The DDoS you knew is not the DDoS we’re seeing now

Welcome to the era where terabit-level DDoS happens daily
The ceiling moved. Distributed denial-of-service (DDoS) attacks now peak at over 22 terabits per second (Tbps), with floods that strike like a sledgehammer and campaigns that persist for hours. Qianxin XLab’s latest work ties multiple record events to AISURU and documents a botnet with approximately 300,000 nodes.
Let’s scale this threat in human terms: picture a stadium where forty thousand people each have a typical U.S. home connection. Today, the median fixed broadband speed ranges between 285 and 300 Mbps. If everyone starts sending data at this speed simultaneously, we will be approaching 12 Tbps. That is what recent DDoS floods look like. However, they do not stay in a sandbox; they spill into the shared internet and carrier network fabric, where congestion creates “collateral damage” and hurts neighbors who were never the intended target. With these new volume levels of DDoS attacks, the blast radius is often significantly larger and can affect entire networks.
Million-box botnets, terabit DDoS tsunamis
The pool of machines that can be co-opted for malicious uses is larger and more liquid. BADBOX 2.0 grew beyond 10 million Android-class devices. Historically, it began as a means to monetize ad fraud and residential proxies, but this capacity can be leveraged to deliver DDoS “packets on demand.” Think of it as latent energy that can be task-switched. Vo1d adds another at-scale reservoir: Qianxin’s sinkholes saw around 1.6 million Android TVs across 200+ countries. Much of that inventory is already wired into proxy ecosystems. The path from their use for residential proxies to DDoS flooding is a matter of policy, not engineering.
A useful term for the bigger picture is ResHydra. It is not a single botnet: it is the vast assortment of compromised residential nodes—TV boxes, routers, cameras—operated today as “residential proxy” inventory and increasingly reused for hyper-volumetric DDoS. ResHydra includes crews and supply chains behind BADBOX, Vo1d, and AISURU, some of which expose proxy features alongside their DDoS flooding modules. Recent reporting explicitly highlights this “reservoir” and its potential for national-scale disruption of communications, including critical infrastructure.
Tactics evolved with the numbers. Attackers probe your limits with short, sub-minute bursts to see when mitigation turns on. Then they hold the flood just below that line. Disruptive enough to hurt, quiet enough to dodge your automatic blocks. Carpet bombing DDoS attacks spread traffic across many individual hosts, so per-destination limits never trigger the protection, yet shared links still saturate. Campaigns swing from sub-minute terabit-level spikes that thrash state and hashing, to multi-hour pressure that consumes headroom and attention. The economics are simple. Make defenders spend on telemetry, control-plane churn, and collateral cleanup.
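The carpet-bombing blind spot described above, shown from the detection side as an added example (not code from this article or from Deepfield Defender): per-destination thresholds stay silent while the covering prefix exceeds an aggregate limit. The flow records, thresholds and /24 aggregation are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (dst_ip, bits_per_second) flow summaries for one interval.
# 200 hosts in 203.0.113.0/24 each receive 40 Mbps; one unrelated host gets 30 Mbps.
SAMPLE_FLOWS = [(f"203.0.113.{i}", 40_000_000) for i in range(1, 201)]
SAMPLE_FLOWS.append(("198.51.100.7", 30_000_000))

PER_HOST_BPS = 100_000_000      # assumed per-destination trigger (100 Mbps)
PER_PREFIX_BPS = 5_000_000_000  # assumed per-/24 aggregate trigger (5 Gbps)
MIN_HOSTS = 50                  # assumed spread that marks traffic as "carpet"


def per_host_alerts(flows, limit=PER_HOST_BPS):
    """Classic per-destination detection: sum by host, alert when over limit."""
    totals = defaultdict(int)
    for dst, bps in flows:
        totals[dst] += bps
    return sorted(d for d, b in totals.items() if b > limit)


def carpet_alerts(flows, prefix_len=24, limit=PER_PREFIX_BPS, min_hosts=MIN_HOSTS):
    """Aggregate by covering prefix; flag wide floods that are quiet per host."""
    bps_by_prefix = defaultdict(int)
    hosts_by_prefix = defaultdict(set)
    for dst, bps in flows:
        # strict=False maps a host address onto its covering network
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        bps_by_prefix[net] += bps
        hosts_by_prefix[net].add(dst)
    alerts = []
    for net, total in bps_by_prefix.items():
        hosts = len(hosts_by_prefix[net])
        if total > limit and hosts >= min_hosts:
            alerts.append((str(net), total, hosts))
    return sorted(alerts)


if __name__ == "__main__":
    print("per-host alerts:", per_host_alerts(SAMPLE_FLOWS))
    for prefix, total, hosts in carpet_alerts(SAMPLE_FLOWS):
        print(f"carpet alert: {prefix} {total / 1e9:.1f} Gbps across {hosts} hosts")
```

In practice the aggregation key should follow the shared bottleneck (a customer prefix, an IX port, a peering link) rather than a fixed /24.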
DDoS today: Not just brute force, but sophistication, too
Some argue that huge DDoS floods “don’t matter” because they lack sophistication. However, in 2025, the blast radius is often upstream, encompassing peering fabrics, internet exchange (IX) ports, and shared cloud edges. A target may survive the attack, yet its neighbors brown out when queues collapse or automated abuse controls kick in.
The defenses these DDoS attacks break are not always the ones they aimed at. Qianxin’s AISURU work shows the size of the danger. The public record shows the “reservoir.” Combine them, and you have a different threat surface.
First rule of defense: Stay calm
But you need to stay calm. DDoS defense requires core traits of elite pilots, like Captain Sullenberger. It’s about resilience, hardiness and focus.
It’s also about the core traits of people, companies, and products you entrust with your DDoS defense.
And this is how we handle it at Nokia, and more specifically, how the cornerstone of our DDoS security solution, Deepfield Defender, handles it.
Defender was built for internet-scale visibility and granular action. It ingests flow-level telemetry (including sampled mirrored packets) across large networks, attributes traffic to sources and methods (bursts, carpet bombing, threshold probes), and turns that knowledge into surgical filtering, instructing router silicon to apply fast action.
The system keeps mitigations atomic and precise so that you can install or retire hundreds of targeted rules (IP filters or Access Control Lists, ACLs) in seconds without starving legitimate flows. The defense scales in both directions: from a handful of small, clean blocks for probe-like bursts to hardened policies for the largest volumetric floods.
The goal is straightforward: keep links alive, keep caches and control planes operational, and absorb both sub-minute spikes and multi-hour pushes with the same efficiency.
Today’s DDoS is bimodal: bigger and smarter. The numbers are no longer abstract; a full Stamford Bridge stadium pressing “send DDoS” all at once is a new unit of measure for the size and impact of today’s DDoS.
Plan your defenses accordingly; defend your network fabric, not just the box(es).
Learn more about Deepfield Defender and the Nokia DDoS security solution here.