​Half of companies hit by hacker takedown tactics

It's a danger that any company faces -- and for some it could cost $1 million an hour and result in the loss of customer data and irreparable damage to brand reputation.

A DDoS (distributed denial of service) attack is a fairly common practice of using a network of computers to drive loads of traffic to a site, overwhelming it until it shuts down. Many Xbox and PlayStation gamers were introduced to the effects of a DDoS attack when hackers took down both gaming networks for several days during the 2014 holiday season.

Company heads and chief technology and security officers are also familiar with DDoSes. Too familiar, according to new research.

A report released Wednesday by information services firm Neustar found that half of companies in North America, Europe, the Middle East and Africa experienced a DDoS attack in 2014 or the first part of 2015. Of those, 83 percent were attacked more than once; more than half were hit six times or more.

"DDoS attacks are typically not an isolated incident. Companies hoping they'll just go away meet a sobering reality: Most targets are hit again and again," the report said. It's not a matter of if, not even a matter of when, but a matter of how often.

Of 760 managers, executives and security specialists from the financial services, retail, technology and other industries that Neustar surveyed, 6 percent said they get attacked so frequently they've lost count.

And while 35 percent of American companies said that an hour of network outages at peak time could cause revenue losses over $100,000, Neustar analysts cautioned that crippling the system is often not the attacker's true intent -- nor the worst that can happen.

"If the attacker's goal isn't to cause an outage but to disrupt, he doesn't need to craft an attack of extra-large proportions" Mark Tonnesen, CIO and CSO for Neustar, explained. A "low and slow" attack that stalls traffic and consumes server resources can give a motivated hacker the time and space to perpetrate a breach.

"In launching such an attack, the attacker accomplishes several things: He disrupts operations, distracts the website and security teams, and makes sure the target network is still operational -- that is to say, accessible. Now the attacker can go in and plant malware or a virus, setting the stage for data theft, siphoning funds, or whatever else."

Attack size is measured in gigabits-per-second. A 1 Gbps DDoS can take down a website. Hackers have recently been able to achieve attack campaigns that reach over 150 Gbps, a massive magnitude. In the Neustar survey, many of the attacks respondents cited were not large enough to take down a whole website and four in 10 were under 5 Gbps.

Meanwhile, in nearly 40 percent of cases, targets had money, customer data or intellectual property stolen. More than a third had viruses or malware implanted in their systems. The DDoS in those cases were a means to an end.

"Think about it: why saturate the pipes so that you can't access the network? Doing the reverse lets attackers harass a target and set the stage for exfiltration. In this sense, a so-called smaller attack can be more dangerous than a huge one that knocks you offline but may not result in a data breach," Tonnesen added.

Neustar reports that companies -- especially those that have been hit repeatedly -- are investing more in DDoS-specific security products, but overall 60 percent are still relying on traditional router and firewall protections that aren't tailored to mitigate DDoS attacks.

  • Amanda Schupak

    Amanda Schupak is the science and technology editor at CBSNews.com