
I have read so many stories that a major DDoS attack is causing companies thousands of dollars to mitigate. I have two questions:

  1. Is this because they try to keep the servers accessible to real site visitors while an attack is going on?

  2. Does shutting the server down instead of trying to keep it up still cause loss of money? In other words, instead of spending thousands of dollars to try to keep the server up why not just shut it down (concede from the attackers) and spend nothing.

IMB
  • If you shut a server down you would lose revenue, and/or customer confidence. –  Apr 04 '12 at 14:19
  • Important to note - it doesn't cost a fortune to stop DDoS attacks - many ISP's now offer a service which is very effective and reasonably cheap. (your value of cheap may vary from a corporate's value :-) – Rory Alsop Apr 05 '12 at 09:06
  • How much damage in MONEY $$$$ is actually done? An example would be the attack on PSN (PlayStation Network) or the CIA's website. –  Jul 17 '12 at 06:17
  • If you accept that the site is offline and leave things the way they are, then the attackers have won. – user253751 Oct 23 '16 at 00:00

6 Answers


It's because if you shut a server down, you can't use it for revenue. Imagine having a real shop: if you close it during the day, you can't sell anything and offer your services. It's as simple as that.

To improve my answer, it costs a lot to fight because it's pretty much impossible to defend yourself against such attacks, since the attacker can use a very large number of machines to attack you. If you can defend yourself from an attack by 1000 computers, the attacker only needs to add one more to win. And since there is no limit to the number of machines the attacker can use, you basically will never be invulnerable :)

So, in conclusion, shutting the server down means no revenue because you can't offer your services anymore, but at the same time, keeping it up is extremely expensive (but it's better than shutting it down).

user1301428
  • OK so if the cost of fighting it is significantly higher than your sales, then it's probably practical to shut the server down. –  Apr 04 '12 at 14:32
  • @IMB Mathematically and economically speaking yes, but you also have to think about many other things, mainly public image damage. It's probably better to say, launch new products to increase your sales, than shutting everything down. You get the idea. –  Apr 04 '12 at 14:36
  • Yeah btw by shutdown I mean just "temporarily" for a day or two, not the entire business so to speak... but yeah I get it now. Thanks. –  Apr 04 '12 at 14:58
  • For certain businesses, a day or two is something they cannot afford. – adamo Apr 04 '12 at 15:00
  • @IMB oh ok, that's different, but the main problem is that, in order to defend yourself from a DDoS attack, you have to **always** invest money, not only when you are under attack. It doesn't cost money to companies only when the attack is actually performed. –  Apr 04 '12 at 15:02
  • @IMB oh, and if you could mark my answer as accepted I would really appreciate it :D –  Apr 04 '12 at 15:04
  • Shutting your website is like waving the white flag. The attackers know that it won't take much effort to make you do it again; hence not a viable solution compared to fighting the attack, even if it costs more money than keeping it offline. – emtunc Apr 04 '12 at 17:44
  • Can you imagine how much money amazon or ebay would lose if they shut their services off for a couple days? Along with losing your good image, customer will simply be annoyed and move on to something else. Customer confidence would be damaged. – Safado Apr 05 '12 at 14:22

It's this simple: If the DDoS attack causes you to shut down, whether by the damage it does directly or by your response to it, then the attacker succeeds. If an attack succeeds, it will be performed every time the attacker wants to succeed.

The way to reduce DDoS attacks is to make sure they fail. If a DDoS attack doesn't take the site down, there's no point in attacking.

So to prevent DDoS attacks, you need to be able to survive them.

In other words, instead of spending thousands of dollars to try to keep the server up why not just shut it down (concede from the attackers) and spend nothing.

Because then you will have to cave in to the attackers every time they want something.

Here's a real-world scenario from the time of unrest in Bosnia:

You operate a chat service that is open to all comers. You also host events for several major companies such as chats with celebrities.

Some racists from a particular country close to the unrest in Bosnia don't like certain channels that speak a language associated with a race they dislike. They demand you prohibit users from that country and close those chat channels that speak in that language. If you don't do what they ask, they will DDoS you during every event you host on your service and cause you to lose those major customers to competitors.

What do you do? And if you cave in to the threats, how do you explain that to your users?

You want to know what they actually did? They multiplied their server capacity by 10 and their Internet bandwidth by 20. They added a full-time DDoS person just to monitor and react to attacks. They spent a lot of money, but they were able to issue some choice words of resistance to the racists. It was money well spent.

David Schwartz
  • Could you add a citation link to your example? – Dan Is Fiddling By Firelight Apr 05 '12 at 13:12
  • I don't think they've made any public disclosure actually. (Primarily because if you let it be known that DDoS attacks hurt you, that encourages them.) I was their consultant. – David Schwartz Apr 05 '12 at 20:24
  • I'll try to avoid certain details but how many connections/users/hits could one server support per second? I ran a test on my nginx/asp.net website and I'm fairly happy I can support >150 hits on a small slice of a VPS –  Jul 09 '12 at 00:49

Another aspect to the cost for a company, besides lost revenue, is the cost of investigating, verifying, and responding to such attacks. There are conversations with ISPs, combing through log files, re-writing firewall rules, communicating with customers, then postmortems.

But note that a company cannot 'stop' the attack, they can only weather it. 'Stopping' an attack would require ISP cooperation and coordinated action.

** correction as a result of comments **

I had said that there were large costs to an ISP to stop a DDoS attack, but I was working from old experience with ISPs. Given the premise that an ISP can stop an attack with great effectiveness and little cost, it seems the only cost to a company is the lost revenue and market opportunity of having an unavailable asset, as well as the costs of Incident Response.

schroeder
  • +1 because of investigation and verification. Google, Lifehacker, and Slashdot have all accidentally "DDoS"ed unprepared sites by linking to them. The sites were just unprepared for the massive amount of legitimate users. Shutting down is definitely not the right answer in these cases ;) – Izkata Apr 04 '12 at 16:59
  • The ol' "Slashdot Effect" - I remember it well! – schroeder Apr 04 '12 at 17:05
  • You say that the ISPs carry the costs and they don't get any financial benefits for doing this, but I assume that ultimately all these costs will have to be covered by the attacked company, am I wrong? – user1301428 Apr 04 '12 at 19:02
  • I was specifying 2 costs based on expectation. The victim company pays the costs of lost revenue and Incident Response in order to weather the attacks. But, to try to stop an attack, which rarely happens, requires the network of ISPs to perform the Incident Response. 2 different costs borne by 2 different parties for 2 different scenarios. – schroeder Apr 04 '12 at 19:14
  • This is not true - I work with a number of banks who have DDoS mitigation services set up with ISP's - it is relatively cheap and very effective. See this question: http://security.stackexchange.com/q/114/485 – Rory Alsop Apr 05 '12 at 09:11
  • I'd suggest adding a bit of detail about why a victims admin shouldn't just go "eh, it's a DDoS" and stop investigating there. I know a DDoS that doesn't quite completely crush its target could be used to cover traffic from another type of attack; but are there other concerns that need to be addressed. – Dan Is Fiddling By Firelight Apr 05 '12 at 13:11
  • @RoryAlsop But that wasn't what I was getting at. I have worked in a company that sold anti-DDoS appliances to ISPs and universities. Yes, you can set up BGP black holes to route identified malicious traffic to once an attack and the attackers have been identified, but that does not _stop_ the attack. That only reduces superfluous traffic to your site for a time so that the server is not overwhelmed. It does not stop DDoS, it mitigates the effects. – schroeder Apr 05 '12 at 14:37
  • @schroeder - those are appliances though, which as we all agree can help, but are too late in the chain. Working with the ISP you can stop it within seconds of it being identified. The test results we got were amazing. – Rory Alsop Apr 06 '12 at 11:58
  • @RoryAlsop by 'appliances' I mean boundary traffic filters at the ISP at both ingress and egress points of their network. They were the means by which an ISP could identify the DDoS traffic, categorize it, and mitigate it by dynamically redirecting the offending traffic to BGP black holes. From your testing, could you stop all incoming sources of DDoS traffic, or reduce the biggest offenders to reduce the load? – schroeder Apr 06 '12 at 21:48
  • Pretty much stop all - mitigation when enabled reduced impact to such a level we couldn't measure the additional latency! – Rory Alsop Apr 07 '12 at 09:26
  • @RoryAlsop then the state of the art has changed significantly since I was doing that type of work. I will edit my response accordingly. – schroeder Apr 07 '12 at 16:34

Shutting the server down to stop DDoS is like killing a patient to cure a disease. This is not "stopping" the attack, this is actually making it succeed by doing the damage yourself.

Remember, the end goal of DDoS is server shutdown...

Stopping DDoS means handling the attack without interrupting regular website activities.

If you close your website for every DDoS attack (or even for every major one) you'll be out of business in a week, as the attackers will keep coming back, again and again and again, until you either pay up or set up a defensive perimeter.

Rory Alsop
Igal Zeifman

You can also combat DDoS attacks by blocking the traffic before it gets to your server. This can be a very cost effective solution. This is the idea that cloudflare is based on, but there are other similar solutions, both commercial and do-it-yourself.

tylerl

The cost of a DDoS has mostly to do with loss of revenue, not fixing the problem per se.

I truly don't mean to dumb down the answer, you probably understood all this by now but as an analogy, consider you have a brick and mortar store. One morning, your store gets filled with non-buying customers, with a crowd in front of the door making it seem as if the store is not accessible. Furthermore, not only is the store not available for 'real business', the crowd has planted a huge sign on the front door that says 'CLOSED'.

This would look really awful for customers passing by, and they would go elsewhere.

    Actually, at least in my experience, the vast majority of the cost has to do with avoiding the loss of revenues and discouraging DDoS attacks by ensuring you have sufficient capacity and staffing to resist them. (For example, you might pay for 25x the bandwidth and server capacity you need to handle your legitimate load just to prevent a DDoS attack from succeeding.) – David Schwartz Apr 04 '12 at 20:40