Distributed denial-of-service (DDoS) attacks may be driven not only by economic motives such as extortion, but also by social or political goals, including hacktivism and state-sponsored operations. Therefore, the monetary value of a target alone does not fully explain why some organizations are more frequently victimized. While cloud providers deploy advanced defenses — such as Anycast routing, traffic scrubbing, and filtering — they also concentrate many potential targets within a shared infrastructure, increasing their exposure to DDoS attacks. This study aims to understand what makes organizations more suitable DDoS targets by examining two key attributes: visibility and perceived value, represented by website popularity and industry sector. We also investigate how the customer portfolio of cloud and data center providers influences the DDoS threat to their infrastructure.

Research Questions:
  • How do organizational characteristics related to value and visibility — specifically, popularity and industry sector — correlate with the threat of DDoS attacks?
  • How does the diversity of customer business sectors hosted by a cloud or data center provider influence the DDoS threat to its infrastructure?

Methodology: We conducted a large-scale analysis of DDoS incidents inferred from network telescope data spanning five years. We estimated target visibility and value using Alexa ranks and Cisco Umbrella content categories. We also analyzed the relationship between customer sector composition and DDoS threat at the provider level.

Key Findings:
  • Popular websites are more frequently attacked, though this pattern weakened during the COVID-19 pandemic.
  • Certain industry sectors face significantly higher and repeated DDoS threats.
  • Cloud providers serving a higher proportion of high-risk sectors are more likely to face frequent DDoS attacks.

Victimization in DDoS attacks: The role of popularity and industry sector / Haq, Muhammad Yasir Muzayan; Affinito, Antonia; Botta, Alessio; Sperotto, Anna; Nieuwenhuis, Lambert J. M.; Jonker, Mattijs; Abhishta, Abhishta. - In: JOURNAL OF INFORMATION SECURITY AND APPLICATIONS. - ISSN 2214-2126. - 94:(2025). [10.1016/j.jisa.2025.104242]

Victimization in DDoS attacks: The role of popularity and industry sector

Affinito, Antonia; Botta, Alessio
2025


Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11588/1048947