Here’s the thing about distributed denial-of-service attacks: for years, terabit-scale floods were the cybersecurity equivalent of a hundred-year storm.
You’d read about them in incident reports, nod gravely, and go back to worrying about ransomware. 2025 ended that comfortable abstraction.
Leads security research for Nokia Deepfield.
Terabit-level DDoS attacks are now a daily occurrence for major telecommunications providers. Not weekly. Not “several times a month.” Daily. The first attack exceeding 10 Tbps landed in September. By October, we were tracking incidents past 30 Tbps.
The industry is already bracing for 100 Tbps: not as a theoretical ceiling, but as an inevitable milestone. What changed? Everything, as it turns out.
The five-minute problem
Start with timing. In 2024, roughly 44% of DDoS campaigns concluded within five minutes. This year, that figure jumped to 78%, and more than a third of them were wrapped up in under two minutes.
If your detection and mitigation systems can’t respond at the network edge within sixty seconds, you’re performing post-incident analysis, not defense.
This isn’t attackers getting lazy. It’s the opposite: campaigns have become algorithmically orchestrated, cycling through attack vectors faster than human operators can respond to them.
A typical automated attack might open with TCP carpet bombing, pivot to UDP floods when it detects countermeasures activating, add some DNS amplification, then finish with a high-rate SYN flood — all within three minutes, each wave calibrated to the defender’s response thresholds.
The attacks aren’t just faster. They’re smarter. Systems now monitor defender behavior in real time, adjusting parameters like high-frequency trading algorithms responding to market conditions. When your mitigation kicks in, the attack pivots. When you adapt, it pivots again.
The call is coming from inside the house
The more fundamental shift involves where attack traffic originates. Traditional DDoS botnets relied on compromised IoT devices: cameras, DVRs, routers with exposed ports, and the occasional parking meter.
At peak, the total active bot population across all these fragmented networks might reach a million devices, with no single botnet controlling more than a fraction. That era is ending.
Residential proxy networks have quietly assembled something far larger: an estimated 100 to 200 million consumer endpoints capable of retransmitting traffic on command. These aren’t exposed servers.
They’re ordinary home devices (cheap Android TV boxes running uncertified open-source firmware, mobile phones with “free” VPN apps, backdoored home routers) sitting behind NAT, invisible to external scanning.
How did this happen? Follow the economics. AI companies need massive datasets for training, and web scraping at scale requires the use of constantly rotating IP addresses to avoid detection.
Residential proxy services provide exactly that: millions of “clean” consumer IPs that look like legitimate traffic. The demand created a thriving gray market, and criminals recognized an opportunity.
There’s an old butcher’s saying: tout est bon dans le cochon, everything in the pig is good. The operators of these networks took it to heart. Freshly compromised devices first serve as premium proxy exits, generating revenue from legitimate customers who need residential IPs for web scraping, ad verification, or market research.
Once repeated use degrades an IP’s reputation score, that same endpoint transitions to DDoS-for-hire operations. Every node gets monetized twice.
The scale is staggering. Roughly 4% of global home internet connections are now available as latent attack infrastructure. Brazil alone hosts approximately 25 million proxy nodes.
The aggregate bandwidth capacity of these networks exceeds 100 Tbps — more than most national internet backbones can absorb. And symmetric gigabit fiber rollouts keep making the math worse: average upstream bandwidth per compromised endpoint increased 75% year-over-year in North America.
What this means for defenders
The uncomfortable reality is that yesterday’s DDoS defenses were designed for yesterday’s DDoS attacks. Manual runbooks and fifteen-minute response windows assumed attacks would last long enough to invoke them. Static thresholds assumed that attackers wouldn’t probe to determine exactly where those thresholds sit.
Modern defense requires three things organizations have historically resisted: automation, scale, and intelligence integration. Automation is necessary because humans cannot match algorithmic attack speeds.
Scale because terabit floods require terabit-class absorption capacity at the network edge, not in a distant scrubbing center. Intelligence is required because identifying attack traffic from residential IPs that look identical to legitimate users demands behavioral analysis, not simple blocklists.
The carpet-bombing trend adds another complication. Over half of attacks now target multiple hosts simultaneously, spreading traffic across entire network ranges rather than focusing on single targets.
This technique dilutes traditional per-host detection thresholds and can overwhelm network segments even when individual hosts remain below alert levels.
So now what?
None of this is insurmountable, but it does require abandoning assumptions that served well for a decade. Networks must evolve from reactive, manually-driven processes to proactive, self-defending architectures: systems that detect, mitigate, and adapt without waiting for human intervention.
The attackers have already made that transition. The question is how many defenders will catch up before the next order-of-magnitude jump.
Check out our list of the best DDoS protection.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
