How much would Amazon lose in a DDoS attack?

Based on Q3 sales, the company would lose more than $3M in one hour of downtime

How much could a DDoS attack cost a company?  A lot.  Which is probably why some Web security solutions providers are looking to cash in on the mayhem with ads like this one:

(I like how commonplace the term “Hacktivist” has become.)

This snippet is of particular interest: “over 73,000 servers in 7,000 networks to outclass and absorb attacks of any size.” This would explain why the “hacktivist” group Anonymous was unable to penetrate Amazon’s defenses last week.  The e-commerce giant has created an impressive “elastic” infrastructure to be able to handle an onslaught of requests—like the kind from Christmas shoppers scrambling to get the latest version of the Kindle—which would effectively absorb a DDoS attack, which works by overwhelming a website with so much information from so many computers that it ends up crippling the site.  It’s hard to do that to a website that has been specifically designed to handle rogue tidal waves of information. 

But what if, somehow, such an attack was successful?  How much would it have cost Amazon during the peak shopping period of the year? 

Some might remember that in the summer of 2008, Amazon experienced a glitch that left the site down for two hours.  The two hours of downtime cost the company an estimated $3.6 million (some $1.8 million an hour), a figure that was reached by calculating Amazon’s net sales for the year’s second quarter applied evenly over the course of the quarter.  Amazon’s net sales for Q2 2008 were $4.06 billion.  Today, by contrast, the company’s net sales for Q3 2010 were $7.56 billion, nearly double those of Q2 2008.

Using the same back-of-the-envelope math, if Amazon’s third quarter net sales for 2010 were $7.56 billion, then one hour of downtime today would cost the company some $3.4 million in lost sales.  That isn’t even taking into account the holiday shopping season, which would obviously magnify those losses significantly.

Of course, these figures should be taken with a grain of salt, as I was an English major in college.

A somewhat comparable example is a DDoS attack that Google suffered several years ago.  The New York Times on Tuesday dug up FBI memos through the Freedom of Information Act on the attack that Google endured in 2005.  According to the memos, Google was battling a Santy worm, a type of software that caused infected computers around the world to suddenly bombard Google with search queries.  

The attack overwhelmed Google, and in December 2005, the company complained to the FBI.  The memos reveal that Google attempted to filter queries with search terms related to the worm, but within moments, the worm would modify the search terms to bypass Google’s filters.

The attack ended up costing Google $500,000 in time spent tackling the worm and lost revenue.  Admittedly, $500,000 isn’t much when you consider the fact that in the same year, Google reported $6.1 billion in revenue.