Attack Analysis
TDoS Attacks Explained: How Telephony Denial of Service Targets VoIP Providers
What TDoS is, how it differs from volumetric DDoS, and how baseline anomaly detection catches automated call f...
9 min read →Blog
Attack postmortems.
Engineering deep-dives.
Practical guides from engineers who've been DDoS'd and learned from it.
All
Post-Mortem
Attack Analysis
Original Research
Engineering
Forensics
Integrations
Mitigations
Fundamentals
Tools
Comparisons
Get attack analysis in your inbox
Monthly postmortems, detection techniques, and original research. No fluff.
Attack Analysis
Ransom DDoS in iGaming: How Sportsbooks Get Hit and How to Respond
How ransom DDoS campaigns target sportsbooks with event-timed extortion, and how sub-second detection changes the economics.
Attack Analysis
Canonical Hit With DDoS and Extortion by 313 Team
Analysis of the 313 Team DDoS extortion campaign against Canonical and what operators can learn from it....
8 min read →Attack Analysis
DDoS Extortion in iGaming: How Operators Are Fighting Back
How iGaming operators are responding to the surge in ransom DDoS campaigns targeting live betting platforms....
10 min read →Attack Analysis
Why Residential Proxy Networks Are Prime DDoS Targets
Why residential proxy infrastructure attracts targeted DDoS attacks and how to defend against them....
9 min read →Attack Analysis
TDoS Attacks Are Surging: How VoIP Providers Can Detect and Stop Them
How telephony denial of service differs from volumetric DDoS and how to detect automated call floods....
10 min read →Attack Analysis
HTTP/2 Bomb: How a Single Machine Can Exhaust 32 GB of Server RAM in Seconds
A new DoS attack combines HPACK compression amplification with flow control stalling to overwhelm NGINX, Apach...
10 min read →Attack Analysis
Detecting IP spoofing with TTL entropy: how Flowtriq spots faked sources
Spoofed source IPs cannot be blocked one by one. Flowtriq detects them by measuring the Shannon entropy of TTL...
12 min read →Attack Analysis
The DDoS threat landscape in Q1 2026: record attacks, hacktivism, and law enforcement
31.4 Tbps Aisiru floods, geopolitical hacktivism surges, 2.45 billion request L7 attacks, Operation PowerOFF, ...
16 min read →Attack Analysis
Operation PowerOFF: 21 countries target 75,000 DDoS-for-hire users
Europol and 21 nations seized 53 booter domains, exposed 3 million accounts, and entered a prevention phase ta...
12 min read →Attack Analysis
API-layer DDoS in 2026: GraphQL abuse, Slowloris, and the L7 shift
API-targeting DDoS attacks increased 200% in 2025. GraphQL recursive queries, Slowloris thread exhaustion, and...
13 min read →Attack Analysis
Emerging amplification vectors: CLDAP, WS-Discovery, CoAP, and beyond
The amplification vectors attackers are using beyond DNS, NTP, and Memcached. Protocol mechanics, amplificatio...
15 min read →Attack Analysis
Ransom DDoS (RDDoS) in 2026: triple extortion, payment trends, and why paying never works
Triple extortion is the 2026 norm. How RDDoS extortion works, why paying encourages repeat attacks, and why au...
14 min read →Attack Analysis
IPv6 DDoS attacks: the growing blind spot in network defense
600% increase in IPv6 DDoS traffic. Extension header floods, NDP exhaustion, and why most detection tools trea...
13 min read →Attack Analysis
IoT botnets in 2026: 3 million devices seized, millions more waiting
DOJ seized 3M+ device botnet infrastructure, but the devices remain vulnerable. The post-takedown state of the...
13 min read →Attack Analysis
Why 70% of DDoS attacks end before manual response even starts
NETSCOUT data shows 70% of DDoS attacks last fewer than 15 minutes. Manual response takes 15 to 30 minutes min...
10 min read →Attack Analysis
The anatomy of a multi-vector DDoS attack: NTP amplification plus SYN flood
How attackers layer NTP amplification and SYN floods, why each vector alone may stay below detection threshold...
14 min read →Attack Analysis
The 10 largest DDoS attacks in history (and what we learned)
From the 300 Gbps Spamhaus attack to 5.6 Tbps Mirai variants: the biggest DDoS attacks ever recorded, what mad...
13 min read →Attack Analysis
Mirai botnet: how it infects IoT devices and launches DDoS attacks
The full Mirai lifecycle: scanning, credential brute-force, multi-architecture loaders, C2 registration, and c...
12 min read →Attack Analysis
The anatomy of a SYN flood: packet-by-packet breakdown
A deep technical walkthrough of SYN flood attacks at the packet level. TCP handshake exploitation, kernel beha...
14 min read →Attack Analysis
UDP amplification attacks: DNS, NTP, memcached, CLDAP, and SSDP explained
How attackers exploit connectionless UDP protocols to amplify traffic by 50,000x. Protocol mechanics, amplific...
15 min read →Attack Analysis
The Aisiru botnet: what we know about 2025-2026's biggest DDoS threat
Technical analysis of the Aisiru botnet that generated record-breaking 5.6 Tbps attacks. Infrastructure, capab...
13 min read →Attack Analysis
Carpet bombing attacks: why traditional detection misses them
How carpet bombing distributes attack traffic across entire subnets to stay below per-IP thresholds. Why per-h...
12 min read →Attack Analysis
DDoS-for-hire: inside the booter and stresser ecosystem in 2026
The economics, infrastructure, and law enforcement actions around the DDoS-for-hire industry. How $30 buys a 1...
14 min read →Attack Analysis
Record-breaking DDoS attacks of 2025-2026: what changed
From 3.8 Tbps Mirai variants to 5.6 Tbps Aisiru floods. The attacks that broke records, the infrastructure tha...
13 min read →Attack Analysis
How to detect Mirai C2 traffic on bare metal
Mirai botnet traffic has distinct fingerprints in kernel counters and packet logs. Spot scanning, C2 command t...
9 min read →Attack Analysis
Memcached amplification: detection, evidence & what to tell your upstream
The 50,000x amplification factor explained at the packet level, a ready-to-use NOC email template, and the exa...
10 min read →Attack Analysis
DNS amplification attacks: detection, analysis & mitigation
Complete guide to DNS amplification DDoS attacks. Learn how they work at the protocol level, what the traffic ...
12 min read →Attack Analysis
Detecting memcached amplification before it hits 1Tbps
memcached amplification attacks can reach 50,000x amplification. Here's exactly what the traffic looks like at...
8 min read →Attack Analysis
Multi-vector DDoS: why your single-protocol detection fails
Sophisticated attackers don't use one protocol. They rotate between UDP, TCP, and HTTP to evade simple thresho...
9 min read →