IDC research manager John Grady said that the increasing primacy of online services means that extortion-based DDoS attacks are becoming a more serious threat.
"When there are direct ties from resource availability to revenue, targeting availability is a quick way to get someone's attention," he said.
Grady echoed both Sauter's point about the general cheapness of botnets and Holland's argument that paying the ransom doesn't make a company proof against further attacks. What's more, he said, the growing power of some types of attack swings the balance of power further in favor of the attackers.
"Increasingly, the ease of amplifying attacks through DNS or NTP, which can ramp traffic up in the hundreds of gigabit range that we've seen become common, gives attacks real economies of scale," Grady said.
Research from Forrester shows that, in addition to volumetric attacks like DNS and NTP (which essentially flood targets with unwanted data), targeted application-level attacks have been on the rise. Application-level incidents had been seen by 42% of DDoS victims surveyed in a 2013 report just shy of the 44% that suffered volumetric attacks. Moreover, 37% used some combination of techniques.
According to a report from Infonetics, that trend has prompted increasing attention for application-level mitigation technology.
"An increasing number of application-layer attacks, which older DDoS detection and mitigation infrastructure can't identify and block, are forcing companies to make new investments in DDoS solutions," wrote principal security analyst Jeff Wilson in December.
What this means is that a DDoS attack, whether it's motivated by politics or money, is an increasingly unequal struggle. Attack techniques have become easier, cheaper and more powerful at the same time as their effects have become more damaging and defensive measures have failed to keep pace.
"The cost of entry is very low for the attackers and the cost to defend is very high for the targets," said Holland.
He said that the best defense may be to simply be as forewarned as possible, and to make plans in advance for potential DDoS incidents. Many businesses haven't even considered the potential ramifications of a DDoS.
"I'm surprised that many of my clients that have some kind of online service be it a business-to-consumer service, business-to-business service they don't know how much 10 minutes of outage would cost them. So when I talk to customers, that's always one of the first questions I ask them," he said. "You need to have a playbook set up, basically."
Sign up for CIO Asia eNewsletters.