Incident Type: DDoS · Updated April 2026
DDoS Attack Cost: What Denial of Service Incidents Cost in 2026
$120K
Low-end SMB impact
$2M+
Enterprise impact
$50K/mo
Enterprise mitigation
A Distributed Denial of Service (DDoS) attack floods a target with traffic to make it unavailable to legitimate users. Unlike ransomware or breaches, DDoS attacks do not exfiltrate data, but they cause direct revenue loss through downtime and can be used as a pressure tactic alongside ransomware (triple extortion). DDoS attack cost varies enormously based on duration, organisation revenue, and whether the target has mitigation in place.
Cost Components
| Cost Category | Range | Notes |
|---|---|---|
| Revenue loss during attack | $0-$1M+ | Scales with hourly revenue and attack duration |
| Bandwidth overage charges | $0.05-$0.50/GB overage | Without DDoS scrubbing, ISP charges apply |
| Emergency mitigation service | $10K-$100K | One-time emergency on-ramp without existing contract |
| On-call engineering time | $5K-$50K | Senior engineers during multi-hour attack |
| Ransom DDoS demand (if present) | $5K-$500K in crypto | Attackers demand payment to cease attack |
| Reputation and customer trust | $20K-$200K | PR, customer communication, SLA credits |
| Post-incident hardening | $10K-$150K | Infrastructure changes, scrubbing service setup |
Types of DDoS Attack and Cost Profiles
| Attack Type | Method | Cost Profile |
|---|---|---|
| Volumetric flood | Saturate bandwidth with high-volume traffic (UDP floods, DNS amplification) | Low cost without mitigation; completely blocked with scrubbing |
| Protocol attack (SYN flood) | Exhaust state tables on firewalls and load balancers | Moderate cost; server infrastructure damage possible |
| Application layer (Layer 7) | HTTP floods targeting specific endpoints; hard to distinguish from legitimate traffic | Highest cost per Gbps; bypasses simple mitigation |
| Ransom DDoS (RDDoS) | Volumetric attack with ransom demand to cease | Add $5K-$500K extortion demand to base attack cost |
Mitigation Cost vs Incident Cost
Cloud-based DDoS scrubbing services prevent most of the revenue and downtime cost at a fraction of the expected incident cost:
| Provider | Entry Tier | Enterprise Tier | Coverage |
|---|---|---|---|
| Cloudflare | $20/mo (Magic Transit from $0.05/MB) | $50K-$200K/yr | Layer 3-7, unlimited mitigation on enterprise |
| AWS Shield | Standard: Free | Advanced: $3K/mo + data transfer | Layer 3-7 for AWS resources |
| Akamai (Prolexic) | Custom enterprise pricing | $50K-$300K/yr | Network-level and app-layer scrubbing |
| Cloudflare (Magic Transit) | Starts at $1K/mo | $20K-$100K/yr | Network-level full BGP diversion |
Notable DDoS Events
| Event | Year | Scale | Impact |
|---|---|---|---|
| Dyn DNS DDoS (Mirai botnet) | 2016 | 1.2 Tbps | Amazon, Netflix, Twitter, GitHub, NY Times disrupted; millions lost in e-commerce revenue |
| GitHub DDoS (Memcached amplification) | 2018 | 1.35 Tbps | Record at the time; GitHub mitigated in 10 minutes via Akamai Prolexic |
| AWS DDoS | Feb 2020 | 2.3 Tbps | Largest ever at time; mitigated by AWS Shield Advanced |
| Cloudflare mitigated attack | 2024 | 5.6 Tbps | Largest on record; 13,000 source IPs; mitigated automatically |
Frequently Asked Questions
How much does a DDoS attack cost?
$120K at the low end for an SMB without mitigation, up to $2M or more for a large enterprise experiencing multi-hour L7 attacks. This range covers revenue loss, bandwidth costs, emergency mitigation, and post-incident hardening.
What is Ransom DDoS (RDDoS)?
RDDoS is when an attacker threatens a DDoS attack (or launches one) and demands cryptocurrency payment to stop. Common demands range from $5,000 to $500,000 in Bitcoin. Unlike ransomware, paying does not guarantee the attack stops, and many RDDoS operators simply take payment and continue.
Is DDoS cheaper to mitigate than to absorb?
Almost always yes. A Cloudflare or AWS Shield subscription at $300-$3,000/month will prevent a large percentage of DDoS revenue loss. The break-even is very fast for any organisation with meaningful web-based revenue.
How is DDoS different from a service outage?
A DDoS is an externally caused, deliberate availability attack. A service outage may be internal or external, intentional or accidental. DDoS impacts availability only; it does not inherently compromise data. An outage caused by DDoS is both a security incident and an availability incident.