Did you know: Crimelords behind DDoS attacks offer customer loyalty points?

Tweaking business models for greater 404 kerching


The DDoS attack business has advanced to the point that running an attack can cost as little as $7 an hour, while the targeted company can end up losing thousands, if not millions of dollars.

Kaspersky Lab’s experts were also able to calculate that an attack using a cloud-based botnet of 1,000 desktops is likely to cost the providers about $7 per hour. These services typically retail for $25 an hour, allowing cybercrooks to pocket an estimated profit of around $18 per hour.

Crooks operating DDoS services through black market websites often offer a sophisticated service featuring convenient payment and reports about attacks, according to a new study from Kaspersky Lab. In some cases, there is even a customer loyalty programme, with clients receiving rewards or bonus points for each attack.

Attacks are priced based on their generation as well as the source of attack traffic, among other factors. For example, a botnet made up of popular IoT devices is cheaper than a botnet of servers.

Attacks on government websites and resources protected by dedicated anti-DDoS solutions are much more expensive, since the former are high risk, while the latter are more difficult to attack. On one DDoS-as-a-service website, the cost of an attack on an unprotected website ranges from $50 to $100, while an attack on a protected site costs $400 or more.

The location of targets can also be a factor. DDoS attacks on English-language websites, for example, are usually more expensive than similar attacks on Russian-language sites.

A DDoS attack can cost anything from $5 for a 300-second attack to $400 for 24 hours. The average price for an attack is around $25 per hour.

The longest DDoS attack in 2016 lasted 292 hours – or about 12 days – according to Kaspersky Lab’s research.

Kaspersky Lab also identified evidence that DDoS slingers are, in some cases, playing both sides for extra profit. Attackers sometimes demand a ransom from a target in return for not launching a DDoS attack, or to call off an ongoing attack. The ransom can sometimes be the Bitcoin equivalent of thousands of dollars. Those carrying out the blackmail don’t even need to have the resources to launch an attack – sometimes the mere threat is enough.

Some cybercriminals have no scruples about selling DDoS attacks alongside protection from them.

"We expect the profitability of DDoS attacks to continue to grow," said Russ Madley, head of B2B at Kaspersky Lab UK. "As a result, we will see them increasingly used to extort, disrupt and mask other more intrusive attacks on businesses."

A separate study by DDoS mitigation outfit Imperva Incapsula reported that more advanced application layer DDoS attacks are becoming more commonplace. The number of attacks in Q4 reached an all-time high, with an average of 889 application layer assaults per week. One such attack lasted for more than 47 days. At the same time, network layer packet flood attacks are increasing in volume. For example, Imperva Incapsula mitigated a massive 650Gbps network layer assault last December, the largest it has faced down to date.

Attack frequency, meanwhile, has scaled up. On average, 58.3 per cent of websites were targeted more than once, with 13.1 per cent being targeted more than 10 times. China continued to be a dominating hub of botnet activity, with some 78.5 per cent of DDoS attacks worldwide originating from IPs in China. US sites featured as targets in more than half (56.7 per cent) of attacks.

Biting the hand that feeds IT © 1998–2022