2.2. Meet the Attackers

Who are the likely perpetrators of DDoS attacks? We have evidence from studies that thousands of attacks occur on a regular basis, yet very few attackers have been caught and prosecuted. This is partly due to the inability of victims to meet the minimum damage limits necessary to prosecute, or because the victim doesn't feel prosecution is worthwhile or fears negative publicity. Another factor is the ease of performing a DoS attack without leaving many traces for investigators to follow. It is impossible to judge the profile of perpetrators from such a small sample of provable crimes. Still, from the lack of sophistication in many attacks, it is safe to assume that a very large percentage seem to be perpetrated by inexperienced hackers, so-called script kiddies. These hackers download crude attack tools from the Internet and use them unaltered. While such attacks can still severely cripple the victim, sufficient traces sometimes exist for investigators to be able to understand much about the attacker. Such crude attacks also frequently generate an easily recognizable traffic pattern that can be controlled by simple filters.

Another type of a DoS perpetrator is a sophisticated hacker who uses several means to obscure her identity and create subtle variations in traffic patterns to bypass defenses. While these attacks are less common than the simple ones, they are particularly vicious and hard to handle. Sophisticated hackers may act on their own accord (when attacking for supremacy in their peer circle or for revenge) or may be hired by an underground movement or a criminal organization.

The most dangerous potential attacker is the nation-state actor that has significant resources and skill available to write his own tools, using sophisticated command and control techniques, and taking advantage of intelligence resources that are hard to come by. Such an attacker could create very subtle effects that are difficult to even notice using common methods or tools. Besides, the monitoring tools may potentially have vulnerabilities themselves that can be exploited to hide the presence of the attack. To date, no DDoS attacks can be confidently ascribed to such nation-state actors, but they are inherently better at covering their tracks. If no such attacks have occurred yet, they may well occur in the future.