The Psychology Behind DDoS: Motivations and Methods

DDoS attacks, also known as distributed denial of service attacks, are one of the oldest internet cyberweapons used today by everyone from hacktivists and governments to disgruntled video game players and thrill-seekers purely for personal enjoyment.

The attacks disrupt access to web sites and servers or take them offline completely by using co-opted online resources such as zombie PCs and servers or Internet of Things (IoT) bot networks that flood and overwhelm victims with online traffic.

“If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack,” says security researcher Bruce Schneier.

“These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense.

But largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.”

Although individual and group motivations may differ, DDoS attacks have the same objective: take a target server or servers offline with internet traffic until the internet services are no longer operational.

DDoS targets range from individuals to government organizations and businesses such as e-commerce sites, banks, stock exchanges, credit bureaus, gaming sites or internet service providers.

DDoS Attack Psychological Motivations

The motivations and psychology behind DDoS attacks vary. They span financial or economic benefits, revenge, ideological beliefs, cyberwarfare or even solely personal enjoyment.

Large scale DDoS cyber attacks tend to be the result of group efforts, as opposed to individual actors, with a specific goal or agenda in mind.

[Figure: DDoS graph. Images from Elsevier Inc, 2015]

The majority of DDoS cyber-attack psychological motivations fall into several categories:  

  • Financial gain or economic benefit. DDoS attacks against e-commerce sites and banks are a growing trend, especially during the holidays, according to technology industry research firm Forrester. Extortion or blackmail is another motivating factor for using DDoS attacks. Using DDoS attacks as a financial weapon is also a favorite technique for hackers who demand Bitcoin via email to stop the onslaught of traffic.
  • Revenge. This motivation drives DDoS attacks against companies, organizations, and individuals, where victims include non-profit organizations, community colleges, courts and law enforcement entities, or journalists. In most cases, the disgruntled individual or group behind the attack has a goal of inflicting damage for a perceived wrong.
  • Ideological belief. Also known as hacktivism. Some attackers become motivated to attack political targets because of their ideological beliefs against a nation-state or government policies. This motivation has become an influential reason behind many DDoS attacks where independent “hacktivists” DDoS government websites to cause outages and disruption. In January 2019, Zimbabwean government-related websites were hit with a DDoS attack by hacktivist group Anonymous protesting internet censorship in the country.
  • Intellectual challenge. Some attackers DDoS web sites to demonstrate their technical capabilities. DDoS tools and even services are available via the Dark Web, making it easy for attackers to deploy and experiment with the latest technologies such as automation and botnets against targets.
  • Personal Enjoyment. This type of DDoS attack falls under the category of cyberbullying and trolling. It’s intentional and meant to be either fun or vindictive (or both) while at the same time demonstrating the power to disrupt a web site or network.
  • Cyberwar. Used for political and military advantage, cyberwarfare is normally associated with nation-states. It’s designed to inflict economic or physical impact on its targets. Groups that use cyberwarfare strategies and tactics are well-trained and organized, and belong to government militaries or terrorist organizations. Many world governments have devoted significant resources and time to conduct attacks that have disrupted an adversary’s online and critical infrastructure.

DDoS Attack Methodologies

DDoS attacks consist of three major phases and four different sub-components, according to researchers. The sub-components are: an attacker; multiple control computers, known as masters or handlers; multiple “slave” computers, also called botnets, agents, or zombies; and a victim or target machine.

In the first phase of a DDoS attack, hackers take control of network-attached computers called “masters” or “handlers” to control other machines that will ultimately execute the DDoS attack.

Creating a network of handlers and attack machines is an automated process where hackers scan the internet for computers or Internet of Things devices that can be compromised, usually with malware. 

When the desired number of compromised machines is reached, hackers start the second attack phase. The collection of compromised machines, called a botnet, is loaded with the instructions and commands needed for the network of zombie computers to launch an attack.

In the final DDoS phase, hackers direct the botnet to execute the attack or attacks on victim machines. The distributed nature of the attack sends massive amounts of internet traffic to the victim’s system or online resources, which in turn disrupts or slows down the intended target’s services.

Spoofed or fake IP addresses hide compromised device identities and hinder victims’ efforts to filter out malicious traffic and find the attack source.

Increasing DDoS Sophistication

The threat landscape of today is constantly opening up new opportunities for attackers to take advantage of the latest internet-connected devices and cloud technologies to launch even more massive DDoS attacks.

These new attacks have also gotten easier to execute, with zombie botnets able to take down large corporations or government entities.

The latest attack vector is physical access control systems installed in places including corporate headquarters, factories, or industrial parks. “Hackers are actively searching the internet and hijacking smart door/building access control systems, which they are using to launch DDoS attacks,” according to firewall company SonicWall.

Hackers are now scanning the internet for exposed Nortek Security & Control (NSC) Linear eMerge E3 devices and exploiting one of the ten newly discovered vulnerabilities, according to SonicWall.

The primary purpose of these devices is to control what doors and rooms employees and visitors can access based on their credentials (access codes) or smart cards and then block or disrupt access to physical buildings.

To mitigate the popularity and accessibility of DDoS attacks as a tool for non-technical attackers, security researchers and law enforcement agencies regularly track and take down malicious web services that now offer for-profit DDoS-as-a-Service, which has weaponized for the masses what was once only done by sophisticated hackers.

Through so-called “booter” or “stresser” sites, cybercriminals are marketing and selling attack-for-hire services that can be easily purchased online. According to Cloudflare, “Booters are slickly packaged as SaaS (Software-as-a-Service), often with email support and YouTube tutorials.

Packages may offer one-time service, multiple attacks within a defined period, or even “lifetime” access. A basic, one-month package can cost as little as $19.99. Payment options may include credit cards, Skrill, PayPal or Bitcoin (though PayPal will cancel accounts if malicious intent can be proved).”

And security journalist Brian Krebs says, “Booter sites are dangerous because they help lower the barriers to cybercrime, allowing even complete novices to launch sophisticated and crippling attacks with the click of a button.”

DDoS-as-a-Service provides yet another attack vector for non-technical users to use for cybercrime, revenge, hacktivism, enjoyment or even cyberwar.

Finally, a DDoS attack can also be viewed as merely a tool meant for distraction. Hosting company LiquidWeb claims that “while your security team is distracted mitigating the denial of service attack, the party responsible is free to go after what they actually want – whether it is financial information, intellectual property, or client data.”

If, as LiquidWeb states, DDoS attacks are the “equivalent of driving a bus through the front door of a bank while an associate tunnels into the bank vault from below,” then organizations must be vigilant about their IT security and take an approach that makes securing the network edge against all attacks a top priority.