Defending against DDoS tsunamis and piranhas: why modern DDoS defense needs two kinds of intelligence
A better metaphor than mice and elephants
The industry has long described the two ends of the DDoS attack spectrum as mice and elephants. It is tidy framing, but imperfect. Elephants are intelligent, social, and largely peaceful animals. Mice connote harmlessness. Neither image matches the threat, damage, or persistence that either class of attack actually represents.
Let's offer a sharper pairing: tsunamis and piranhas.
Tsunamis are sudden, enormous, and visible. They announce themselves on the horizon, and the damage is measured in what they wash away in minutes. The defensive response is equally blunt: seawalls, evacuation, raw capacity.
Piranhas are the opposite. Individually, they do not pose a major threat. What makes them dangerous is the swarm: dozens of simultaneous bites, each small enough to ignore, each coordinated with the others. The water barely stirs. A seawall is useless against them. What you need is the ability to notice the swarm forming, to see the bites in aggregate, and to respond before the prey is stripped clean.
Both inflict comparable harm on their targets. But the intelligence and the tooling required to stop each one are not the same.
How much is 30 Tbps? A scale check.
On 9 October 2025, the Nokia Deepfield Emergency Response Team observed a 33 Tbps DDoS attack against a gaming provider. Days earlier, on 6 October, the Aisuru botnet had set a record of 29.6 Tbps. The Nokia Threat Intelligence Report 2025 reports that 5-10 Tbps peaks have become a daily norm — and that terabit-scale DDoS attacks now occur roughly five times more frequently than a year earlier.
A number like 33 Tbps resists intuition. To make it concrete, compare it to some of the busiest neutral interconnection platforms on the planet — the places where the internet exchanges its traffic at peak.
| Internet exchange point | Most recent reported peak (Tbps) | Source and date |
|---|---|---|
| IX.br aggregate (Brazil, 38 locations) | 50 | |
| IX.br São Paulo (world's largest IXP by participants) | 32 | |
| DE-CIX global platform (60 exchanges) | 27.71 | |
| AMS-IX Amsterdam | ~15 | |
| NL-ix | 12.27 | |
| LINX global platform | 12.07 | |
The punch line is uncomfortable. A single DDoS attack from a single botnet family, in a single burst, generated more traffic than many of the world's leading IXP peering platforms carry at their peaks.
At 33 Tbps, that burst exceeded the combined peak traffic of NL-ix and the LINX global platform, and it exceeded the peak of the world's largest IXP, IX.br São Paulo.
That is what the tsunami looks like, and it is why it dominates the industry conversation. But if tsunamis were the whole story, this would be a capacity problem, and it would already be solved.
The piranhas: small, fast, adaptive, and everywhere
While the record books track terabits, the operational reality for most targets looks very different. The Nokia Threat Intelligence Report 2025 found that 78% of DDoS attacks now conclude within 5 minutes, up from 44% in 2024. 37% end in under 2 minutes. Even the record-breaking 33 Tbps event was measured in seconds, not hours. Short bursts are now the norm, not the exception.
Within that trend, a more unsettling pattern emerges: 82% of DDoS floods remain below 50 Gbps. Individually, each of these is well inside what modern networks can absorb without blinking. Collectively, running in parallel across thousands of targets, cycling vectors and adapting in real time, they can inflict damage comparable to that of the headline attacks while staying beneath the detection and response assumptions operators have built their defenses around.
Three dynamics amplify the problem.
Residential proxies have rewritten the source map. The Nokia Threat Intelligence Report 2025 identifies more than 100 million residential endpoints (roughly 4 percent of global broadband connections) that are potentially exploitable via residential proxy networks and Mirai-derivative botnets such as Eleven11bot/RapperBot and Aisuru. In hotspots such as Brazil and China, residential proxies now account for around 10 percent of observed DDoS traffic. The defensive implication is severe: you cannot firewall household traffic. It is legitimate in origin and legitimate in shape; it just happens to be weaponized.
The botnet ecosystem is modular, not monolithic. In April 2026, the Nokia Deepfield ERT published research documenting five linked botnets — Aisuru, Jackskid, Kimwolf, MossadProxy, and Cecilio — that share tools, target different device classes, and are designed so that disrupting any one leaves the others intact. When the supply of attack capacity is redundant and composable, the tempo and variety of small-to-medium campaigns rise accordingly.
Collateral damage is upstream. The blast radius of a modern DDoS campaign increasingly sits in peering fabrics, IXP ports, and shared cloud edges, not just the target host. A target may survive, yet its neighbors brown out when queues collapse or automated abuse controls trip. Sub-saturating swarms across a wide prefix surface produce exactly this effect — aggregate pressure on the fabric, without any single flow looking alarming on its own.
Several factors make piranha DDoS much harder to detect and mitigate than tsunami DDoS attacks:
- Sub-threshold traffic per target. Per-IP detection misses it entirely. Legacy mitigation triggers on the wrong signal, or not at all.
- Horizontal attack surface. Web, DNS, mail, APIs, VPNs and access networks are hit together. Collateral damage compounds, and root-cause isolation gets harder, not easier.
- Continuous adaptation. Vectors cycle, source IPs rotate, packet rates and protocols mutate inside a single campaign. Static rules age out in minutes.
From the target's perspective, the impact — degraded service, lost revenue, reputational harm, customer churn — is indistinguishable from a hypervolumetric hit. The difference is that operators often do not realize it is happening until customer complaints arrive.
Two threats, two kinds of intelligence
Seawalls do not catch piranhas. The reverse is also true: a high-fidelity anomaly detector tuned for coordinated swarms will not absorb a 30 Tbps flood on its own. Modern DDoS defense needs both, and the requirements are genuinely different.
For the tsunamis:
- Massive, distributed mitigation capacity embedded in the network fabric itself — not concentrated in a single scrubbing center that traffic must be rerouted to. When an attack ends in under two minutes, BGP-based traffic diversion arrives after the battle is over.
- Sub-second detection on known volumetric signatures — reflection and amplification, UDP floods, hyper-volumetric HTTP.
- Automated, deterministic enforcement. Human-in-the-loop response cannot keep pace with a 35-second attack; the decision to mitigate must be made in hardware at line rate.
For the piranhas:
- Network-wide visibility that correlates real-time observability across IPs, prefixes, ASNs, and time — not just per-host thresholds. The attack's impact is produced by the aggregate activity, not by any single flow.
- Continuously learned baselines for what normal looks like at every granularity, so that small but coordinated campaigns are still visible against the noise floor of legitimate traffic.
- Adaptive, context-aware mitigation that recognizes a morphing campaign across vector changes instead of treating each new variant as a fresh, isolated event.
- Real-time threat intelligence grounded in continuous traffic observation — known bad sources, compromised device classes, residential proxy behavior — so that a swarm whose individual members look benign is still recognizable collectively.
The common thread is that piranha DDoS defense is an intelligence problem before it is a capacity problem. Scrubbing bandwidth is necessary but not sufficient. Without the ability to see small, correlated, coordinated activity across the entire footprint, the DDoS attack never crosses the threshold that triggers a mitigation — yet the damage still occurs.
The uncomfortable implication
Industry marketing tends to cluster around whichever record was most recently broken. That is understandable — 33 Tbps (and any number above it) is a legitimately dramatic figure, and it matters. But organizations can still be quietly hollowed out by sub-50 Gbps swarms, by two-minute bursts that cycle through vectors while operators are still parsing the first alert, by coordinated carpet-bombing DDoS campaigns across a /20 subnet.
Two kinds of attacker intent now operate in parallel. One wants to be seen and feared. The other wants to avoid being seen at all. A defense posture that only handles the first will keep losing to the second, which is now far more frequent.
The right question for network operators in 2026 is not "can we stop the next 50 Tbps attack?" It is "can we stop both the 50 Tbps attack and the ten thousand simultaneous sub-50 Gbps ones, running in the same hour, on the same backbone, aimed at different customers?"
Those are not the same problems, and they do not have the same answer.
Tsunamis and piranhas. You need to defend against both, with different tools, and the market is only now catching up with the fact that the second half of that statement is the harder one.
For more information about our approach to DDoS security, check https://www.nokia.com/ip-networks/deepfield/defender/
Follow our public DDoS research at https://github.com/deepfield/public-research.