The new DDoS threat landscape
Monetized, weaponized, inside your network
The DDoS threat landscape has changed
The DDoS threat landscape has changed. For more than two decades, attacks have mostly come from shady but bulletproof hosting companies. They were at a gigabit scale and telecommunications providers could address them with a mature, predictable playbook. Today, ISPs and hosting providers face a new generation of threats — and many of the largest now come from their own subscribers. More than 200 million compromised subscriber devices worldwide, funded at industrial scale by AI scraping demand, and sub-leased to criminal organizations and nation-state actors, generate terabits per second of malicious traffic from inside Tier-1 carrier networks. The result is degraded performance, poisoned IP reputation, and the collapse of legacy DDoS response timing — most attacks now end within five minutes.
Internal threats
Attacks no longer come from outside the network — they come from your subscribers, weaponized without their knowledge.
AI proxies
AI scraping demand is funding the underlying residential proxy market at a hundred-million-dollar scale, sustaining the compromised installed base.
Rapid attacks
Most attacks now peak in 1–3 minutes and end within 5 — outpacing legacy detect-and-divert response cycles.
How DDoS got monetized and weaponized
Attacks now come from inside the network
For 20+ years, DDoS attacks have come from outside the network, for example from Eastern European bulletproof hosting environments, using amplification or spoofing, and producing tens or hundreds of gigabits per second of malicious traffic. At some point in 2025, that pattern broke. Tens of thousands to hundreds of thousands of subscriber handsets and home gateways in major Tier-1 networks worldwide are now compromised, and they generate multi-terabit attacks against targets worldwide. If marshaled simultaneously, the aggregate firepower across affected carriers would exceed 100 Tbps, enough to disrupt internet connectivity for many countries and even continents. DDoS has become a country-scale concern.
AI is the demand-side funder
The hidden engine is the residential proxy market — middlemen who pay app developers to embed proxy SDKs, and device manufacturers who even ship malware in factory firmware. Up to 2024, this was a tens-of-millions-of-dollars niche market, selling residential IPs to fraudsters. Today it is a multi-hundred-million-dollar business, with one leading vendor publicly stating that 14 of the top 20 LLM companies are its customers. A US Tier-1 mobile IP now retails for about $95 for two weeks. AI training and inference demand has, in effect, paid for the world's largest compromised installed base.
The same devices are weaponized for crime and conflict
Twenty to thirty distinct criminal organizations and nation-state actors have stepped into the same installed base, running cybercrime operations and contributing to state-sponsored DDoS. The compromised handsets in major Western markets have been simultaneously monetized for AI scraping and weaponized for cyber operations.
DDoS at country scale
If every compromised device in Tier-1 US mobile and fixed networks were used simultaneously for DDoS, the aggregate firepower would exceed many hundreds of Tbps — enough to disrupt the entire US internet and affect global internet traffic. The DDoS threat has moved from a single-operator concern into national security territory.
78% of all attacks end within five minutes
37% of all attacks end within two minutes
82% of all attacks are below 50 Gbps; modest individually, lethal collectively
58% of all attacks are multi-vector
52% of all attacks are multi-target
exploitable devices
These data points have been collected by the Nokia Deepfield Emergency Response Team (ERT) from samples obtained from our global deployments and from the Nokia Threat Intelligence Report 2025.
What's at stake for ISPs and hosting providers
When the threat comes from inside, the consequences hit the operator before they hit the target. Three layers of impact — operational, reputational, and customer-experience — combine to make this a P&L issue, not just a security issue.
RAN and backhaul absorb terabits of unsolicited outbound traffic
Compromised devices generate multi-terabit flows that sit on top of RAN, backhaul, and peering capacity — driving undiagnosed performance variation and silently consuming engineered headroom.
IP reputation is poisoned across the subscriber base
Tier-1 mobile CGNAT IPs now score 100 on third-party reputation engines. Subscribers face CAPTCHAs, payment-card declines, and content throttling — without knowing why or that their carrier is the cause.
Attacks end before legacy mitigation engages
78% of attacks now end within 5 minutes; 37% within 2. Time-to-peak is 1–3 minutes. Detect-and-divert response cycles inherited from a 100 Gbps world cannot meet that clock.
A national-scale problem hiding in plain sight
If marshaled simultaneously, compromised devices across Tier-1 US carriers could generate aggregate firepower in the hundreds of terabits — enough to disrupt the US internet. This is a national-security issue, not just an operator issue.
Most attacks are small, but lethal in swarms
82% of attacks are below 50 Gbps; 52% are carpet-bombing patterns hitting multiple prefixes; 58% are multi-vector. Modest individually, devastating collectively, invisible to threshold-based systems.
Anatomy of a 2025–2026 DDoS attack
Four structural traits define today's attacks. Each is documented across more than 140 operator deployments worldwide and reflected in the Nokia Threat Intelligence Report 2025.
Multi-vector attacks
58% of attacks now combine two or more vectors — for example, a SYN flood paired with a DNS amplification and an HTTP layer-7 attack. Defenders cannot tune for a single attack signature, and single-vector mitigations leave entire flanks exposed.
Under-5-minute bursts
78% of attacks now end within 5 minutes, up from 44% in 2024. 37% end within 2 minutes, with time-to-peak typically 1–3 minutes. By the time legacy alert systems escalate to mitigation diversion, the attack is over and the damage is done.
Carpet bombing
52% of attacks now spread across multiple destination prefixes simultaneously — hitting many hosts at once with traffic levels per host that stay below conventional triggers. The aggregate is devastating; the slice on any one prefix looks benign.
Terms shaping the new threat landscape
What is a botnet?
A network of compromised devices — handsets, routers, IoT gear, streaming boxes — remotely controlled by an attacker via command-and-control (C2) servers. Aisuru, Kimwolf, and Eleven11bot each span hundreds of thousands to millions of devices.
What is a residential proxy?
Residential proxies are IP addresses sold to look like ordinary household subscribers — not data-center IPs. Delivered via Android SDKs and Chinese factory firmware, they are bought by AI scrapers and exploited by attackers using the same devices.
Inbound vs outbound DDoS
Inbound DDoS arrives from outside the network, aimed at customers. Outbound DDoS originates inside the network from compromised subscribers, aimed at external targets — degrading the operator's RAN, peering, and reputation along the way.
Nokia Deepfield: Next-gen DDoS security
Discover Nokia's cutting-edge DDoS security, featuring AI-powered Deepfield Defender and Secure Genome for robust protection against evolving cyber threats.
DDoS security
Defend your network against botnets and application-layer attacks with AI-driven DDoS security for fast and accurate detection and real-time mitigation.
Deepfield Defender
A next-gen, big-data- and AI-driven DDoS detection and mitigation solution.
Deepfield Genome Shield
Deepfield Genome Shield delivers proactive, always-on, network-wide DDoS protection for the AI era.