What Is the Reason for DDoS Attacks?

A major gaming platform goes dark in the middle of a tournament. A bank’s online services freeze for hours during a critical business day. A news website becomes completely unreachable the moment it publishes a controversial story. In every one of these scenarios, the likely culprit is the same: a distributed denial-of-service attack, commonly known as DDoS.

DDoS attacks have become one of the most common and most disruptive forms of cyber attack in existence, and yet the underlying question of why anyone would do this remains genuinely confusing to most people outside the security industry. Unlike attacks designed to steal money or data, a DDoS attack often does not directly enrich the attacker at all. So what is actually driving this behaviour?

This article breaks down the real reasons behind DDoS attacks, the different forms these attacks take, the legal consequences attackers face when caught, and what organisations can realistically do about it.

What Is a DDoS Attack, Quickly Explained

A distributed denial-of-service attack works by overwhelming a target server, network, or online service with such an enormous volume of traffic that it can no longer respond to legitimate requests. The word ‘distributed’ refers to the fact that this flood of traffic typically comes from thousands or even millions of different devices simultaneously, usually devices that have been compromised and organised into what is called a botnet, rather than from a single attacking machine.

The effect is similar to a crowd of people deliberately jamming every phone line into a business at once, so that real customers calling in can never get through. The target’s own systems are not necessarily broken into or stolen from directly — they are simply rendered unusable by the sheer volume of malicious demand thrown at them.

Why Do DDoS Attacks Happen? The Real Reasons

The motivations behind DDoS attacks are far more varied than most people assume, and understanding them helps explain why this attack type has remained persistently popular for over two decades.

Financial Extortion

One of the most direct motivations is straightforward extortion. Attackers launch a DDoS attack against a business, demonstrate their capability to take the target’s services offline, and then demand a ransom payment in exchange for stopping the attack. This model, sometimes called ransom DDoS or RDDoS, has targeted everything from online retailers during peak shopping periods to financial services firms, precisely because the cost of extended downtime often exceeds the ransom amount being demanded, creating pressure to simply pay.

Competitive Sabotage

In competitive industries, particularly online gaming, e-commerce, and digital services, some attacks are motivated by simple business rivalry. A competitor, or someone hired by a competitor, launches a DDoS attack against a rival business specifically during a critical period, such as a major sale event or product launch, to drive frustrated customers toward an alternative provider. While difficult to prove and rarely publicly admitted, this motivation has been documented in multiple criminal prosecutions over the years.

Ideological and Political Motivation

A significant share of DDoS activity is driven by ideological, political, or activist motivations rather than direct financial gain. Hacktivist groups have used DDoS attacks as a form of digital protest, targeting government websites, corporations involved in controversial practices, or organisations perceived as adversaries to a particular political or social cause. This form of attack, sometimes described as electronic civil disobedience by its participants, has targeted everything from government agencies to media outlets covering contentious geopolitical events.

Revenge and Personal Grudges

A surprisingly large proportion of smaller-scale DDoS attacks stem from personal disputes rather than organised criminal or political motives. Disgruntled former employees, rejected job applicants, online gaming rivals, and individuals involved in personal disputes have all been documented launching DDoS attacks against specific individuals or small businesses, often using cheap, easily accessible DDoS-for-hire services that require no real technical skill to operate.

Distraction for Larger Attacks

Sophisticated attackers sometimes use a DDoS attack as a deliberate smokescreen, flooding a target’s network with traffic specifically to overwhelm security teams and monitoring systems while a separate, more damaging intrusion — such as data theft or the deployment of ransomware — happens simultaneously in the background, hidden within the chaos the DDoS attack creates.

Geopolitical and Nation-State Conflict

Increasingly, DDoS attacks have become a tool used in geopolitical conflict, with state-sponsored or state-aligned groups launching large-scale attacks against critical infrastructure, government services, and media organisations in rival nations, particularly during periods of heightened international tension or active military conflict, where disrupting an adversary’s digital infrastructure serves broader strategic objectives.

Industry Data Point: Major DDoS mitigation providers including Cloudflare and Akamai have reported year-over-year increases in attack volume and frequency for several consecutive years, with attack sizes regularly exceeding several terabits per second at the largest scale, driven significantly by the growing number of insecure IoT devices available for recruitment into botnets.

Why Do Hackers Use DDoS Attacks Specifically?

Beyond the underlying motivations, it is worth understanding why DDoS specifically has become such a favoured tool among a wide range of attackers, from sophisticated criminal organisations down to teenagers with minimal technical skill.

  • Low technical barrier: DDoS-for-hire services, sometimes called booter or stresser services, can be rented for as little as a few dollars, allowing virtually anyone to launch an attack without writing a single line of code or understanding the underlying technology.
  • High visible impact: a successful DDoS attack produces immediate, highly visible disruption — a website going offline is obvious to everyone, which makes it an effective tool for attackers seeking attention, leverage, or public demonstration of capability.
  • Difficult attribution: because attacks are distributed across thousands of compromised devices owned by unaware third parties, tracing an attack back to the actual person responsible is genuinely difficult, creating a perception of relative safety for attackers compared to crimes that leave more direct evidence.
  • Scalable damage: the same botnet infrastructure used for one attack can be rented out repeatedly to multiple different customers, making DDoS capability itself a profitable commodity independent of any single attack’s specific motivation.

Types of DDoS Attacks

DDoS attacks are generally grouped into three broad categories, each exploiting a different layer of network and application infrastructure.

Volumetric Attacks

Volumetric attacks aim to consume all available bandwidth between the target and the broader internet, flooding the connection with such a high volume of traffic that legitimate data cannot get through. UDP floods and amplification attacks, which exploit misconfigured servers to multiply a small request into a massive flood of response traffic directed at the victim, fall into this category and represent the most common form of large-scale DDoS attack.

Protocol Attacks

Protocol attacks target weaknesses in the network protocols themselves, exhausting server resources or network equipment capacity rather than pure bandwidth. SYN flood attacks, which exploit the handshake process used to establish TCP connections by sending a flood of incomplete connection requests, are the classic example, designed to exhaust the connection tables of servers, firewalls, and load balancers until they can no longer process legitimate requests.

Application Layer Attacks

Application layer attacks, sometimes called layer 7 attacks, are more sophisticated and target the specific application running on a server rather than the underlying network infrastructure, mimicking legitimate user behaviour closely enough to evade simpler detection methods while still consuming enough server resources to cause a denial of service. HTTP flood attacks, which bombard a web server with seemingly legitimate page requests, are the most common example, and are often harder to distinguish from genuine traffic spikes, making them more difficult to mitigate effectively.

The Legality of DDoS Attacks

Launching a DDoS attack is unambiguously illegal in the vast majority of jurisdictions worldwide, and the legal consequences for those caught are genuinely severe.

In the United States, DDoS attacks are prosecuted under the Computer Fraud and Abuse Act, which criminalises unauthorised access to and disruption of computer systems, and convictions can carry substantial prison sentences alongside significant financial penalties, particularly when an attack causes measurable financial damage or targets critical infrastructure. The United Kingdom prosecutes DDoS activity under the Computer Misuse Act, while the European Union addresses it through the Directive on Attacks Against Information Systems, and most other countries maintain comparable legislation specifically criminalising this type of network disruption.

Importantly, the legal exposure extends well beyond the individuals who organise and direct an attack. Operating or even using a DDoS-for-hire service is itself illegal in most jurisdictions, and law enforcement agencies, including the FBI and Europol, have conducted multiple coordinated international operations specifically targeting booter and stresser service operators and their customers, resulting in numerous arrests and prosecutions over the past several years. Even attacks launched seemingly as a joke or a minor act of online revenge against a personal rival have resulted in real criminal charges, since the law generally does not distinguish based on the attacker’s stated motivation or the apparent triviality of the dispute behind it.

Important Distinction: Authorised penetration testing and stress testing of your own systems or systems you have explicit written permission to test is legal and represents an entirely different activity from criminal DDoS attacks. The legality hinges entirely on consent and authorisation, not on the specific technical method used.

The Bottom Line: Motive Varies, Consequence Doesn’t

The reasons behind DDoS attacks span an unusually wide range — extortion, sabotage, ideology, personal grudges, geopolitical conflict, and simple criminal opportunism among easily accessible attack tools. What unites nearly all of them is a fundamental disregard for the very real harm caused to the people and organisations on the receiving end, whether that harm is measured in lost revenue, disrupted services, or simple inconvenience to ordinary users trying to access a website or service they depend on.

Regardless of motive, the legal consequences for those caught launching these attacks are consistently severe across virtually every major jurisdiction, and law enforcement capability to investigate and prosecute this type of crime has improved substantially in recent years. Understanding why these attacks happen is the first step toward recognising the warning signs, building appropriate defences, and contributing to a broader culture that treats this behaviour with the seriousness the law itself already does.

Frequently Asked Questions

Q: Can a DDoS attack steal my personal data?

A: A DDoS attack on its own is generally not designed to steal data directly, since its primary purpose is to overwhelm a system and disrupt availability rather than to breach and extract information. However, DDoS attacks are sometimes used as a deliberate distraction technique, flooding a network with traffic specifically to overwhelm security monitoring while a separate, simultaneous attack focused on data theft or malware deployment occurs in the background, exploiting the chaos and reduced visibility the DDoS attack creates.

Q: How can I tell if my website is experiencing a DDoS attack?

A: Common warning signs include an unusually sudden and dramatic spike in traffic that does not correspond to any legitimate marketing activity or viral content, slow loading times or complete unavailability of your website or online service, an unusual pattern of traffic coming from a single suspicious geographic region or a narrow range of IP addresses, and server resource monitoring showing CPU, memory, or bandwidth usage maxed out without a corresponding increase in genuine customer activity. Most organisations confirm suspected DDoS activity using network monitoring tools or by consulting directly with their hosting provider or dedicated DDoS mitigation service.
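
Two of the warning signs above, a sudden traffic spike and traffic concentrated in a narrow range of IP addresses, can be checked directly against a web server access log. The following Python sketch is an added example, not part of the original article: it assumes Common Log Format input, and the thresholds, the /24 grouping and the sample log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')  # Common Log Format prefix

def parse(lines):
    """Yield (minute, source network) per parseable line; skip malformed ones."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        prefix = 24 if addr.version == 4 else 48  # group clients by /24 or /48
        yield ts.replace(second=0), ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def detect(lines, spike_factor=5.0, concentration=0.5, min_requests=20):
    """Flag minutes busier than spike_factor x the median of earlier normal minutes."""
    nets_by_minute = defaultdict(Counter)
    for minute, net in parse(lines):
        nets_by_minute[minute][net] += 1
    alerts, history = [], []
    for minute in sorted(nets_by_minute):
        count = sum(nets_by_minute[minute].values())
        baseline = sorted(history)[len(history) // 2] if history else None
        if baseline and count >= min_requests and count > spike_factor * baseline:
            top_net, hits = nets_by_minute[minute].most_common(1)[0]
            alerts.append({"minute": minute.strftime("%H:%M"), "requests": count,
                           "baseline": baseline, "top_net": str(top_net),
                           "narrow_source": hits / count >= concentration})
        else:
            history.append(count)  # keep flagged minutes out of the baseline
    return alerts

def sample_log():
    """Constructed data: five quiet minutes, then a burst mostly from one /24."""
    fmt = '{} - - [12/Mar/2024:10:{:02d}:{:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = ["malformed line that the parser must skip"]
    for minute in range(5):
        lines += [fmt.format(f"192.0.2.{s + 1}", minute, s * 10) for s in range(4)]
    lines += [fmt.format(f"203.0.113.{i + 1}", 5, i) for i in range(50)]
    lines += [fmt.format(f"198.51.100.{i + 100}", 5, i) for i in range(10)]
    return lines

if __name__ == "__main__":
    print(detect(sample_log()))
```

A flagged minute with narrow_source set to False is still worth investigating: a spike spread across many networks is what a widely distributed flood, or a genuine surge of visitors, looks like in the same log.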

Q: Is it possible to completely prevent a DDoS attack?

A: Complete prevention is extremely difficult given that attackers can theoretically generate traffic volumes that exceed almost any individual organisation’s available bandwidth, but effective mitigation is very achievable. Most organisations today rely on specialised DDoS protection services, such as those offered by Cloudflare, Akamai, or AWS Shield, which can absorb and filter massive volumes of malicious traffic before it ever reaches the target’s actual infrastructure, combined with properly configured firewalls, rate limiting, and network architecture designed with redundancy and scalability in mind.

Q: Why do attackers target gaming services and platforms so frequently?

A: Online gaming has consistently ranked among the most heavily targeted sectors for DDoS attacks for several specific reasons: competitive gamers sometimes launch attacks against opponents during matches to gain an unfair advantage, gaming platforms experience intense reputational and financial pressure during downtime since players will quickly switch to competing platforms, and the gaming community has historically had easy access to cheap, simple-to-use DDoS-for-hire tools specifically marketed toward this audience, lowering the barrier to entry for attacks driven by little more than personal rivalry or frustration.

Q: What should I do if I believe someone is launching a DDoS attack against me personally?

A: If you believe you are the target of a personal DDoS attack, the most important immediate steps are documenting everything you can about the attack, including timestamps and any available technical details, contacting your internet service provider to report the activity and request assistance, and reporting the incident to your national law enforcement cybercrime reporting channel, since DDoS attacks are criminal offences in nearly all jurisdictions. If the attack is connected to online gaming or a specific platform, consider using a VPN to mask your IP address going forward and report the behaviour to the platform itself, since many gaming services have policies and reporting mechanisms specifically addressing this issue.

Protect Your Business Before the Flood Hits

  • DDoS attacks don’t ask permission. Make sure your defences don’t either.
  • Evaluate DDoS protection: cloudflare.com  |  aws.amazon.com/shield  |  akamai.com
  • Monitor your traffic patterns continuously, not just during an active incident
  • Build an incident response plan before you need one
  • Report attacks to law enforcement — silence only protects the attacker

Resilience isn’t optional anymore. It’s the cost of being online.
