One in five UK businesses experienced a DDoS attack at some point during 2012, a survey by analytics firm Neustar has discovered, a percentage still significantly lower than that experienced by their US equivalents.
Overall, 22 percent of the 381 organisations participating in the annual trends study reported DDoS attacks, compared to 35 percent experiencing the same in a separate study carried out among US firms in 2012.
However, the underlying UK and US rates were probably very similar once the effect of suspected Iranian-backed DDoS attacks on the US banking sector is stripped out, the firm said without referring to the country by name.
Within the overall figure, a core of sectors experienced a much higher incidence of DDoS, specifically telecoms (53 percent), e-commerce (50 percent), and retail (43 percent). Government and public sector (25 percent) and technology (16 percent) reported lower levels, with finance a notable trailer at a surprising 17 percent.
The high levels in e-commerce make sense; DDoS is an obvious weapon to use against organisations that depend on traffic to and from application servers, but it might also partly reflect the higher preponderance of such organisations (121) participating in the survey.
Neustar set out to measure revenue 'risk per hour' – a measure of what it might cost a business in a particular sector to experience DDoS downtime – finding that the majority of organisations reckoned this at less than £1,000 ($1,500) per hour. Most of the rest put it somewhere between £1,000 and £10,000, although one in four financial services firms put the number at £100,000 per hour.
These costs included indirect effects such as brand damage and unexpected customer service calls.
“DDoS attacks will continue to be part of the modern threat landscape because they are easy and relatively low-cost to perpetrate,” said Neustar's senior vice president, Alex Berry.
“Some of the recent large attacks have opened doors for even more malicious attackers to adopt similar tactics and Neustar fully expects to see the impacts of these attacks grow in line with their increasing complexity,” he said.
Despite the growth in DDoS protection services, a lot of firms continued to rely on traditional methods, an issue Neustar reported on in a separate 2012 study.
“As in North America, our survey has found that UK companies are hoping traditional defences will suffice, but given the frequency of attacks and the impact when sites go dark, such hopes are often badly misplaced.”
Twenty percent of UK firms reported no DDoS defences at all, with some of the rest relying on firewalls, routers and switches to dampen the effects. Routers worked to some extent against packet-based bombardments but could not stem Layer 7 application attacks, Neustar suggested.
Despite widespread concern over the growing size of some attacks, volume itself doesn't appear to be the issue for most firms, with 30 percent of attacks being under 1Gbps. Most sites could be brought to their knees by layered ('multi-vector') attacks as small as 2Gbps.
Duration was also an issue with one in five attacks lasting a week or longer.
In May, mitigation firm Prolexic reported that possibly the largest ever DDoS attack had been detected against a US financial sector firm, which peaked at 167Gbps. Even as defences improve, attackers up their game.