More than half of US businesses still rely on conventional firewalls or intrusion prevention systems to shield themselves from the scourge of DDoS attacks, a survey by services firm Neustar has found.
The survey of 1,000 US-based IT professionals across a range of industries found that only 3 percent were using DDoS mitigation systems or services, with a quarter claiming they had no protection whatsoever against the threat.
Eleven percent used intrusion detection/prevention systems even though such technology is (in common with firewalls, routers and switches) widely seen as an inadequate defence against contemporary DDoS bombardment, Neustar said.
"Experts point out that during DDoS attacks these 'defences' become part of the problem. They quickly become bottlenecks, helping achieve an attacker's goal of slowing or shutting you down. Moreover, firewalls won't repel attacks on the application layer, an increasingly popular DDoS vector," the authors note.
A third of those questioned said DDoS attacks lasted for a day or more with 11 percent mentioning over a week.
There didn't appear to be any clear pattern that related attack length to industry segment, except that the travel industry appeared slightly more vulnerable to attacks lasting longer than 24 hours.
Two thirds said the direct cost of all this DDoS was about $10,000 (£6,200) per hour or $240,000 per day, with 13 percent reckoning it as being $100,000 per hour.
The most vulnerable to high costs was retail, a sector that depends on online sales to generate cashflow, followed by finance.
The main anxiety in advance of DDoS attacks was the negative impact on customers, ahead of brand reputation damage and even direct costs.
Companies such as Neustar have a vested interest in talking up the difficulty of dealing with DDoS the better to market protection services.
However, the company said it accepted that there was no simple answer to countering DDoS attacks; even the best protection systems available still required trained, skilled staff to deploy and manage them.
"With attacks becoming more sophisticated - mixing brute-force bandwidth assaults and surgical strikes on applications - in-depth knowledge and experience make a huge difference. There is no 'magic box' that can out-think attackers on its own."
The company markets its own cloud-based mitigation service, SiteProtect. Three years ago its UltraDNS service was itself the victim of a DDoS attack.