15 August 2022
Attacker’s psychology: what to consider when defending against DDoS attacks
Although DDoS attacks are mainly carried out with bots, the initiators and coordinators of the attacks are humans. The nature of the attacks, their intensity and duration largely depend on their motivation and behaviors.
Common behavioral characteristics
According to our observations, attackers who launch DDoS attacks almost always want to confirm that their efforts have succeeded and that the availability of the targeted resources has dropped significantly for some time. What happens next varies: many attackers are ecstatic when they discover that the DDoS attack was successful, while other, more professional hackers simply report the attack to their customers and move on to the next target.
The owners of the attacked resources and those who provide their DDoS protection are fighting "on the other side of the barricades," so it is in their best interest to make sure the attacker does not learn how successful the attack was. There is no reason to give adversaries grounds to feel victorious. Even if some of your resources or their components have been unavailable for a while, the attackers should not be able to see this. Of course, this is not always possible; at the very least, try to withhold from the attackers any information that would let them conclude that the attack succeeded.
If the attacker cannot gauge the success of the attack, or concludes that it failed, they will most likely try to repeat the DDoS attack against your resources, for example by singling out their most vulnerable components. If the attacker is not strongly motivated, or if your resources are far from the only target of their attacks, they will most likely leave you alone, at least for a while.
Motivation of the attackers
It is much easier to predict an attacker's next moves if you correctly assess their motivation. In our practice, we regularly encounter the following motivations behind DDoS attacks.
- The desire to have fun, to show off, to settle scores, or plain hooliganism. These motives are usually pursued by young talents who are trying their hand at hacking, want to prove something to themselves or their friends, or want to cause some small harm, for example by making their school's website or a gaming service they have fallen out with inaccessible. In such cases, DDoS attacks are usually carried out with simple, cheap, but quite effective means. Defending against such attacks is relatively easy, provided your resources are under professional protection.
- Defending or promoting ideas: political, social, environmental, cultural, etc. Those who attack "for an idea" are usually trying to harm those who disagree with them or to achieve a broad public response. These attacks should not be underestimated.
- Damaging competitors. Until recently, this was perhaps the most common motivation in our practice: in an effort to gain at least some competitive advantage, unscrupulous market players launched attacks on their competitors in order to damage them and push their customers towards other websites. Such attacks are particularly strong and painful during seasonal traffic peaks, such as the pre-Christmas shopping season. DDoS attacks of this type often prove to be very powerful, so defending against them requires not only the involvement of professional anti-DDoS services but also a carefully worked-out set of measures to keep Internet resources stable under DDoS attack, because if the attack order is well paid, the hacker will do everything possible to carry it out.
- Extortion and blackmail, which we have also encountered frequently in recent years. Attackers with this motivation not only attack but also present demands to the victim: usually they name a sum in cryptocurrency and promise to stop the attack once it is received. Although extortionists usually do not carry out extremely powerful attacks, they often show enviable perseverance in pursuing their goals: even if the owners of the attacked resources enable protection, extortionists try to find weaknesses in it in order to launch new DDoS attacks. They can also carry out complex multi-vector attacks in which the DDoS attack serves as a diversion, for example to gain access to the victim's confidential data and then extort payment by threatening to publish the data online or destroy it if the ransom is not paid.
- Cyberterrorism is one of the rarest and hardest situations to detect, and a variety of motives may lie behind it: large-scale revenge attacks, industrial espionage, cyberwarfare, etc. As a rule, such attackers do not limit themselves to DDoS attacks but use them to mask intrusions. Their goals can cover a wide spectrum: from publishing false news and stealing confidential data, through falsifying data, taking control of the victim's systems, changing business logic and injecting malicious code, to the complete destruction of data and systems, either immediately or with a time delay.
What to do and what to prepare for?
Since an attacker's motivation is not always clear at the start of a DDoS attack, we recommend carefully studying and analyzing the course of each attack and evaluating its possible consequences. We also offer some further recommendations.
- As already noted, try to hide the results of the attack from the attacker as much as possible; to do this, you need to take care of the security of your Internet resources in advance.
- Be prepared for the fact that a DDoS attack may be accompanied by an attempt to hack Internet resources and penetrate the company's information systems. It is reasonable to entrust the mitigation of the attack to the anti-DDoS provider and focus on monitoring security events yourself, so that a hacking attempt is detected in time.
- You also need to be prepared for a DDoS attack that drags on for days or even weeks. Therefore, make sure your resources are resilient to DDoS attacks and can remain available and operational for an extended period.
- It cannot be ruled out that a successfully repelled DDoS attack will be followed by new ones. If an attacker is strongly motivated to take down your resources, they will make new attempts, for example by targeting the weakest and least protected components of your Internet systems. Therefore, if possible, stay fully prepared and do not relax once the attack has subsided.
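The monitoring advice in the second recommendation (watch security events during the flood so that an intrusion attempt hidden behind it is not missed) can be illustrated with a small log-triage routine. This is an added example, not code from the original post or from its authors. The access-log lines, the source addresses, the list of sensitive paths and the thresholds are all constructed for the example. The idea is to first identify the dominant flood pattern (one URL and one user agent from many sources) and then look closely at whatever is left, since a handful of targeted requests are easy to lose among thousands of flood requests:

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed access log in combined format: an HTTP flood (many sources, one
# URL, one user agent) with a few targeted requests mixed in. All addresses
# and lines are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Aug/2022:10:00:01 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (compatible; floodbot/1.0)"
203.0.113.11 - - [15/Aug/2022:10:00:01 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (compatible; floodbot/1.0)"
203.0.113.12 - - [15/Aug/2022:10:00:01 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (compatible; floodbot/1.0)"
203.0.113.13 - - [15/Aug/2022:10:00:02 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (compatible; floodbot/1.0)"
203.0.113.14 - - [15/Aug/2022:10:00:02 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (compatible; floodbot/1.0)"
203.0.113.15 - - [15/Aug/2022:10:00:02 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (compatible; floodbot/1.0)"
203.0.113.16 - - [15/Aug/2022:10:00:03 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (compatible; floodbot/1.0)"
203.0.113.17 - - [15/Aug/2022:10:00:03 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (compatible; floodbot/1.0)"
198.51.100.7 - - [15/Aug/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 120 "-" "curl/7.68.0"
198.51.100.7 - - [15/Aug/2022:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 401 120 "-" "curl/7.68.0"
198.51.100.7 - - [15/Aug/2022:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 401 120 "-" "curl/7.68.0"
198.51.100.7 - - [15/Aug/2022:10:00:05 +0000] "GET /admin/ HTTP/1.1" 403 90 "-" "curl/7.68.0"
192.0.2.5 - - [15/Aug/2022:10:00:06 +0000] "GET /products HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Hypothetical list of paths worth a closer look during an attack; a real
# deployment would derive this from its own application inventory.
SENSITIVE_PREFIXES = ("/admin", "/wp-login.php", "/xmlrpc.php", "/.git")
AUTH_FAILURE_STATUSES = {401, 403}
AUTH_FAILURE_THRESHOLD = 3  # assumed value for the example


@dataclass(frozen=True)
class Request:
    ip: str
    method: str
    path: str
    status: int
    ua: str


def parse_log(text: str) -> list[Request]:
    """Parse combined-format access log lines; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append(Request(m["ip"], m["method"], m["path"], int(m["status"]), m["ua"]))
    return out


def flood_signatures(reqs: list[Request], share: float = 0.5) -> set[tuple[str, str]]:
    """Return (path, user agent) pairs that make up more than `share` of all requests.

    A volumetric HTTP flood usually hammers one URL with one user agent from many
    sources, so a pair that dominates the log is treated as flood noise."""
    counts = Counter((r.path, r.ua) for r in reqs)
    total = len(reqs)
    return {sig for sig, n in counts.items() if total and n / total > share}


def triage(reqs: list[Request]) -> dict[str, dict]:
    """Flag sources that, outside the flood pattern, touch sensitive paths or
    repeatedly fail authentication. Returns per-IP findings for flagged IPs only."""
    noise = flood_signatures(reqs)
    per_ip: dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "auth_failures": 0, "sensitive_paths": set()}
    )
    for r in reqs:
        if (r.path, r.ua) in noise:
            continue  # flood traffic: leave it to the anti-DDoS provider
        entry = per_ip[r.ip]
        entry["requests"] += 1
        if r.status in AUTH_FAILURE_STATUSES:
            entry["auth_failures"] += 1
        if r.path.startswith(SENSITIVE_PREFIXES):
            entry["sensitive_paths"].add(r.path)
    return {
        ip: {**e, "sensitive_paths": sorted(e["sensitive_paths"])}
        for ip, e in per_ip.items()
        if e["auth_failures"] >= AUTH_FAILURE_THRESHOLD or e["sensitive_paths"]
    }


if __name__ == "__main__":
    for ip, finding in triage(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the constructed sample, the eight `floodbot` requests to `/` are identified as the flood signature and discarded, the ordinary visitor from 192.0.2.5 is left alone, and 198.51.100.7 is reported for three failed logins plus a forbidden request to `/admin/`. The single-dominant-pattern heuristic is deliberately simple: a multi-vector flood would need a lower `share` or several signatures, and in practice the cleanest input is the log of traffic that has already passed through the provider's scrubbing, which is exactly the traffic the recommendation says to keep watching.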