How much does it cost to orchestrate a cyber attack in 2022?


Sceaf Berry is a product management consultant with a background in technology and financial markets.

How much does it cost to orchestrate a cyber attack in 2022? To tell the truth, not much. For less than $100, you can probably sign up for a lifetime supply of cyberattacks against the targets of your choosing. In fact.

Better yet, the registration process couldn’t be simpler these days. All you will need is an email address and a payment card (or cryptocurrency). No dark web, balaclava or voice changer required, no direct human interaction with criminals.

Specifically, we’re talking about DDoS here: Distributed Denial of Service attacks. These aim to shut down a website or online resource by overwhelming it with bandwidth-exceeding requests so that legitimate users cannot access it. Although a relatively primitive weapon, DDoS attacks have brought down a number of different high-profile targets in recent years, including New Zealand’s stock exchange, NZX, which was taken offline in 2020.

Clearly, I must point out that DDoS attacks are illegal in various ways in various different countries, and they are a bad way to make friends in today’s digital economy. Nevertheless, offering stress tests of DDoS protection services is completely legal.

As a result, there has been a proliferation of companies offering DDoS “stress tests” to anyone who wants them, without all of them necessarily verifying thoroughly that the person performing the “stress test” is in fact the owner of the website or online service being tested.

All you’ll need to operate an out-of-the-box DDoS service is to have the target’s IP address, which can be easily obtained by having an employee of the target visit a website, for example. As a sign of how unaware the mainstream (regulators, banks, etc) is of these “stress testing services”, some of the sites I visited offer fairly conventional payment solutions, such as PayPal and Skrill.

The number one problem with running black market sites online has always been receiving payments from customers. Historically, banks and payment networks like Visa and Mastercard have made the decisions on whether or not you can trade. This is why cryptocurrency has been such a massive enabler of suspicious online activity. But frankly, I’ve seen game trading sites that are better regulated than some of these DDoS providers.

The next question could be why. Why have DDoS attacks become so cheap and so readily available? Has DDoS gone through an extended bear market due to an outbreak of global peace in cyberspace?

Well, not quite. The predominant reason seems to be supply. Unlike legitimate cloud services like website hosting or application stack services that are best operated at scale through a smaller number of expendable servers, DDoS benefits from being (as the name says) distributed.

A few million smaller devices, each sending ten requests per minute, will be much harder to stop than billions of requests coming from the same place, since the former is more like legitimate human traffic. And, fortunately, it turns out that there has been a Cambrian explosion in devices that are small, connected to the Internet, and easy to hack with minimal security and software patches.

I’m talking about Internet of Things devices. The reality is that for all their advantages, smart devices are also a botnetter’s dream.

[Figure: © IoT Analytics Research 2022]

And while I’m not directly suggesting that your IoT doorbell/home sound system/baby monitor is spying on you and your family, it may be taking part in other unpleasant online activity (more generally, don’t buy internet-connected monitors for children, or Jacuzzis either, and note that some IoT doorbell vendors sell or pass on the images they collect).

Our original intent was to plot the price over time of DDoS alongside the recent explosion in the global number of IoT connected devices. This turned out to be tricky.

Not only are there different methods and degrees (bandwidth/second or requests/second) of DDoS, but prices over the last five years have become so low that “stress testing” companies have simply started offering all-you-can-hack subscription packages instead.

While the services I found (by my own judgment of what a moderately low bandwidth/speed 10-minute multi-vector DDoS attack would be capable of) wouldn’t bother a larger target with enterprise-grade protection too much, it would not be an exaggeration to assume that the price of the most powerful and sophisticated attacks has also become much cheaper in the last decade.

Ultimately though, I didn’t ask about the enterprise price and refused to try the free tier (which would probably be enough to take down any unprotected sites for a short period of time).

Of course, there are also various websites that offer DDoS protection. And while the commoditization, SaaSification, and yasification of DDoS protection providers continue, the range of different attack methods and statistics involved drive the price of protection higher compared to the price of orchestrating an attack.

Allowing legitimate human traffic while blocking malicious attacks, particularly when those attacks come from legitimate-appearing locations from legitimate-appearing devices, carries the same problem as creating preventative medicine. If 0.5 percent of all the traffic you block is legitimate, that could represent a sizable proportion or even the majority of legitimate site users.
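The two points above (a million devices at ten requests per minute look like human traffic, and a small legitimate share of blocked traffic can still be most of your users) can be put in numbers. The following is an added example, not part of the original article: it scores a simple per-source rate limit, and every traffic figure and name in it (the user groups, the limits, the `evaluate` function) is a constructed assumption.

```python
"""Per-source rate limiting scored against two attack shapes.
All traffic figures below are constructed for illustration, not measured."""

# (label, is_attack, number_of_sources, requests_per_minute_per_source)
LEGIT = [("light users", False, 450, 4), ("busy users", False, 550, 10)]
FLOOD = LEGIT + [("single-source flood", True, 1, 1_000_000)]
BOTNET = LEGIT + [("distributed botnet", True, 100_000, 10)]  # ten req/min each


def evaluate(groups, limit_rpm):
    """Block every source whose rate exceeds limit_rpm and score the outcome."""
    attack_total = attack_blocked = 0
    legit_users = legit_users_blocked = legit_blocked_reqs = 0
    for _label, is_attack, count, rpm in groups:
        requests = count * rpm
        blocked = rpm > limit_rpm
        if is_attack:
            attack_total += requests
            if blocked:
                attack_blocked += requests
        else:
            legit_users += count
            if blocked:
                legit_users_blocked += count
                legit_blocked_reqs += requests
    blocked_total = attack_blocked + legit_blocked_reqs
    return {
        "attack_blocked": attack_blocked / attack_total,
        "legit_users_blocked": legit_users_blocked / legit_users,
        "legit_share_of_blocked": (
            legit_blocked_reqs / blocked_total if blocked_total else 0.0
        ),
    }


if __name__ == "__main__":
    cases = [("flood", FLOOD, 100), ("botnet", BOTNET, 100), ("botnet", BOTNET, 9)]
    for name, groups, limit in cases:
        r = evaluate(groups, limit)
        print(f"{name:6} limit={limit:3} rpm  "
              f"attack blocked {r['attack_blocked']:.0%}  "
              f"legit users blocked {r['legit_users_blocked']:.0%}  "
              f"legit share of blocked traffic {r['legit_share_of_blocked']:.2%}")
```

With these constructed figures, a 100 requests/minute limit stops the single-source flood cleanly but lets the whole distributed attack through; lowering the limit far enough to stop the botnet leaves only about 0.55 percent of blocked traffic legitimate, yet locks out 55 percent of the legitimate users.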

DDoS protection services use multiple methods to prevent this, with some even acknowledging that the proliferation of Internet of Things devices is a contributing factor to the rise in global DDoS attacks.

There is good news. The recent global shortage of semiconductor chips has meant that IoT devices have become more expensive to manufacture in recent years, and DDoS protection has also gotten cheaper in recent years.

However, in less good news, a greater variety of devices are being connected to the Internet, ranging from the innocuous (IoT salt shakers) to the unusual (IoT toilets) to the possibly risky (IoT cars, anyone?). Enjoy the trip!
