3

Typically, when you invest money to protect yourself against some possible threat, you should take into account two factors:

  • the probability (p) of the problem actually happening
  • how much money (m) that problem would cost you if it happened

Multiply these two numbers (p*m) and you get a rough idea of how much money it is reasonable to invest to protect yourself. Of course things are more complicated, but this gives you a rough estimate.

The difficulty is to get a reasonable estimate of these numbers. A great number of factors must be taken into account for this evaluation, and most factors change from company to company. For example, a very visible company will have a greater probability of being targeted than others; a company that works in a healthy competitive environment will be less likely to be targeted than a company competing against nasty competitors; etc. In short, your mileage may vary.

But there are a few factors that are pretty much the same for everyone:

  • how easy/complex is it to launch a 1 Gbps DDoS attack? A 10 Gbps attack? A 100 Gbps attack?
  • how cheap/expensive is it to do so?
  • how safe/risky is it?
  • what companies are primarily targeted?
  • are you usually targeted once, or many times?
  • how long are typical attacks?
  • how strong are typical attacks?
  • ...

One could argue that only hackers should know the answer to these questions. But I believe that we (sysadmins) should all know the answers: how else can you evaluate the amount of effort and money that you should invest in DDoS-protection?

Thanks for your help.

Note

My original post included this story, just in case you're interested...

Our company has been victim to a massive DDoS attack (over 50 Gbps of UDP traffic, full-time during 2 weeks). We are pretty sure that it's one of our competitors, and we actually know which one, because we were the only two remaining competitors on a very big request for proposal, and the DDoS attack magically stopped the day we won (double hurray, by the way)!

These people have proved in the past that they are very dishonest, but we know that they are not technical at all, so we believe that they simply paid for some botnet DDoS service. I would like to know how much these services typically cost, for such a large scale attack. Please do not give any link to such services, I would really hate to give these people any publicity.

I understand that a hacker could very well do this for free, but what's a typical price for such an attack if our competitors paid for it through some kind of botnet service? It is really starting to scare me (if we're talking thousands of dollars here, then I am really going to freak out: who knows, they might just hire a hit-man one day?).

Of course we filed a complaint, but the police say that they cannot do much about it (DDoS attacks are virtually untraceable, so they say), and our suspicions are not enough to justify them raiding our competitor's offices to search for proof.

For your information, we have now changed our infrastructure to be able to sustain such attacks: we now use a major CDN service so that our servers are not directly affected by DDoS attacks. Requests for dynamic pages do get proxied to our servers, but during low level attacks (UDP flood, or SYN floods, for example) we only receive legitimate traffic, so we're fine. If they decide to launch higher level attacks (HTTP flood or slowloris attacks for example), most of the load should be handled by the CDN... at least I hope so!

MiniQuark
  • ah some jail time more than likely, there is a federal unit for prosecuting things like this. – tony roth Jul 03 '13 at 16:12
  • 4
    Quite frankly, I would be worried about any SF member that can tell you what this stuff might cost... – Sven Jul 03 '13 at 16:13
  • 6
    Physically fire-bomb them, seriously - it's the only professional course of action. – Chopper3 Jul 03 '13 at 16:42
  • 1
    @SvW That's a bit puritanical. Casually reading mainstream outlets like Brian Krebs or Bruce Schneier can give even a hobbyist this kind of information. – Wesley Jul 03 '13 at 17:48
  • I'll echo Chopper... take off and nuke the site from orbit, it's the only way to be sure. – SpacemanSpiff Jul 03 '13 at 17:48
  • p*m is *not* a good way to plan how to deal with one-off catastrophic events, that method is only appropriate for dealing with many events which will tend towards an average. – JamesRyan Jul 05 '13 at 14:27
  • @JamesRyan: ok I was simplifying things, as I said the goal is to get a rough idea of reasonable amounts to spend for protection. At the very least, it should guide you into investing more money into problem A rather than problem B, if `pA*mA > pB*mB` don't you think? If you're not going to weigh probability and damage somehow, what other strategy would you recommend? You would probably want to replace dollars by some kind of utility function because 100$ today may be a lot more useful to you for some reason than 200$ one year from now, if you need to invest the money on some project. – MiniQuark Jul 05 '13 at 14:44
  • Amount of money spent != change in likelihood of the event happening or of the damage caused to your business. So the simplification relies on a false assumption and is fundamentally unsound. The method you have suggested simply doesn't work, which is why insurance exists to change the problem from unpredictable one-offs to one that can be determined. – JamesRyan Jul 06 '13 at 16:34
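
The p*m estimate from the question and the one-off objection raised in the comments above, as an added example that is not part of the original thread: it ranks two threats by p*m, then computes how far a real outcome typically sits from that expectation for one exposure versus many. All probabilities and costs are constructed, and independent exposures (a binomial model) are an assumption.

```python
from math import comb, sqrt

# Constructed figures for illustration only; none of them come from the thread.
THREATS = [
    {"name": "A: long DDoS outage", "p": 0.05, "m": 400_000},
    {"name": "B: short hosting outage", "p": 0.60, "m": 20_000},
]

def expected_loss(p, m):
    """p*m: probability of the incident times what it would cost."""
    return p * m

def rank_threats(threats):
    """Order threats by p*m, highest first (the pA*mA > pB*mB comparison)."""
    return sorted(threats, key=lambda t: expected_loss(t["p"], t["m"]), reverse=True)

def relative_spread(p, n=1):
    """Standard deviation of the total loss divided by its expectation n*p*m.

    Assumes n independent exposures, each hit with probability p (binomial).
    """
    return sqrt((1 - p) / (n * p))

def prob_at_least(p, n, k):
    """Exact probability of k or more incidents among n independent exposures."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def summarize(threat, n):
    """Expected total loss, relative spread and chance of any incident over n exposures."""
    p, m = threat["p"], threat["m"]
    return {
        "expected": n * expected_loss(p, m),
        "spread": relative_spread(p, n),
        "p_any": prob_at_least(p, n, 1),
    }

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f'{t["name"]}: p*m = {expected_loss(t["p"], t["m"]):,.0f}')
    for n in (1, 100):
        s = summarize(THREATS[0], n)
        print(f'n={n}: expected {s["expected"]:,.0f}, '
              f'spread {s["spread"]:.2f}x, P(any incident) {s["p_any"]:.3f}')
```

With these constructed figures, a single exposure to threat A costs nothing 95% of the time and the full amount otherwise, never the p*m value; over 100 independent exposures the total sits much closer to its expectation.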

2 Answers

4

After a quick check with some resources, it appears that you can rent a botnet capable of that much throughput at somewhere about 25-50$ USD per hour. For two weeks that means that they paid anywhere from 8400$ USD to 16,800$ for the attack.

It sounds like you only have circumstantial evidence pointing to your competitors, and that seems to be why the police can't/won't investigate this. As far as protection goes, your business type and how often it is targeted are really what should help you determine your budget. For example, BlackLotus, which is a fairly popular service, appears to charge at least 5,000$ USD for a 40gb DDoS filter...

Jacob
  • 3
    Answering questions like this only encourages them :( – user9517 Jul 03 '13 at 17:50
  • @Iain - Anybody who wants to do this is going to be able to find out how w/o consulting Server Fault. In fact, Server Fault is probably the last place they'd go for this kind of thing. – Evan Anderson Jul 03 '13 at 18:45
  • 2
    @EvanAnderson: it's a quality issue - just another crappy question in the sewer that is SF and now we can't easily delete it. [Broken Windows](http://en.wikipedia.org/wiki/Broken_windows_theory) and all that – user9517 Jul 03 '13 at 18:48
  • @Iain: I am a long time fan and user of SO and SF, I'm sorry you find this question crappy, I can see why, but I honestly disagree. As I explained in my question, I believe that every good sysadmin should know the answer to this question, so it *is* a legitimate question to ask oneself. Please check my history, I really try not to ask crappy questions. And I *did* ask people not to give hackers any help by giving any link that could encourage people to DDoS. – MiniQuark Jul 04 '13 at 13:04
3

The price, based on my researching less legitimate sites, would be around 200 USD for 24 hours. Now, considering you have about two weeks, I would think discounts would be approved, leaving you at about maybe 180 USD / day. So that would make 14*180 USD = 2520 USD. Prices are quite volatile, but in recent years everyone has started offering these types of services, so prices have dropped accordingly.

Lucas Kauffman
  • Thanks a lot for your answer. It's 3 or 4 times less than @Jacob's answer, but it gives me the order of magnitude: we *are* talking about thousands of dollars. OMG... I'm losing faith in mankind. :-( – MiniQuark Jul 04 '13 at 13:41