Herd immunity for the internet
Network-level defense across the botnet lifecycle
When people talk about defending against DDoS, they usually mean the final couple of minutes: an attack arrives at the customer edge or gets diverted to a scrubbing center, and the cleanup begins. That is the part everyone sees, and the Nokia Threat Intelligence Report 2025 makes the timing brutally clear: 78% of attacks end within five minutes, 37% within two. Defenders get those minutes to respond to something the attacker has often been preparing for weeks. A botnet typically spends weeks scanning the internet for new hosts, days delivering malware to recruits, and hours coordinating who hits what and when. All of that activity crosses someone's network, and most of it is visible from the peering edge.
That preparation comes in four stages, and each stage is a chance to do something about it.
The first stage: reconnaissance
A lot of malicious activity on the internet starts with scanning: looking for exposed SSH, unpatched routers, internet-facing industrial gear, anything reachable that should not be. Botnets scan to find new hosts, though it is not their only recruitment channel. Other actors scan the same surfaces with worse intentions, looking for a foothold into a subscriber's network as a prelude to data theft or ransomware. The scanning itself is not harmless either: at high rates it can exhaust the state tables of telco firewalls and inline appliances, and of their customers' equipment, long before any compromise occurs. From a single host it looks like noise. From the peering edge it is a distinctive signal (one source touching thousands of destinations on a handful of ports, one probe packet per target), and it often points back to a small set of providers known for tolerating, and sometimes catering to, this kind of activity. Legitimate research scanners are distinguishable: they announce themselves with published source ranges and identifying reverse DNS, keep their rates modest and honor opt-outs. Telling the two apart is the whole game.
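As an added illustration of what that peering-edge signal looks like in flow telemetry (example code written for this page, not Deepfield's detection logic), the script below builds a few constructed flow records, profiles each source by fan-out, port spread and the share of single-packet flows, and separates a mass scanner from a research scanner with the same traffic shape using a hypothetical allowlist of published research ranges. The thresholds, the allowlist range and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One sampled flow record, as a peering-edge collector would export it."""
    src: str
    dst: str
    dport: int
    packets: int


# Hypothetical allowlist of published research-scanner source ranges (assumption:
# a real deployment would load the ranges the research projects publish).
RESEARCH_RANGES = [ip_network("203.0.113.0/28")]


def is_research_source(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in RESEARCH_RANGES)


def summarize(flows):
    """Per source: distinct destinations, distinct ports, share of one-packet flows."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    total = defaultdict(int)
    single = defaultdict(int)
    for f in flows:
        dsts[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        total[f.src] += 1
        if f.packets == 1:
            single[f.src] += 1
    return {
        src: {
            "fanout": len(dsts[src]),
            "ports": len(ports[src]),
            "single_pkt_share": single[src] / total[src],
        }
        for src in total
    }


def classify(flows, min_fanout=50, max_ports=3, min_single_share=0.9):
    """Label each source 'scanner', 'research' or 'normal'.

    Thresholds are illustrative assumptions, not tuned values. A mass scanner
    touches many destinations on few ports and almost every flow is a single
    probe packet; a source with that shape from a known research range is
    labelled separately so it can be rate-limited or ignored rather than dropped.
    """
    labels = {}
    for src, s in summarize(flows).items():
        scan_shape = (
            s["fanout"] >= min_fanout
            and s["ports"] <= max_ports
            and s["single_pkt_share"] >= min_single_share
        )
        if not scan_shape:
            labels[src] = "normal"
        elif is_research_source(src):
            labels[src] = "research"
        else:
            labels[src] = "scanner"
    return labels


def sample_flows():
    """Constructed telemetry (not captured data): a mass SSH scanner, a research
    scanner with the same shape, and one ordinary client."""
    flows = []
    for host in range(1, 121):  # 120 hosts in 192.0.2.0/24, one SYN each
        flows.append(Flow("198.51.100.7", f"192.0.2.{host}", 22, 1))  # mass scanner
        flows.append(Flow("203.0.113.5", f"192.0.2.{host}", 22, 1))   # research range
    for _ in range(6):  # one client with a few real sessions
        flows.append(Flow("198.51.100.20", "192.0.2.10", 443, 40))
    return flows


if __name__ == "__main__":
    for src, label in classify(sample_flows()).items():
        print(f"{src:16} {label}")
```

The point of the three-way label is operational: the scanner can be dropped at the edge, the research source kept but rate-limited if it is stressing stateful gear, and the client left alone. In a real collector the same per-source counters would be kept over a sliding window and fed by sampled flow exports rather than a list in memory.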
The second stage: delivery
When a scanner finds a vulnerable host, the exploit itself usually does not contain the malware; it contains a small payload that fetches the real thing from a staging server elsewhere on the internet. Block those servers and you sever the line between exploitation and infection. The catch is that staging addresses rotate constantly, sometimes within hours, and a list maintained by hand is stale before it ships. What makes this work is not the block but the pipeline behind it: research into active botnet families, attribution of new infrastructure as it appears, and automation that keeps the list current. The block is easy; knowing what to block is the work, and it is exactly the kind of work the Nokia Deepfield Emergency Response Team does.
The third stage: command and control (C2)
An infected device is inert without instructions; the C2 channel is how the operator tells it what to do, where to scan, what to download, when to attack and against whom. Sever the channel by null-routing the destination or blocking the address at the network, and the botnet goes quiet even though every infected device is still infected. The one check to make first is what else the address serves: C2 on shared hosting or behind a CDN front shares its IP with legitimate sites, so the block should be as narrow as possible (the host, not the prefix), time-limited, and re-verified before it is renewed. More than one party benefits. The wider internet is spared whatever attack was being marshaled, a cost that always lands well beyond the immediate target. The operator's own network benefits too, since infected subscribers generate support calls and consume capacity. And hosting providers benefit as well: with the steady stream of high-severity Linux and server-side vulnerabilities lately, compromised servers make up an increasing share of any sizable botnet, often with far more bandwidth per host than a residential subscriber.
The fourth stage: the attack itself
A surprising amount of attack volume still rides on a small set of well-understood reflection and amplification vectors: DNS, NTP, CLDAP, memcached, the usual suspects. They are not sophisticated; they do not need to be. They are cheap to launch and can still generate plenty of tonnage, which is most of what a volumetric attack actually requires. They also share one traffic shape, UDP arriving from a well-known service port toward hosts that never sent a request, which is why they can be classified and policed without knowing the target in advance. There is no good reason to defend against the same handful of basic vectors one customer at a time. When a carpet-bombing attack spreads across dozens of prefixes at once, per-customer mitigation has to fire dozens of times for the same traffic shape that could have been policed once, at the network, before it ever fanned out. Worse, if the attacker spreads the load thinly enough, no single prefix crosses its detection threshold and per-customer mitigation never fires at all. Sophisticated application-layer and botnet-driven attacks are where customer-specific defenses earn their keep. The obvious stuff belongs in the obvious place.
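To make the carpet-bombing argument concrete, here is an added example (written for this page, not Deepfield's code) that runs the two detection models side by side over constructed telemetry: NTP reflection spread evenly across forty customer /24s, each receiving less than a per-customer threshold, next to a trickle of ordinary DNS answers. The per-customer model keys on (prefix, vector) and either fires forty times or not at all depending on the threshold; the network model aggregates by vector across all destinations and fires once. The reflector port table, prefixes, rates and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# UDP service ports of the reflection vectors named above. Reflected traffic
# arrives *from* these source ports toward victims that never sent a request.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 11211: "memcached"}


@dataclass(frozen=True)
class Sample:
    """One flow-telemetry sample with the bit rate it represented in the interval."""
    src: str
    sport: int
    dst: str
    proto: str
    bps: int


def vector_of(s: Sample):
    """Classify a sample by vector: UDP from a known reflector port, else None."""
    if s.proto == "udp":
        return REFLECTOR_PORTS.get(s.sport)
    return None


def per_customer_alerts(samples, customer_prefixes, threshold_bps):
    """Per-customer model: one detection per (prefix, vector) over threshold."""
    rate = defaultdict(int)
    for s in samples:
        v = vector_of(s)
        if v is None:
            continue
        dst = ip_address(s.dst)
        for p in customer_prefixes:
            if dst in p:
                rate[(str(p), v)] += s.bps
                break
    return {k: r for k, r in rate.items() if r >= threshold_bps}


def network_policy(samples, threshold_bps):
    """Network model: aggregate by vector across every destination, police once.

    Returns {vector: (aggregate_bps, distinct_targets)} for vectors over threshold.
    """
    rate = defaultdict(int)
    targets = defaultdict(set)
    for s in samples:
        v = vector_of(s)
        if v is None:
            continue
        rate[v] += s.bps
        targets[v].add(s.dst)
    return {v: (r, len(targets[v])) for v, r in rate.items() if r >= threshold_bps}


def carpet_bomb_samples(n_prefixes=40, per_prefix_bps=800_000_000):
    """Constructed telemetry, not captured data: NTP reflection spread evenly
    over n customer /24s (198.18.0.0/15 is reserved for benchmarking), plus a
    trickle of ordinary DNS answers so a legitimate vector stays under threshold."""
    prefixes = [ip_network(f"198.18.{i}.0/24") for i in range(n_prefixes)]
    samples = []
    for i in range(n_prefixes):
        for j in range(4):  # four reflectors per prefix, the same shape everywhere
            samples.append(Sample(f"203.0.113.{j + 1}", 123,
                                  f"198.18.{i}.{10 + j}", "udp", per_prefix_bps // 4))
    samples.append(Sample("203.0.113.200", 53, "198.18.0.53", "udp", 2_000_000))
    return prefixes, samples


if __name__ == "__main__":
    prefixes, samples = carpet_bomb_samples()
    print("per-customer @1 Gbps:  ", len(per_customer_alerts(samples, prefixes, 1_000_000_000)), "alerts")
    print("per-customer @0.5 Gbps:", len(per_customer_alerts(samples, prefixes, 500_000_000)), "alerts")
    print("network @1 Gbps:       ", network_policy(samples, 1_000_000_000))
```

Two design notes. First, the network-level action should be a policer (rate limit per vector toward the customer aggregate), not a drop: the operator's own resolvers and time servers legitimately answer from ports 53 and 123, so the carve-out for known-good sources belongs in the policy. Second, aggregating by vector is what makes the thin-spread case detectable at all; no per-prefix threshold can be set low enough to catch 800 Mbps per /24 without drowning in false positives.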
Each of these interventions does real work on its own. Layered together, they make operating a botnet meaningfully harder and more expensive: the scanner gets dropped, the malware does not arrive, the C2 channel goes dark, the vector gets policed before it becomes an event.
This only works from the network.
Per-customer defenses, whether at the customer edge or in a scrubbing center, act only after the traffic has reached them, and by then the attack is already under way.
Only the telecom providers sit at all four stages at once. From the peering edge, they can see attack infrastructure taking shape across the internet; inside their own networks, they can see the infected hosts contributing to it. That combination, plus the reach to act once and protect everyone downstream, is what no other defender has.
Operators already drop bogons and filter spam without anyone calling it overreach; refusing to carry known attack infrastructure is the same instinct, extended.
Call it herd immunity for the internet: an ounce of prevention, a terabit of cure.
For more information about our approach to DDoS security, check https://www.nokia.com/ip-networks/deepfield/defender/.
Follow our public DDoS research at https://github.com/deepfield/public-research.