Jérôme Meyer
4 July 2025
The new way DDoS attacks operate today
One night last November the traffic graphs at sports-betting firm 1win went vertical. Hours later the lines flattened, LEDs flicked green, ticket closed. End of story—until forensics showed that, while terabits of junk battered the perimeter, someone tip-toed off with 96 million customer records. The fireworks were loud enough that nobody heard the vault door click.
The culprit? Distributed Denial of Service (DDoS) attacks.
What was once digital vandalism—flood the pipe, claim bragging rights—has evolved into outright misdirection, hogging every console and CPU cycle while the real break-in unfolds elsewhere.
Jérôme Meyer
Leads security research for Nokia Deepfield.
DDoS Attacks Today
Carriers that once saw two DDoS incidents a day now log hundreds, and 44% of these attacks are over in under five minutes. Blink and you miss the smoke screen—plus the burglary behind it.
Why the surge? Because a 100-gig “booter” subscription (to DDoS-for-hire services) costs less than Netflix. And because botnets ship pre-assembled: for instance, Eleven11bot drove hijacked webcams to launch record-breaking DDoS attacks, peaking at 6.5 Tb/s in February. That’s more than ten times Mirai’s original 2016 record.
Attackers don’t show up to smash the furniture; they keep you chasing alarms while they lift the valuables—exfiltrating data, dropping ransomware, wiring in next week’s back-door.
Many teams let their guard down the moment latency graphs sag back to normal, unaware they’re celebrating on the wrong lap. Stateful firewalls, last-minute ACLs (Access Control Lists), and a heroic operator attempt to handle raw volume right up to the moment an attacker overloads the very gear meant to stop them.
Picture the firewall as a nightclub bouncer armed with an exquisitely detailed guest list. Flood the door with a million party-crashers and the clipboard becomes decoration. In the chaos, the bouncer waves everyone through.
That reflex is fail-open.
Fail-open isn’t magic—it’s physics. Cram the firewall’s state table with a volumetric SYN flood and, once memory pegs, the firmware panics and slips into bypass, in a last-ditch attempt to keep links alive and traffic flowing. If the inspection daemon seg-faults under the strain, the chassis bridges traffic until it restarts. Kill the power or flap a link and the hardware relay shorts the ports together.
From the security operations center (SOC) chair, it’s eerie: logs go silent, session counters plunge, line-rate traffic barrels on, and NetFlow suddenly shows inbound RDP the policy never touched. The attacker didn’t avoid your defenses; they used them as the on-ramp.
What To Do Next
MITRE’s ATT&CK playbook spells it out: adversaries have been observed launching DDoS “to support other malicious activities, including distraction.” In other words, getting the service back up is merely Act I.
Four moves that can help your team keep the fireworks outside:
1. Baseline the who and the why, not just the how much
It’s midnight. Five thousand no-name IP-cams halfway across the globe all at once decide your Domain Name System (DNS) authoritative name-server is their new best friend. Bandwidth may not spike massively, but intent screams: cameras don’t spontaneously flood DNS.
Your detection engine should instantly flag anomalies like “Devices that typically whisper Network Time Protocol (NTP) are suddenly screaming DNS.” Layer flow data onto BGP, turning suspicious cameras into red dots on a heat map.
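To make the “who and why” point concrete, here is an added illustration (not code from the article or from Nokia Deepfield) that runs two triggers over constructed NetFlow-style records: a raw packets-per-second threshold, which stays quiet, and a per-source protocol-shift check, which flags cameras that only ever spoke NTP and now send nearly all their packets to the authoritative DNS port. The addresses, counts, thresholds and window length are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed sample flow records (src_ip, dst_port, packets): the fields a
# NetFlow/IPFIX exporter gives per flow. Addresses are RFC 5737 documentation
# ranges, not real devices; thresholds and window length are assumed values.
AUTH_DNS_PORT = 53
WINDOW_SECONDS = 60

CAMERAS = [f"203.0.113.{i}" for i in range(1, 21)]   # 20 no-name IP cams
RESOLVER = "198.51.100.7"                             # a legitimate resolver

# Yesterday: cameras only whisper NTP (udp/123); the resolver already does DNS.
BASELINE_FLOWS = [(cam, 123, 4) for cam in CAMERAS] + [(RESOLVER, 53, 300)]
# Tonight: the same cameras all start hammering the authoritative DNS server.
WINDOW_FLOWS = [(cam, 53, 150) for cam in CAMERAS] + [(RESOLVER, 53, 310)]


def profile(flows):
    """Per-source packet counts keyed by destination port ("who talks what")."""
    prof = defaultdict(Counter)
    for src, port, pkts in flows:
        prof[src][port] += pkts
    return prof


def volume_alert(flows, pps_threshold=1_000_000):
    """The classic 'how much' trigger: fires only on raw packets-per-second."""
    pps = sum(pkts for _, _, pkts in flows) / WINDOW_SECONDS
    return pps >= pps_threshold


def intent_alerts(baseline, window, port=AUTH_DNS_PORT, min_share=0.9, min_pkts=100):
    """The 'who and why' trigger: sources that never touched `port` in the
    baseline and now send almost all of their packets there."""
    hits = []
    for src, ports in window.items():
        total = sum(ports.values())
        if total < min_pkts or ports[port] / total < min_share:
            continue
        if baseline.get(src, Counter())[port] > 0:   # known DNS talker, skip
            continue
        hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    base, now = profile(BASELINE_FLOWS), profile(WINDOW_FLOWS)
    print("volume trigger fired:", volume_alert(WINDOW_FLOWS))   # False
    print("intent anomalies:", intent_alerts(base, now))         # the 20 cameras
```

In a real deployment the flagged sources would be joined to BGP origin data so the red dots land on the right prefix and upstream, which is the handoff to the automated mitigation described in the next move.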
2. Let automation throw the first punch—under a minute, or it’s too slow
No human can out-type a terabit flood. Hand the reflex to silicon—gear that fires back before you’ve even seen the spike.
The second packets-per-second cross your threshold, edge routers should automatically shed malicious traffic or redirect it to mitigation gear, reverting when conditions stabilize.
3. Give your firewalls an airbag—let a stateless layer eat the crash
Firewalls are brilliant chess players with one fatal flaw: every new flow grabs a square on a state table, and that board is only so big. Fill it, and the box either drops everything or—worse—fails open. As a safeguard, bolt on a stateless “airbag” a hop upstream. It doesn’t care about SYNs or sequence numbers; it cares about the who and what—five thousand white-label cameras suddenly pelting your DNS server, for instance.
The second that odd waveform appears, the airbag inflates: it drops the anomalous traffic on the device or punts the junk to a scrubber. No sessions to track, no table to exhaust; just raw line-rate math absorbing the impact while the firewall keeps pondering the finer stuff: TLS fingerprints, strange HTTP verbs, and bots masquerading as browsers.
4. Audit the bouncers—make sure none of them silently swing the rope aside
Fail-open is a configuration choice, not a cosmic constant. Dramatically unplugging boxes mid-attack isn’t necessary; review your configurations instead. Verify each inline device explicitly states how it behaves if software crashes, links fail, or power dies. Anything set to silently bypass traffic without approval belongs at the top of tomorrow’s change list.
DDoS fireworks dazzle, but nobody robs the vault just for the spectacle. Spot the diversion, stay clear-eyed, and keep the attackers outside looking in. Next time the sky lights up, keep at least one eye on the basement door.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro