Attackers on the darknet are turning a handsome profit by offering DDoS-for-hire services according to Kaspersky Lab.
Kaspersky says that these cybercriminals enjoy profit margins of up to 95% solely by offering DDoS services on the darknet.
This massive return on investment stems from the fact that it costs as little as $7 an hour to carry out a DDoS attack that can cost an organization thousands to millions of dollars.
How much it would cost to Access DDoS Services on the Darknet
Although a number of factors come into play when determining the actual cost of a specific DDoS attack, the average price of a DDoS attack is $25 per hour, meaning the developers earn an $18-an-hour profit on a $7-an-hour investment.
For customers looking to bombard their targets with just a few seconds of sustained traffic, some developers offer a per-second customer tariff plan where the customer is charged a rate for every second of using their botnets rather than using a rounded-off hourly fee.
A 300-second DDoS attack with a cumulative bandwidth of not more than 125GBps, for instance, could go for about $5 or $6.
Looking at these figures, it is easy to get sidetracked from the fact that the organizations that are being targeted by these attacks can lose anywhere between $20,000 and $100,000 during just one hour of internet downtime depending on their operations.
Glancing at the 2010 DDoS attacks on the servers of the Virgin Blue airline that lasted 11 days and cost the company $20 million, it is easy to see the catastrophic consequences of offering DDoS services for such low amounts.
Factors that Affect the Rates of DDoS Services
A number of variables come into play for every DDoS attack requested by a customer.One such factor is the target.
Government targets typically cost a lot more to attack in comparison to smaller organizations such as cellphone companies.
The cost rises up even further if the said target is an English-language website or has servers based in a particular country.
In comparison, launching a DDoS attack on a Russian-language website will cost less, according to Kaspersky Lab.
The rates are also dependent on two crucial factors: the specialization of a particular DDoS attack and the anti-DDoS measures that have been put in place by the targeted organizations.
For the former variable, a customer will have to fork out more if they want the botnet owners to deploy different DDoS attacks simultaneously for more effect.
As for the latter, targets with traffic filtering security systems are much harder to hit and often require more specialized resources.
Kaspersky says that for the botnet owners to agree to carry out a DDoS attack where they would have to bypass such security measures, the customer will have to part with about $400 a day.
Other factors that come into play include the cost of the entire operation.
This includes the average cost of infecting a device to turn it into a botnet.
Servers are by far the most expensive to compromise since they’re often heavily secured.
Other Internet of Things devices such as routers and cell phones, however, may cost a lot less to infect.
Everyone is Clamoring for a Bite of the DDoS Cake
Since ventures like this are what keep the lights on in the criminal underworld of the internet, there are plenty of options for anyone looking to carry out a DDoS attack on a specific website.
The developers of these DDoS services stay ahead of the competition the same way any legitimate business would; with reward and loyalty points, drastically reduced rates, and customer service programs.
Kaspersky also noted that nearly all of these web-based DDoS services feature interfaces similar to those of online stores.
Customers are able to view their balances, browse their options, and manage their budgets while on the site.
As for the much less savory characters of the darknet realm, the fraudsters, this has presented a prime opportunity for them to use unverifiable threats of imminent DDoS attacks to squeeze out as much ransom money as possible from helpless organizations.
Since few organizations are able to decide whether a threat is real enough to warrant a ransom, they end up paying anyway.