TL;DR

  • Network-layer DDoS attacks increased 168.2% year over year in 2025, with peak attack volumes reaching nearly 30 Tbps, according to Radware's 2026 Global Threat Analysis Report [1].
  • Web DDoS (application-layer) attacks climbed 101.4%, with 94.4% of attacks now lasting under 60 seconds — too fast for manual response [1].
  • Malicious web application and API transactions rose 128%, with vulnerability exploitation now driving nearly 58% of application-layer attacks in Q4 2025 [1].
  • Bad bot activity increased 91.8%, fuelled by generative AI tools that lower the barrier to entry for automated attacks [1].
  • Business resilience is achievable: automated, cloud-based DDoS mitigation and API security are now the realistic baseline for any organisation with an online presence [1][2].

What's Driving the Surge in DDoS Attacks?

Distributed Denial of Service (DDoS) attacks — where an overwhelming flood of traffic is sent to knock a website, application, or network offline — have historically been a blunt-force weapon. In 2025, they became something more sophisticated. Radware's 2026 Global Threat Analysis Report, released on February 19, 2026, and based on comprehensive analysis of attack data from cloud and managed security services across the full year, reveals a threat landscape that has changed significantly in both scale and technique [1].

Network-layer DDoS attacks (targeting layers 3 and 4 of the OSI model — the underlying protocols that route internet traffic) increased 168.2% year over year [1]. Peak attack volumes reached nearly 30 Terabits per second — a volume that would overwhelm the internet connections of all but the largest cloud providers [1]. The average Radware customer experienced more than 25,351 network-layer DDoS attacks in the second half of 2025 alone: that is 139 attacks per day [1].

Two trends are powering this surge. First, geopolitical conflict: hacktivist groups pursuing political objectives generated sustained, high-volume campaigns throughout 2025, with the group NoName057 alone claiming 4,693 attacks — a new historical record [1]. Second, automation: generative AI tools have dramatically lowered the barrier to launching automated attacks, enabling threat actors to operate at machine speed and scale [1][2].


Why 60-Second Attacks Are a New Kind of Problem

Not all DDoS attacks are built the same in 2026. The Radware report reveals a deliberate tactical shift in Web DDoS (application-layer, or layer 7) attacks: 94.4% of attacks now measure under 100,000 requests per second, and most high-impact attacks last under 60 seconds [1].

That sounds reassuring until you understand the implication. Traditional DDoS mitigation relies on detecting a sustained flood of traffic and gradually blocking it. When attacks pulse in short bursts — 30 or 45 seconds at a time — they complete before human-in-the-loop defences can even identify what is happening, let alone respond [1]. Short, frequent attacks create customer-facing disruption (error pages, slow load times, failed transactions) without tripping the thresholds that trigger automated defences or human escalation.

For businesses with e-commerce sites, customer portals, or booking systems, this translates directly into lost transactions and eroded customer trust — without a clear "we were attacked" signal to point to afterward.

Web DDoS attacks grew 101.4% year over year, with the Asia-Pacific region experiencing the fastest growth at 485% [1]. Online services, financial services, and retail organisations experienced the highest volumes of web DDoS activity — reflecting attackers' strategic focus on revenue-generating digital platforms [1].


The API Attack Problem: Your App's Back Door

Web APIs — the interfaces that allow applications to communicate with each other, and which power everything from payment processing to delivery tracking — are now a primary attack surface. Radware reports that malicious web application and API transactions rose 128% in 2025, with vulnerability exploitation accounting for 41.8% of observed application-layer attacks overall, rising to nearly 58% in Q4 2025 [1].

This shift matters for two reasons. First, APIs are often less protected than websites: many organisations apply strict security to their customer-facing front end while leaving API endpoints with weaker controls [1]. Second, attackers are no longer relying on brute-force volume. Business logic attacks — exploiting the way an application is supposed to work, rather than overwhelming it — are increasingly common [1]. These are harder to detect and block because the traffic patterns look like legitimate use.

Technology-driven organisations with extensive API ecosystems — SaaS providers, cloud platforms, fintech firms, and increasingly any business using third-party integrations — face the highest levels of application-layer exploitation [1].

According to the 2026 Cybersecurity Insiders Outlook, 58% of financial firms say they lack continuous visibility into third-party exposures [2]. If your business relies on external APIs for payments, logistics, or customer data, your third-party vendors' security posture is also your security posture.


Bad Bots: AI Is Arming the Other Side Too

Bad bot activity — automated, malicious traffic used for credential stuffing, scraping, account takeover, and price manipulation — increased 91.8% in 2025 [1]. In just the first six months of 2025, bad bot volume reached 89.2% of the total volume seen across all of 2024 [1]. Generative AI tools, which allow attackers to write convincing phishing content, generate bypass logic, and automate reconnaissance at scale, are the accelerant [1][2].

North America accounted for 40.7% of malicious bot transactions globally, followed by Asia-Pacific at 25% [1]. For Australian businesses, this is not a distant threat: APAC is the fastest-growing target region for web DDoS attacks [1], and Australia's high density of banking, retail, and e-commerce infrastructure makes it a logical target for both hacktivist campaigns and financially motivated bot operations.

For businesses with online portals, the practical impact of bad bots includes: customer accounts being locked out due to credential stuffing attempts, inventory systems scraped for competitive intelligence, and legitimate users experiencing degraded performance while bots consume server resources.


What Can Your Business Actually Do? A Practical Protection Plan

The good news: effective DDoS and bot protection is no longer exclusively the domain of enterprise organisations with dedicated security operations centres. Cloud-based mitigation services have matured substantially, and the baseline for reasonable protection is achievable for Australian SMBs.

Use Cloud-Based DDoS Protection

On-premises DDoS mitigation is effectively obsolete against modern volumetric attacks. At peak volumes near 30 Tbps, only cloud-scale scrubbing infrastructure can absorb and filter attack traffic before it reaches your network [1]. Cloudflare's Q4 2025 DDoS Threat Report corroborates this picture: hyper-volumetric attacks are increasingly the norm, making cloud-based scrubbing the baseline expectation rather than an enterprise luxury [6]. Services from providers like Cloudflare, AWS Shield, and Radware sit in front of your infrastructure and filter malicious traffic upstream.

Cloudflare's free and Pro tiers provide meaningful protection for most small business websites. For organisations with higher availability requirements — e-commerce, financial services, healthcare — Cloudflare Business or Enterprise, AWS Shield Advanced, or a dedicated managed DDoS service is appropriate.

Enable Automated, Sub-Second Response

Radware's report explicitly states that attacks completing in under 60 seconds make "manual mitigation and human-in-the-loop defenses increasingly ineffective" [1]. The implication: your DDoS protection must be automated. Configure automatic rate limiting, challenge pages, and traffic shaping rules. Human review should be for post-incident analysis — not the first line of response.
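Why a threshold tuned for sustained floods misses pulsed attacks, as an added example (not code from the Radware report or any vendor's product): the same threshold is evaluated over a 5-minute and a 10-second window on constructed per-second traffic that carries a 45-second pulse every five minutes. The traffic levels, window sizes, 1,000 rps threshold and reaction delays are assumptions chosen for illustration.

```python
from collections import deque

BASELINE_RPS, BURST_RPS = 200, 3000                    # constructed traffic levels
BURST_LEN, BURST_EVERY, BURST_OFFSET = 45, 300, 120    # 45 s pulse every 5 min


def constructed_traffic(duration=900):
    """Per-second request counts: steady baseline plus short pulses."""
    return [
        BURST_RPS if BURST_OFFSET <= t % BURST_EVERY < BURST_OFFSET + BURST_LEN
        else BASELINE_RPS
        for t in range(duration)
    ]


def window_alerts(series, window, threshold_rps):
    """Seconds at which the mean rate over the last `window` seconds rises
    above threshold_rps. One alert per excursion, none until the window is full."""
    buf, total, alerts, active = deque(), 0, [], False
    for t, count in enumerate(series):
        buf.append(count)
        total += count
        if len(buf) > window:
            total -= buf.popleft()
        over = len(buf) == window and total / window > threshold_rps
        if over and not active:
            alerts.append(t)
        active = over
    return alerts


def seconds_mitigated(alerts, reaction_delay):
    """Burst seconds still ahead once mitigation starts, summed over all alerts.
    reaction_delay is the time from alert to an enforced rule; each alert is
    assumed to fall inside the pulse of its own 5-minute period."""
    covered = 0
    for alert in alerts:
        burst_start = alert - (alert % BURST_EVERY) + BURST_OFFSET
        burst_end = burst_start + BURST_LEN            # exclusive
        covered += max(0, burst_end - (alert + reaction_delay))
    return covered


if __name__ == "__main__":
    traffic = constructed_traffic()
    slow = window_alerts(traffic, window=300, threshold_rps=1000)
    fast = window_alerts(traffic, window=10, threshold_rps=1000)
    print("5-minute average alerts:", slow)
    print("10-second window alerts:", fast)
    print("burst seconds covered, automated (1 s):", seconds_mitigated(fast, 1))
    print("burst seconds covered, manual (300 s):", seconds_mitigated(fast, 300))
```

On this data the 5-minute average peaks at 620 rps and never alerts, while the 10-second window alerts two seconds into each pulse. A 1-second automated reaction covers 126 of the 135 burst seconds; a 5-minute manual reaction covers none.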

Audit Your API Exposure

Work with your development team or IT provider to document every public-facing API endpoint. Apply authentication requirements, rate limiting, and input validation — OWASP's API Security Top 10 provides a practical baseline checklist for exactly these controls [7]. Review API traffic logs for anomalous patterns — bursts of failed requests, unusual geographic sources, or access to endpoints that should not be public. The 2026 Radware report's finding that vulnerability exploitation is driving 58% of application-layer attacks means that an unpatched or misconfigured API is now a priority target [1].
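One way to run the log review described above, as an added example rather than code from the OWASP checklist or any vendor: it checks constructed access-log lines against a hypothetical endpoint inventory and flags undocumented method/path pairs and clients with a burst of failed requests. The log format, the inventory, the IP addresses (documentation ranges) and the 5-failures-in-60-seconds threshold are assumptions; the geographic check is left out because it needs a GeoIP database.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical inventory of documented public endpoints; {id} is one path segment.
INVENTORY = [
    ("GET", "/api/v1/products"),
    ("GET", "/api/v1/orders/{id}"),
    ("POST", "/api/v1/login"),
]

# Constructed sample log: ISO timestamp, client IP, method, path, status.
SAMPLE_LOG = """\
2026-02-20T10:00:01Z 192.0.2.10 GET /api/v1/products 200
2026-02-20T10:00:02Z 192.0.2.10 GET /api/v1/orders/1841 200
2026-02-20T10:00:03Z 198.51.100.7 POST /api/v1/login 401
2026-02-20T10:00:04Z 198.51.100.7 POST /api/v1/login 401
2026-02-20T10:00:05Z 198.51.100.7 POST /api/v1/login 401
2026-02-20T10:00:06Z 198.51.100.7 POST /api/v1/login 401
2026-02-20T10:00:07Z 198.51.100.7 POST /api/v1/login 401
2026-02-20T10:00:09Z 203.0.113.5 GET /api/internal/metrics 200
2026-02-20T10:03:30Z 192.0.2.10 POST /api/v1/login 401
2026-02-20T10:09:00Z 192.0.2.10 POST /api/v1/login 200
2026-02-20T10:09:05Z 192.0.2.10 DELETE /api/v1/orders/1841 403
"""


def _compile(template):
    """Turn a path template into a regex meant for fullmatch()."""
    parts = ["[^/]+" if p == "{id}" else re.escape(p) for p in template.split("/")]
    return re.compile("/".join(parts))


MATCHERS = [(method, _compile(path)) for method, path in INVENTORY]


def parse(line):
    ts, ip, method, path, status = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, ip, method, path.split("?", 1)[0], int(status)


def audit(log_text, max_failures=5, window_s=60):
    """Flag undocumented method/path pairs and per-client bursts of 4xx/5xx."""
    undocumented, bursts = set(), set()
    failures = defaultdict(deque)            # ip -> timestamps of recent failures
    for line in filter(str.strip, log_text.splitlines()):
        try:
            when, ip, method, path, status = parse(line)
        except ValueError:
            continue                         # skip malformed lines
        if not any(m == method and rx.fullmatch(path) for m, rx in MATCHERS):
            undocumented.add((ip, method, path, status))
        if status >= 400:
            recent = failures[ip]
            recent.append(when)
            while (when - recent[0]).total_seconds() > window_s:
                recent.popleft()
            if len(recent) >= max_failures:
                bursts.add(ip)
    return {"undocumented": sorted(undocumented), "failure_bursts": sorted(bursts)}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for finding in report["undocumented"]:
        print("not in inventory:", finding)
    print("failure bursts from:", report["failure_bursts"])
```

The status code is kept with each undocumented finding because a 200 on a path outside the inventory means the endpoint is actually being served, which matters more than a 404 or 403.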

Implement Bot Management

Web Application Firewalls (WAFs) with bot management capabilities — available through Cloudflare, Imperva, and AWS WAF — distinguish legitimate user traffic from automated bot traffic using behavioural analysis and device fingerprinting. For e-commerce or membership platforms where credential stuffing is a risk, bot management is not optional.

Test Your Resilience

The only way to know how your business responds to a DDoS event is to test it before an attacker forces the test. Engage a cybersecurity professional to conduct a simulated DDoS exercise or table-top response planning session. Know in advance: Who gets called? What gets shut down? What's the customer communication plan? The ACSC provides DDoS-specific threat guidance and mitigation frameworks for Australian businesses [8].


The Industry Targeting Picture: Are You in a High-Risk Sector?

According to Radware's 2026 report, the technology sector accounted for 45% of all network-layer DDoS attacks — up sharply from 8.77% in 2024 — with telecommunications and financial services also heavily targeted [1]. For web DDoS, online services, financial services, and retail faced the highest volumes [1].

Government services were the primary target for hacktivist campaigns, accounting for 38.8% of all claimed hacktivist attacks [1]. For businesses in these sectors, a proactive DDoS protection posture is a table-stakes operational requirement.

Even outside these specific sectors, the 139 average daily network-layer attacks observed per customer in the Radware dataset signals that automated, opportunistic DDoS attacks are now ambient internet noise [1]. The question is not whether your business will see malicious traffic, but whether your infrastructure is positioned to handle it without business disruption.


FAQ

A Distributed Denial of Service (DDoS) attack is when a large number of systems — often thousands of compromised computers or IoT devices — simultaneously flood a target website, application, or network with traffic, overwhelming its capacity to respond to legitimate users. The goal is to make the service unavailable. Modern DDoS attacks range from raw volumetric floods to sophisticated application-layer attacks that target specific functionality rather than raw bandwidth.

Costs vary significantly by business size and sector. For e-commerce businesses, every minute of downtime translates directly to lost sales. For service businesses, unavailability damages customer trust and triggers SLA penalties. Beyond direct revenue loss, incident response, reputational damage, and potential regulatory scrutiny add to total impact. Radware's data showing peak attack volumes of nearly 30 Tbps indicates attacks capable of taking down even large, well-resourced organisations without appropriate mitigation in place [1].

Yes. While large enterprises and government targets receive the most media coverage, small businesses are regularly targeted by opportunistic attackers, competitors using unethical tactics, and as collateral damage from shared hosting environments where a co-hosted site is the real target. E-commerce and financial services SMBs face heightened risk due to the revenue impact of downtime. Cloudflare's free tier and entry-level DDoS protection services make basic mitigation accessible even with small budgets.

Three factors: geopolitics (hacktivist campaigns tied to international conflicts are generating sustained attack volumes [1]); AI and automation (generative AI tools lower the technical barrier to launching sophisticated attacks [1][2]); and the commercialisation of DDoS-as-a-service platforms that allow anyone to "rent" attack infrastructure for as little as a few dollars per hour. The Radware report notes that bad bot activity reached 89.2% of full-year 2024 volumes in just the first half of 2025 [1].

Network-layer (L3/L4) DDoS attacks flood the underlying network infrastructure with raw traffic volume — UDP floods, SYN floods, and similar techniques targeting bandwidth and connection capacity. Web DDoS (layer 7) attacks target the application itself, sending requests that look like legitimate user behaviour but in overwhelming volume. Layer 7 attacks are generally more sophisticated and harder to mitigate because they require understanding the difference between legitimate and malicious requests rather than simply blocking traffic based on volume thresholds.


References

[1] Radware, "2026 Global Threat Analysis Report," GlobeNewswire, Feb. 19, 2026. [Online]. Available: https://www.globenewswire.com/news-release/2026/02/19/3240861/8980/en/Radware-2026-Global-Threat-Report-Shows-DDoS-Attacks-Jump-168-as-Cyber-Threats-Escalate-Across-Networks-and-Applications.html

[2] Cybersecurity Insiders, "2026 Cybersecurity Outlook: A Maturity Reckoning," Cybersecurity Insiders, Feb. 19, 2026. [Online]. Available: https://www.cybersecurity-insiders.com/2026-cybersecurity-outlook-a-maturity-reckoning/

[3] Palo Alto Networks Unit 42, "2026 Unit 42 Global Incident Response Report — Attacks Now 4x Faster," Palo Alto Networks Blog, Feb. 17, 2026. [Online]. Available: https://www.paloaltonetworks.com/blog/2026/02/unit-42-global-ir-report/

[4] StockTitan, "Radware 2026 report: DDoS attacks up 168%," StockTitan, Feb. 19, 2026. [Online]. Available: https://www.stocktitan.net/news/RDWR/radware-2026-global-threat-report-shows-d-do-s-attacks-jump-168-as-jxrmyarssbii.html

[5] Cybersecurity Ventures, "AI-driven cybercrime techniques accelerating attack speed and scale," cited in ET Edge Insights, Feb. 18, 2026. [Online]. Available: https://etedge-insights.com/in-focus/trending/top-cybersecurity-threats-to-watch-in-2026/

[6] Cloudflare, "DDoS Threat Report 2025 Q4," Cloudflare Blog, Jan. 2026. [Online]. Available: https://blog.cloudflare.com/ddos-threat-report-2025-q4/

[7] OWASP, "OWASP API Security Top 10," OWASP Foundation, 2023. [Online]. Available: https://owasp.org/API-Security/editions/2023/en/0x11-t10/

[8] Australian Cyber Security Centre (ACSC), "Denial of Service," cyber.gov.au. [Online]. Available: https://www.cyber.gov.au/threats/types-of-cyber-threats/denial-service


Strong DDoS resilience means your services stay up when others go down — protecting revenue, maintaining customer trust, and making your infrastructure a competitive advantage rather than a liability. lil.business helps Australian SMBs design and implement DDoS-resilient architectures: cloud protection configuration, WAF deployment, API security hardening, and response playbooks. Book a free consultation to see how your current infrastructure is positioned.

ELI10: Websites Are Being Buried Under Fake Visitors

Explained Like You're 10 — by lilMONSTER at lil.business


Imagine you own a small café. On a normal day, 50 people walk in, order coffee, sit down, and chat. You can handle it easily.

Now imagine someone organises a flash mob of 50,000 strangers to walk into your café all at once — not to buy anything, just to block the door. Real customers can't get in. You can't serve anyone. Your café grinds to a halt.

That is exactly what a DDoS attack does to a website.


What Is a DDoS Attack?

DDoS stands for Distributed Denial of Service. The idea is simple: flood a website with so much fake traffic that it can't respond to real visitors. The website crashes, goes slow, or shows error pages.

In 2025, these attacks got a lot bigger and a lot smarter. A new report released this week from a cybersecurity company called Radware found that DDoS attacks jumped 168% compared to the year before. In fact, the biggest attack measured was nearly 30 Terabits per second — that's like trying to push the entire internet through a garden hose.


Why Are They Getting Worse?

Two big reasons:

  1. AI tools are making it easy. Attackers now use AI to automate attacks — they can launch thousands of fake visitors per second with minimal effort. Bad bot activity (automated, fake traffic) grew 92% last year.

  2. Political conflicts online. Many attacks are launched by groups with political goals, trying to knock down government websites or disrupt businesses they disagree with. This kind of attack — called hacktivism — is now a major driver of the surge.


New Trick: The 60-Second Hit and Run

Here's a sneaky evolution. Most attacks used to be big, sustained floods that lasted hours. Security systems learned to spot those.

Now attackers are doing short, sharp bursts: hit hard for 30-45 seconds, disappear, repeat. It's like a mob of strangers rushing your café door for one minute, leaving before security arrives, then coming back five minutes later. It's enough to keep real customers away — but it's hard to stop.


What Does This Mean for Your Business?

If your business has a website, booking system, online shop, or customer portal, a DDoS attack can:

  • Make your site go down during peak times
  • Stop customers from completing purchases
  • Crash your payment terminal integrations
  • Damage your reputation if people can't reach you

The sectors hit hardest? Online retail, financial services, and technology companies. But small businesses are not immune — especially if they use shared hosting, where your website sits next to someone else who gets targeted.


What Can You Do?

Here are three things any business can do right now:

  1. Use Cloudflare (free tier). Cloudflare sits between your website and the internet, filtering out attack traffic before it reaches you. It's free for most small sites and takes about 30 minutes to set up. Ask your web person to enable it.

  2. Enable rate limiting. This tells your website to only allow a certain number of visitors per second from any one location. Most hosting providers and platforms like Shopify or WordPress (via plugins) support this.

  3. Have a "site down" plan. Know in advance: who do you call? What do you post on social media? Where do customers go if your booking system is down? A plan written before the crisis is worth ten plans written during one.


The Big Picture

You don't need to be a big company to be targeted. You just need to be online. The good news: basic protection is free or cheap, and taking 30 minutes this week to set it up is one of the best investments your business can make.

lil.business helps Australian small businesses set up DDoS protection, WAF (web firewalls), and "stay online" plans without needing to become a tech expert. Book a free 30-minute consult and let's make your website resilient.
