The DDoS smoke screen: why restoring uptime may be your first mistake


One night last November the traffic graphs at the sports-betting firm 1win went vertical. Hours later the lines flattened, LEDs flicked green, ticket closed. End of story—until forensics showed that, while terabits of junk battered the perimeter, someone tiptoed off with 96 million customer records. The fireworks were loud enough that nobody heard the vault door click.

The culprit? Distributed Denial of Service (DDoS) attacks.

What was once digital vandalism—flood the pipe, claim bragging rights—has evolved into outright misdirection, hogging every console and CPU cycle while the real break-in unfolds elsewhere.

Leads security research for Nokia Deepfield.

DDoS Attacks Today

Carriers that once saw two DDoS incidents a day now log hundreds, and 44% of these attacks are over in under five minutes. Blink and you miss the smoke screen—plus the burglary behind it.

Why the surge? Because a 100-gig “booter” subscription (to DDoS-for-hire services) costs less than Netflix. And because botnets ship pre-assembled: for instance, Eleven11bot drove hijacked webcams to launch record-breaking DDoS attacks, peaking at 6.5 Tb/s in February. That’s more than ten times Mirai’s original 2016 record.

Attackers don’t show up to smash the furniture; they keep you chasing alarms while they lift the valuables—exfiltrating data, dropping ransomware, wiring in next week’s back-door.

Many teams let their guard down the moment the latency graphs sag back to normal, unaware they’re celebrating on the wrong lap. Stateful firewalls, last-minute ACLs (Access Control Lists), and a heroic operator attempt to handle raw volume right up to the moment an attacker overloads the very gear meant to stop them.

Picture the firewall as a nightclub bouncer armed with an exquisitely detailed guest list. Flood the door with a million party-crashers and the clipboard becomes decoration. In the chaos, the bouncer waves everyone through.

That reflex is fail-open.

Fail-open isn’t magic—it’s physics. Cram the firewall’s state table with a volumetric SYN flood and, once memory pegs, the firmware panics and slips into bypass, in a last-ditch attempt to keep links alive and traffic flowing. If the inspection daemon seg-faults under the strain, the chassis bridges traffic until it restarts. Kill the power or flap a link and the hardware relay shorts the ports together.

From the security operations center (SOC) chair, it’s eerie: logs go silent, session counters plunge, line-rate traffic barrels on, and NetFlow suddenly shows inbound RDP the policy never touched. The attacker didn’t avoid your defenses; they used them as the on-ramp.

What To Do Next

MITRE’s ATT&CK playbook spells it out: adversaries have been observed launching DDoS “to support other malicious activities, including distraction.” In other words, getting the service back up is merely Act I.

Four moves that can help your team keep the fireworks outside:

1. Baseline the who and the why, not just the how much

It’s midnight. Five thousand no-name IP-cams halfway across the globe all at once decide your Domain Name System (DNS) authoritative name-server is their new best friend. Bandwidth may not spike massively, but intent screams: cameras don’t spontaneously flood DNS.

Your detection engine should instantly flag anomalies like “Devices that typically whisper Network Time Protocol (NTP) are suddenly screaming DNS.” Layer flow data onto BGP, turning suspicious cameras into red dots on a heat map.

2. Let automation throw the first punch—under a minute, or it’s too slow

No human can out-type a terabit flood. Hand the reflex to silicon—gear that fires back before you’ve even seen the spike.

The moment packets per second cross your threshold, edge routers should automatically shed malicious traffic or redirect it to mitigation gear, reverting when conditions stabilize.
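The trip-and-revert reflex described above, as an added example that is not from the article or from any vendor's product: a packets-per-second guard that diverts on the first sample over a threshold and only reverts after a sustained calm period, so a flood that pauses briefly does not flap the mitigation on and off. Threshold values and the sample series are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PpsGuard:
    """Automated mitigation reflex for an edge router (illustrative model).

    Trips as soon as one sample crosses trip_pps (no human in the loop) and
    reverts only after traffic has stayed at or below clear_pps for
    clear_samples consecutive samples (hysteresis against flapping)."""
    trip_pps: float            # packets/s that triggers diversion
    clear_pps: float           # packets/s considered "stable" again
    clear_samples: int = 3     # consecutive calm samples before reverting
    mitigating: bool = False
    calm: int = 0
    actions: list = field(default_factory=list)

    def observe(self, pps: float) -> str:
        """Feed one packets-per-second sample; return the action taken."""
        if not self.mitigating:
            if pps >= self.trip_pps:
                self.mitigating, self.calm = True, 0
                self.actions.append(("divert", pps))
                return "divert"
            return "pass"
        if pps <= self.clear_pps:
            self.calm += 1
            if self.calm >= self.clear_samples:
                self.mitigating, self.calm = False, 0
                self.actions.append(("revert", pps))
                return "revert"
        else:
            self.calm = 0          # flood resumed: restart the calm count
        return "mitigating"

def run_guard(samples, trip_pps=10_000, clear_pps=1_000, clear_samples=3):
    """Replay one-second pps samples; return (per-sample actions, guard)."""
    guard = PpsGuard(trip_pps, clear_pps, clear_samples)
    return [guard.observe(p) for p in samples], guard

# Constructed sample series: quiet, a flood, a short lull, a last burst, then calm.
SAMPLES = [100, 120, 50_000, 80_000, 200, 150, 9_000, 100, 110, 120]

if __name__ == "__main__":
    decisions, guard = run_guard(SAMPLES)
    for pps, d in zip(SAMPLES, decisions):
        print(f"{pps:>7} pps -> {d}")
    print("actions:", guard.actions)
```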

3. Give your firewalls an airbag—let a stateless layer eat the crash

Firewalls are brilliant chess players with one fatal flaw: every new flow grabs a square on a state table, and that board is only so big. Fill it, and the box either drops everything or—worse—fails open. As a safeguard, bolt on a stateless “airbag” a hop upstream. It doesn’t care about SYNs or sequence numbers; it cares about the who and what—five thousand white-label cameras suddenly pelting your DNS server, for instance.

The second that odd waveform appears, the airbag inflates: it drops the anomalous traffic on the device or punts the junk to a scrubber. No sessions to track, no table to exhaust; just raw line-rate math absorbing the impact while the firewall keeps pondering the finer stuff: TLS fingerprints, strange HTTP verbs, and bots masquerading as browsers.
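The “who and what” baseline from move 1 and the stateless airbag from move 3, as one added example that is not from the article: per-source profiles built from flow records, a check for sources that pour traffic into a port they never used before (the NTP-whispering cameras suddenly screaming DNS), and the resulting drop rules expressed as plain src/dst/port matches that need no session state. All flow records, addresses and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, packets)
BASELINE = [  # a quiet historical window
    ("203.0.113.10", "192.0.2.1", 123, 4),    # camera, talks NTP only
    ("203.0.113.11", "192.0.2.1", 123, 3),
    ("203.0.113.12", "192.0.2.1", 123, 5),
    ("198.51.100.7", "192.0.2.53", 53, 40),   # a resolver that always talks DNS
]
CURRENT = [  # the window under review
    ("203.0.113.10", "192.0.2.53", 53, 9000),
    ("203.0.113.11", "192.0.2.53", 53, 8700),
    ("203.0.113.12", "192.0.2.53", 53, 9100),
    ("203.0.113.12", "192.0.2.1", 123, 2),    # still a little NTP
    ("198.51.100.7", "192.0.2.53", 53, 55),   # resolver within its profile
]

def profile(flows):
    """Per-source packet counts keyed by destination port."""
    prof = defaultdict(Counter)
    for src, _dst, dport, pkts in flows:
        prof[src][dport] += pkts
    return prof

def behaviour_shift(baseline, current, min_pkts=1000, ratio=10.0):
    """Flag sources whose traffic to a port is both large and far above
    what that source ever sent there in the baseline.
    Returns {src: (dport, current_pkts)}."""
    base, now = profile(baseline), profile(current)
    hits = {}
    for src, ports in now.items():
        for dport, pkts in ports.items():
            seen = base.get(src, Counter()).get(dport, 0)
            if pkts >= min_pkts and pkts > ratio * max(seen, 1):
                hits[src] = (dport, pkts)
    return hits

def stateless_rules(hits, victim):
    """Group hits into drop rules a stateless upstream filter can hold:
    no sessions or sequence numbers, just src set, dst and port."""
    by_port = defaultdict(list)
    for src, (dport, _pkts) in hits.items():
        by_port[dport].append(src)
    return [{"action": "drop", "dst": victim, "dport": p, "src": sorted(s)}
            for p, s in sorted(by_port.items())]

if __name__ == "__main__":
    found = behaviour_shift(BASELINE, CURRENT)
    for rule in stateless_rules(found, "192.0.2.53"):
        print(rule)
```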

4. Audit the bouncers—make sure none of them silently swing the rope aside

Fail-open is a configuration choice, not a cosmic constant. Dramatically unplugging boxes mid-attack isn’t necessary; review your configurations instead. Verify each inline device explicitly states how it behaves if software crashes, links fail, or power dies. Anything set to silently bypass traffic without approval belongs at the top of tomorrow’s change list.

DDoS fireworks dazzle, but nobody robs the vault just for the spectacle. Spot the diversion, stay clear-eyed, and keep the attackers outside looking in. Next time the sky lights up, keep at least one eye on the basement door.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.


