How much does it cost to orchestrate a cyberattack in 2022?

Sceaf Berry is a product management consultant with a background in technology and financial markets.

How much does it cost to orchestrate a cyberattack in 2022? Truth be told, not a lot. For less than $100, you can probably subscribe to a lifetime offer of cyberattacks on targets of your choice. Really.

Best of all, the signup process couldn’t be easier these days. All you will need is an email address and a payment card (or cryptocurrency). No need for dark web, balaclavas and voice changers, or direct human interaction with criminals.

Specifically, we are talking here about DDoS – distributed denial of service attacks. These aim to shut down a website or online resource by overwhelming it with requests for bandwidth, so that legitimate users cannot access it. Although a relatively primitive weapon, DDoS attacks have taken down a number of high-profile targets in recent years, including forcing the New Zealand exchange NZX to go offline in 2020.

Clearly, I must point out that DDoS attacks are illegal in a number of ways in a number of different countries, and are a poor way to make friends in today’s digital economy. However, offering stress testing of DDoS protection services is completely legal.

As a result, there has been a proliferation of companies offering DDoS “stress tests” to anyone who wants them, without everyone necessarily thoroughly verifying that the person performing the “stress test” is indeed the owner. of the tested website or online service.

All you’ll need to run an out-of-the-box DDoS service is to have the target’s IP address – which can easily be obtained by asking an employee of the target to visit a website, for example. A sign of the ignorance of the general public (regulators, banks, etc.) of these “stress testing services”, some of the sites I visited offer fairly common payment solutions, such as PayPal and Skrill.

The number one problem with running online black market sites has always been taking payment from customers. Historically, banks and payment networks like Visa and Mastercard decided whether or not you could operate. This is why cryptocurrency has been such a massive enabler of shady online activity. But frankly, I’ve seen better regulated video game trading sites than some of these DDoS providers.

The next question could be Why. Why have the price and availability of DDoS attacks become so cheap? Has DDoS gone through a prolonged bear market due to an outbreak of global peace in cyberspace?

Well, not quite. The dominant reason seems to be supply. Unlike legitimate cloud services – such as website hosting or application stack services that are best operated at scale through a smaller number of fungible servers – DDoS benefits from being (by name) distributed.

A few million smaller devices each sending ten requests per minute will be much harder to stop than billions of requests all coming from the same location, because the former looks more like legitimate human traffic. And, luckily, it turns out there’s been a Cambrian explosion of small, internet-connected devices that are easy to hack with minimal security and software patches.

I’m talking about Internet of Things devices. The reality is that for all their benefits, smart devices are also a botnetter’s dream.

You can find the full report here: 4 billion worldwide / © IOT Analytics Research 2022

And while I’m not directly suggesting that your IoT doorbell/home audio system/baby monitor is spying on you and your family, it could well be due to other unsavory online activity (more generally, please don’t buy a monitors for children connected to the Internet Where hot tubsand please note that some IoT doorbell providers sell or pass on the images they collect).

Our original intention was to plot the price over time of DDoS alongside the recent explosion in the global amount of IoT-connected devices. It turned out to be tricky.

Not only are there different methods and grades (bandwidth/second or requests/second) of DDoS, prices have gotten so cheap over the past five years that “stress testing” companies have simply started to offer whatever you can. hack subscription packages instead.

While the services I’ve found (in my own judgment of what a 10 minute multi-vector DDoS attack with moderately low bandwidth/throughput would be able to do) wouldn’t bother a larger target too much with a enterprise-level protection, it wouldn’t be a stretch to assume that the price of the most powerful and sophisticated attacks has also become much cheaper over the past decade.

In the end, however, I didn’t inquire about the company’s pricing and declined to try the free tier (which would probably be enough to wipe out any unprotected site for a short time).

There are of course several websites offering DDoS protection. And while the commoditization, SaaSification, and Yassification of DDoS protection vendors continues, the range of different attack methods and statistics involved are tilting the price of protection upwards over the price of orchestrating dDoS protection. ‘an attack.

Allowing legitimate human traffic while blocking malicious attacks — especially when those attacks come from legitimate-looking locations from legitimate-looking devices — poses the same problem as creating preventative medicine. If 0.5% of all the traffic you block is legitimate, that could represent a significant proportion, if not the majority, of the site’s legitimate users.

DDoS protection services use several methods to prevent this, and some even recognize the proliferation of Internet of Things devices as a contributing factor to the increase in global DDoS attacks.

There is good news. The recent global shortage of semiconductor chips has led to more expensive manufacturing of IoT devices over the past two years, and DDoS protection has also become cheaper in recent years.

In less good news, however, a wider variety of devices are connected to the internet, ranging from the harmless (IoT salt shakers) to the unusual (IoT bathroom) to potential risks (IoT cars, anyone?). Enjoy the ride!

Comments are closed.