After a DDoS attack, the most common executive question is: 'Who did this?' The honest technical answer is usually: 'We can't say with certainty.' Attribution in DDoS is fundamentally different from attribution in data breaches — and the gap between what's knowable and what's claimed in press releases is vast.
Why DDoS Attribution Is Difficult
- Botnet nodes are compromised third-party devices — the real attacker is behind them.
- Reflection attack traffic appears to originate from legitimate servers.
- C2 infrastructure is typically operated through multiple VPN and proxy layers.
- Booter services mean even low-skill attackers can launch terabit attacks — capability no longer indicates sophistication.
What Can Be Attributed
- Attack tooling: specific tool fingerprints, timing patterns, and protocol signatures.
- C2 infrastructure: occasionally linkable to known threat groups through prior takedown data.
- Motive inference: timing relative to political events, business disputes, or extortion demands.
- Email attribution: ransom demand emails sometimes contain trackable metadata.
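The "trackable metadata" in a ransom email is mostly its header chain: each `Received:` header records one mail-server hop, the `Message-ID` names the host that generated the message, and client headers such as `X-Mailer` hint at the sending software. The script below is an added example (not Akarguard's code) that pulls those fields out of a constructed message and orders the hops earliest-first. The host names, addresses and the assumption that only the topmost `Received:` header was written by the victim's own mail server (`TRUSTED_HOPS = 1`) are part of the example; every hop below that one was written by somebody else's server and could have been forged.

```python
"""Extract attribution-relevant metadata from a ransom demand email.

Added example for this article, not Akarguard's code. SAMPLE_EMAIL is
constructed; host names and addresses are documentation ranges, and
TRUSTED_HOPS = 1 assumes only the topmost Received header came from a
mail server we control.
"""
import re
from email import message_from_string

TRUSTED_HOPS = 1  # Received headers written by infrastructure we control (assumed)

SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.9]) by mx.victim.example (Postfix) with ESMTP id ABC123; Wed, 01 May 2024 10:05:00 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77]) by mail.example.net (Postfix) with ESMTPA id DEF456; Wed, 01 May 2024 10:04:58 +0000
Message-ID: <20240501100458.1234@mail.example.net>
Date: Wed, 01 May 2024 10:04:58 +0000
From: sender@example.net
To: security@victim.example
Subject: (constructed sample; demand text omitted)
X-Mailer: ExampleClient 1.0

(body omitted)
"""

# "from <host> (<comment with [ip]>) by <host>" is the common Received layout.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_hop(value):
    """Break one Received header into the claimed sender, its IP and the receiving host."""
    text = " ".join(value.split())  # unfold any continuation lines
    m = HOP_RE.search(text)
    if not m:
        return {"raw": text}
    ip = IP_RE.search(m.group(2))
    return {
        "from": m.group(1),
        "ip": ip.group(1) if ip else None,
        "by": m.group(3),
        # ESMTPA means the relay accepted the message from an authenticated
        # account, which is a lead for a law-enforcement request to that provider.
        "authenticated": " with ESMTPA" in text,
    }


def extract_email_metadata(raw, trusted_hops=TRUSTED_HOPS):
    """Return the header-derived fields worth preserving for a complaint or claim."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []  # top of message = last hop
    hops = []
    for i, value in enumerate(received):
        hop = parse_hop(str(value))
        hop["trusted"] = i < trusted_hops  # only our own server's entry is verifiable
        hops.append(hop)
    hops.reverse()  # earliest hop first, so hops[0] is the closest to the sender
    mid = str(msg.get("Message-ID", ""))
    return {
        "message_id": mid,
        "message_id_domain": mid.rsplit("@", 1)[-1].rstrip(">") if "@" in mid else None,
        "date": msg.get("Date"),
        "client": msg.get("X-Mailer") or msg.get("User-Agent"),
        "hops": hops,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_email_metadata(SAMPLE_EMAIL), indent=2))
```

The `trusted` flag is the important part: in the sample, the hop from `192.0.2.77` is the most interesting lead, but it was recorded by `mail.example.net`, not by the victim's MX, so it is a claim to verify with that provider rather than a fact to put in a report.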
When Attribution Matters
For law enforcement prosecution, for cyber insurance claims requiring attribution, and for proportional response planning, attribution work is worth doing even when incomplete. Preserve all logs during an attack — Akarguard's detailed attack logs include source ASN distribution, attack vector breakdown, and timeline data that support both law enforcement requests and insurance claims.
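To make the three attributable signals above (tool and protocol signatures, source distribution, timeline) concrete, here is an added example, not Akarguard's code, that turns flow records into the kind of evidence summary the paragraph describes: an attack-vector breakdown, a source-ASN distribution and a per-minute timeline, with a note on each vector saying how far its source addresses can be trusted. The record layout (`ts`, `src_ip`, `src_asn`, `src_port`, `dst_port`, `proto`, `bytes`, `packets`) is an assumed NetFlow-style export, the reflector port list and the 80-byte SYN-flood threshold are heuristics chosen for the example, and `SAMPLE_RECORDS` is constructed.

```python
"""Summarise DDoS flow records into an attribution evidence package.

Added example for this article, not Akarguard's code. The record fields are an
assumed NetFlow-style layout, REFLECTOR_PORTS and the 80-byte threshold are
heuristics for the example, and SAMPLE_RECORDS is constructed.
"""
from collections import Counter
from datetime import datetime
import json

# UDP services commonly abused as reflectors (assumed list for the example).
# When the *source* port is one of these, the source address is a third-party
# reflector that answered a spoofed request; it is not the attacker.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 389: "cldap",
                   1900: "ssdp", 11211: "memcached"}

# What each vector family implies about the source addresses in the logs.
SOURCE_NOTES = {
    "reflection": "source IPs are abused reflectors; the spoofing host is unknown",
    "udp-flood": "source IPs are trivially spoofable; treat as unverified",
    "tcp-syn-flood": "source IPs are usually spoofed; treat as unverified",
    "tcp-session": "sources completed handshakes, so they are real hosts, "
                   "but likely compromised bots rather than the operator",
}

SAMPLE_RECORDS = [  # constructed; documentation address ranges and private ASNs
    {"ts": "2024-05-01T10:00:05Z", "src_ip": "198.51.100.10", "src_asn": 64500,
     "src_port": 53, "dst_port": 443, "proto": "udp", "bytes": 30000, "packets": 10},
    {"ts": "2024-05-01T10:00:20Z", "src_ip": "198.51.100.11", "src_asn": 64500,
     "src_port": 123, "dst_port": 443, "proto": "udp", "bytes": 40000, "packets": 100},
    {"ts": "2024-05-01T10:00:40Z", "src_ip": "203.0.113.5", "src_asn": 64501,
     "src_port": 40000, "dst_port": 443, "proto": "udp", "bytes": 10000, "packets": 100},
    {"ts": "2024-05-01T10:01:02Z", "src_ip": "203.0.113.6", "src_asn": 64501,
     "src_port": 51000, "dst_port": 443, "proto": "tcp", "bytes": 4000, "packets": 100},
    {"ts": "2024-05-01T10:01:15Z", "src_ip": "192.0.2.20", "src_asn": 64502,
     "src_port": 52000, "dst_port": 443, "proto": "tcp", "bytes": 60000, "packets": 200},
    {"ts": "2024-05-01T10:01:30Z", "src_ip": "198.51.100.12", "src_asn": 64500,
     "src_port": 1900, "dst_port": 443, "proto": "udp", "bytes": 50000, "packets": 50},
]


def classify_vector(rec):
    """Heuristic vector label for one flow record (protocol signature only)."""
    if rec["proto"] == "udp":
        service = REFLECTOR_PORTS.get(rec["src_port"])
        return f"reflection:{service}" if service else "udp-flood"
    if rec["proto"] == "tcp":
        # Tiny average packet size means no payload: SYN-flood-like traffic.
        return "tcp-syn-flood" if rec["bytes"] / rec["packets"] < 80 else "tcp-session"
    return "other"


def source_note(vector):
    """Map a vector label (e.g. 'reflection:dns') to its source-trust note."""
    return SOURCE_NOTES.get(vector.split(":")[0], "unclassified")


def build_evidence(records):
    """Aggregate records into vector, ASN and timeline views suitable for a report."""
    vector_bytes, asn_bytes, minute_bytes = Counter(), Counter(), Counter()
    for rec in records:
        vector_bytes[classify_vector(rec)] += rec["bytes"]
        asn_bytes[rec["src_asn"]] += rec["bytes"]
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        minute_bytes[ts.replace(second=0, microsecond=0).isoformat()] += rec["bytes"]
    total = sum(vector_bytes.values())
    timeline = sorted(minute_bytes.items())
    peak_minute, peak_bytes = max(timeline, key=lambda kv: kv[1])
    return {
        "total_bytes": total,
        "vectors": [{"vector": v, "bytes": b, "share": round(b / total, 3),
                     "source_note": source_note(v)}
                    for v, b in vector_bytes.most_common()],
        "top_source_asns": [{"asn": a, "bytes": b, "share": round(b / total, 3)}
                            for a, b in asn_bytes.most_common(5)],
        "timeline": [{"minute": m, "bytes": b} for m, b in timeline],
        "peak": {"minute": peak_minute, "bits_per_second": peak_bytes * 8 / 60},
    }


if __name__ == "__main__":
    print(json.dumps(build_evidence(SAMPLE_RECORDS), indent=2))
```

On the sample data the largest source ASN is the one hosting the DNS, NTP and SSDP reflectors, which is exactly the trap the article warns about: the ASN distribution is valid evidence of which networks carried the traffic, but for reflection vectors it identifies victims of the spoofed requests, not the operator, and the `source_note` field keeps that caveat attached to the number wherever the summary is forwarded.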