VeriSign (NASDAQ:VRSN) has a unique role and position in the administration of the Internet. VeriSign runs some of the root DNS servers as well as operating the .com Top Level Domain providing visibility that others don't have.

Looking beyond their own infrastructure, VeriSign did a study of 225 IT decision makers to get their insight into Distributed Denial of Service (DDoS) attacks. Though VeriSign has its own insight into attacks, Ben Preto, SVP of the Networking Intelligence and Availability group at VeriSign told InternetNews.com that he was shocked by some of the results.

DDoS attacks have gone mainstream with 63 percent of survey respondents getting hit at least once and 11 percent getting attacked more than six times. Going a step further,VeriSign asked about downtime incidents. Just over half of VeriSign's survey respondents had some kind of downtime, though only 33 percent was attributable to DDoS attacks.


Downtime incidents had a direct result on the bottom line too with 51 percent noting they lost money as a result of the downtime.

Preto noted that the the DDoS attacks were widespread across multiple market verticals. The average cost to defend against attacks across VeriSign's respondents came in at $2.5 million.

"That's a huge hit to an IT budget on something that is arguably just getting worse and just getting more expensive," Preto said.

There are a number of DDoS mitigation techniques and technologies in the market today. VeriSign offers a managed service which also includes DDoS and DNS services. Less than half (40 percent) of VeriSign's survey however indicated that they would outsource DDoS protection, which isn't particularly good news for VeriSign's business.

Petro noted that the scale of DDoS attacks has grown to the point where few organizations can defend themselves on their own. Petro said that back in 2001 the top end of DDoS attacks was a sustained 5 Mb attack. He added that VeriSign saw an 84 Gbps attack last quarter.

"Who can withstand that," Preto said. "Companies used to be able to protect against DDoS on their own but with the size of attacks now, there are few companies that have enough bandwidth."

In terms of DNS specifically, which can often be the target of DDoS, Preto said that there are a lot of older unpatched DNS servers in use today. According to Preto, the number of unpatched open source BIND DNS servers is in the 70th percentile.

VeriSign manages the root zone DNS servers for the Internet with their own technology called Atlas. For managed services, Preto noted that VeriSign's service leverages Atlas, but it's not the same system that powers the Internet's DNS. He explained that the needs and structure for managing the global Internet are different than the needs of hosted DNS customers.

"We're in the same cage, but on different ip's and network infrastructure, Preto said.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.