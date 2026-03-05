Threat actors ramp up sophistication of DDoS attacks

Sophisticated attacker collaboration, resilient botnets and compromised IoT infrastructure drove more than eight million DDoS attacks worldwide – some as large as 30 terabits per second (Tbps) – in the second half of 2025.

According to NetScout Systems’ 2025 Distributed Denial-of-Service (DDoS) Threat Intelligence Report, this marks a new era of hyperscale, coordinated threat activity that continues to outpace global takedown efforts.

Meanwhile, the accelerating growth of DDoS-for-hire services is empowering a broader range of threat actors, intensifying operational risk to digitally connected organisations and enterprises.

Implications for security professionals extend far beyond volumetric concerns and include reconnaissance and adaptive evasion which challenge traditional defence paradigms. Organisations must match adversarial innovation with intelligent, autonomous defences, or risk operational disruption at levels previously considered theoretical.

“Threat actors identify organisations that haven’t invested in the right defences to stay ahead of sophisticated and coordinated DDoS attacks to take down critical infrastructure,” says Richard Hummel, director: threat intelligence at NetScout.

“Traditional security defences are no longer working, and with attackers hitting new attack size and complexity ceilings, implementing automated and proactive defences has become a business-level risk mandate – not just a technical concern for security professionals.”

Key research findings include:

Massive attacks on a global scale – More than 8-million attacks were identified across 203 countries and territories globally.

– More than 8-million attacks were identified across 203 countries and territories globally. Continued use of multi-vector attacks – approximately 42% of DDoS attacks employed two to five distinct attack vectors, with some adapting dynamically throughout the attack to complicate detection and mitigation.

– approximately 42% of DDoS attacks employed two to five distinct attack vectors, with some adapting dynamically throughout the attack to complicate detection and mitigation. Outbound attacks impact broadband and mobile services – Extensive direct-path attacks revealed that compromised IoT and customer-premises equipment can generate outbound floods exceeding 1 Tbps, creating liability, service, and reputational risk for broadband and mobile providers.

– Extensive direct-path attacks revealed that compromised IoT and customer-premises equipment can generate outbound floods exceeding 1 Tbps, creating liability, service, and reputational risk for broadband and mobile providers. Critical infrastructure targeted – High‑value services such as NTP and DNS continue to face sustained attack pressure, emphasising the need for resilient, globally distributed architectures to maintain service continuity.

High‑value services such as NTP and DNS continue to face sustained attack pressure, emphasising the need for resilient, globally distributed architectures to maintain service continuity. Threat actors scale up collaboration – A surge of more than 20 000 botnet-driven attacks in July 2025 exemplified how coordinated threat activity can rapidly overwhelm defences and disrupt critical government, finance, and transportation services.

– A surge of more than 20 000 botnet-driven attacks in July 2025 exemplified how coordinated threat activity can rapidly overwhelm defences and disrupt critical government, finance, and transportation services. Threat actor persistence – Despite international law enforcement dismantling multiple DDoS-for-hire platforms, hacktivist groups and botnets remain resilient, exerting increased pressure.

– Despite international law enforcement dismantling multiple DDoS-for-hire platforms, hacktivist groups and botnets remain resilient, exerting increased pressure. AI integration accelerates operations and collaboration – AI has transitioned to an operational reality, with large language models (LLMs) on the dark web accelerating vulnerability exploitation and botnet expansion, and underground forums documenting a 219% increase in mentions of malicious AI tools. Groups like Keymous+ have demonstrated how partnerships between threat actors amplify attack power, with bandwidth increasing nearly fourfold.

NetScout maps the DDoS landscape through passive, internet vantage points, providing visibility into global attack trends.