Who launches DDoS attacks and why?

One of the biggest problems with distributed denial of service attacks is their unpredictability. Unlike ransomware or malware stealers, organizations far from business or open social activities can become victims of such attacks. Often, a company whose website or server has been hit by a wave of false DDoS traffic has no idea why they became the targets of an attack, who might need it, and how to protect themselves from this in the future.

To figure out how big the DDoS threat is for a particular industry, enterprise, or resource, you need to understand the background of this phenomenon in the digital landscape of the 21st century. Knowing who and for what purposes usually starts such cyber attacks, you can determine whether your company is at the “forefront” of the attention of cybercriminals and which elements of the web infrastructure are potentially the most vulnerable and need preventive protection.

In this article, we will figure out who starts DDoS attacks, what motives and goals are behind them, what methods are used, and who is primarily at risk.

DDoS attack as a cybercriminal tool

Before drawing up a “portrait” of a typical cybercriminal, you must understand what features make DDoS steel attractive for mass use. Indeed, at first glance, this technology does not provide such obvious advantages as penetrating networks or hacking the victim’s servers. A denial-of-service attack cannot steal valuable corporate or personal data or leave a “useful” bookmark in a competitor’s infrastructure.

Who launches DDoS attacks and why?

After a temporary shutdown due to a DDoS attack, an organization can restore its services and continue operations. Although, in some cases, it may take weeks or even months to eliminate the consequences of an attack, the infrastructure will not suffer critical damage. So why are DDoS technologies showing such a steady increase in popularity among cyber attackers?

Reasons for the popularity of DDoS

  • Anonymity. Unlike launching Trojans and other malware, the direct perpetrator of a DDoS attack has little to no worry about being caught. Using third-party hijacked devices (bots), spoofing, and reflection, a criminal can reliably hide the source of a wave of malicious traffic and remain potentially unpunished.
  • Low entry threshold. Due to the high degree of technology automation, a DDoS attack requires much less technical knowledge than infiltrating and extracting information from private/corporate networks. A potential cyber villain only needs access to the dark web or closed hacker channels in instant messengers and freedom from internal ethical restrictions.
  • Financial availability. Unfortunately, since the emergence of such a phenomenon as “DDoS as a Service” (DDoS-as-a-Service, DaaS) – services for paid attacks on specified targets, which are organized by the owners of networks of botnets (“zombie devices”), prices on them have decreased several times. According to research by information security specialists from Positive Technologies, a powerful DDoS attack of several hundred Gbps can be ordered today for only $50 per day.
  • Fast result. A massive multi-vector DDoS attack can take down even the largest and most externally protected web resource in seconds. This tool is often used by attackers who want to disrupt the organization’s work at a certain moment – during the days of planned commercial actions, during important media or political events, including government and presidential elections. For the same reason, denial-of-service attacks often act as a smokescreen for more dangerous cyberattacks, such as masking a data breach or injecting ransomware.
  • The emergence of new opportunities for attacks. Unfortunately, the constant development of technical means and the complication of the cyber landscape not only open up new facets of convenience and improved quality of life for ordinary users but also provides additional opportunities for attackers. Today, DDoS attacks increasingly use IoT devices and intelligent access control systems installed in places such as corporate headquarters, factories, or industrial parks.
  • The difficulty of reflection. Blocking illegitimate traffic attacking a network or server using different protocols requires a high level of special competencies from a team of IT specialists, using complex technical means of protection and adopting several preventive measures. Far from every service that positions itself as professional, DDoS protection is able to cope with especially sophisticated and large-scale attacks.

How DDoS is used

Less experienced customers usually resort to paid DDoS-as-a-Service (DaaS) portals. Unfortunately, they are widely available on the web and can easily be found with a simple Google search. These DaaS platforms, also known as “booters” (booters) or “amplifiers” (stressors, stressers), have enough attack power to disrupt the web resources of most organizations.

Organized crime groups or hired hackers usually use larger, more flexible, and more profitable solutions tailored to individual tasks. They create their tools for DDoS attacks: a botnet (zombie networks) and an attacking infrastructure.

Botnets are commonly used to create distributed attacks with a high number of packets or requests per second, which drain the resources of network devices or servers. DDoS servers perform attacks with reflection and amplification (amplification). They scan Internet services that can potentially be used in amplification attacks, such as DNS, NTP, SSDP, and Memcached, which allow recursion by default. Later, these server capacities can create devastating amplification DDoS attacks with a gain of 50,000 to 100,000,000 to 1.

Who launches DDoS attacks?

As mentioned earlier, DDoS attacks are available to the widest range of users “with reduced social responsibility.” However, certain groups use this remedy most frequently and with the maximum devastating effect on select victims.

Organized crime

  • Threat level: high.
  • Motivation: financial gain.
  • Target of attacks: websites, channels for accessing the cloud, DNS services, web API, gaming zones, voice services, email, and remote access systems.
  • Who is at risk: telecom operators, gaming services, cloud service providers, financial web services, e-commerce enterprises, transport and logistics companies, and media brands.

Although DDoS attacks are not directly used in cybercrime schemes aimed at extortion or data theft, they are often used as an additional means of pressure on the victim. It is in this capacity that distributed denial-of-service attacks entered the arsenal of criminal RaaS services (Ransomware-as-a-service, “extortion as a service”) under the acronym RDoS (Ransom denial-of-service, “denial of service for ransom”).

Who launches DDoS attacks and why?

For example, “professional” malware operators use the “triple blackmail” tactic. At the same time, such traditional cyber-extortion tools as system encryption and the threat of disclosure of stolen confidential data are supported by the third “argument” in the form of massive DDoS attacks that block the normal operation of the IT infrastructure.

According to open data, the tactics of triple blackmail using DDoS attacks were actively used by such well-known hacker groups as Lazarus Group, LockBit, REvil, and APT. Since 2014, they have caused huge direct and indirect financial damage to the largest companies in the world, including Sony Pictures, Acer, and Canadian VoIP operators Voip Unlimited and, English telephony provider Voipfone, Brazilian meat holding JBS, software developer Kaseya, and information security giant Entrust.


  • Threat level: high.
  • Motivation: obtaining unfair competitive advantages.
  • The purpose of the attacks: websites, network, and server infrastructure of any organization that occupies a significant position in a particular market segment for goods and services.
  • Who is at risk: any small, medium, and large businesses critically dependent on Internet representations and web infrastructure.

A direct threat to the web structure of commercial companies can be posed by members of gangs of hackers and cyber-ransomware and by “colleagues” from competing organizations without moral restrictions. They will try to win in the eternal competition by constantly reducing the availability of Internet resources, which will lead to reduced productivity, loss of reputation, and a host of other delayed consequences.

Unfortunately, the relative impunity, the severity of the consequences, and the difficulty of building effective protection against DDoS attacks make them an extremely popular tool for illegally suppressing competitors. According to a survey conducted by Kaspersky Lab experts, almost half (43%) of respondents who were victims of DDoS believe that they were caused by the intrigues of competitors or attempted industrial sabotage.

Usually, automated “commercial” botnets are used for this, launching attacks according to the schedule specified by the attackers. Very often, the diversion of company resources to clean up false traffic is used as a distraction for more destructive actions – hacking into corporate systems to steal trade secrets and the personal data of customers and employees.

An excellent illustration of DDoS as a weapon of unfair competition is the story of Daniel Craig and his private network of “zombie machines.” After the attacks of the infamous Mirai botnet on Krebs, OVH, and Dyn DNS, a hacker nicknamed Bestbuy (“best buy”), who was trying to “enslave” 900,000 Deutsche Telecom consumer Internet modems, came to the attention of law enforcement officers. Bestbuy, or Daniel Kay, as he was called in real life, already owned a Mirai-based botnet of 400,000 bots at that time. But this criminal began precisely as a means of illegal struggle against competitors.

In 2016, Daniel was hired by the CEO of Cellcom Liberia to destroy Lonestar MTN’s reputation as Cellcom’s biggest competitor in Liberia. Daniel launched DDoS attacks through vDoS – the most famous stressor service at that time (as DdaaS or paid DDoS services are called differently). But he did not suit the beginner “dose” in terms of power. Then a hired hacker used the newly released Mirai sources to create his destructive botnet, quickly disrupting the Internet connection throughout Liberia. Daniel Kay was detained in January 2019 at Luton Airport in London, UK, while returning home to Cyprus after meeting with his Cellcom contact.


  • Degree of threat: medium, although it has constantly increased in recent years as the global political and economic crisis develops.
  • Motivation: a manifestation of political ideas and attitude to resonant social or economic events.
  • The target of attacks: websites, media portals, and mobile applications.
  • Who is at risk: government and state control bodies, large state-owned enterprises or companies with state participation, and leading media.

The term “hacktivism” (hacktivism) comes from the merger of such concepts as “hacking” (hacking) and political “activism” (activism). Unlike organized crime representatives, hacktivists are guided not by financial gain but mainly political or ideological messages. To draw public attention to their position on a particular socially significant issue, they are ready to take the most radical steps – to damage or destroy server equipment and disrupt the sites and web resources of their “opponents.”

Due to the network nature and extremely simple organizational structure of hacktivist communities, each organization that falls under the scope of their attention risks quickly losing control of the situation. Usually, these anonymous communities quickly gather “like-minded people” by closing the group in instant messengers and social networks and then provide everyone with instructions on the object and mechanism of the attack and easy-to-use tools for conducting DDoS attacks.

Although hacktivists mostly use well-known and publicly available DDoS tools, they become a very effective distributed weapon in the hands of a sufficiently large group of people. Moreover, in recent years, the number of such attacks has grown rapidly due to the involvement of an increasing number of previously politically neutral citizens in an active ideological agenda.

Who launches DDoS attacks and why?

An example of relatively recent DDoS actions by hacktivists is the attacks on major Israeli sites organized by the hacktivist group Dragon Force Malaysia in June-July 2021. The reason for the mass attacks was a political protest against the strengthening of diplomatic relations between the government of Israel and several countries in Southeast Asia with a Muslim majority. In 2022, massive DDoS attacks by hacktivists protesting general election violations affected all major information and communication networks in the Philippines, including CNN, ABS-CBN, Rappler, and VERA Files.

Disgruntled employees or customers

  • Threat level: medium.
  • Motivation: an attempt to damage the reputation and financial position of the company due to personal dissatisfaction.
  • Target of attacks: websites, DNS services, web API, game zones, email.
  • Who is at risk: e-commerce, gaming industry, gambling, and betting.

Although this group of cyber intruders is less organized and operates mainly with the most primitive methods, it occupies one of the leading places regarding the frequency of attacks on corporate resources. According to the same Kaspersky Lab survey, disgruntled employees and angry customers are the sources of DDoS attacks in more than 20% of cases.

One of the most frequent targets for “DDoS revenge” is resources related to the gambling and betting industry. The organizers of such attacks act on flashing emotions. In a fit of anger after losing large sums of money, they can easily become accomplices in cybercrime. Less often, critical dissatisfaction, turning into direct aggression, can be caused by the quality of the services of a website – false advertising placed on it, inadequate prices, or poorly organized delivery of goods.

Given that such actions are usually one-off, this group main resorts to public DDoS-as-a-Service (“DDoS as a Service”) portals, which provide subscription-based access to botnets and attack servers. With just a few clicks, “DDoS avengers” can easily disrupt online resources and damage the reputation of a business.

State structures

  • Threat level: high.
  • Motivation: an attempt to influence the foreign policy of a rival state.
  • The target of attacks: large websites, network, and server infrastructure.
  • Who is at risk: industry, transport, energy facilities, government agencies, financial companies, media, and other critical information infrastructure (CII).

Suppose DDoS attacks can be an extremely effective cyber weapon in the hands of individuals or relatively small hacker groups. In that case, it is easy to imagine how much more destructive this tool can be in the hands of special government agencies. The main areas for large-scale attacks here are the critical infrastructure of the opposing countries. For example, electrical networks, fuel pipelines, water supply, transport, and financial institutions. At the same time, the features of DDoS technology allow true customers to maintain absolute anonymity and conduct operations to misinform the enemy.

Although this area of ​​application of distributed denial of service attacks, for known reasons, is under a veil of secrecy, individual cases do reach the public. One of the most striking examples of interstate cyber warfare is the official indictment that the US Department of Justice filed in 2016 against a group of Iranian hackers, Izz ad-Din al-Qassam Cyber ​​Fighters, who allegedly worked for structures associated with the Islamic Revolutionary Guard Corps.

According to him, between 2011 and 2013, the group carried out DDoS attacks on 46 large financial institutions and corporations, including Bank of America, Capital One, JPMorgan Chase and PNC Banks, the New York Stock Exchange, and Nasdaq, and also tried to seize control of Bowman Dam outside New York. The official cause of the attacks was an “anti-Islamic” video posted on YouTube. However, most experts agree it was a “response” to the Stuxnet cyberattack launched by the US and Israel, which disabled Iranian nuclear centrifuges in 2010.


As you can see from the given practical examples, DDoS attacks have become a global threat hanging over the IT infrastructure of any modern enterprise. High availability and anonymity make this technology a favorite tool for cybercriminals of all sizes – from large hacker groups extorting millions from corporations to ordinary hooligans settling personal scores on the Internet.

Given the scope and technical complexity of the threat, proactive DDoS protection is becoming a priority for any organization concerned with the security and stability of its web resources. Of course, such measures require the presence of sufficiently competent personnel and their technical capacities. However, you can also use the services of a specialized provider of anti-DDoS solutions, which will take care of the company’s cyber defense completely.

Back to top button