
The Quarter at a Glance

Q1 2026 continued the trajectory that defined 2025: more attacks, bigger attacks, and faster attacks. The numbers paint a picture of a threat landscape that is intensifying on every axis simultaneously. Multi-vector campaigns are the norm, not the exception. Attack durations are shrinking while peak intensities climb. And the intersection of geopolitics and DDoS has never been more visible.

Several data points stand out. Cloudflare's 2026 Threat Report confirmed a sustained upward trend in hyper-volumetric events, building on the 47.1 million attacks mitigated across 2025. StormWall's Q1 2026 report documented continued growth in multi-vector attacks targeting enterprises across finance, government, and critical infrastructure sectors. Perhaps most strikingly, January 2026 alone saw 41 "mega attacks" exceeding 100 Gbps, a 78% increase over December 2025. The baseline for what qualifies as a significant DDoS event has shifted upward yet again.

Against this backdrop, three themes dominated the quarter: volumetric attacks reaching new peaks driven by botnet evolution, geopolitically motivated hacktivism surging in response to real-world military operations, and law enforcement mounting the most aggressive takedown campaigns in DDoS-for-hire history.

Record-Breaking Volumetric Attacks: The AISIRU/Kimwolf Era

The volumetric attack ceiling continued its rapid ascent in Q1 2026. The AISIRU botnet (also tracked as Kimwolf and Airashi) solidified its position as the most capable DDoS threat infrastructure in operation, powering attacks that would have been dismissed as theoretical just 18 months ago.

The headline number: a record 31.4 Tbps attack attributed to AISIRU/Kimwolf infrastructure. The attack lasted only 35 seconds. That duration is not a typo. Thirty-five seconds of sustained multi-terabit flooding, long enough to saturate upstream links, overwhelm stateful devices, and cause cascading failures across downstream services, but short enough that any mitigation workflow requiring human decision-making would arrive after the damage was already done.

This 35-second duration represents a deliberate tactical evolution. When the same botnet infrastructure powered a 5.6 Tbps flood in Q4 2024, that attack lasted approximately 80 seconds. The trend is clear: higher intensity, shorter duration. The attackers understand that speed is their ally. Every second shaved from the attack window reduces the probability that a defender's mitigation pipeline will engage before the flood reaches its target.

A 31.4 Tbps attack that lasts 35 seconds is not something you respond to. It is something your systems either handle autonomously or they do not. There is no middle ground at this timescale.

Microsoft Azure disclosed its own encounter with AISIRU-class infrastructure during this period. In October 2025, Azure mitigated a 15.72 Tbps flood targeting an Australian customer. The attack characteristics were consistent with the same botnet family: massive UDP volumes from geographically distributed IoT bots, rapid ramp-up, and short overall duration. Azure's disclosure is significant because it confirms that AISIRU-scale attacks are not confined to a single mitigation provider's visibility. Multiple tier-one cloud platforms are independently observing and mitigating floods in the 10+ Tbps range.

The 41 mega attacks exceeding 100 Gbps recorded in January 2026 alone underscore a broader pattern. While the 31.4 Tbps record captures attention, the more operationally significant trend is the normalization of multi-hundred-gigabit events. Attacks that would have warranted individual incident reports two years ago are now background noise in the daily traffic of major transit providers and scrubbing services. For organizations running their own infrastructure, this means that any DDoS protection strategy sized for "typical" attack volumes from 2024 is already undersized.

Geopolitical Hacktivism: DDoS as a Weapon of Information Warfare

The intersection of real-world military conflict and DDoS activity reached a new intensity in Q1 2026. The most dramatic example: US and Israeli joint airstrikes against Iran in late February 2026 triggered more than 150 hacktivist DDoS attacks within 72 hours of the strikes being reported in international media.

This wave of retaliatory DDoS campaigns targeted government websites, financial institutions, critical infrastructure operators, and media organizations across the United States, Israel, and allied nations. The attacks were coordinated through established hacktivist channels on Telegram and other messaging platforms, with multiple groups claiming responsibility and sharing target lists in near-real-time. The speed of mobilization was notable. Within hours of the first news reports, organized target lists were circulating, volunteer botnets were being marshaled, and attacks were underway.

The sheer volume of 150+ attacks in 72 hours represents a qualitative shift in hacktivist coordination. Previous geopolitical DDoS surges, such as the campaigns following Russia's invasion of Ukraine in early 2022, developed over days and weeks. The February 2026 response compressed that timeline to hours. This acceleration reflects maturing hacktivist infrastructure: pre-organized groups with established communication channels, pre-built attack tooling, and the operational discipline to rapidly pivot from standby to active targeting.

NoName057: The Most Active Threat Group in Q1 2026

NoName057(16) emerged as one of the most active DDoS threat groups of Q1 2026, conducting sustained campaigns against targets in France, the United Kingdom, Spain, Germany, Romania, and across the Middle East. The group, which has been active since at least mid-2022 and is widely assessed to operate in alignment with Russian state interests, executed a persistent campaign of politically motivated DDoS attacks throughout the quarter.

NoName057's operational model is distinctive. The group operates a volunteer-driven attack tool called DDoSia that allows supporters to contribute their own bandwidth and computing resources to coordinated DDoS campaigns. This crowdsourced approach gives the group access to a distributed attack infrastructure without requiring a traditional botnet of compromised devices. Target selection is driven by geopolitical events: government websites in countries that announce military aid to Ukraine, media outlets that publish content critical of Russian policy, and financial institutions in nations that impose or expand sanctions.

The breadth of NoName057's targeting in Q1 2026 is significant. Rather than concentrating on a single region, the group maintained concurrent campaigns across Western Europe and the Middle East. This geographic spread suggests either a growing participant base in the DDoSia program or more efficient tooling that allows existing participants to generate more attack traffic per node.

For defenders, the hacktivist DDoS threat introduces a complication that purely criminal DDoS does not: unpredictability linked to external events. A military operation, a diplomatic incident, or even a provocative public statement can trigger a wave of DDoS activity within hours. Organizations in government, defense, finance, and media sectors need to treat geopolitical escalation events as DDoS threat indicators and proactively elevate their monitoring posture when tensions rise.

Layer 7 Sophistication: Evading Rate Limits at Scale

While volumetric attacks dominated the bandwidth charts, the most technically sophisticated attacks of Q1 2026 occurred at Layer 7. Application-layer DDoS continued to evolve in ways that challenge traditional defenses, and the quarter produced a standout example of what the next generation of L7 attacks looks like.

The attack in question peaked at 2.45 billion HTTP requests, distributed across 1.2 million unique IP addresses. This IP diversity is the critical detail. Traditional rate-limiting defenses work by tracking request rates per source IP and throttling or blocking IPs that exceed a threshold. When the attack traffic is spread across 1.2 million sources, each individual IP generates a request rate that falls comfortably below any reasonable per-IP rate limit. The attack volume is enormous in aggregate but invisible at the per-source level.

This represents a fundamental challenge to rate-limit-based defenses. An attack generating 2.45 billion requests from 1.2 million IPs averages roughly 2,000 requests per IP over the course of the attack. Depending on the attack duration, that per-IP rate may be indistinguishable from a legitimate user with an active browsing session. The attacker achieves devastating aggregate volume while maintaining per-source behavior that looks normal.

Where did 1.2 million attack-capable IPs come from? Several possibilities exist. Residential proxy networks, which aggregate bandwidth from millions of consumer devices running proxy SDK code, can provide massive pools of unique residential IP addresses. Compromised IoT devices with HTTP-capable stacks are another source. Some L7 botnets also leverage browser-based execution through injected JavaScript on compromised or ad-serving websites, turning legitimate user browsers into unwitting attack participants.

The 2.45-billion-request attack signals where L7 DDoS is headed: massive IP diversity that renders per-source rate limiting ineffective. Defenders need to shift from rate-based to behavior-based detection, analyzing request patterns, header fingerprints, and session characteristics rather than simple volume thresholds.

Multi-vector attacks that combine L3/L4 volumetric floods with concurrent L7 campaigns continued to grow in prevalence, as confirmed by StormWall's Q1 2026 analysis. The combination is strategically effective: the volumetric component forces defenders to focus on bandwidth saturation and infrastructure protection, while the L7 component targets the application directly. Defenders who lack unified visibility across both layers may successfully mitigate the volumetric flood only to discover that their application servers have been overwhelmed by an L7 campaign running simultaneously.

Law Enforcement Strikes Back: Botnet Takedowns and DDoS-for-Hire Disruption

Q1 2026 was arguably the most consequential quarter in the history of DDoS-related law enforcement action. Two major operations targeted different layers of the DDoS ecosystem, and their combined scope was unprecedented.

DOJ Botnet Infrastructure Takedown

The US Department of Justice announced the dismantling of infrastructure behind four major botnets responsible for compromising more than 3 million devices worldwide. The operation targeted the command-and-control infrastructure that botnet operators used to issue attack commands to their fleets of compromised devices. By seizing C2 domains and servers, law enforcement severed the link between botnet operators and their infected device populations.

The 3+ million device figure is significant. It represents a substantial portion of the global botnet capacity available for DDoS attacks. While the compromised devices themselves remain infected (cleaning millions of IoT devices is a separate and largely unsolved problem), severing the C2 link renders them inert from an attack perspective until operators can re-establish control through alternative infrastructure.

The operational impact of the takedown will depend on how quickly the affected botnet operators can reconstitute their C2 infrastructure. History suggests that sophisticated operators can rebuild within weeks to months, particularly if they maintained backup C2 channels or domain generation algorithms (DGAs) that allow bots to discover new control servers without manual intervention. Less sophisticated operators may lose access to their bot populations permanently. In either case, the takedown creates a temporary but meaningful reduction in available DDoS capacity.

Operation PowerOFF: The Largest DDoS-for-Hire Crackdown in History

Operation PowerOFF represented the most extensive law enforcement action ever directed at the DDoS-for-hire (booter/stresser) ecosystem. The operation spanned 21 countries, targeted 75,000+ users of DDoS-for-hire services, seized 53 domains, and exposed approximately 3 million accounts across the targeted platforms.

The scale of PowerOFF dwarfs previous operations against the booter/stresser market. Earlier efforts, such as the December 2022 seizure of 48 DDoS-for-hire domains by the FBI, targeted the service infrastructure but not the user base. PowerOFF's focus on the 75,000+ users represents a strategic shift: rather than playing whack-a-mole with service operators who can relaunch under new domains, law enforcement is now targeting the demand side of the market.

The exposure of 3 million accounts has implications beyond direct prosecution. Even users who are not individually charged face the risk of identification, which serves as a deterrent. The operational security of DDoS-for-hire customers has historically been poor, with many using personal email addresses, payment methods linked to their real identities, and browser fingerprints that connect their booter accounts to their real-world online presence. The message from law enforcement is clear: purchasing DDoS services is not anonymous, and the customer databases will eventually be obtained and analyzed.

For the DDoS threat landscape, Operation PowerOFF's impact is likely to be significant in the short to medium term. The booter/stresser market serves as the entry point for the majority of DDoS attacks by volume. While the largest and most sophisticated attacks come from dedicated botnets like AISIRU, the vast majority of DDoS incidents targeting small and medium businesses, game servers, and individual targets originate from DDoS-for-hire services. Disrupting this market reduces the overall volume of DDoS activity even if it does not affect the top end of the threat spectrum.

What Defenders Should Take Away from Q1 2026

The Q1 2026 landscape reinforces several principles that should guide defensive strategy for the remainder of the year and beyond. These are not theoretical recommendations. They are operational necessities driven by the specific threat characteristics documented above.

Sub-Second Detection Is No Longer Optional

When the record-setting attack lasts 35 seconds, detection that takes minutes is detection that arrives after the attack is over. The AISIRU/Kimwolf trend toward extreme intensity combined with ultra-short duration means that any detection system polling at 1-minute or 5-minute intervals will miss or undercount the most damaging events. Per-second monitoring at every ingress point is the minimum viable detection posture for organizations that could be targeted by botnet-class attacks.

Flowtriq was built around this reality. Per-second PPS, bps, and flow monitoring on every node means that a 35-second flood is captured with full fidelity, not averaged into a 5-minute polling bucket where it becomes invisible. Automatic baseline deviation analysis triggers incidents within seconds, not minutes, giving automated mitigation pipelines the time window they need to engage before the attack peaks.
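To make the polling-interval argument concrete, here is an added simulation (not Flowtriq's code) that feeds the same constructed traffic series, a flat 50 Gbps baseline with a 35-second flood at the post's 31.4 Tbps peak, through a per-second baseline-deviation check and through the same check run on 60-second and 5-minute averaged buckets. The baseline, the 5x deviation multiplier and the flood placement are assumptions; the point it shows is when each view first raises an alarm relative to when the flood is already over, and how far averaging shrinks the apparent peak.

```python
"""How the polling interval changes detection latency for a short flood.

Added example, not Flowtriq's code. The traffic series is constructed: a flat
50 Gbps baseline with a 35-second flood at 31.4 Tbps, the duration and peak
the post reports for the record attack. The thresholds are assumptions.
"""
from statistics import mean

BASELINE_GBPS = 50.0
FLOOD_START = 600        # seconds into the series
FLOOD_LEN = 35           # the record attack's duration
FLOOD_GBPS = 31.4 * 1000.0


def traffic_series(total_seconds=1200):
    """Per-second throughput samples in Gbps."""
    series = []
    for t in range(total_seconds):
        in_flood = FLOOD_START <= t < FLOOD_START + FLOOD_LEN
        series.append(FLOOD_GBPS if in_flood else BASELINE_GBPS)
    return series


def polled(series, interval):
    """Average consecutive samples into fixed buckets, the way a counter
    polled every `interval` seconds reports them. Each entry is
    (time the bucket becomes available, average rate in Gbps)."""
    buckets = []
    for start in range(0, len(series), interval):
        chunk = series[start:start + interval]
        buckets.append((start + len(chunk), mean(chunk)))
    return buckets


def first_alarm(samples, multiplier=5.0):
    """Baseline-deviation check: the first time a reported rate exceeds
    `multiplier` times the baseline, or None if it never does."""
    for t, rate in samples:
        if rate > multiplier * BASELINE_GBPS:
            return t
    return None


def compare(interval):
    """Alarm time and apparent peak for per-second data vs. polled data."""
    series = traffic_series()
    per_second = [(t + 1, rate) for t, rate in enumerate(series)]
    buckets = polled(series, interval)
    return {
        "flood_ends_at": FLOOD_START + FLOOD_LEN,
        "per_second_alarm_at": first_alarm(per_second),
        "polled_alarm_at": first_alarm(buckets),
        "per_second_peak_gbps": max(r for _, r in per_second),
        "polled_peak_gbps": max(r for _, r in buckets),
    }


if __name__ == "__main__":
    for interval in (1, 60, 300):
        print(f"{interval:>3}s polling:", compare(interval))
```

With these inputs the per-second view alarms one second into the flood; the 60-second view alarms at the end of its bucket, 25 seconds after the flood has stopped, and the 5-minute view alarms 265 seconds after it has stopped while reporting a peak of about 3.7 Tbps instead of 31.4 Tbps. Whatever your real baseline is, the latency part of that result does not change: a bucketed view cannot report the event before the bucket closes.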

Automated Mitigation Must Be Pre-Configured

If your mitigation workflow requires a human to approve an action before it takes effect, you are operating on a timescale that the current threat landscape has outgrown. FlowSpec rules, RTBH announcements, scrubbing service activation, and upstream notification should all be triggerable without manual intervention for attack profiles that match pre-defined criteria. The human role shifts from "approve this action" to "review this automated action after the fact."

Flowtriq's auto-mitigation rules support this model directly, triggering BGP FlowSpec or RTBH announcements automatically when an incident matches configured thresholds. The system handles the time-critical response while operators review and adjust after the immediate threat is contained.
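What a pre-configured, no-human-in-the-loop decision looks like in code, as an added example that is not Flowtriq's implementation: a small rule engine that takes a confirmed incident and picks between a FlowSpec rate-limit, an RTBH announcement, or a scrubbing hand-off based on thresholds an operator set in advance, and writes an audit entry for after-the-fact review. The incident fields, thresholds and returned dictionaries are assumptions; the two protocol facts it relies on are that a FlowSpec traffic-rate action is expressed in bytes per second (RFC 8955) and that 65535:666 is the well-known BLACKHOLE community (RFC 7999). Rendering the result into your router's or BGP speaker's syntax is left to the integration layer.

```python
"""Rule engine that turns a confirmed incident into a pre-configured action.

Added example, not Flowtriq's implementation. Incident fields, thresholds and
the returned dictionaries are assumptions; the protocol facts used are that a
FlowSpec traffic-rate action is in bytes per second (RFC 8955) and that
65535:666 is the well-known BLACKHOLE community (RFC 7999).
"""
from dataclasses import dataclass
from typing import Optional

BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999


@dataclass
class Incident:
    dst_ip: str                       # attacked host
    bps: float                        # attack bits per second toward dst_ip
    protocol: Optional[str] = None    # "udp" / "tcp" when one protocol dominates
    dst_port: Optional[int] = None    # dominant destination port, if any
    vector_share: float = 0.0         # fraction of attack bytes in that protocol/port


@dataclass
class Policy:
    link_capacity_bps: float          # upstream capacity that must not saturate
    action_floor_bps: float           # below this, only an incident is recorded
    rtbh_ratio: float = 0.9           # fraction of link capacity that justifies RTBH
    vector_share_min: float = 0.8     # how concentrated a flood must be for FlowSpec
    flowspec_allow_fraction: float = 0.1  # share of link left open to the matched flow


def choose_action(inc: Incident, pol: Policy):
    """Pick the announcement for this incident without a human in the loop.
    Returns None when the incident is below the action threshold."""
    if inc.bps < pol.action_floor_bps:
        return None
    # RTBH completes the outage for dst_ip in exchange for keeping the link
    # up for everyone else, so it is reserved for floods near link capacity.
    if inc.bps >= pol.rtbh_ratio * pol.link_capacity_bps:
        return {"type": "rtbh", "prefix": f"{inc.dst_ip}/32",
                "community": BLACKHOLE_COMMUNITY}
    # FlowSpec only helps when the flood is concentrated on a matchable
    # protocol/port; a rate-limit on the wrong tuple lets the rest through.
    if inc.protocol and inc.vector_share >= pol.vector_share_min:
        match = {"destination": f"{inc.dst_ip}/32", "protocol": inc.protocol}
        if inc.dst_port is not None:
            match["destination-port"] = inc.dst_port
        limit = int(pol.flowspec_allow_fraction * pol.link_capacity_bps / 8)
        return {"type": "flowspec", "match": match,
                "traffic_rate_bytes_per_sec": limit}
    # Diffuse multi-vector flood below link capacity: divert to scrubbing.
    return {"type": "scrub", "prefix": f"{inc.dst_ip}/32"}


def run_pipeline(incidents, pol):
    """Apply the policy to each incident and keep an audit trail so the
    operator can review the automated decisions afterwards."""
    audit = []
    for inc in incidents:
        action = choose_action(inc, pol)
        audit.append({"dst_ip": inc.dst_ip, "bps": inc.bps,
                      "action": action, "needs_review": action is not None})
    return audit


# Constructed policy: a 100 Gbps upstream, act on anything above 5 Gbps.
POLICY = Policy(link_capacity_bps=100e9, action_floor_bps=5e9)

if __name__ == "__main__":
    demo = [   # constructed incidents in the RFC 5737 documentation range
        Incident("203.0.113.10", bps=60e9, protocol="udp", dst_port=53, vector_share=0.95),
        Incident("203.0.113.11", bps=95e9, protocol="udp", vector_share=0.5),
        Incident("203.0.113.12", bps=40e9, protocol="tcp", dst_port=443, vector_share=0.4),
        Incident("203.0.113.13", bps=2e9),
    ]
    for entry in run_pipeline(demo, POLICY):
        print(entry)
```

The ordering of the checks is the design decision that matters: blackholing is tested first because it is the only action that protects the link when saturation is imminent, but it is gated behind a high ratio because it finishes the attacker's job for the targeted address, and FlowSpec is gated behind a concentration threshold because a rate-limit on one protocol/port does nothing against the rest of a multi-vector flood.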

Per-Node Visibility Matters More Than Aggregate Dashboards

Multi-vector attacks that combine L3/L4 volumetric floods with L7 application-layer campaigns require visibility at every layer of your stack. An aggregate bandwidth graph that shows "traffic is elevated" is not sufficient when you need to distinguish between a volumetric flood hitting your border routers and an L7 campaign targeting your application servers. Per-node monitoring across routers, switches, firewalls, and application infrastructure gives defenders the granularity to identify which layer is under attack and engage the appropriate mitigation for each vector.

Geopolitical Awareness Is a Security Input

The 150+ hacktivist attacks triggered within 72 hours of the US-Israel airstrikes against Iran demonstrate that geopolitical events are now DDoS early warning indicators. Organizations in government, defense, financial services, media, and critical infrastructure should maintain awareness of geopolitical developments and proactively tighten detection thresholds and pre-stage mitigation resources when tensions escalate. This is not about predicting specific attacks. It is about recognizing that the probability of DDoS activity increases measurably during periods of geopolitical conflict.

Rate Limiting Alone Cannot Stop Modern L7 Attacks

The 2.45-billion-request attack from 1.2 million IPs demonstrates that per-IP rate limiting is insufficient against the current generation of L7 threats. Defenders need layered L7 defenses that include behavioral analysis, TLS fingerprinting, JavaScript challenge mechanisms, and anomaly detection based on request patterns rather than simple volume thresholds. WAF rules that only fire on per-source rate limits will miss distributed L7 attacks entirely.
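The rate-limit failure described here and in the Layer 7 section above can be reproduced on a small scale. The following added example (not code from the original post) builds a constructed 60-second access-log window in which 500 sources each send two to four requests, all sharing one header fingerprint, mixed with 60 legitimate users with varied browsers and paths. A per-IP limiter set to 30 requests per minute blocks nothing, while grouping by a (User-Agent, Accept-Language, path) fingerprint and asking how many distinct sources share it isolates the campaign. The fingerprint fields and thresholds are assumptions; a real deployment would add TLS fingerprints and session features to the same grouping key. It also carries through the post's arithmetic for the average per-source request count.

```python
"""Per-IP rate limiting versus fingerprint clustering on an access-log sample.

Added example, not code from the original post. The log rows are constructed;
the fingerprint fields (User-Agent, Accept-Language, path) and the thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict
import random

LEGIT_UAS = [
    "Mozilla/5.0 (Windows NT 10.0) Firefox/124",
    "Mozilla/5.0 (Macintosh) Safari/17",
    "Mozilla/5.0 (X11; Linux) Chrome/123",
]
LEGIT_PATHS = ["/", "/login", "/products/42", "/cart", "/static/app.js"]
ATTACK_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"   # constructed value


def build_sample(seed=7):
    """Constructed 60-second window: 60 legitimate sources with varied
    browsers and paths, plus 500 attack sources that each send only a
    handful of requests but all share one header fingerprint."""
    rng = random.Random(seed)
    rows = []
    for i in range(60):                       # RFC 5737 documentation ranges
        ip = f"198.51.100.{i}"
        for _ in range(rng.randint(3, 12)):
            rows.append({"ip": ip, "ua": rng.choice(LEGIT_UAS),
                         "lang": rng.choice(["en-US", "de-DE", "fr-FR"]),
                         "path": rng.choice(LEGIT_PATHS)})
    for i in range(500):
        ip = f"192.0.2.{i}" if i < 256 else f"203.0.113.{i - 256}"
        for _ in range(rng.randint(2, 4)):
            rows.append({"ip": ip, "ua": ATTACK_UA, "lang": "en-US",
                         "path": "/api/search"})
    return rows


def per_ip_limiter(rows, limit_per_window):
    """Classic per-source rate limit: block any IP over the threshold."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["ip"]] += 1
    return {ip for ip, n in counts.items() if n > limit_per_window}


def fingerprint_clusters(rows, min_sources, min_share):
    """Behaviour-based view: group requests by header fingerprint and flag a
    fingerprint that is spread over an unusually large number of distinct
    sources while accounting for a large share of all requests."""
    by_fp = defaultdict(lambda: {"ips": set(), "requests": 0})
    for r in rows:
        fp = (r["ua"], r["lang"], r["path"])
        by_fp[fp]["ips"].add(r["ip"])
        by_fp[fp]["requests"] += 1
    total = len(rows)
    flagged = []
    for (ua, lang, path), stats in by_fp.items():
        share = stats["requests"] / total
        if len(stats["ips"]) >= min_sources and share >= min_share:
            flagged.append({"ua": ua, "lang": lang, "path": path,
                            "sources": len(stats["ips"]),
                            "share": round(share, 2)})
    return flagged


def per_source_average(total_requests, unique_ips):
    """The post's arithmetic: requests each source contributed on average."""
    return total_requests / unique_ips


SAMPLE = build_sample()

if __name__ == "__main__":
    print("per-IP limiter blocked:", per_ip_limiter(SAMPLE, 30))
    print("fingerprint clusters flagged:", fingerprint_clusters(SAMPLE, 100, 0.3))
    print("avg requests per source, 2.45e9 requests over 1.2e6 IPs:",
          round(per_source_average(2.45e9, 1.2e6)))
```

The limiter returns an empty set because no source exceeds its budget, which is exactly the attacker's intent; the cluster check flags a single fingerprint spread across 500 sources carrying most of the window's requests. The `min_sources` and `min_share` values have to be tuned per site against a normal-traffic baseline, since popular browsers on popular paths legitimately share fingerprints across many users.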

Law Enforcement Actions Create Windows, Not Permanent Solutions

The DOJ botnet takedowns and Operation PowerOFF are significant achievements that will reduce DDoS activity in the short term. But defenders should not plan on a permanently reduced threat level. Botnet infrastructure reconstitutes. DDoS-for-hire services relaunch under new domains. The underlying economics that make DDoS attacks cheap and profitable have not changed. Treat the post-takedown period as an opportunity to strengthen defenses, not as evidence that the threat is diminishing.

Built for the 35-second attack era. Flowtriq detects DDoS attacks in seconds, not minutes, with per-second monitoring on every node, automatic baseline analysis, and auto-mitigation that triggers BGP FlowSpec or RTBH before a human could even open a dashboard. When the record-breaking attack lasts 35 seconds, sub-second detection is not a luxury. Start your free 7-day trial at $9.99/node/month. No credit card required.
