Typically, when you invest money to protect yourself against some possible threat, you should take into account two factors:
- the probability (p) of the problem actually happening
- how much money (m) that problem would cost you if it happened

Multiply these two numbers (p*m) and you get a rough idea of how much money it is reasonable to invest to protect yourself. Of course things are more complicated, but this gives you a rough estimate.
The difficulty is to get a reasonable estimate of these numbers. A great number of factors must be taken into account for this evaluation, and most factors change from company to company. For example, a very visible company will have a greater probability of being targeted than others; a company that works in a sane competitive environment will be less likely to be targeted than a company competing against nasty competitors; etc. In short, your mileage may vary.
But there are a few factors that are pretty much the same for everyone:
- how easy/complex is it to launch a 1 Gbps DDoS attack? A 10 Gbps attack? A 100 Gbps attack?
- how cheap/expensive is it to do so?
- how safe/risky is it?
- what companies are primarily targeted?
- are you usually targeted once, or many times?
- how long are typical attacks?
- how strong are typical attacks?
- ...
One could argue that only hackers should know the answers to these questions. But I believe that we (sysadmins) should all know the answers: how else can you evaluate the amount of effort and money that you should invest in DDoS protection?
Thanks for your help.
Note
My original post included this story, just in case you're interested...
Our company has been the victim of a massive DDoS attack (over 50 Gbps of UDP traffic, non-stop for 2 weeks). We are pretty sure that it's one of our competitors, and we actually know which one, because we were the only two remaining competitors on a very big request for proposal, and the DDoS attack magically stopped the day we won (double hurray, by the way)!
These people have proved in the past that they are very dishonest, but we know that they are not technical at all, so we believe that they simply paid for some botnet DDoS service. I would like to know how much these services typically cost, for such a large scale attack. Please do not give any link to such services, I would really hate to give these people any publicity.
I understand that a hacker could very well do this for free, but what's a typical price for such an attack if our competitors paid for it through some kind of botnet service? It is really starting to scare me (if we're talking thousands of dollars here, then I am really going to freak out: who knows, they might just hire a hit-man one day?).
Of course we filed a complaint, but the police say that they cannot do much about it (DDoS attacks are virtually untraceable, so they say), and our suspicions are not enough to justify them raiding our competitor's offices to search for proof.
For your information, we have now changed our infrastructure to be able to sustain such attacks: we now use a major CDN service so that our servers are not directly affected by DDoS attacks. Requests for dynamic pages do get proxied to our servers, but during low-level attacks (UDP floods or SYN floods, for example) we only receive legitimate traffic, so we're fine. If they decide to launch higher-level attacks (HTTP floods or slowloris attacks, for example), most of the load should be handled by the CDN... at least I hope so!