Record-Breaking DDoS Attacks & the Security Landscape Heading Into 2026
Presented by: João Tomé, Omer Yoachimik
Originally aired on January 12 @ 10:00 AM - 10:30 AM EST
In this end-of-year episode of This Week in NET, host João Tomé is joined by Omer Yoachimik, Senior Product Manager for DDoS Protection at Cloudflare, to break down the realities of the 2025 DDoS threat landscape — and what’s coming next.
They discuss how DDoS attacks reached previously “theoretical” scales in 2025, including record-breaking 31 Tbps attacks, the rise of massive botnets like Aisuru, and how geopolitical events increasingly shape cyber activity. Omer explains why traditional scrubbing-center defenses are becoming obsolete, how Cloudflare’s autonomous, globally distributed mitigation works, and why automation and real-time intelligence are now essential.
The conversation closes with practical advice for organizations, common myths about DDoS risk, and what to expect in 2026 as attacks grow larger, faster, and more sophisticated.
Hello everyone and welcome to This Week in NET. It's our last episode of the year. 2025 was quite the year, and there are a lot of episodes you can unpack if you want to check our feed, from the future of content and AI to Firewall for AI, Code Mode, what it means for AI agents, and much more.
There's a lot to unpack on security, privacy in episodes this year.
You can check on thisweekinnet.com all the episodes and some highlights there.
Today it's all about security and DDoS attacks. I'm your host João Tomé, based in Lisbon, Portugal, and with me I have, returning to the show, our DDoS expert Omer Yoachimik.
Hello Omer, how are you?
I'm doing well, thank you. It's great to be back. How are you?
I'm good. End of the year, many things to talk about, and of course there was the DDoS report, the Q3 report, a blog post that we have on our blog. There were record-breaking DDoS attacks, and there were many trends, of course, around AI.
In the last episode that we did about the DDoS report, I think it was about Q2, the second quarter of the year, you mentioned something that I found really interesting, which is related to generative AI and AI in general and the use that everyone is making, most people are making, of AI.
Attackers are also using generative AI to make things more convincing, to help them use tools to do bigger attacks and more successful attacks.
You definitely mentioned that at the beginning.
What would be the sum up of 2025 for you in terms of DDoS attacks specifically?
So I would say that there are three main themes.
One is that attacks just increase in size, in proportions that we considered theoretical before. What's also interesting is the sophistication of these attacks, not just the attacks themselves and the properties of the attacks, and we can talk about what makes an attack sophisticated, but also the botnets behind the attack.
There are a variety of infected hosts that comprise these botnets, and one specific botnet that we're talking about, the Aisuru botnet, putting that all together makes it one of the most dangerous things on the Internet right now. I would say that the third thing that we've seen is the effect of geopolitical events and how they are also expressed, or how we see them, in the cyber realm.
This ranges from attacks on generative AI companies themselves all the way to the EU -China trade talks and what implications those had on certain industries as well as protests and various movements around the world.
It's quite interesting because actually I was writing a blog post about Internet services, the most popular Internet services and I was seeing also impact regarding Internet services especially on news sites but for the same issues, the same situations.
So news sites are having more traffic and increasing and attackers are also maybe using those geopolitical situations to attack as well.
Yeah, exactly. These geopolitical situations, whether they are, for example, various topics that came up in the recent EU-China trade deals, or during election events, or during other types of events, even sporting events and the Eurovision, anything you can think of.
Anything that becomes a hot topic, even temporarily, lures threat actors into wanting to take a stance, whether it's a kind of a form of cyber vandalism, you know, instead of going out and graffiting the face of a building.
This is their attempt to disrupt a service or a company that happens to stand on the other side of the ideology, if ideologies are involved.
There's also a lot of trying to show off in the threat actor community, so being able to show and prove that, as a threat actor, I managed to do this and that, to get some street cred.
And important in a sense.
Yeah, exactly. And for botnet operators it also serves as a kind of certificate of force, of power, of what their botnet can do, because ultimately these botnets are offered for hire. So for just a few hundred dollars or a thousand dollars you can launch attacks that can take down, or at least disrupt, pretty much any organization that's not really optimized in their protection, as we've seen throughout the
One of the things that I find surprising is the numbers, and you have this in the report that we had about Q3 and about the Aisuru botnet. As you mentioned, it's like a massive army, in this case an estimated one to four million infected hosts globally, only for this botnet in particular, so they can definitely launch those hyper-volumetric DDoS attacks, and that could easily break records.
In the later part of this year we had several records being broken, in a sense.
In the recent Year in Review from Radar that we put out, we mentioned a new record from the 29.7 terabits per second a few weeks ago, so now it's like 31.4 terabits per second, which is a crazy amount.
In what sense are these botnets being dealt with? How do we deal with them in terms of our automated systems?
So the approach that we have is basically to tap into our systems, into our network's global coverage and distributed nature, and to use the distributed nature of the attack against it, because if you're launching such a large attack it's originating from many, many sources. For example, the 29.7 terabit per second attack originated from, or we mitigated it in, 113 countries where we have data center presence.
It originated from over 17,000 different networks, different ASNs, autonomous systems. So keeping that in mind, we've spent the good part of the last five years, even longer, ensuring that our network is able to deal with these types of attacks with no human intervention. The way that we do that is by allowing every single one of our servers and every single one of our data centers to detect and mitigate these attacks autonomously, and there is this threat intel sharing where the servers multicast or gossip the threat intel between each server, so there's coordination within a data center, within a colo where we're present in a co-location, right, and there's also coordination between the colos and our global network. But these attacks hit so fast and they can be so short, so the 29.7 attack was less than 70 seconds long, you really need to be able to respond quickly. The main mitigation system that does the bulk of the work here for us is our real-time fingerprinting system, and this system, based on heuristics that have been curated by our engineering teams, instructs the system, when it's sampling packets, what type of packet attributes to look for that are suspicious, how to create a fingerprint given certain conditions, when to determine that a fingerprint is suspicious and to qualify it as an attack, and to install a mitigation rule in the most cost-efficient place. So we can mitigate the attacks very quickly; in some cases some of our systems activate within single-digit microseconds, in other cases it can be up to one or two seconds. So mitigation is really quick, very performant, because we do it in the innermost place of the server, in the kernel, where we can drop packets fast at wire speed.
It makes sense. One of the things that I find surprising is, for example, there's a big increase in some of these attacks, especially the hyper-volumetric ones, this year, right? So there's definitely a trend there; it's one of the trends of the year in terms of the increase of those types of attacks, right?
Yeah, the attacks have grown. If we look at October 2024, for example, the largest attack was 5.6 terabits per second; I think that was the world record back then. Now, to compare October to October, in October 2025 the largest figure was 29.7 terabits per second, and now we're already at 31.4 terabits per second. But one of the things that the botnet operators, or the authors of this botnet, I think came to a conclusion about is that you don't really need that entire force to take down Internet properties, and what we're seeing is that chunks of the botnets are being sold, or resold via distributors, as a botnet for hire, because in many cases all you need is a few terabits per second. And if you're relying on an on-demand protection service where you need to route traffic, or when you only route traffic to a dedicated scrubbing center facility that is meant to deal with DDoS attacks and DDoS attacks alone, these attacks will clog up your Internet link, unless you have multi-terabits per second of ingress capacity during your peak hours, for example, before you even have a chance to divert to the scrubbing center. These legacy solutions are what I call a historical mistake, and we can dive a little into that if you want, but before there's any time even for a machine to respond and divert traffic, the attack can already be over, and the impact can be prolonged: for engineering and operational teams it can take quite some time to safely recover and restore systems.
I think we've seen in the past that sometimes this is used for several reasons in terms of attacks; sometimes they're trying to enter through a vector, and they're attacking, making a DDoS attack at the same time, to try to confuse those teams. So there's a lot of possibilities there in terms of how this is used, right?
Exactly, because when you launch a volumetric attack, a DDoS attack, the security operations center or the network operations center or whichever team is monitoring your services, the SREs and so on, if you're subject to an attack, they're now dealing with an incident where they have CPUs spiking up, maybe servers crashing, Internet links that are being saturated. You have customer complaints starting to come in via support, you have management and other stakeholders starting to page and ping and ask questions and demand resolution, and so there's a whole lot going on. This creates the type of chaotic environment where, if you've orchestrated a specific data exfiltration or a different type of attack, it can go hidden, unseen, undetected, and you're creating so much noise from this DDoS attack that's serving as a smokescreen that even afterwards, in the investigation process, there will be so many logs and so much data to try and analyze to understand what exactly happened and what the actual intent of the attack was.
Of course, makes sense. One of the things that we usually mention in the DDoS reports, and there have been over 20 in these past few years, so a lot, is who's being attacked, like the set of industries that are the top attack targets. For example, in Q3 it was a lot about IT services, telecommunications, banking, gaming.
Are we seeing any predictable patterns in why certain industries are targeted specifically?
You mentioned already like the geopolitical in some situations but gaming usually is high, right?
Yeah, gaming and gambling and casinos. These are the types of industries, or services, that are very latency sensitive, and there's also winners and losers in terms of, you know, if you're playing a game, if you're betting, if you're gambling. In many cases the users, the gamers themselves, may also tend to be more tech savvy. So if you put those factors together, a latency-sensitive service that in many cases has clear winners or losers, which can impact your ego, your reputation, your wallet as well, and the fact that there are very tech-savvy users using those services, that can lead to a desire to retaliate, to disrupt, to vandalize, to get back.
It's not unheard of that a user is banned from some gaming server and then decides to attack it as a result, because again these attack tools and botnets for hire are there and they're easily accessible if you want to find them.
Makes sense. Another thing that we usually publish is the source of attacks but also the most attacked locations.
In Q3 for example it was China and Turkey and also Germany for example.
Is there any pattern, any trend that we see in terms of the most attacked locations specifically during this year?
Well, yeah, we saw that China is usually up there in the top first and second places for the most part, but I think what's interesting is that this quarter the US jumped 11 spots to being the fifth most attacked location.
I should also clarify that when we say attacked location it doesn't necessarily mean that the nation itself is being attacked, but rather that Cloudflare customers with a billing address in that location are being attacked.
Yeah, and the country that saw the largest spike was actually the Philippines, which made it into 10th place.
It jumped 20 spots quarter over quarter.
Do we know why some of these things happen sometimes like why a certain country or the customers in those countries are being sometimes more attacked than in previous years for example?
Yes, so it's a lot about correlation, because while you do have threat actors that sometimes take credit, it's hard to know if they're actually the ones that launched the attack without a proper forensic analysis and the intervention of law enforcement agencies.
It is possible to correlate between things. So, for example, in France there was the "block everything" movement.
This was a kind of campaign launched by the French trade unions in September to oppose President Macron's government over, basically, new austerity measures, changes to the pension system, and the rising cost of living. They called for coordinated strikes and transport blockades to paralyze the country, and during that same time we saw that France jumped 65 spots, making it the 18th most attacked country in the world.
So that's one example, and we saw similar examples in Brussels, where protests also caused a massive increase in attacks against Belgium-based Cloudflare customers.
Similarly in the Maldives, that's a country where we saw the highest increase, of 125 spots, making it the 38th most attacked country, and this was as part of, or correlated to, the "stop the looped" movement, a chant that became the symbol of a movement against government corruption and democratic backsliding, things that the UN human rights chief warned could seriously undermine media freedom, for example.
And there goes the geopolitical references that you also mentioned in the beginning for sure in some of those elements.
I'm also curious: earlier this year you spoke about two myths that the DDoS landscape sometimes comes with.
Can you revisit those two myths, the typical ones from a DDoS perspective?
You'll have to remind me of those two myths.
It was "I'm not an important target" and "I can just use an on-demand service if I get attacked."
Yeah, so the two myths. A lot of organizations that don't consider themselves, or in the past haven't considered themselves, a potential target for DDoS attacks have since seen that they have in fact come into the crosshairs of DDoS threat actors, and that's because they just happened to be related to a hot topic, or happened to be on the other side of an ongoing conflict, and they were an easy target. Because if you assume that no one's going to attack you and you don't have protection in place, then threat actors will take advantage of that.
A simple example of that: just as the 25th EU and China trade deals, or trade summit, took place, there were reports of rising tensions over rare earth minerals, rare earth exports for example, and coincidentally the mining, minerals and metals industry surged by 24 spots quarter over quarter, making it the 49th most attacked industry in the world. You could think, why would someone attack these types of industries? We saw the same thing with the automotive industry, which leaped by 62 places, and this is while, again, in the EU trade talks there were also discussions about tariffs relating to electric vehicles, for example.
So it could really be anyone; anyone is at risk, because attackers are just trying to find targets, and if you're not protected and you don't think too much, "I won't be attacked," there are more potential reasons for you to be attacked, in a sense.
Right, yeah. You can think of it like this: if you think about your home, maybe you think, I don't have anything worthy here for someone to steal, I don't have jewelry or cash lying out, so why would anyone break into my home, so I'll just leave my front door open. Organizations that don't protect themselves, that don't have an inline protection service that's always on, basically just have their door open, and someone will take advantage of it.
And there's also how easy it is to do DDoS attacks these days, with attackers manipulating AI systems and improving attack scripts with them, right? So that also brings sophistication but also ease of attack, so they can attack many players, many different sites, almost at the same time, in a way, right?
Exactly. You can just ask one of the generative AIs to help you create a load testing tool and then iterate from there, so it has never been easier for zero-knowledge threat actors to launch very sophisticated attacks, or very large attacks, ones that in previous years we would have associated with nation-state actors.
Makes sense. There's also the potential recommendations that we can give, even in terms of lessons from 2025, for enterprise companies that could be more on the lookout. What would be the advice that we can give to customers, or non-customers, regarding DDoS attacks and the protection they should have in place?
Yeah, so that's a good question. I think there are a few practical steps that every organization should take, because there's the cost of doing something and the cost of not doing something, and when you try to quantify the cost of not doing something, such as protecting your Internet properties, if you're not protected the cost can be infinite, to the point, what I mean by that is that it can lead to total bankruptcy, as we've seen with many companies. I won't name companies, but these companies have maybe had their data stolen, maybe they were under a DDoS attack. So the practical steps to take to reduce that risk are to first identify and adopt a cyber security framework, a strategy, something that you can implement, and depending on where you're located there might be frameworks offered by your local cyber security agency, depending on the country or the region; there are also industries that are regulated and must adhere to these types of frameworks. But there are four main principles, or steps, that I would call out. One is to identify the digital inventory and the risks based on the threat landscape and the importance, or how critical, each one of your digital properties, your Internet properties, is, and according to that prioritize them. Then start dealing with each one of those Internet properties to apply the relevant or appropriate safeguards to protect them, whether it's your DNS infrastructure, your database, your API servers and so on. The third step is to implement alerting, to have processes in place for early detection of significant events, so you want to be notified first, you want to be alerted before, for example, your customers are alerted; you want to have the advantage of being able to respond the fastest, the quickest. And lastly, number four, is to respond to those threats and to learn from them, iterate, and make sure that this is something that is understood and implemented by all teams in your company, in your organization, because security starts from a single employee. No matter how many safeguards you have, if you have one employee that clicks a link from an email and you didn't have the proper protections in place, you can see your entire organization or your entire database encrypted and locked out.
Makes sense. Why not start thinking also of 2026 and what should come, could come, in this area? What do you expect the DDoS landscape to look like next year? Would it be continuing growth in these record-scale attacks, or maybe a different focus on different types of vectors and attacks?
So I think that we're going to see attacks that are much more difficult to defend against with the mainstream, or what I would call at this point the legacy, scrubbing center providers. The capacity, or the rate, the force of attacks will unfortunately continue to rise. We're still seeing the increase in attack size, and this is not just in the layer 3/4 world, in terabits per second, but also in the DNS world and also in the HTTP world, so we're seeing larger and larger attacks. We're going to see probably more permutations of the Aisuru botnet, and larger and more sophisticated attacks from those botnets as the operators learn and improve their attack vectors. We're going to see the beginning of the end of the scrubbing center era, because a scrubbing center solution with a few terabits per second of capacity, or 10-20 terabits per second of capacity, is just irrelevant anymore with the level of attacks that we've been seeing. If you just do an average of the capacity per data center that these providers have, you can see how even a few-terabit-per-second attack can take them offline. What we're going to see is larger attacks, attacks that are harder to stop and require more significant or more intelligent solutions, and this is kind of a tease for some of the things that we've been building and deploying to counter these threats that we're seeing. And the rise of the zero-knowledge threat actor, where with vibe coding or botnets for hire you can pretty much disrupt an entire nation, with the big consequences that could bring to the digital infrastructure that people now really depend on, right? Everything from emergency services to critical messages that need to be sent out to civilians, electricity, water, hospitals, you name it, everything relies on the Internet. And if you think about the undersea cables or terrestrial cables that connect various countries, it's enough to disrupt a few of them during peak hours to cause
Absolutely. You already spoke about the risks there, but on the defense side, how is Cloudflare using AI and machine learning to maybe improve what's coming?
Yeah, so over the past, I would say over a year, we've been investing in a new system that leverages signals from across the Cloudflare network, because we have, depending on when you measure it, around 20 to 30 percent of Internet traffic routing through us, and we see so many threats. These signals are used to teach a new, what I like to call a botnet incrimination system, about botnets. This system has already shown its value in the HTTP world: in Q3 we reached a milestone where that system, which incriminates botnets in real time and blocks them, was responsible for almost 50 percent of all HTTP DDoS attack mitigations, and we've been expanding it into layer 3/4. So it's more about using the data that we have along with machine learning models that add additional signals to be able to protect our customers. And because these systems are integrated with our other services, ranging from our WAF or bot management systems to our Zero Trust solutions, we're able to tap into all of those signals in order to detect malicious activity and block it, and once a botnet has been incriminated against one customer, then all customers are immediately protected. So it's about that type of real-time intelligence that can be leveraged at scale to block malicious traffic.
The network actually is learning and protecting all the customers in the network because of that knowledge, in a sense.
Exactly.
Which makes perfect sense. It's really interesting to see. Let's end on a note for 2026 in the security realm. Do you have some wish, from the security perspective, for 2026 that would be good to have?
What I'd love to see is organizations take security really seriously and protect their infrastructure, protect their data, because ultimately they're protecting us, their users, and the more that organizations adopt strong security postures, the better and the safer the Internet will be. So I'm wishing us a safer and more protected Internet, and let's see how 2026 plays out.
Hopefully safer, and with not too many bad attacks there. Thank you Omer, this was great.
Thank you João, my pleasure, thanks for having me.
And that's a wrap. 2026 is coming, so why not wish everyone a great 2026, a secure one as well. And don't forget: stay tuned, geek out, and check our website thisweekinnet.com, where you can subscribe to our podcast on your favorite podcast platform. And that's a wrap.