Distributed denial-of-service (DDoS) attacks pose a significant challenge to digital security, aiming to overload systems with traffic and disrupt service. But why do they occur? In this article, we’ll explore the underlying psychology and motivations behind DDoS attacks. We’ll also look at what attacker profiles mean for your defense mechanisms.
Who Carries Out DDoS Attacks?
DDoS attackers are a diverse population rather than an organized group, but they share common traits, skills, and mindsets. They often have a deep understanding of network systems and a desire to challenge these structures. Their knowledge and expertise enable them to identify and exploit vulnerabilities, launching attacks that disrupt services for users and businesses. This knowledge, complemented by patience and persistence, is essential for carrying out prolonged attacks.
Many DDoS attackers find excitement in causing disruption, taking advantage of the anonymity the internet provides. This anonymity allows them to operate without immediate repercussions, emboldening them to target large and important systems. The thrill they experience may be amplified by the challenge and the sense of power it gives them over their targets.
Successfully executing an attack can also significantly boost an attacker’s status within their circles. Recognition from their peers encourages them to launch more ambitious attacks. Their actions, while destructive, are not random. Instead, they reflect a calculated attempt to assert dominance, explore their capabilities, and become valued by the DDoSer community.
What Motivates Attackers?
Understanding the motivations behind DDoS attacks offers insights into the attacker’s mindset and aids in developing robust defenses. To better grasp these motivations, we’ll examine each one through the lens of a practical example.
Financial Extortion
Financial gain is a significant driver of DDoS attacks, with cybercriminals seeking to exploit online platforms for personal profit. One common tactic involves extortion, where attackers cripple a service with a DDoS attack and then demand a ransom—often in cryptocurrency—to stop the disruption. This strategy appeals to attackers because digital currencies provide a certain level of anonymity, reducing the risk of getting caught.
In February 2024, Change Healthcare, a major US healthcare processing company, was attacked by DDoS and ransomware attacks that caused significant financial strain in the sector. Many associated clinics and laboratories warned of cash shortages and the potential need for bank loans to meet their financial obligations. It’s alleged that the company paid a ransom to regain control, although this has not been confirmed.
Political or Social Motivations
DDoS attacks can also be motivated by political or social causes. In these scenarios, attackers use DDoS attacks as a form of digital protest to bring attention to an issue they care about. They may be driven by a sense of idealism or a desire to fight for what they believe is right. DDoS attacks and their disruptive nature serve as a tool to bring attention to important issues that would otherwise be ignored.
In 2022, the small nation of Andorra experienced an internet blackout. This outage was caused by a hacktivist-launched DDoS attack and targeted the country’s only internet service provider (ISP). Intriguingly, the attack coincided with a Minecraft tournament themed around the popular series “Squid Game” on Twitch, which had several participants from Andorra. The hacktivists didn’t want Andorrans to play—and they succeeded in their malicious goal. The attack’s outcome was that many players located in Andorra had to withdraw from the tournament due to internet disruptions.
Revenge
Revenge is another common motivator for DDoS attacks, targeting individuals, businesses, and even government organizations. In these scenarios, attackers use DDoS attacks to inflict harm on a perceived enemy in retaliation for a real or imagined wrong. The desire for revenge can be a powerful motivator, and attackers may view DDoS attacks as a way to strike back anonymously and cause significant disruption.
The impersonal nature of DDoS attacks can be particularly appealing to those seeking revenge. Unlike physical vandalism, they allow attackers to cause disruption without directly confronting their target face-to-face. This can be seen in cases where disgruntled employees have launched DDoS attacks against their former employers.
In an interesting turn of events, the LockBit ransomware group, notorious for its cyber exploits, found itself on the receiving end of a DDoS attack in August 2021. Previously, LockBit had attacked Entrust, a US data security firm, stealing valuable data and demanding a ransom to prevent its public release. In retaliation, Entrust launched a large-scale DDoS attack targeted at LockBit’s Tor leak sites, the platforms where stolen data is typically exposed. This effectively disabled the sites, preventing the stolen data’s potential exposure.
Hypercompetition
The business world is ferocious. While many companies compete solely within the realm of legitimate marketing tactics, some individuals and organizations resort to DDoS attacks to gain an unfair edge over their rivals. Their motivation stems from an inherent desire to outperform competitors in the marketplace. By disrupting a competitor’s online presence and hindering their operations, attackers hope to steal potential customers and ultimately secure a larger market share for themselves. As such, DDoS attacks launched for competitive reasons are often timed strategically, targeting periods of peak user activity like sales periods or daily peak gaming sessions to inflict maximum damage and cause significant inconvenience.
The e-commerce industry, with its vast online communities and fierce rivalries, is a key arena for competition-driven DDoS attacks. Competitors may orchestrate DDoS attacks against an online retailer’s servers to disrupt their operations and cause downtime. This disruption frustrates existing customers and deters potential new shoppers from visiting the targeted store. By tarnishing the competitor’s reputation and hindering their ability to deliver a smooth buying experience, attackers hope to poach customers and draw them to their own stores.
Attention Seeking Gone Wild
The desire for attention can also be a driving force behind DDoS attacks. This motivation is often linked to youthful boundary-stretching or a desire to prove oneself. The latter occurred in the case of the Dark Frost Botnet; the attacker was seen bragging about his escapades online. These attacks are sometimes fueled by a sense of mischief or a desire to disrupt for entertainment purposes. Many attackers are talented, bored, and have time and untapped potential on their hands. As such, aspiring hackers might target an organization’s servers as a way to demonstrate their technical skills or gain notoriety within the hacking community.
Here, the distinction between playful or reckless hacking and ethical hacking comes into play. Black hat attackers launch DDoS attacks simply for attention or entertainment. But others—white hat hackers—use their skills ethically and legally to strengthen system security by identifying vulnerabilities with permission. Meanwhile, gray hat hackers, who occupy a middle ground, may also seek to improve security by uncovering flaws without explicit permission and subsequently informing the system owners, aiming for a positive outcome despite their methods being technically illegal. Neither of these two groups has malicious intent; both focus instead on enhancing cyber safety in their own ways.
Cyberterrorism
Nation states or highly organized groups may orchestrate large-scale DDoS attacks against critical infrastructure, aiming to cripple an enemy nation’s digital backbone and cause widespread disruption, such as in the case of the DDoS attacks against Luxembourg municipal websites in 2024. These efforts are often meticulously planned and highly sophisticated, often using a combination of tactics that make the DDoS attacks difficult to detect and even harder to defend against.
DDoS attacks that are motivated by cyberterrorism can be rooted in retaliation for a perceived slight or act of aggression. They can be used as a smokescreen to distract security personnel while attackers infiltrate a target network and steal sensitive data. They can also be launched to create a sense of chaos and instability within a targeted nation by taking down essential services like power grids, financial institutions, or communication networks.
These attacks can have real-world ramifications far beyond those of a DDoS attack against a company or game. Hospitals can lose access to patient records during a DDoS attack, and financial markets can grind to a halt. Recently, DDoS attacks have supplemented ground invasions in war zones. In the most extreme scenarios, cyberterror attacks can contribute to, or could even spark, real-world conflicts.
How DDoS Attackers Operate
While exact routines may differ based on the perpetrator’s available resources and goals, all attacks follow a similar three-stage pattern.
1. Preparation phase
1.1. Building a botnet: At the core of many DDoS attacks lies a botnet, a network of compromised devices secretly controlled by the attacker. These devices, often personal computers or IoT devices infected with malware, can be recruited through phishing campaigns or by exploiting software vulnerabilities.
1.2. Target identification: Attackers determine the target, which could be a specific server, website, or network. They assess the target’s vulnerability and the potential impact of the attack.
1.3. Resource mobilization: Attackers amass resources, such as a network of compromised devices (botnet), to launch the attack. This involves infecting multiple devices with malware to control them remotely.
1.4. Attack planning: This involves choosing the type of DDoS attack, timing, and duration. Attackers plan their approach based on the target’s weaknesses and desired impact.
2. Execution phase
2.1. Initial exploitation: The attacker or botnet initiates the attack by sending excessive requests to the target’s IP address, overwhelming the server or network.
2.2. Amplification and reflection: Some attacks exploit the amplification factor of certain protocols, sending small requests to third-party servers that then send large amounts of data to the target.
3. Monitoring and adaptation
3.1. Attack monitoring: The attacker closely monitors the attack’s effectiveness, adjusting tactics if necessary to bypass any implemented defenses.
3.2. Maintaining anonymity: Attackers often leverage anonymization techniques like Tor to mask their location and identity.
3.3. Sustaining the attack: The attack is maintained to cause prolonged disruption. This might involve adapting to the target’s defensive measures and varying the attack vectors.
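The two execution-phase patterns above leave different fingerprints in network telemetry, and a defender's first-line triage is built around exactly that. The following Python script is an added example written for this article, not code from the original page or from Gcore; it parses a minimal NetFlow-like CSV (constructed here, with a hypothetical protected network in the 203.0.113.0/24 documentation range) and flags (a) a direct flood, seen as an unusually large number of distinct sources hitting one destination port inside a short window, and (b) reflection/amplification, seen as a host receiving large volumes from a well-known UDP service port it never sent requests to. The port list, thresholds and record format are assumptions for the example.

```python
"""Defender-side triage of flow records for the two execution-phase patterns
described above: direct floods from many bots, and reflection/amplification
via third-party UDP services. Every flow record here is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors; reflected traffic arrives with this source port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}
PROTECTED_PREFIX = "203.0.113."  # hypothetical protected network (RFC 5737 documentation range)


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,sport,dst,dport,proto,bytes' record (assumed minimal CSV export)."""
    ts, src, sport, dst, dport, proto, nbytes = line.strip().split(",")
    return Flow(float(ts), src, int(sport), dst, int(dport), proto.upper(), int(nbytes))


def build_sample_flows() -> list:
    """Constructed traffic: benign DNS lookups, an NTP reflection burst, and a SYN flood."""
    lines = []
    # Benign: host .10 sends DNS queries and receives answers of ordinary size.
    for i in range(20):
        lines.append(f"{100 + i},203.0.113.10,{40000 + i},198.51.100.5,53,udp,70")
        lines.append(f"{100 + i + 0.01},198.51.100.5,53,203.0.113.10,{40000 + i},udp,150")
    # Reflection: 50 NTP servers answer host .20, which never sent them a request.
    for i in range(50):
        lines.append(f"{200 + i * 0.05},198.51.100.{100 + i},123,203.0.113.20,{50000 + i},udp,440")
    # Flood: 200 distinct sources open connections to host .30 within two seconds.
    for i in range(200):
        lines.append(f"{300 + i * 0.01},192.0.2.{1 + i},{20000 + i},203.0.113.30,443,tcp,60")
    return [parse_flow(line) for line in lines]


def detect_reflection(flows, ratio_threshold=10.0, min_inbound_bytes=10_000):
    """Flag protected hosts receiving far more bytes from a reflector service port than
    they sent to that service: answers without matching questions are the signature."""
    inbound = defaultdict(int)     # (victim, service) -> bytes received from that service port
    reflectors = defaultdict(set)  # (victim, service) -> distinct reflector addresses
    outbound = defaultdict(int)    # (host, service) -> bytes the host itself sent to the service
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dst.startswith(PROTECTED_PREFIX) and f.sport in REFLECTOR_PORTS:
            key = (f.dst, REFLECTOR_PORTS[f.sport])
            inbound[key] += f.nbytes
            reflectors[key].add(f.src)
        elif f.src.startswith(PROTECTED_PREFIX) and f.dport in REFLECTOR_PORTS:
            outbound[(f.src, REFLECTOR_PORTS[f.dport])] += f.nbytes
    alerts = {}
    for key, rx in inbound.items():
        tx = outbound.get(key, 0)
        ratio = rx / max(tx, 1)  # avoid division by zero when nothing was ever requested
        if rx >= min_inbound_bytes and ratio >= ratio_threshold:
            alerts[key] = {"inbound_bytes": rx, "outbound_bytes": tx,
                           "ratio": round(ratio, 1), "reflectors": len(reflectors[key])}
    return alerts


def detect_flood(flows, window_s=5.0, min_sources=100):
    """Flag (destination, port) pairs contacted by an unusually large number of distinct
    sources inside one time window, the direct-flood signature of a botnet.
    Returns sorted (dst, dport, window_start, distinct_sources) tuples."""
    sources = defaultdict(set)  # (dst, dport, window index) -> distinct source addresses
    for f in flows:
        if f.dst.startswith(PROTECTED_PREFIX):
            sources[(f.dst, f.dport, int(f.ts // window_s))].add(f.src)
    return sorted((dst, dport, w * window_s, len(s))
                  for (dst, dport, w), s in sources.items() if len(s) >= min_sources)


if __name__ == "__main__":
    sample = build_sample_flows()
    for key, info in detect_reflection(sample).items():
        print("reflection", key, info)
    for hit in detect_flood(sample):
        print("flood", hit)
```

The two detectors are deliberately keyed differently: the flood detector counts sources per destination port, so a burst aimed at one service stands out, while reflected traffic (which lands on many ephemeral ports) is caught by the request/response byte ratio instead. Real deployments would feed sampled flow exports into the same logic and tune the thresholds to the observed baseline rather than the constants used here.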
What Can Businesses Learn from These Attacks?
Understanding the motivations and methods behind DDoS attacks empowers and motivates businesses to take proactive measures and safeguard their online presence. However, the root causes of DDoS attacks—like market competition and geopolitical unrest—are beyond a company’s influence.
The high cost of DDoS attacks extends far beyond the immediate financial losses. Unprotected companies can incur significant expenses due to:
- Lost income during downtime
- Detection and recovery efforts
- Legal fees
- Reputational damage
- Customer churn
Unprotected businesses hemorrhage an average of $6,000 per minute during a DDoS attack. When you factor in the broader impact, a single 20-minute attack can easily escalate into losses exceeding $120,000. Reputational damage and customer loss can have long-lasting consequences that are difficult to quantify.
The only way to mitigate the disastrous consequences of DDoS attacks is to proactively adopt a comprehensive protection strategy, such as Gcore DDoS Protection.
Thwart Attackers with Gcore DDoS Protection
Gcore’s global network of scrubbing centers is designed to ensure that your business continues to operate smoothly during a DDoS attack, without delays or performance degradation. Your customers won’t notice any difference in functionality even during an active attack. These centers are well-equipped with backup copies of essential systems and network equipment, demonstrating the company’s commitment to providing uninterrupted service and security.
Gcore DDoS Protection offers businesses the following benefits:
- Robust infrastructure: Vast distributed network of scrubbing centers with over 1 Tbps filtering capacity.
- Proprietary DDoS protection solution: Tailored specifically to ward off a broad spectrum of DDoS threats.
- Detection of low-frequency attacks from the first query: Even the most subtle attacks are detected.
- Exceptionally low false-positive rate (less than 0.01%): Maintains normal operations by accurately distinguishing between legitimate traffic and attack vectors.
- Real-time statistics in the control panel: Offers immediate insights into traffic patterns and potential threats, allowing for swift action.
- Server protection in your data center: Extends Gcore’s protective measures directly to your infrastructure through a Generic Routing Encapsulation (GRE) tunneling protocol, regardless of location.
- 24/7, highly qualified technical support: Ensures that expert help is always on hand, day or night, to address any concerns or attacks.
- Exceptional uptime rate with 99.99% SLA: A seamless and uninterrupted user experience backed up by Tier III and IV data centers.
Conclusion
While understanding attackers’ mindsets can dispel some of the mystery behind cybercrime, it also shows that DDoS attackers can only be stopped through an effective DDoS mitigation strategy. Partnering with a specialized DDoS protection service ensures that your network is fortified with the latest security measures, providing a strong defense that keeps your operations secure and uninterrupted.
Experience the peace of mind that comes with advanced protection with Gcore DDoS Protection for comprehensive security against DDoS attacks. With over 1 Tbps of total filtering capacity and a 99.99% SLA, your digital assets remain protected from even the most complex, sophisticated, and sustained attacks. Gcore helps to maintain the continuity of your online services, regardless of potential attackers’ motivations.