The cybersecurity industry has spent three decades building faster, smarter, more expensive defenses against distributed denial-of-service attacks. And yet, here we are. In March 2026, twelve hacktivist groups claimed 149 DDoS attacks against 110 organizations in 16 countries within a single 72-hour window following the U.S.-Israel strikes on Iran. The attacks targeted government portals, airports, banks, telecoms, and a U.S. port. The technique they used — network denial-of-service (MITRE ATT&CK T1498) — dates back to the 1990s.
Every few years, the industry declares DDoS a nuisance-level threat, something to be absorbed by scrubbing centers and CDN providers. And every few years, the data says otherwise. Understanding why requires looking past the headlines about specific campaigns and into the structural mechanics that make DDoS not just persistent, but accelerating.
The Numbers That Should Alarm You
Three major reports published in early 2026 collectively paint a picture of a threat that has fundamentally changed in scale.
Cloudflare's 2026 Threat Report, drawing on telemetry from roughly 20% of global web traffic, documented 47.1 million DDoS attacks across 2025 — more than double the previous year. Network-layer attacks alone tripled year over year. The company's Cloudforce One team recorded 19 new world-record DDoS attacks during the year. The largest was a 31.4 Tbps UDP flood launched by the Aisuru botnet in November 2025, nearly six times the peak volume of the largest attack observed in 2024. The Aisuru botnet and its successor, Kimwolf, collectively control an estimated one to four million infected hosts, according to the Cloudflare report, with Kimwolf seeing over 550 command-and-control nodes null-routed in early 2026.
Radware's 2026 Global Threat Analysis Report, released on February 19, 2026, found that network-layer DDoS attacks targeting OSI layers 3 and 4 increased 168.2% year over year, with peak volumes approaching 30 Tbps. In the second half of 2025, the average Radware customer experienced over 25,351 network-layer DDoS attacks — an average of 139 attacks per day. Web DDoS attacks increased 101.4%, and malicious application and API transactions rose 128%.
Link11's European Cyber Report 2026, published March 2, 2026, found that documented DDoS attacks on their network rose 75% in 2025, following 137% growth the prior year. Three separate attacks surpassed 1 Tbit/s. The longest sustained attack lasted 12,388 minutes — over eight days without interruption. Active DDoS attacks were observed 88% of the time, covering 322 days of the year. After an initial attack, there was a greater than 70% probability of at least one follow-up, with an average of 2.8 subsequent attacks per incident.
We are experiencing a clear paradigm shift. DDoS is no longer a disruptive one-off event but rather a permanent strategic burden on digital business models. Those who only react when an attack occurs have already lost. — Jens-Philipp Jung, Founder and CEO, Link11
These are not isolated statistics from vendors selling protection products. They describe a convergent trend across three independent global datasets. DDoS has become a background condition of being connected to the internet.
The Anatomy of a Technique That Will Not Quit
To understand why DDoS persists, it helps to understand what it is at a technical level — and more importantly, what makes it fundamentally asymmetric.
MITRE ATT&CK technique T1498 (Network Denial of Service) describes the adversary goal of degrading or blocking the availability of targeted resources by exhausting the network bandwidth those resources depend on. (Exhausting the target's own compute, memory, or connection-table capacity is catalogued separately as T1499, Endpoint Denial of Service, though real campaigns routinely combine the two.) T1498 includes two sub-techniques that represent distinct mechanisms with different defensive challenges.
T1498.001 — Direct Network Flood is the brute-force approach. The attacker directs traffic from a controlled botnet — a network of compromised devices — straight at the target: UDP floods, TCP SYN floods, ICMP floods, or whatever protocol the target will answer. The goal is raw volume: saturate the target's inbound links or, in the SYN-flood case, exhaust its ability to track half-open connections. Defense requires absorbing or filtering traffic that can reach tens of terabits per second, which is beyond the capacity of any single organization's network infrastructure without upstream mitigation (provider scrubbing, anycast absorption, or remotely triggered blackholing).
T1498.002 — Reflection Amplification is the force multiplier. Instead of sending traffic directly, the attacker sends small requests to legitimate third-party services (open DNS resolvers, NTP servers, memcached instances exposed on UDP) with a spoofed source address: the victim's IP. Because UDP carries no handshake, those services answer whatever address is in the packet, so their much larger responses land on the victim. A single 64-byte DNS query can elicit a roughly 3,000-byte response, an amplification factor near 50x; memcached amplification has been measured above 50,000x. This means an attacker with 1 Gbps of outbound capacity can direct 50 Gbps or more at a target using only freely available, legitimate internet infrastructure, and the victim sees traffic arriving from the reflectors rather than from the attacker. The entire technique depends on the attacker's network forwarding packets with a forged source address.
Network Denial of Service is documented as MITRE ATT&CK technique T1498. The sub-techniques — Direct Network Flood (T1498.001) and Reflection Amplification (T1498.002) — represent fundamentally different attack mechanics that require layered defensive strategies. Understanding both is essential for building DDoS resilience.
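The arithmetic above, plus a flow-level detector for the reflection pattern the text describes, as an added example that is not code from the original article or any vendor product. The flow records are constructed, the reflector port list and the thresholds (distinct reflector count, average packet size) are assumptions to calibrate against your own traffic, and the amplification factors are approximate figures rather than measurements from this page. The detector goes slightly beyond the text in that it keys on the service port appearing as the source port of UDP traffic, which is the signature a victim actually sees during reflection:

```python
"""Reflection-amplification (ATT&CK T1498.002) arithmetic and a flow detector.

Added example, not code from the original article. Flow records are
constructed; reflector ports, amplification factors and thresholds are
assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the service port that
# shows up as the *source* port of reflected traffic, with an approximate
# bandwidth amplification factor (response bytes / request bytes). Assumed.
REFLECTORS = {
    53: ("DNS", 50),
    123: ("NTP", 550),
    1900: ("SSDP", 30),
    11211: ("memcached", 50_000),
}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor for one request/response pair."""
    return response_bytes / request_bytes


def attacker_uplink_gbps(target_gbps: float, factor: float) -> float:
    """Outbound capacity the attacker needs to land target_gbps on the victim."""
    return target_gbps / factor


def detect_reflection(flows, min_sources=20, min_avg_pkt=900):
    """Flag destinations receiving amplified answers from many reflectors.

    A reflection victim sees many distinct hosts answering queries it never
    sent, and those answers are large. Both conditions must hold before a
    destination is reported, so a host talking to its two normal resolvers
    is not flagged. Returns {victim_ip: summary}.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0,
                                   "octets": 0, "services": set()})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTORS:
            continue
        agg = per_dst[f.dst]
        agg["sources"].add(f.src)
        agg["packets"] += f.packets
        agg["octets"] += f.octets
        agg["services"].add(REFLECTORS[f.sport][0])
    hits = {}
    for dst, agg in per_dst.items():
        avg_pkt = agg["octets"] / agg["packets"] if agg["packets"] else 0
        if len(agg["sources"]) >= min_sources and avg_pkt >= min_avg_pkt:
            hits[dst] = {"sources": len(agg["sources"]),
                         "octets": agg["octets"],
                         "avg_packet_bytes": round(avg_pkt),
                         "services": sorted(agg["services"])}
    return hits


# Constructed sample: 40 open resolvers (10.0.0.0/8 stand-ins) each sending
# 500 answers of ~3,000 bytes to 203.0.113.10 (a documentation address),
# plus ordinary DNS replies to 198.51.100.5 from its two configured resolvers.
SAMPLE_FLOWS = [
    Flow(f"10.{i // 256}.{i % 256}.53", 53, "203.0.113.10", 4000 + i,
         "udp", 500, 500 * 3000)
    for i in range(40)
] + [
    Flow("10.9.9.1", 53, "198.51.100.5", 51000, "udp", 120, 120 * 180),
    Flow("10.9.9.2", 53, "198.51.100.5", 51001, "udp", 95, 95 * 210),
]

if __name__ == "__main__":
    print("DNS BAF for 64B -> 3000B:", round(amplification_factor(64, 3000), 1))
    print("uplink needed for 50 Gbps at 50x:", attacker_uplink_gbps(50, 50), "Gbps")
    for victim, info in detect_reflection(SAMPLE_FLOWS).items():
        print(victim, info)
```

In production the same grouping runs over sFlow/NetFlow/IPFIX exports per time bucket; the two signals worth keeping are the count of distinct reflector sources and the average response size, because either one alone (a busy recursive resolver, or a single large zone transfer) is normal traffic.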
The core asymmetry is this: the cost to generate attack traffic is negligible compared to the cost of absorbing it. And that asymmetry is getting worse, not better, thanks to three converging forces.
Force One: The $30 Subscription Economy
DDoS attacks do not require sophisticated tooling, deep technical knowledge, or substantial financial resources. They require a subscription.
The DDoS-for-hire market — consisting of services variably marketed as "booters," "stressers," or "IP stress testing" platforms — operates on a SaaS model with pricing that mirrors legitimate cloud services. Cloudflare's documentation notes that basic monthly booter plans start as low as $19.99. Research from Searchlight Cyber found subscription tiers ranging from $30 per month to $18,000 per quarter for premium services, with the most expensive options offering unlimited daily attacks, two-hour attack durations, and 100 concurrent sessions. Kaspersky research found that daily attack fees range from $20 to $10,000 depending on the target and duration, while Arbor Networks (now NETSCOUT) previously estimated that a $60-per-day DDoS service can inflict approximately $720,000 in damage to a victim organization.
This is not a fringe market. One platform analyzed by Searchlight Cyber, Nightmare Stresser, had over 566,000 registered users and 52 attack servers supporting 28 different methods across Layer 4 (UDP/TCP) and Layer 7 (application). These services accept cryptocurrency, require no verification of the buyer's relationship to the target, and provide polished dashboards, customer support via Telegram, and even free trial tiers.
The pipeline from the underground economy to real-world damage was illustrated starkly in March 2026. Poland's Central Bureau for Combating Cybercrime (CBZC) identified seven minors, aged 12 to 16, who had been running a profit-driven DDoS tool distribution operation. According to investigators, the group administered tools used to attack auction portals, IT domains, hosting services, and booking platforms. Officers seized smartphones, laptops, storage drives, and handwritten documentation during searches across four Polish regions. Separately, in February 2026, CBZC arrested a 20-year-old who had operated a multi-layered botnet using C2 stressers, confessing to global DDoS attacks against strategically important websites.
Law enforcement is pursuing DDoS sellers aggressively. Poland's CBZC reported a 30% increase in cybercrime charges in 2025, participated in Europol's Operation PowerOFF, and nearly doubled its staff to over 1,000 officers. But the economic model regenerates faster than enforcement can suppress it. Searchlight Cyber found DDoS-for-hire services thriving despite coordinated international takedowns.
Force Two: The IoT Botnet Arms Race
The supply side of DDoS has fundamentally changed because the internet itself has changed. There are now billions of IoT devices online — cameras, routers, DVRs, smart home devices — and the security posture of these devices has not kept pace with their deployment.
The Aisuru botnet, responsible for the record-setting 31.4 Tbps attack observed by Cloudflare in November 2025, controls an estimated one to four million infected hosts. These are not compromised enterprise servers. They are consumer devices with default credentials, unpatched firmware, and no monitoring. Kaspersky's research has documented that IoT-based botnets are cheaper to build and operate than server-based botnets because cameras and consumer devices are less secure — a vulnerability that device owners routinely ignore.
This matters because it creates an essentially unlimited supply of attack infrastructure at near-zero cost to the attacker. Every unsecured webcam, every home router running outdated firmware, every smart plug with a default password is a potential node in the next record-breaking DDoS campaign. And unlike server-based infrastructure that can be traced and taken down, consumer IoT devices are distributed across millions of residential networks with no centralized point of remediation.
Cloudflare noted that the majority of DDoS attacks in 2025 lasted under 10 minutes, a critical detail. These are not sustained sieges. They are rapid, automated bursts designed to overwhelm before human-led response can engage. The attack window has shrunk below the practical reaction time of any security operations center operating without automated, always-on mitigation.
Force Three: Geopolitics as an Accelerant
The March 2026 campaign demonstrated the third structural force with brutal clarity: geopolitical conflict converts the latent DDoS ecosystem into a directed weapon overnight.
When the U.S. and Israel launched their joint strikes against Iran on February 28, 2026, hacktivist groups mobilized within hours. According to Palo Alto Networks Unit 42, an entity called the "Electronic Operations Room" was established on the same day as the strikes to coordinate hacktivist campaigns. Within 72 hours, 149 DDoS attack claims had been recorded against 110 organizations in 16 countries, according to analysis from Radware, Cisco Talos, and others.
The campaign was not random. Radware's data, cited by multiple outlets, found the activity was dominated by three groups — Keymous+, DieNet, and NoName057(16) — who collectively accounted for 74.6% of the attacks. Intel 471's analysis identified that Israel was the hardest-hit country, followed by Kuwait and Jordan, with national government, aerospace and defense, and technology as the primary target sectors. Targets ranged from Israeli banks to Qatari government portals to the Port of Los Angeles.
The geopolitical dimension matters because it provides the one ingredient that the commercial DDoS pipeline cannot supply on its own: motivation at scale. A $30 booter subscription is a tool. A geopolitical trigger is what turns thousands of individuals with access to those tools into a coordinated force. Radware's 2026 Global Threat Analysis Report found that the primary driver of DDoS activity globally in 2025 remained geopolitical and ideological conflict, with Europe absorbing 48.4% of all hacktivist-claimed attacks and government services accounting for 38.8% of targets.
Organizations must adopt resilient, automated defenses capable of responding in seconds — not minutes — to stay ahead in this environment. — Pascal Geenans, VP of Threat Intelligence, Radware
The Question Nobody Is Asking Loudly Enough
Coverage of the March 2026 DDoS campaign has focused on attribution: which groups attacked, what they hit, how many claims were made. That reporting is valuable. But it skips over a harder question: what would it take to make DDoS fundamentally unviable as a technique?
The honest answer is that nothing currently on the horizon achieves that. Here is why.
DDoS exploits the architecture of the internet itself. IP provides no authentication of a packet's source address, so the address can be forged, and forged sources are what make reflection amplification possible. Any connectionless service that answers a request will answer a forged one, and even for TCP a host has to spend state or computation (a SYN cookie, a TLS handshake) before it can tell a legitimate connection attempt from an attack packet. This is not a bug in a specific product. It is a design characteristic of the network layer that all internet-connected systems share.
BCP38 (Best Current Practice 38, published as RFC 2827 in 2000), also known as network ingress filtering, asks every network to drop outbound packets whose source address it could not legitimately have originated. Routers implement it as unicast reverse path forwarding (uRPF), and BCP84 (RFC 3704) relaxes it for multihomed networks. Universally deployed, it would remove the forged source addresses that reflection amplification depends on and significantly reduce spoofed-source attacks generally. It has not been universally deployed. Twenty-six years later, adoption remains incomplete because there is no enforcement mechanism and no economic incentive for networks that are not themselves being targeted. The networks that source spoofed traffic bear no cost for enabling it, and a victim cannot even tell which networks they are.
Application-layer DDoS (Layer 7) makes the problem even harder. These attacks imitate legitimate user behavior — valid HTTP requests, proper TLS handshakes, realistic browsing patterns — and aim at the endpoints that are expensive for the origin to serve (search, login, report generation, uncached API calls), so a modest request rate that never trips a volumetric threshold can still exhaust worker pools and database connections. Detection has to reason about per-client cost and behavior rather than packets per second. Link11 specifically flagged this trend, noting that modern attacks are combining extreme bandwidth with tactical patience and increasingly targeting Layer 7 to evade classic detection.
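The ingress-filtering decision itself, modelled in Python as an added example (not code from the original article or from any router vendor, where the same check runs in the forwarding plane). The forwarding table, interface names and packets are constructed; the strict and loose modes mirror what uRPF implementations offer, with the default route excluded from loose mode as most implementations do unless told otherwise:

```python
"""Ingress-filtering (BCP38 / uRPF) decision logic, modelled in Python.

Added example, not code from the original article or any router vendor.
The forwarding table, interface names and packets are constructed.
"""
from ipaddress import ip_address, ip_network

# Forwarding table of a provider edge router: prefix -> egress interface.
# Customer prefixes point at customer ports; everything else goes upstream.
FIB = {
    ip_network("192.0.2.0/24"): "cust-A",
    ip_network("2001:db8:1::/48"): "cust-A",
    ip_network("198.51.100.0/24"): "cust-B",
    ip_network("203.0.113.0/24"): "upstream",   # a remote network (the victim)
    ip_network("0.0.0.0/0"): "upstream",
    ip_network("::/0"): "upstream",
}


def best_route(addr):
    """Longest-prefix match for addr; returns (network, interface) or None."""
    matches = [(net, ifc) for net, ifc in FIB.items()
               if net.version == addr.version and addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_accept(src, ingress, mode="strict"):
    """Return True if a packet with source src arriving on ingress may be forwarded.

    strict: the best route to src must point back out the ingress interface.
            This is BCP38 as applied to a single-homed customer port.
    loose:  any route to src other than the default suffices (the BCP84
            relaxation for multihomed customers). It stops only unrouted or
            bogon sources; it does not stop a customer forging another
            routed network's address.
    """
    route = best_route(ip_address(src))
    if route is None:
        return False
    net, ifc = route
    if mode == "loose":
        return net.prefixlen > 0
    if mode == "strict":
        return ifc == ingress
    raise ValueError(f"unknown uRPF mode {mode!r}")


def filter_batch(packets, mode="strict"):
    """Apply urpf_accept to (src, ingress) pairs; returns (src, ingress, ok)."""
    return [(src, ingress, urpf_accept(src, ingress, mode))
            for src, ingress in packets]


# Constructed packets arriving on customer port cust-A: a legitimate IPv4
# source, a legitimate IPv6 source, a forged address from another customer's
# block, a forged victim address (the reflection-request case), and an
# unrouted RFC 1918 address.
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust-A"),
    ("2001:db8:1::5", "cust-A"),
    ("198.51.100.7", "cust-A"),
    ("203.0.113.10", "cust-A"),
    ("10.0.0.1", "cust-A"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode)
        for src, ingress, ok in filter_batch(SAMPLE_PACKETS, mode):
            print(f"  {src:>16} via {ingress}: {'forward' if ok else 'drop'}")
```

The fourth packet is the one that matters for this article: a customer host forging the victim's address toward an open resolver. Strict mode drops it at the first hop; loose mode forwards it, because the victim's prefix is routable. On a Linux router the same two behaviours are the `rp_filter` sysctl values 1 (strict) and 2 (loose) under `net.ipv4.conf.<interface>.rp_filter`.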
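A cost-weighted detector for the Layer 7 case, run over access-log lines, as an added example that is not code from the original article or from Link11 or Radware. The log lines are constructed, and the per-path cost table, window and budget are assumptions to be calibrated against real origin timings. It shows the point the paragraph makes: the client hammering the search endpoint sends far fewer requests than the one fetching a static asset, yet only the former exceeds the origin's budget.

```python
"""Cost-weighted rate detection for Layer 7 floods over access-log lines.

Added example, not code from the original article. Log lines are
constructed; path costs, window and budget are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common/combined log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Relative back-end cost per request: an uncached search or a bcrypt login
# costs the origin far more than a cached asset. Assumed values.
PATH_COST = {"/search": 10.0, "/login": 5.0, "/api/report": 8.0}
DEFAULT_COST = 1.0


def parse(line):
    """Return (client_ip, timestamp, path-without-query) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    path = m["path"].split("?", 1)[0]
    return m["ip"], ts, path


def cost_of(path):
    return PATH_COST.get(path, DEFAULT_COST)


def detect_l7(lines, window_s=10, budget=60.0):
    """Return {client_ip: peak cost} for clients whose cost in any sliding
    window of window_s seconds exceeds budget. Uses event time from the log,
    so it works on replayed logs as well as a live tail."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, ts, path = parsed
            events[ip].append((ts, cost_of(path)))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, running, peak = 0, 0.0, 0.0
        for ts, c in evs:
            running += c
            # Slide the window start forward until it is within window_s of ts.
            while (ts - evs[start][0]).total_seconds() >= window_s:
                running -= evs[start][1]
                start += 1
            peak = max(peak, running)
        if peak > budget:
            flagged[ip] = round(peak, 1)
    return flagged


def _line(ip, sec, path):
    """Build one constructed log line at 12:00:<sec> on a fixed date."""
    return (f'{ip} - - [10/Mar/2026:12:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 1024')


# Constructed sample: 8 searches in 8 s from one client (low rate, high cost),
# 50 static fetches in 10 s from another (high rate, low cost), and 4 logins
# spread over 12 s from a third (ordinary behaviour).
SAMPLE_LOG = (
    [_line("203.0.113.77", s, f"/search?q=term{s}") for s in range(8)]
    + [_line("198.51.100.20", s // 5, "/static/app.js") for s in range(50)]
    + [_line("192.0.2.9", s * 3, "/login") for s in range(4)]
)

if __name__ == "__main__":
    for ip, peak in detect_l7(SAMPLE_LOG).items():
        print(f"{ip}: peak weighted cost {peak} in a 10 s window")
```

A pure request-count threshold set to catch the static-asset client would either miss the search client entirely or, set low enough to catch it, block ordinary browsing; weighting by what each endpoint actually costs the origin is what lets the same rule do both.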
Then there is the question of accountability in the IoT supply chain. The devices powering the largest botnets are manufactured by companies that have no legal obligation to maintain their security posture post-sale, sold through distribution chains that add no security layer, and operated by consumers who have no visibility into whether their devices are participating in attacks. Until the economic incentives in this supply chain change — through regulation, liability, or mandatory security standards — the botnet recruitment pool will continue to grow.
DDoS is increasingly used as a distraction for more damaging operations happening simultaneously. During the March 2026 campaign, Cisco Talos confirmed that the Iranian APT group Seedworm (MuddyWater) deployed a previously unknown custom backdoor called Dindoor against U.S. companies, while Unit 42 identified phishing campaigns using weaponized Android packages. Link11's CEO has warned that DDoS attacks in 2026 will serve primarily as smokescreens for data theft, malware deployment, and network intrusion.
What Defenders Need to Internalize
If DDoS is a permanent condition rather than an intermittent event, the defensive posture has to change accordingly. The guidance from the threat intelligence community is converging around several principles.
Always-on beats reactive. With most attacks lasting under 10 minutes and follow-up attacks occurring more than 70% of the time, manual response is no longer viable for initial mitigation. Automated, always-on DDoS protection is the baseline requirement, not a premium add-on.
Layer 7 is the new front line. Link11 and Radware both emphasize that Web Application and API Protection (WAAP) solutions are now essential complements to network-layer DDoS mitigation. Attackers are increasingly targeting application logic, APIs, and authentication flows rather than raw bandwidth, and these attacks can degrade service without triggering traditional volumetric alerts.
Every DDoS event is a potential indicator of something worse. The March 2026 campaign proved this in real time: DDoS served as the visible layer while APT groups deployed backdoors and phishing infrastructure underneath. Security operations teams should treat any DDoS alert as a trigger for enhanced monitoring across the entire environment, not just the targeted endpoint.
IoT hygiene is upstream defense. CrowdStrike's Adam Meyers specifically flagged IoT device isolation as a priority in his guidance following the Iran conflict escalation. Segmenting IoT devices from production networks, enforcing credential changes on deployment, and monitoring for unusual outbound traffic patterns are measures that reduce the likelihood of organizational devices being recruited into the botnets powering these attacks.
DDoS resilience is a business risk, not a network problem. Link11's Jens-Philipp Jung framed it directly: digital availability is a competitive factor, and cyber resilience determines whether a business model can withstand constant pressure. Revenue impact, SLA violations, regulatory exposure, and reputational damage are the real costs of DDoS. The network team cannot own this risk alone.
Key Takeaways
- DDoS is a permanent background condition of the internet. Link11 recorded active attacks 88% of the time in 2025 — 322 out of 365 days. Cloudflare documented 47.1 million DDoS attacks in a single year. This is no longer an event to respond to. It is an environment to operate within.
- The economics favor the attacker and will continue to do so. Booter subscriptions start at $20-$30 per month. IoT botnets provide nearly unlimited attack infrastructure at near-zero cost. Reflection amplification turns small outbound capacity into massive inbound floods. No realistic enforcement or market correction is eliminating these advantages.
- Geopolitical conflict is the match that lights the existing fuel. The March 2026 campaign was not an anomaly. It was the predictable result of a pre-existing DDoS ecosystem encountering a geopolitical trigger. The infrastructure, the tools, and the motivated operators were all already in place. The strikes on Iran simply provided the coordination signal.
- DDoS is evolving from the main attack to the cover story. The simultaneous deployment of APT backdoors and phishing campaigns alongside the March 2026 DDoS barrage confirms that sophisticated adversaries now treat DDoS as a distraction layer. Defending against the flood while ignoring what moves beneath it is a catastrophic error.
- The internet's architecture is the root cause, and it is not changing. Source address spoofing, the absence of sender authentication at the network layer, and incomplete BCP38 adoption are structural features of TCP/IP that DDoS has exploited for 30 years. Until these change — and there is no indication they will — DDoS remains a permanent feature of the threat landscape.
Sources
- Cloudflare, "Introducing the 2026 Cloudflare Threat Report," Cloudflare Blog, March 2026
- Cloudflare data via Help Net Security, "Cloudflare Tracked 230 Billion Daily Threats," March 3, 2026
- Radware, "2026 Global Threat Analysis Report," GlobeNewswire, February 19, 2026
- Link11, "European Cyber Report 2026: DDoS Attacks Become a Constant Threat," PRNewswire, March 2, 2026
- Palo Alto Networks Unit 42, "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran," March 2, 2026
- Cisco Talos, "Update, March 10: Talos on the Developing Situation in the Middle East," March 10, 2026
- Radware / The Hacker News, "149 Hacktivist DDoS Attacks Hit 110 Organizations," March 11, 2026
- Intel 471 via Industrial Cyber, "Cyber Retaliation Surges After US-Israel Strikes on Iran," March 10, 2026
- CrowdStrike (Adam Meyers) via The Hacker News, March 11, 2026
- Help Net Security, "Teen Crew Caught Selling DDoS Attack Tools," March 10, 2026
- The Register, "Polish Cops Bust Alleged Teen DDoS Kit Sellers," March 10, 2026
- Help Net Security, "Poland DDoS Suspect Arrested," February 5, 2026
- Searchlight Cyber, "Attack-for-Hire Services and the Evolution of DDoS Attacks," 2023
- Cloudflare, "What Is an IP Stresser? DDoS Booters," cloudflare.com/learning