Saturday, 8 December 2012

How do you measure the success of a DDoS attack?

Exactly two years ago, I wrote about mastercard.com being taken down by a distributed denial of service (DDoS) attack. One of the interesting things about this attack at the time was that the attacking botnet did not consist of compromised machines; instead, it was made up of computers whose owners had willingly volunteered to take part in the attack.

The attack against MasterCard was carried out by Anonymous as part of Operation Payback, after MasterCard decided to prevent WikiLeaks from accepting payments using MasterCard-branded products. Supporters of the campaign were able to take part in the voluntary botnet by installing an attack tool called LOIC (Low Orbit Ion Cannon). Other companies targeted during this campaign included Visa, Amazon, Moneybookers and PayPal.

But, why am I bringing this up two years later?

Yesterday, I read that a student had been convicted over the Anonymous cyber-attacks against PayPal. Before this conviction, BBC News reported that:
A student attacked the PayPal website as part of a concerted effort by the Anonymous "hacktivists" that cost the company £3.5m
And:
More than 100 workers from PayPal's parent company, eBay, spent three weeks working on issues related to the attacks
However, that didn't quite correspond with what I remembered at the time. I wrote several news articles about the ongoing attacks two years ago, and was subsequently interviewed a few times by the BBC, so I ended up doing a fair amount of research to make sure that everything I wrote/said was correct. One thing I remember in particular was that PayPal claimed the attacks hadn't been successful.

After a bit of "creative googling", I rediscovered this entry on the PayPal blog, where the company stated that the attacks were not successful:
[...] all PayPal sites are fully operational.  Any reports to the contrary are simply untrue.  We can confirm that there have been multiple attempted distributed denial of service (DDoS) attacks on www.paypal.com this week.  In addition, our API site api.paypal.com was targeted today.  The attacks were not successful.
(bold/underlining is their emphasis; not mine)

This raises an interesting question: How do you measure the success of a DDoS attack? Is it merely related to performance and downtime, or would you argue that an attack which costs a company £3.5m was successful?