises to over $2.5 million

Neustar says that the enterprise is finding it more difficult than ever to stem the financial cost of DDoS campaigns.
Written by Charlie Osborne, Contributing Writer

DDoS campaigns are on the rise and the enterprise can now expect a bill of at least $2.5 million every time they become a victim.

The mere threat of a distributed denial-of-service (DDoS) attack can cause businesses to sweat, and in some cases, cybercriminals earn big money just by threatening a company with a future attack unless they pay protection fees.

However, while some threat actors may just pretend, others use DDoS attacks to disrupt businesses by flooding a domain with illegitimate traffic. This kind of attack may also be used to make a political statement or as a means of censorship.

Whatever the reason, DDoS attack rates are increasing and businesses are being forced to pay out for damage control and repair, as they are losing more revenue through online service disruption than ever before.

According to web analytics firm Neustar's latest DDoS attack trends report, in addition to a survey conducted by Neustar and Harris Interactive of over 1,000 executives from enterprise firms, while the first quarter of the year is generally considered "pre-season" for these attacks, the company is already seeing "significant increases in average attack size and variety of attack vectors."

To date this year, 849 out of 1,010 enterprise companies -- 84 percent -- included in the research have experienced at least one DDoS attack in the last 12 months, up from 73 percent in 2016.

In total, 86 percent of these businesses were struck with multiple DDoS attacks over the past 12 months, of which 63 percent said the loss of revenue at peak times caused by DDoS disruption can sometimes reach beyond $100,000 an hour.


This is a significant increase from 50 percent of companies which said so much revenue was at stake in 2016, but to make matters worse, 43 percent of respondents admitted the financial loss per hour is closer to $250,000.

Neustar says that the respondents to the survey have collectively lost over $2.2 billion during the past 12 months, which is a minimum of $2.5 million each on average across 849 organizations.


According to Neustar's internal security data, 45 percent of DDoS attacks had an attack strength of over 10 Gbps, and 15 percent of attacks reached at least 50 Gbps, which is almost double the rate reported in 2016.

Threat actors are utilizing a number of new techniques to disrupt businesses, including Generic Routing Encapsulation (GRE) based flood attacks and Connectionless Lightweight Directory Access Protocol (CLDAP) reflection techniques.

The matter is made worse by the increased use of Internet of Things (IoT) connected devices in the enterprise, which, when left unsecured, can act as pathways to penetrate business network defenses as well as become slave nodes themselves which are included in the DDoS traffic stream.


Mitigating DDoS attacks is not just a challenge for businesses, but public figures and speakers, too. Back in 2016, prominent security researcher Brian Krebs found himself to be the target of a massive DDoS attack -- powered by the Mirai botnet -- which was close to disrupting service to his website.

Web provider Akamai was able to fend off the attack, but due to the size and cost, was unable to protect him again. As a result, Google's Project Shield, a free DDoS protection service, offered to shelter the website against future attacks.

Alongside the report's release, Neustar has revealed plans to increase the firm's global DDoS mitigation service capacity to 3 Tbps and hopes to extend this capacity to 10 Tbps by early 2018.
