
All news with #ddos tag

122 articles · page 2 of 7

Botnet DDoS Escalation: AI, IoT, and Multiterabit Threats

📈 NETSCOUT’s ATLAS platform recorded more than 8 million DDoS attacks across 203 countries during the second half of 2025, revealing a decisive shift toward multiterabit capacity and AI-enabled operations. IoT-based botnets such as Aisuru and TurboMirai variants produced demonstration floods up to 30Tbps and 4Gpps, while dark-web LLMs and conversational interfaces lowered the barrier for complex, multivector campaigns. Persistent pressure on DNS root servers and NTP services highlighted the importance of globally distributed, intelligence-driven defenses.

Masjesu (XorBot) Botnet: Stealthy DDoS-for-Hire Service

🛡️ Masjesu, also tracked as XorBot, is a stealthy DDoS-for-hire botnet that targets diverse IoT devices including routers, gateways, cameras, DVRs and NVRs. First observed in 2023 and updated through 2024, it uses XOR-based obfuscation, avoids blocklisted ranges (including DoD IPs), and emphasizes persistence and low visibility. After binding a hard-coded TCP port (55988) the malware establishes persistence, disables common tools like wget and curl, and connects to remote controllers to receive flood commands. Its traffic is concentrated in Vietnam, Ukraine, Iran, Brazil, Kenya and India, with Vietnam accounting for nearly half of observed activity.

Programmable Flow Protection for Custom UDP DDoS Mitigation

🛡️ Programmable Flow Protection lets Magic Transit customers author and deploy custom eBPF programs across Cloudflare’s global edge to define what constitutes legitimate UDP traffic. Programs run in a verified userspace BPF VM and can pass, drop, or challenge packets using helper functions for state, cryptographic validation, and challenge emission. In beta for Magic Transit Enterprise customers, the feature enables stateful, protocol-aware DDoS mitigation that distinguishes legitimate clients from scripted or replay attacks.

Global DDoS Attacks Double, Peak Volumes Soar in 2025

🛡️ Gcore's semiannual Radar report found that registered DDoS attacks doubled in the second half of 2025 versus the first half, rising to about 2.25 million incidents and bringing the year total to 3.42 million. Peak attack throughput jumped to 12 Tbit/s compared with 2.2 Tbit/s in 2024. Network-layer volumetric strikes made up 82% of events—about three quarters lasting under a minute and 84% using UDP floods—while the remaining 18% were longer, targeted application-layer attacks against APIs, authentication and backend systems. Technology, financial services and gaming firms were the most frequently targeted sectors.

Dismantling Major Botnets Disrupts Global DDoS Rings

🛡️ Law enforcement agencies in Germany, Canada and the United States have jointly disrupted two of the world’s largest DDoS botnets, taking critical infrastructure offline and seizing evidence. The operation targeted Aisuru, which infected poorly secured IoT devices, and the related Kimwolf, which focused on Android and consumer devices. Authorities recovered multiple data carriers and seized five-figure cryptocurrency holdings, though arrests were limited and the criminal network is not yet fully dismantled.

International Takedown Disrupts Four Major IoT Botnets

🚨 U.S., German, and Canadian authorities dismantled command-and-control infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad IoT botnets, seizing virtual servers, domains, and related assets. The Justice Department says the four botnets had ensnared more than three million devices and issued hundreds of thousands of DDoS commands, including record-setting attacks by Aisuru. Private firms such as Akamai assisted, warning the campaigns disrupted ISP services and even targeted government IPs including DoDIN.

DoJ Disrupts 3 Million-Device IoT Botnets Behind 31.4 Tbps

🔒 The U.S. Department of Justice announced a court-authorized operation that disrupted command-and-control infrastructure used by multiple IoT Mirai variants, including AISURU, Kimwolf, JackSkid, and Mossad. Authorities from Canada and Germany, assisted by major vendors such as AWS, Cloudflare, and Akamai, helped dismantle networks that collectively enslaved roughly 3 million devices and enabled record-breaking DDoS attacks exceeding 30 Tbps. The action seeks to curb a cybercrime-as-a-service market that sold access to compromised DVRs, webcams, routers, and off-brand Android TVs.

Feds Disrupt Four IoT Botnets Behind Massive DDoS Attacks

🛡️ The U.S. Justice Department, with Canadian and German partners, dismantled infrastructure for four major IoT botnets — Aisuru, Kimwolf, JackSkid and Mossad — that compromised more than three million devices and launched hundreds of thousands of DDoS attacks. The action targeted U.S.-registered domains and virtual servers and aimed to stop further infections and future attacks. Law enforcement credited nearly two dozen tech firms for assisting in the operation.

Eon Reports Tenfold Increase in Cyberattacks on Grid

⚡ Eon reports a sharp rise in cyberattacks on its power distribution networks, now seeing several hundred daily probes—a tenfold increase compared with five years ago, board member Thomas König said. The company highlights the security challenges of an increasingly digitized grid. Eon engages external providers to run attack simulations and strengthen defences while operating about one third of Germany's distribution network.

DDoS Disrupts Perm Parking Payments, Free Parking Issued

🚗 Local authorities in Perm, Russia, reported a large-scale cyberattack that knocked the city's automated parking payment systems offline, attributing the outage to a massive DDoS attack. The permparking.ru portal and associated payment channels were overwhelmed, prompting officials to waive parking fees from 10–13 March while recovery teams worked. Authorities aimed to have services restored by 16 March. DDoS campaigns typically use botnets to flood services and block legitimate transactions.

Law Enforcement Dismantles SocksEscort Proxy Network

🔒 Operation Lightning dismantled the malicious proxy service SocksEscort, which investigators say compromised hundreds of thousands of routers and IoT devices globally. The service marketed thousands of proxy endpoints that enabled criminals to hide originating IPs and carry out bank and cryptocurrency account takeovers, fraudulent unemployment claims, ransomware operations, DDoS attacks and distribution of CSAM. Authorities seized domains and servers, froze cryptocurrency assets, and urged users and vendors to regularly update device firmware and apply security patches.

Authorities Disrupt SocksEscort Proxy Botnet Service

🚨 Authorities dismantled the criminal proxy service SocksEscort, which enslaved thousands of residential routers worldwide to operate a large-scale proxy botnet and sold anonymous access for fraud and other crimes. U.S. and European partners executed a court-authorized disruption, seizing domains and servers and freezing roughly $3.5 million in cryptocurrency. The service relied on AVrecon malware that exploited SOHO router vulnerabilities to persistently infect devices and route traffic for criminal customers.

Cyber fallout from Iran conflict: risks and defenses

🔒 The war in the Middle East has expanded cyber risk globally, from physical strikes on AWS data centers to waves of Iran-aligned cyber activity. Within hours of kinetic operations, hacktivists and state-aligned APTs mobilized, using DDoS, defacement, wipers and supply-chain compromises. Organizations should prioritize inventorying internet-facing assets, enforcing phishing-resistant MFA, auditing MSP and cloud dependencies, and preparing offline backups. The guidance focuses on pragmatic hardening where adversaries historically find weak spots.

149 Hacktivist DDoS Claims Target 110 Organizations

🚨 Cybersecurity firms reported 149 hacktivist DDoS claims from Feb 28–Mar 2 that targeted 110 organizations across 16 countries, with 107 attacks concentrated in the Middle East. Two groups, Keymous+ and DieNet, drove nearly 70% of activity, while NoName057(16) and others accounted for most of the remaining operations. Government, finance, and telecom sectors were disproportionately targeted, and vendors including Radware, Orange Cyberdefense, and Unit 42 provided attribution and telemetry. Analysts warn allied nations and critical infrastructure operators to increase monitoring and harden defenses.

Iranian Cyberattacks Largely Absent So Far, Risks Remain

⚠️ Five days into the US-Israel–Iran conflict, widescale Iranian cyber retaliation has not yet materialized, but security agencies warn the danger is acute and ongoing. The UK NCSC and Canada's CCCS issued broad advisories, while CISA has not updated its guidance since October. Observed DDoS activity is limited, yet vendors highlight the greater risk from destructive wipers (e.g., Shamoon) and an arsenal of 15+ Iranian malware families. High‑profile APTs such as APT35/APT42 and APT33 remain concerning; organizations should harden OT, remove unmanaged RMM tools, implement phishing‑resistant MFA (FIDO2/WebAuthn), patch VPNs and monitor endpoints for wiper indicators.

Amazon GameLift Servers Adds UDP DDoS Protection Feature

🛡️ Amazon Web Services announced Amazon GameLift Servers DDoS Protection, a new capability that provides proactive UDP-based defense for session-based multiplayer games using GameLift Servers. The feature co-locates a relay network to authenticate client traffic with access tokens and enforce per-player traffic limits, helping prevent both targeted and volumetric DoS/DDoS disruptions while adding negligible latency. It is available at no additional cost to GameLift Servers customers and includes console and API integration with sample code for Unreal Engine and native C++.

2026 Cloudflare Threat Report: Rise of High-Trust Attacks

🔍 The 2026 Cloudflare Threat Report from Cloudforce One documents a shift from brute-force intrusion toward high-trust exploitation, introducing a new metric: the Measure of Effectiveness (MOE). The report identifies eight trends — including AI-driven attack automation, token theft that neutralizes MFA, weaponized cloud tooling, and record-setting hyper-volumetric DDoS — that favor speed and throughput over sophistication. It urges organizations to adopt autonomous, real-time defenses and previews an upgraded automated threat-events command center to help harden the connective tissue of modern networks.

Study Finds Hackers Disrupt Operations at Many Firms

🔒 A representative survey by the Centre for European Economic Research (ZEW) found that a notable share of German companies experienced cyberattacks in 2025. In the information economy about one in seven firms and in industry about one in eight reported damage. Larger firms (100+ employees) were more frequently affected. The most common consequence was operational downtime, alongside financial losses, ransom demands, and data exfiltration.

Talos: Monitoring Cyber Activity in the Middle East

🔍 Cisco Talos is actively monitoring the evolving conflict in the Middle East for cyber-related activity and currently reports no significant, state-sponsored cyber impacts. Incidents observed to date are limited — primarily website defacements, small distributed-denial-of-service (DDoS) campaigns, and opportunistic phishing using conflict-themed lures. Talos assesses that Iranian-aligned groups historically operate in espionage, destructive attacks, and hack-and-leak operations, which remain plausible avenues. Organizations should prioritize MFA, timely patching, robust monitoring, and targeted third-party risk controls to reduce collateral exposure.

UK NCSC Issues Warning on Iranian Cyberattack Risks

⚠️ The UK National Cyber Security Centre (NCSC) has issued an advisory warning British organisations of an elevated risk of Iranian cyberattacks amid the ongoing Middle East conflict. While the NCSC says there is not yet a significant change in the direct threat to the UK, state‑sponsored and Iran‑linked actors likely retain some capability despite Iran’s domestic Internet blackout. Organisations with operations or supply chains in the region are urged to follow guidance on DDoS, phishing, and ICS targeting, review external attack surfaces, and increase monitoring.