When someone is murdered, the detective usually asks the question “cui bono?”. Well, they may not ask it in Latin, but they want to know who benefits from this person’s death.
I wanted to know the same thing when a DDOS attack is executed. Some of the largest were done not for gain, but for revenge. For example, Spamhaus was DDOSed in 2014 by a group calling themselves Stophaus.
I can summarize this attack as “You made me mad, so I’m gong to knock you off the net.”
Who gains from this? The person making the attack gets satisifaction, usually accompanied by the bully’s battle cry “Look what you made me do!”. No monetary gain there at all. The defender has to buy a defense to keep themselves on the network, so they lose money and the only one to gain in this situation is the provider of the DDOS defense.
On the other hand, there are businesses receiving extortion letters. Pay us off or we DDOS you. Apparently there’s little follow through on it, but if you pay off a blackmailer expect to keep paying. The best bet is to strengthen your defenses.
Again, the attackers gain nothing monetarily and it’s the DDOS defense companies who make money.
DDOS is also occasionally a political act between countries.
There’s no money changing hands here either, except for the defenders.
The exception to all of this, of course, is if you buy your DDOS from someone else. Then they get money. It’s shockingly easy to buy a DDOS.
Knowing all of this, what can we do to interrupt the DDOS economic model?
If you have ideas or something you think will spark interest, write aField Note and submit it at https://dtrap.acm.org/ Share your ideas with researchers and practitioners and help bridge the gap.