DDoS Attacks: A Survival Guide for Small Businesses
Table of Contents
Preventing a business from carrying out its daily tasks is top of the agenda for certain cybercriminals. Distributed Denial-of-Service (DDoS) attacks are designed to shut down the operations of a business or service, causing chaos, damage to a company, loss of customers, and damage to reputation. Unfortunately, DDoS attacks have increased by a staggering 550% in recent years. AI-powered DDoS and DDoS-for-hire are believed to be behind the surge in attacks. As a result of this disruptive cyberattack, any SMB affected by a DDoS will likely experience a significant revenue hit.
What is a DDoS Attack?
Distributed Denial-of-Service (DDoS) attacks begin by infecting, often, hundreds of thousands of machines, like laptops, desktop computers, routers, wearables, IoT devices, etc. These devices become "bots" and are used as part of a distributed "botnet". The cybercriminals behind a DDoS attack use a command and control (C&C) server to direct and control the "botnet" – this person(s) is known as a "bot herder".
The infected devices are then used to send out massive volumes of data packets above the maximum allowed limit by TCP/IP. The result is that affected servers and websites are overwhelmed, and significant disruption or system failure of websites, servers, or networks occurs.
Three types of DDoS attacks use differing methodologies and techniques.
- Application layer attacks: Exploits vulnerabilities in applications within a network.
- Protocol attacks: Exploits vulnerabilities in network protocols.
- Volumetric attacks: Uses brute force to flood the target with traffic, bringing resources to a standstill.
Each of the three types of DDoS includes sub-types. Notably, DDoS attackers' tactics evolve to evade any new countermeasures.
Signs Your Business is Under a DDoS Attack
There are several signs that your company may be a victim of a DDoS attack – look out for the following:
- Your website slows down considerably; page loading is slow or times out.
- Your web metrics will show unusually high volumes of traffic coming from a single source.
- A successful DDoS often results in a website "503 error, service unavailable".
How Do DDoS Attacks Affect Small Companies?
Small companies are victims of DDoS attacks, even if they are not directly targeted. For example, DDoS attackers may target a core internet component, like a DNS (Domain Name Server) used by thousands of organizations. One tactic used by attackers is a DNS amplification attack: The DDoS attacker identifies a DNS server containing a vulnerability. They then send small DNS queries to the DNS server using a spoofed IP address (the target's IP). This results in the server sending a large amount of data back to the target, overwhelming its bandwidth.
The result of a DDoS attack is catastrophic. The following are examples of what can happen if your company experiences a DDoS attack:
- Ransom DDoS: Increasingly, DDoS attacks do not just cause mayhem; the attackers use the chaos to demand a ransom to stop the attack. A recent example was a Ransom DDoS attack on VOIP companies. A massive DDoS hit Voip Unlimited and Voipfone in the UK over three days; the attackers demanded payment of 1 bitcoin to stop the attack.
- Website or other online process shutdown: DDoS attacks that target online resources can seriously impact a company's revenue. Retail supply chains, third-party vendors, and payment processors are at particular risk of adverse effects when their online stores or services fail because of a DDoS attack. A recent example was a massive DDoS attack on gaming sites, DayZ and Arma Reforger. As well as causing loss of service, with customers requesting refunds, the attackers demanded a ransom of 0.8 bitcoin, roughly $81,000.
- Slow-running of machines: Devices part of a botnet will run extremely slowly as the resources-hungry malware executes the DDoS attack. This results in significant productivity issues and employee frustration.
The Impact and Cost of a DDoS Attack on an SMB
The cost of a DDoS attack to an SMB shows the serious nature of these insidious threats. Some staggering statistics highlight the extent of the financial harm of a DDoS attack: A DDoS attack costs an SMB, on average, $6,000 per minute. The attacks usually last 39 minutes on average. This means that the average cost per DDoS incident is $234,000. (Source)
The almost one-quarter of a million dollars spent on a DDoS attack includes the following:
Ransom Costs
Cybercriminals are increasingly adding a ransom to DDoS attacks. Cloudflare, a company that provides internet services, saw 12% of its customers targeted by Ransom DDoS. A study by NetDiligence, looking at US SMBs, found the average ransom demand was $12,000, with a median demand of $81,000.
Downtime Costs
Downtime from a DDoS can escalate into permanent lost custom and reputation damage. A survey into the cost of downtime to SMBs found that the average cost per server per hour was $1000 - $5000.
Reputation Costs
A damaged reputation could potentially close down a company. Ransom DDoS attacks are targeting online and eCommerce companies because they know how vital it is to maintain an online presence and working service. The company will be placed in the unenviable position of paying the ransom quickly or losing its reputation.
Lost Business
Firms lose customers and fail to gain new ones when they experience a cyberattack. Research shows that almost half (47%) of companies find attracting new customers after a cyberattack difficult.
Why are SMBs Targeted by DDoS Attacks?
Like many cyber threats, DDoS attackers are turning their attention to SMBs. According to research, two-thirds of SMBs have experienced a cyberattack. DDoS is one of the top attack types for SMBs. The reasons why an SMB is a likely target for a DDoS attack come down to the following:
Lack of Dedicated Security Staff
Security skills are typically outside the core skills required by an SMB. Around 75% of SMBs report having a lack of dedicated security staff. Taking on high-cost skilled staff in this area is not usually an option for a smaller organization.
Understaffed and Tired it Teams
In an SMB survey, 96% of respondents said they found investigating suspicious alerts challenging. Burnout rates amongst IT staff are also a concern with 85% of companies saying that their staff had suffered fatigue and burnout.
Lack of Access to Best-Of-Breed Technologies
An SMB that wishes to focus its budget on core business can see cybersecurity solutions as an unnecessary expense. This leads to shortcuts in measures and opens security gaps.
Budget Limitations
A smaller organization must justify every cent spent. Unfortunately, it may take the impact of a major cyberattack to find this justification.
A managed service provider (MSP) can deliver security solutions that address the above limitations. MSPs offer a cost-effective way for an SMB to use enterprise-grade security solutions. The MSP also manages and maintains the SMB's security infrastructure, providing detection and response capabilities.
Who Carries Out DDoS Attacks?
The underlying driver for DDoS attacks is to cause chaos. The types of cybercriminals behind these attacks may be activists or politically motivated. However, DDoS attackers are modifying their motives and may now use these debilitating attacks to extort money or as a smoke screen to steal data. DDoS attackers may be part of an online cybercriminal community where they share intelligence and techniques. Whatever the motive or reason for a DDoS attack, the results are the same – chaos and disruption. Certain trends are propagating DDoS attacks, making it one of the top types of cyber threats targeting businesses of all sizes:
DDoS for Hire
Cybercriminals use the SaaS model extensively. Having ready-to-use kits to carry out attacks is good business, and cyber criminals receive rental payments for using their hacking packages. Distributed Denial-of-Service (DDoS)-for-hire is fast becoming a cheap and accessible way for someone without technical skills to carry out a DDoS attack.
DDoS-for-hire services are responsible for massive numbers of global attacks. Recently, the UK's National Crime Agency dismantled the DDoS-for-hire platform, DigitalStress. The platform was available to rent for as little as $20.
Telegram and DDoS
Telegram has rapidly become the communication channel of choice for hackers looking to rent a DDoS-for-hire. One piece of research found 140 channels on Telegram offering DDoS services. The researchers found basic attack packages starting from $10 per month.
Hacktivism
Hacktivism and political motivations remain reasons for some DDoS attacks. Conflict and war are one reason certain DDoS attacks happen. For example, the war in Ukraine has resulted in regular DDoS attacks targeting Ukrainian government websites. Hacktivism also extends to groups that take offense at certain companies and organizations. The infamous hacking group Anonymous uses DDoS attacks to disrupt the operations of organizations they see as involved in unjust affairs. Cloudflare noted a 61,839% increase in DDoS attack traffic targeting Environmental Services websites during the 28th United Nations Climate Change Conference (COP 28) conference.
Which Companies Are Under Threat from DDoS?
DDoS attacks do not differentiate a company based on size. Attacks affecting internet services will filter down to affect even the smallest organizations. However, research has identified the most at-risk industries from DDoS attacks. The top three are:
- Government (20.1%)
- Business services (9.01%)
- Finance (8.86%)
Most Targeted Industries (2024)
Source: Radware
Examples of Major DDoS Attacks
There are countless DDoS attacks globally; however, the two examples below give a flavor of how a DDoS targeting a service provider can impact smaller organizations relying on these services:
Mirai Dyn Botnet Attack
The Mirai Botnet Attack of 2016 was, at the time, the latest attack in history. The attackers carried out the DDoS using a botnet of over 600,000 Mirai bot-infected IoT devices (cameras and routers). Hackers easily brute-forced the default credentials to control access to the IoT devices. Mirai targeted several internet hosting providers, including major European hosting provider OVH, which supplied over one million clients. Mirai also targeted DYN, essentially bringing down large parts of the internet. Websites, including Airbnb, Amazon, PayPal, Twitter, and GitHub, were shut down.
Google DDoS attack
Cyberattackers are continuously changing tactics and upping their DDoS game. In 2023, Google managed to thwart a massive DDoS attack. The attack targeted several Google services and Cloud customers using a new attack method known as HTTP/2. These attacks were significantly larger, using multiple concurrent packets via a single TCP connection – normally, HTTP/1 is processed serially. Google used global load balancing to prevent any outages.
Microsoft Azure DDoS Attack
In 2024, Microsoft Azure was a victim of a massive distributed denial-of-service attack. The attackers used a global botnet to target Microsoft's cloud infrastructure and disrupt services for its clients. The attacks affected Microsoft Entra, Microsoft 365, and Microsoft Purview. Microsoft managed to mitigate the impact.
Cloudflare
During 2024, Cloudflare experienced the largest ever DDoS attack - a 5.6Tbps UDP (User Datagram Protocol). Previously the largest DDoS attack ever was 3.8Tbps. Cloudflare's defense mechanisms managed to block both of these massive attacks.
How To Protect Your Company from a DDoS Attack
Whether your business is a direct or indirect target of a DDoS attack, there are several measures that you can use to prevent or mitigate the impact of a Distributed Denial of Service attack:
Web Application Firewall (WAF)
A WAF blocks attacks by inspecting and filtering potentially malicious HTTP traffic. Some advanced WAFs use AI to identify emerging vulnerabilities and zero-days that are increasingly exploited in DDoS attacks.
IoT Device Security
DoS attacks need malware bots to initiate. Installing these bots onto a device requires access. Eleven11bot is an example of a bot that infected over 30,000 internet-connected devices to send out DDoS attacks targeting telecom providers and gaming platforms. The Eleven11bot exploited or brute-forced weak and default passwords on IoT devices. Always change an internet-connected device's default password to a strong one and use MFA (multi-factor authentication) if supported.
Cyber Awareness Training and Response Plans
Educate teams about how DDoS attacks occur and what signs to look for as evidence of an attack. Have a response plan outlining the steps to mitigate the impact of a DDoS attack.
Monitor Network Logs
Use continuous monitoring to check for unusual activity across a network. Any anomalous activity, including illegitimate login attempts, could indicate a cyberattack. Look for unusual traffic patterns and block the sources. DDoS mitigation providers are specialist MSPs that offer cloud-based DDoS mitigation services.
Timely Patching of Vulnerabilities
DDoS attacks often exploit vulnerabilities in software or firmware. Update and patch software, hardware, and firmware as soon as a patch is available.
Anti-DDoS Tools
Used to control the volume of network traffic to prevent web servers from becoming overwhelmed by requests. The policies controlling volumes are applied to specific IP addresses. Rate limiting is a technique that helps to prevent DDoS attacks by limiting the number of requests made to a server or service in a given amount of time.
Table of Contents
- DDoS Attacks: A Survival Guide for Small Businesses
- What is a DDoS Attack?
- How Do DDoS Attacks Affect Small Companies?
- The Impact and Cost of a DDoS Attack on an SMB
- Why are SMBs Targeted by DDoS Attacks?
- Who Carries Out DDoS Attacks?
- Which Companies Are Under Threat from DDoS?
- Examples of Major DDoS Attacks
- How To Protect Your Company from a DDoS Attack