The Growing DDoS Threat: Navigating the Risk
DDoS attacks are growing in size and scale, becoming more difficult to mitigate. How should UK businesses respond?
Distributed denial of service (DDoS) attacks have been used by adversaries for many years as a means of unleashing chaos. The threat is showing no signs of slowing down, with DDoS attacks becoming bigger, more frequent and difficult to stop.
In 2025, DDoS activity more than doubled year-on-year, reaching over 47 million attacks globally, according to infrastructure provider Cloudflare’s DDoS threat report. Network-layer attacks – which see services flooded with traffic so they can’t be accessed – fuelled that growth, accounting for 78% of all DDoS attacks.
Meanwhile, the size of DDoS attacks grew over 700% in 2025. The largest was in December 2025, when the Aisuru/Kimwolf botnet launched a massive DDoS attack that peaked at 31.4 terabits per second (Tbps) and 200 million requests per second (rps), setting a new record.
The types of adversaries using DDoS attacks are evolving beyond traditional hacktivists, with more sophisticated attackers using the method as part of wider state-backed campaigns. With this in mind, how should UK firms respond?
DDoS Evolution
DDoS is evolving at lightning speed. Michael Tremante, VP product management at Cloudflare, says the firm regularly sees attacks that “would have been considered exceptional just a couple of years ago.”
He cites the example of the Aisuru-Kimwolf botnet. “Things are intensifying to a worrying degree.”
This means that when DDoS does hit, the impact is “immediate and tangible,” says Cody Barrow, CEO, EclecticIQ. “Services go offline, transactions fail, customer-facing systems become unreachable, and internal teams are pulled into emergency response.”
For telecoms and service providers, the downstream effect “multiplies across every business customer they carry,” he says. “A successful attack does not just inconvenience an organisation, it can trigger service level agreement (SLA) breaches, regulatory scrutiny and reputational damage that outlasts the outage itself.”
Beyond this, DDoS is increasingly being used as a distraction layer, warns Barrow. “Attacks are timed to saturate response capacity while a secondary, quieter operation runs in parallel, aimed at exfiltration, credential theft and lateral movement.”
Beyond Hacktivist DDoS
Beyond size and scale, experts cite another worrying trend. Historically, DDoS attacks have been most closely associated with hacktivists. However, that era has waned, replaced by “more escalatory groups advancing state-backed narratives,” with geopolitical tensions acting as the “defining catalyst,” says Dr Ric Derbyshire, principal security researcher at Orange Cyberdefense.
“While private companies are still getting hit, there has been a notable focus on the public sector and critical national infrastructure (CNI) as a result of this trend,” he adds.
It’s hard to tell who is behind DDoS attacks, says Tremante. “But what we can see is that there is significant investment and sophistication to reach the scale and ferocity of some of the attacks we have seen – like the Aisuru-Kimwolf Night Before Christmas campaign. This is an industrial and coordinated effort with some serious people behind it.”
The picture is more varied than most assume, agrees Barrow. “Nation-state actors and sophisticated criminal groups use DDoS as a weapon of deliberate disruption, often timed to degrade an organisation's ability to respond while something else is happening elsewhere in their environment.”
Adding to the risk, the commoditisation of botnet-for-hire services means that for a few hundred dollars, “virtually anyone can direct Tbps-scale traffic at a target,” he says.
Darren Anstee, chief technology officer for security at NETSCOUT, describes how an increasing number of hacktivist groups are launching DDoS attacks to advance their geo-political or ideological agendas.
Probably the best known of these groups is NoName057(16), a group with self-declared pro-Russian motives that has targeted government, transportation, banking and financial services, conducting over 1,500 DDoS attacks in its first two years of activity during 2022 to 2024, he says.
Meanwhile, attack groups are beginning to collaborate. For example, Keymous+ announced a partnership with threat actor DDoS54 in 2025, amplifying their joint attack capability, says Anstee.
Target Businesses
Businesses in certain jurisdictions are often targeted by adversaries seeking geopolitical gains. In 2025, China was the most attacked nation, followed by Hong Kong, with the UK jumping up 36 places to become the sixth most attacked country, according to Cloudflare’s data.
Some industries are more at risk from DDoS. Cloudflare's Q4 2025 data shows telecoms and service providers as the primary targets, followed by IT services and gaming.
While almost all organisations are potential targets, certain sectors face a “disproportionately higher risk,” says Peter Jones, cyber security specialist, Conscia UK. Telecommunications, hosting and online gaming providers are frequent targets due to “the broad and immediate impact a successful service disruption can have on customers and critical services,” he says.
In recent years, multi-terabit-per-second DDoS attacks have been directed at major cloud and platform providers such as Google, Amazon Web Services and Microsoft, says Jones. “While these attacks were significant in scale, the majority were successfully mitigated through the use of advanced detection, automation and globally distributed mitigation capabilities.”
Growing Threat
The threat is already growing, but experts say attacks will become more sophisticated as adversaries take advantage of technology such as AI.
AI is unlikely to make DDoS attacks much bigger, but it will make them more precise, says Orange Cyberdefense’s Dr Derbyshire. “Instead of overwhelming an entire website, adversaries can learn which functions are costly to run and subtly overload them under normal-looking traffic, leaving the service online but slow or expensive to operate.”
At the same time, AI lowers the skill required to carry out an attack, Dr Derbyshire says. “Tools can assist inexperienced users with target selection, traffic tuning and basic evasion, meaning disruption no longer needs specialist knowledge.”
NETSCOUT’s Anstee describes how AI chatbots are being integrated into DDoS-for-hire services as a natural language front-end, with enhanced automation capabilities. “Now, rather than running a reconnaissance, interpreting the results and selecting the relevant attacks using a nice GUI, you can just ask the service to create a set of attacks that will impact a business during core hours in natural language.”
DDoS Protection
There is no single tool that stops DDoS attacks, so organisations should focus on “absorbing and diluting the traffic” rather than blocking it outright, says Orange Cyberdefense’s Dr Derbyshire. “Using edge protection and distributed hosting keeps adversaries away from core systems, while caching and rate limits make each request cheaper to handle.”
Just as important is removing easy exposure, such as public admin panels or unprotected APIs, which often cause outages long before bandwidth is exhausted, he says. “In practice the aim is not perfect defence, but making the attack ineffective, short-lived and commercially pointless.”
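An added illustration, not taken from the article or from any vendor quoted in it: a per-client token bucket that charges each request by an assumed endpoint cost, so a client hammering an expensive function at an ordinary-looking request rate is throttled while cheap traffic at the same rate passes. The paths, cost weights and bucket sizes are hypothetical.

```python
import time
from collections import defaultdict

# Assumed relative cost of serving each path (tokens charged per request).
# Paths and weights are hypothetical; derive real ones from measured CPU/DB time.
ENDPOINT_COST = {"/static/logo.png": 1, "/api/search": 10, "/api/report/export": 25}
DEFAULT_COST = 5


class CostAwareLimiter:
    """Per-client token bucket where costly endpoints drain the budget faster."""

    def __init__(self, capacity=100.0, refill_per_sec=10.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}  # client -> [tokens, last_seen]

    def allow(self, client, path, now=None):
        now = time.monotonic() if now is None else now
        bucket = self.buckets.setdefault(client, [self.capacity, now])
        # Refill for the time elapsed since this client's last request.
        elapsed = now - bucket[1]
        bucket[0] = min(self.capacity, bucket[0] + elapsed * self.refill_per_sec)
        bucket[1] = now
        cost = ENDPOINT_COST.get(path, DEFAULT_COST)
        if bucket[0] < cost:
            return False  # caller answers 429 without running the handler
        bucket[0] -= cost
        return True


def replay(events, limiter=None):
    """Run (timestamp, client, path) events; return {client: [allowed, rejected]}."""
    limiter = limiter or CostAwareLimiter()
    totals = defaultdict(lambda: [0, 0])
    for ts, client, path in events:
        totals[client][0 if limiter.allow(client, path, ts) else 1] += 1
    return dict(totals)


# Constructed traffic: both clients send 4 requests/second for 10 seconds, so a
# plain requests-per-second limit cannot tell them apart.
SAMPLE = [(i * 0.25, c, p) for i in range(40)
          for c, p in (("client-a", "/static/logo.png"),
                       ("client-b", "/api/report/export"))]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Rejecting before the handler runs is what keeps the expensive work from being done; the weights only help if they track the real cost of each endpoint.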
When considering DDoS risk, organisations should address two distinct layers of attack: volumetric attacks at Layers 3 and 4, and application-layer attacks at Layer 7, says Conscia UK’s Jones. “For volumetric threats, working closely with your internet service provider is critical, as this typically provides access to large-scale mitigation capabilities delivered by vendors such as Radware, Akamai or Cloudflare.”
Application-layer attacks require additional, more granular protections, such as a Web Application Firewall (WAF) or Web Application and API Protection (WAAP) platform, Jones says. “These controls are designed to detect techniques such as code injection and abuse of application logic, applying behavioural analytics to distinguish legitimate users from malicious traffic and ensure continued availability of critical services.”
Beyond direct security controls, organisations should also build resilience into their environments, Jones advises. “This includes auto-scaling applications and load balancers, as well as deploying services across multiple regions to minimise single points of failure. Regardless of the solution deployed, it is essential to regularly test resilience measures and establish clear escalation paths with service providers to ensure rapid, coordinated response when an attack occurs.”