Record-Breaking DDoS Attacks & the Security Landscape Heading Into 2026
Discusses the growth in attack size and sophistication, the role of diverse botnets like Isuru, and how geopolitical events influence cyberattacks, shaping modern DDoS threats.
Cloudflare’s Homer Yakushimi and Runtome discuss record-breaking DDoS trends, Isuru botnet, and how AI-powered threats push security into 2026.
Summary
Homer Yakushimi sits down with Runtome in Lisbon, Portugal on Cloudflare's This Week in Net to unpack 2025's security landscape, focusing on DDoS dynamics, botnets, and the geopolitical drivers behind attacks. The conversation highlights three themes: attacks have grown to sizes once considered theoretical, they have become more sophisticated, and the botnets behind them are evolving, with the Isuru botnet (an estimated 1 to 4 million infected hosts) emerging as a major threat. They explain Cloudflare's autonomous, kernel-level mitigation and real-time fingerprinting, which run on every server and data center without human intervention and activate in anywhere from single-digit microseconds to one or two seconds; the 29.7 Tbps attack, which lasted under 70 seconds, was mitigated in 113 countries. The duo also connects attack trends to real-world events, from EU-China trade talks to protests in France, Belgium and the Maldives, and underscores how attackers exploit hot topics to maximize disruption. Generative AI's role in giving attackers cheaper, more effective tooling is stressed, alongside Cloudflare's machine-learning-driven botnet incrimination system that protects all customers once a botnet is identified against one. Finally, the hosts lay out four practical security steps for organizations and forecast a 2026 in which attacks keep growing across layer 3/4, DNS and HTTP, marking what they call the beginning of the end of the legacy scrubbing center era. The episode closes with a call for stronger security postures across the internet ecosystem and a wish for a safer 2026.
Key Takeaways
- The Isuru botnet represents a massive, globally distributed threat, with an estimated 1 to 4 million infected hosts; chunks of it are resold as botnets for hire, since a few Tbps is enough to disrupt most unprotected targets.
- The 29.7 Tbps attack originated from over 17,000 networks (ASNs), lasted under 70 seconds, and was mitigated in 113 countries where Cloudflare has data centers; the record has since moved to 31.4 Tbps, up from 5.6 Tbps in October 2024.
- Attackers increasingly rely on generative AI to write and iterate attack scripts, lowering the barrier for zero-knowledge actors to launch campaigns once associated with nation states.
- Real-time fingerprinting and kernel-level mitigation on every server activate in single-digit microseconds to one or two seconds, dropping malicious traffic at wire speed; servers gossip threat intelligence within and between data centers.
- Geopolitical events (EU-China trade talks, protests in France, Belgium and the Maldives) correlate with spikes against specific industries and locations, e.g. mining and automotive; note that "attacked location" refers to the billing address of the targeted Cloudflare customer, not the nation itself.
- The forecast for 2026 points to larger, more sophisticated attacks across layer 3/4, DNS and HTTP, reducing the effectiveness of traditional scrubbing centers with 10 to 20 Tbps of capacity and pushing toward AI-augmented, always-on inline defense.
Who Is This For?
IT security leaders, SOC teams, and cloud infrastructure engineers who need concrete context on 2025’s DDoS trends and practical defenses for 2026.
Notable Quotes
"There are three main themes. Attacks increase in size, they become more sophisticated, and the botnets behind them are evolving."
—Yakushimi summarizes the year’s big patterns in DDoS activity.
"The 29.7 terabit per second attack originated from over 17,000 networks across 113 countries, showing the scale and distribution Cloudflare can handle."
—Illustrates the scale of real-world incidents and global reach of mitigations.
"What you need is an autonomous defense… every server and data center can detect and mitigate without human intervention."
—Explains Cloudflare’s automated mitigation approach.
"Generative AI makes it cheaper and easier for attackers to write attack scripts and scale campaigns."
—Highlights a key threat vector discussed in the episode.
"We’re seeing the beginning of the end of the scrubbing center era because even multi-terabit per second attacks overwhelm traditional centers."
—Forecasts shifts in defense infrastructure for 2026.
Questions This Video Answers
- How do 2025 DDoS trends compare to previous years and what does that mean for 2026 security planning?
- What is the Isuru botnet and why is it so dangerous for large-scale DDoS defense?
- What practical steps can an enterprise take to build an autonomous, low-latency DDoS protection strategy?
- How is AI changing the economics and tooling of cyberattacks, and how can defenders counter it?
- Why are geopolitical events tied to spikes in DDoS activity, and how should organizations prepare for it?
DDoS, Isuru botnet, AI-enabled cyber threats, kernel-level mitigation, threat intelligence, geopolitical cyber attack patterns, Cloudflare security architecture, scrubbing centers vs. autonomous defense, Q3 2025 DDoS report
Full Transcript
Hello everyone and welcome to This Week in Net. It's our last episode of the year. 2025 was quite the year, and there's a lot of episodes you can unpack if you want to check our feed, from the future of content and AI to Firewall for AI, Code Mode, what it means for AI agents, and much more. There's a lot to unpack on security and privacy in episodes this year. You can check all the episodes and some highlights on thisweekinnet.com. Today it's all about security and DDoS attacks. I'm your host, Runtome, in Lisbon, Portugal, and with me, returning to the show, I have our DDoS expert, Homer Yakushimi.
Hello Homer. How are you? I'm doing well, thank you. It's great to be back. How are you? I'm good. End of the year, many things to talk about, and of course there was the DDoS report, the Q3 report, a blog post that we have on our blog. There were record-breaking DDoS attacks. There were many trends, of course, around AI. In the last episode that we did about the DDoS report, I think it was about Q2, the second quarter of the year, you mentioned something that I found really interesting, which is related to generative AI and AI in general and the use that everyone, or most people, are making of AI.
Attackers are also using generative AI to make things more convincing, to help them use tools to do bigger and more successful attacks. You definitely mentioned that at the beginning. What would be the sum-up of 2025 for you in terms of DDoS attacks specifically? So I would say that there are three main themes. One is that attacks just increase in size, in proportions that we considered theoretical before. What's also interesting is the sophistication of these attacks, not just the attacks themselves and the properties of the attacks.
And, you know, we can talk about what makes an attack sophisticated, but also the botnets behind the attack. There are a variety of infected hosts that comprise these botnets, and one specific botnet that we're talking about is the Isuru botnet. Putting that all together makes it one of the most dangerous things on the internet right now. And I would say that the third thing we've seen is the effect of geopolitical events and how they are also expressed, or how we see them, in the cyber realm. This ranges from attacks on generative AI companies themselves all the way to the EU-China trade talks and what implications those had on certain industries, as well as protests and various movements around the world.
It's quite interesting, because actually I was writing a blog post about the most popular internet services, and I was also seeing an impact on internet services, especially on news sites, for the same situations. So news sites are having more traffic, and attackers are also maybe using those geopolitical situations to attack as well. Yeah, exactly. These geopolitical situations, whether they are, for example, various topics that came up in the recent EU-China trade deals, or election events, or other types of events, even sporting events and Eurovision, anything you can think of, anything that becomes a hot topic, even temporarily, lures threat actors into wanting to take a stance, whether it's a kind of a form of cyber vandalism. You know, instead of going out and graffitiing the face of a building,
this is their attempt to disrupt a service or a company that happens to stand on the other side of the ideology, if ideologies are involved. There's also a lot of trying to show off in the threat actor community. So being able to show and prove that, as a threat actor, I managed to do this and that, you know, get some street cred. I'm important, in a sense. Yeah, exactly. And for botnet operators it also serves as a kind of certificate of the force, of the power, of what their botnet can do, because ultimately these botnets are offered for hire.
So for just a few hundred or a thousand dollars you can launch attacks that can take down pretty much any organization that's not really optimized in their protection. You can take them down, or at least disrupt them, as we've seen throughout the year. One of the things that I find surprising is the numbers, and you have this in the report that we had about Q3 and about the Isuru botnet. As you mentioned, it's like a massive army, in this case an estimated 1 to 4 million infected hosts globally, only for this botnet in particular.
So they can definitely launch those hyper-volumetric DDoS attacks, and that could easily break records. In the later part of this year we had several records broken, in a sense. In the recent Year in Review from Radar that we put out, we mentioned a new record, up from the 29.7 terabits per second a few weeks ago. So now it's 31.4 terabits per second, which is a crazy number. In what sense are these botnets being dealt with? How do we deal with them in terms of our automated systems? So the approach that we have is basically to tap into our network's global coverage and distributed nature, and to use the distributed nature of the attack against it, because if you're launching such a large attack, it's originating from many, many sources.
For example, the 29.7 terabit per second attack, we mitigated it in 113 countries where we have data center presence. It originated from over 17,000 different networks, different ASNs, autonomous systems. And so, keeping that in mind, we've spent the good part of the last five years, even longer, ensuring that our network is able to deal with these types of attacks with no human intervention. And the way that we do that is by allowing every single one of our servers and every single one of our data centers to detect and mitigate these attacks autonomously.
And there is this kind of threat intel sharing, where the servers multicast or gossip the threat intel between each server. So there's coordination within a data center, within a colo where we're present in a colocation, and there's also coordination between the colos and our global network. But these attacks hit so fast, and they can be so short. The 29.7 attack was less than 70 seconds long. You really need to be able to respond quickly. And the main mitigation system that does the bulk of the work here for us is our real-time fingerprinting system.
This system, based on heuristics that have been curated by our engineering teams, instructs the system, when it's sampling packets, what type of packet attributes to look for that are suspicious, how to create a fingerprint given certain conditions, when to determine that a fingerprint is suspicious and to qualify it as an attack, and to install a mitigation rule in the most cost-efficient place, so we can mitigate the attacks very quickly. You know, in some cases some of our systems activate within single-digit microseconds; in other cases it can be up to one or two seconds.
So mitigation is really quick, very performant, because we do it in the innermost place of the server, in the kernel, where we can drop packets fast, at wire speed. Makes sense. One of the things I find surprising is, for example, there's a big increase in some of these attacks, especially the hyper-volumetric ones, this year, right? So there's definitely a trend there. It's one of the trends of the year, the increase in those types of attacks, right? Yeah, the attacks have grown. You know, if we look at October 2024, for example, the largest attack was 5.6 terabits per second.
I think that was the world record back then. Now we're at, you know, to compare October to October, in October 2025 the largest figure was 29.7 terabits per second. Now we're already at 31.4 terabits per second. But you know, one of the things that the botnet operators, or the authors of this botnet, I think came to a conclusion about is that you don't really need that entire force to take down internet properties. And what we're seeing is that chunks of the botnets are being sold, or kind of resold via distributors, as a botnet for hire, because in many cases all you need is a few terabits per second.
And if you're relying on an on-demand protection service, where you need to route traffic, or when you only route traffic to a dedicated scrubbing center facility that is meant to deal with DDoS attacks and DDoS attacks alone, these attacks will clog up your internet link unless you have multi-terabit per second ingress capacity during your peak hours, for example. But before you even have a chance to divert to the scrubbing center, these legacy, what I call a historical mistake, and we can dive a little into that if you want, but before there's any time even for a machine to respond to divert traffic, the attack can already be over, and the impact can be prolonged. For engineering and operational teams it can take quite some time to safely recover and restore systems, and I think we've seen that in the past.
Sometimes this is used for several reasons, in terms of attacks. Sometimes they're trying to enter through a vector; they're attacking, making a DDoS attack, at the same time to try to confuse those teams. So there's a lot of possibilities there in terms of how this is used. Right. Exactly. Because when you launch a volumetric attack, a DDoS attack, the security operations center or the network operations center or whichever team is monitoring your services, the SREs and so on, if you're subject to an attack, they're now dealing with an incident where they have CPUs spiking up, maybe servers crashing, internet links that are being saturated.
You have customer complaints starting to come in via support. You have management and other stakeholders starting to page and ping and ask questions and demand resolution. So there's a whole lot going on. And this creates the type of chaotic environment where, if you've orchestrated a specific data exfiltration or a different type of attack, it can go hidden, unseen, undetected. You're creating so much noise from this DDoS attack that's serving as a smokescreen that even afterwards, in the investigation process, there will be so many logs and so much data to try and analyze to understand what exactly happened and what the actual intent of the attack was.
Of course, makes sense. One of the things that we usually mention in the DDoS reports, and over the past few years there have been over 20, so a lot, but one of the things we do mention is who's being attacked, the set of industries that are the top attack targets. For example, in Q3 it was a lot about IT services, telecommunications, banking, gaming. Are we seeing any predictable patterns in why certain industries are targeted specifically? You mentioned already the geopolitical in some situations, but gaming usually is... Right. Yeah. Gaming and gambling and casinos, these are the types of industries, or services, that are very latency sensitive, and there are also winners and losers in terms of, you know, if you're playing a game, if you're betting, if you're gambling.
Yeah. So, in many cases also the users, the gamers themselves, may tend to be more tech-savvy. And so if you put those factors together, a latency-sensitive service that has in many cases clear winners or losers, that can impact your ego, your reputation, your wallet as well, and the fact that there are very tech-savvy users using those services, that can lead to a desire to retaliate, to disrupt, to vandalize, to get back. It's not unheard of that a user is banned from some gaming server and then decides to attack it as a result, because again, these attack tools and botnets for hire are there, and they're easily accessible if you want to find them.
Makes sense. Another thing that we usually publish is the source of attacks, but also the most attacked locations. In Q3, for example, it was China and Turkey, and also Germany. Is there any pattern, any trend, that we see in terms of the most attacked locations specifically during this year? Well, yeah, we saw that. Well, China is usually up there in the top first and second places for the most part, but I think what's interesting is that this quarter the US jumped 11 spots to being the fifth most attacked location.
I should also clarify that when we say attack location, it doesn't necessarily mean that the nation itself is being attacked, but rather that Cloudflare customers with the billing address of that location are being attacked. Mhm. Yeah. And the country that saw the largest spike was actually the Philippines, which made it into the 10th place. It jumped 20 spots quarter over quarter. Do we know why some of these things happen sometimes, like why a certain country, or the customers in those countries, are sometimes more attacked than in previous years, for example?
Yes. So, it's a lot about correlation, because while you do have threat actors that sometimes take credit, it's hard to know if they're actually the ones that launched the attack without a proper forensic analysis and the intervention of law enforcement agencies. It is possible to correlate between things. So, for example, in France there was the Block Everything movement. This was a campaign launched by the French trade unions in September to oppose President Macron's government over, basically, new austerity measures and changes to the pension system and the rising cost of living, and they called for coordinated strikes and transport blockades to paralyze the country.
And during that same time we saw that France jumped 65 spots, making it the 18th most attacked country in the world. So that's one example, and we saw similar examples in Brussels, where protests there also caused a massive increase in attacks against Belgium-based Cloudflare customers. Similarly, in the Maldives, that's the country where we saw the highest increase, of 125 spots, making it the 38th most attacked country, and this was correlated to the "stop the looped" movement, a chant that became the symbol of a movement against government corruption and democratic backsliding, things that the UN human rights chief warned could seriously undermine media freedom, for example.
And there go the geopolitical references that you also mentioned in the beginning, for sure, in some of those elements. I'm also curious: earlier this year you spoke about two myths that the DDoS landscape sometimes comes with. Can you revisit those two myths, the typical ones from a DDoS perspective? You'll have to remind me of those two myths. It was "I'm not an important target" and "I can just use an on-demand service if I get attacked". Yeah. So the two myths: a lot of organizations that don't consider themselves, or in the past haven't considered themselves, a potential target for DDoS attacks have since seen that they have in fact come into the crosshairs of DDoS threat actors, and that's because they just happen to be related to a hot topic, or happen to be on the other side of an ongoing conflict, and they were an easy target, because if you assume that no one's going to attack you and you don't have protection in place, then threat actors will take advantage of that.
A simple example of that is, just as the 25th EU-China trade summit took place, there were reports of rising tensions over rare earth exports, for example, and coincidentally the mining, minerals and metals industry surged by 24 spots quarter over quarter, making it the 49th most attacked industry in the world. And you could think, why would someone attack these types of industries? We saw the same thing with the automotive industry, which leaped by 62 places, and this is whilst, again, in the EU trade talks there were also discussions about tariffs relating to electric vehicles, for example.
So it could be really anyone at risk, because attackers are just trying to find targets, and if you're not protected, you don't think too much, "I won't be attacked", there are more potential reasons for you to be attacked, in a sense. Right. Yeah, you can think of it like this: if you think about your home, maybe you think, you know, I don't have anything worthy here for someone to steal, I don't have jewelry or cash lying out. So why would anyone break into my home?
So I'll just leave my front door open. Organizations that don't protect themselves, that don't have an inline protection service that's always on, basically just have their door open, and someone will take advantage of it. And there's also how easy it is to do DDoS attacks these days, with attackers manipulating AI systems to write and improve attack scripts for them. So that also brings sophistication, but also ease of attack. So they can attack many players, many different sites, almost at the same time, in a way. Exactly. You can just ask one of the generative AIs to help you create a load testing tool and then iterate from there.
So it has never been easier for zero-knowledge threat actors to launch very sophisticated attacks, or very large attacks, ones that in previous years we would have associated with nation-state actors. Makes sense. There are also the potential recommendations that we can give, even in terms of lessons from 2025, for enterprise companies that could be more on the lookout. What would be the advice that we can give to customers or non-customers regarding DDoS attacks and the protections they should have in place? Yeah. So that's a good question, and I think there are a few practical steps that every organization should take, because there's the cost of doing something and the cost of not doing something.
And when you try to quantify the cost of not doing something, such as protecting your internet properties, if you're not protected the cost can be infinite, to the point, what I mean by that is that it can lead to total bankruptcy, as we've seen with many companies. I won't name companies, but these companies have maybe had their data stolen, maybe were under a DDoS attack. And so the practical steps to take to reduce that risk are, first, to identify and adopt a cybersecurity framework, a strategy, something that you can implement.
And depending on where you're located, there might be frameworks offered by your local cybersecurity agency, depending on the country, the region. There are also industries that are regulated and must adhere to these types of frameworks. But there are four main principles that I would call out, or steps. One is to identify the digital inventory and the risks, based on the threat landscape and on how critical each one of your digital properties, your internet properties, is, and according to that prioritize them, and then start dealing with each one of those internet properties to apply the relevant or appropriate safeguards to protect them.
Whether it's your DNS infrastructure, your database, your API servers, and so on. The third step is to implement alerting, to have processes in place for early detection of significant events. So you want to be notified first. You want to be alerted before, for example, your customers are alerted. You want to have the advantage of being able to respond the fastest, the quickest. And lastly, number four is to respond to those threats and to learn from them. Iterate, and make sure that this is something that is understood and implemented by all teams in your company, in your organization, because security starts from a single employee. No matter how many safeguards you have, if you have one employee that clicks a link from an email and you didn't have the proper protections in place, you can see your entire organization, or your entire database, encrypted and locked out.
Makes sense. Why not start thinking also about 2026 and what should come in this area? What do you expect the DDoS landscape to look like next year? Will it be continuing growth in these record-scale attacks, or maybe a different focus on different types of vectors and attacks? Yeah. So, I think that we're going to see attacks that are much more difficult to defend against with the mainstream, or what I would call at this point the legacy, scrubbing center providers. The capacity, or the rate, the force of attacks will unfortunately continue to rise.
We're still seeing the increase in attack size. And this is not just in the layer 3/4 world, you know, in terabits per second, but also in the DNS world and also in the HTTP world. So we're seeing larger and larger attacks. We're going to see probably more permutations of the Isuru botnet, and larger and more sophisticated attacks from those botnets as the operators learn and improve their attack vectors. We're going to see the beginning of the end of the scrubbing center era, because a scrubbing center solution with a few terabits per second of capacity, or 10 or 20 terabits per second of capacity, is just irrelevant anymore with the level of attacks that we've been seeing.
Yeah. If you just do an average of the capacity per data center that these providers have, you can see how an attack, even a few terabit per second attack, can take them offline. What we're going to see is the larger attacks, attacks that are harder to stop and require more significant or more intelligent solutions. And this is kind of a tease of some of the things that we've been building and deploying to counter these threats that we're seeing, and the rise of the zero-knowledge threat actor, where with vibe coding or botnets for hire you can pretty much disrupt an entire nation.
And with the big consequences that could bring to the digital infrastructure that people now really depend on, right? Everything from emergency services to critical messages that need to be sent out to civilians, electricity, water, hospitals, you name it. Everything relies on the internet. Yeah. And if you think about the undersea cables or terrestrial cables that connect various countries, it's enough to disrupt a few of them during peak hours to cause... Absolutely. On the AI front you already spoke about the risks there, but on the defense side, how is Cloudflare using AI and machine learning to maybe improve what's coming?
Yeah. So over the past, I would say, over a year, we've been investing in a new system that leverages signals from across the Cloudflare network, because we have, depending on when you measure it, around 20 to 30% of internet traffic routing through us, and we see so many threats. These signals are used to teach a new, what I like to call a botnet incrimination system, about botnets. So this system has already shown its value in the HTTP world.
In Q3 we reached a milestone where that system, which incriminates botnets in real time and blocks them, reached a milestone of almost 50% of all HTTP DDoS attack mitigations being because of that system, which we've been expanding into layer 3/4. So it's more about using the data that we have along with machine learning models that add additional signals to be able to protect our customers. And the fact that these systems are integrated with our other Cloudflare services, ranging from our WAF, our bot management systems, our zero trust solutions, we're able to tap into all of those signals in order to detect malicious activity and block it.
And once a botnet has been incriminated against one customer, then all customers are immediately protected. So it's about that type of real-time intelligence that can be leveraged at scale to block malicious traffic. The network actually is learning and protecting all the customers in the network because of that knowledge, in a sense. Exactly. Which makes perfect sense. It's really interesting to see. Let's end on a note wishing for something for 2026, on the security realm. Do you have a wish from a security perspective for 2026 that would be good to have?
What I'd love to see is organizations take security really seriously and protect their infrastructure, protect their data, because ultimately they're protecting us, our users, their users. And the more that organizations adopt strong security postures, the better and the safer the internet will be. So, I'm wishing us a safer and more protected internet, and let's see how 2026 plays out. Hopefully safer and without too many bad attacks. Thank you, Omar. This was great. Thank you, Jo. My pleasure. Thanks for having me. And that's a wrap.
And 2026 is coming, so why not? Wishing everyone a great 2026, a secure one as well. And don't forget, stay tuned, geek out, and check our website thisweekinnet.com, where you can subscribe to our podcast on your favorite podcast platform. And that's a wrap.
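The real-time fingerprinting and threat intel gossip described in the interview, as an added example that is not Cloudflare's code and not part of the original page: it samples one window of packets, builds a fingerprint from attributes an attack tool tends to hold constant across thousands of infected hosts (destination, protocol, port, TCP flags, bucketed length and TTL), qualifies a fingerprint as an attack once it exceeds a packet rate and a minimum number of distinct sources, installs a rule, and gossips that rule to peer servers so a botnet incriminated against one target is dropped everywhere. The thresholds, bucket sizes, server names and all traffic are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str           # "udp" or "tcp"
    dst_port: int
    ttl: int
    length: int          # bytes on the wire
    tcp_flags: str = ""  # e.g. "S" for SYN; empty for UDP


def fingerprint(p: Packet) -> tuple:
    """Attributes a single attack tool tends to hold constant across thousands
    of infected hosts while legitimate clients vary them. Length and TTL are
    bucketed (assumed bucket sizes) so small jitter does not split one flood
    into many fingerprints."""
    return (p.dst_ip, p.proto, p.dst_port, p.tcp_flags, p.length // 64, p.ttl // 32)


@dataclass(frozen=True)
class Rule:
    key: tuple
    pps: float
    sources: int

    def matches(self, p: Packet) -> bool:
        return fingerprint(p) == self.key


def detect(packets, window_s, pps_threshold, min_sources):
    """Inspect one sampling window and return a Rule for every fingerprint
    whose packet rate exceeds pps_threshold AND that was seen from at least
    min_sources distinct source IPs. The second condition is a deliberate
    caveat: one busy legitimate client can also exceed the rate, but it is
    not a distributed botnet and should not be fingerprinted as one."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for p in packets:
        k = fingerprint(p)
        counts[k] += 1
        sources[k].add(p.src_ip)
    rules = []
    for k, n in counts.items():
        pps = n / window_s
        if pps >= pps_threshold and len(sources[k]) >= min_sources:
            rules.append(Rule(k, pps, len(sources[k])))
    return rules


class Server:
    """One edge server's local mitigation table (hypothetical)."""

    def __init__(self, name: str):
        self.name = name
        self.rules: set = set()

    def learn(self, rules) -> None:
        self.rules.update(rules)

    def drop(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.rules)


def gossip(learner: Server, peers) -> None:
    """Push every rule one server has incriminated to its peers, so a
    fingerprint learned against one target is blocked everywhere."""
    for s in peers:
        s.learn(learner.rules)


def build_sample_traffic(seed: int = 1) -> dict:
    """Constructed traffic, not captured data: a UDP flood from 400 bots,
    a handful of ordinary TCP clients, and one single-source burst."""
    rng = random.Random(seed)
    victim = "203.0.113.10"
    bots = [f"10.{i // 256}.{i % 256}.7" for i in range(400)]
    attack = [Packet(bots[i % 400], victim, "udp", 80, rng.randint(50, 60),
                     rng.randint(40, 60)) for i in range(2000)]
    legit = [Packet(f"192.0.2.{i % 30}", victim, "tcp", 443,
                    rng.randint(40, 120), rng.randint(60, 1500),
                    rng.choice(["S", "A", "PA"])) for i in range(60)]
    single = [Packet("192.0.2.200", victim, "udp", 123, 55, 48)
              for _ in range(1500)]
    return {"attack": attack, "legit": legit, "single_source": single}


if __name__ == "__main__":
    t = build_sample_traffic()
    rules = detect(t["attack"] + t["legit"], window_s=1.0,
                   pps_threshold=1000, min_sources=100)
    edge = Server("edge-a")
    edge.learn(rules)
    peer = Server("edge-b")
    gossip(edge, [peer])
    for r in rules:
        print(f"incriminated {r.key}: {r.pps:.0f} pps from {r.sources} sources")
    print("peer drops attack packet:", peer.drop(t["attack"][0]))
    print("peer drops legit packet:", peer.drop(t["legit"][0]))
    print("single-source burst rules:", detect(t["single_source"], 1.0, 1000, 100))
```

The flood produces exactly one rule, the peer that never saw the flood drops its packets after gossip, and the 1500 pps single-source burst produces no rule because it fails the distinct-source check. In a production path the `matches` call would be replaced by a kernel-level drop (the transcript's "innermost place of the server"), and the window would be far shorter than one second given that a multi-Tbps attack can be over in under 70 seconds.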