Attack Analysis
The anatomy of a multi-vector DDoS attack: NTP amplification plus SYN flood
How attackers layer NTP amplification and SYN floods, why each vector alone may stay below detection threshold...
14 min read →Blog
Attack postmortems.
Engineering deep-dives.
Practical guides from engineers who've been DDoS'd and learned from it.
All
Post-Mortem
Attack Analysis
Original Research
Engineering
Forensics
Integrations
Mitigations
Fundamentals
Tools
Comparisons
Attack Analysis
Why 70% of DDoS attacks end before manual response even starts
NETSCOUT data shows 70% of DDoS attacks last fewer than 15 minutes. Manual response takes 15 to 30 minutes minimum. The math means most attacks cause all their damage before a human can push a single upstream rule.
Attack Analysis
The 10 largest DDoS attacks in history (and what we learned)
From the 300 Gbps Spamhaus attack to 5.6 Tbps Mirai variants: the biggest DDoS attacks ever recorded, what mad...
13 min read →Attack Analysis
Mirai botnet: how it infects IoT devices and launches DDoS attacks
The full Mirai lifecycle: scanning, credential brute-force, multi-architecture loaders, C2 registration, and c...
12 min read →Attack Analysis
The anatomy of a SYN flood: packet-by-packet breakdown
A deep technical walkthrough of SYN flood attacks at the packet level. TCP handshake exploitation, kernel beha...
14 min read →Attack Analysis
UDP amplification attacks: DNS, NTP, memcached, CLDAP, and SSDP explained
How attackers exploit connectionless UDP protocols to amplify traffic by 50,000x. Protocol mechanics, amplific...
15 min read →Attack Analysis
The Aisiru botnet: what we know about 2025-2026's biggest DDoS threat
Technical analysis of the Aisiru botnet that generated record-breaking 5.6 Tbps attacks. Infrastructure, capab...
13 min read →Attack Analysis
Carpet bombing attacks: why traditional detection misses them
How carpet bombing distributes attack traffic across entire subnets to stay below per-IP thresholds. Why per-h...
12 min read →Attack Analysis
DDoS-for-hire: inside the booter and stresser ecosystem in 2026
The economics, infrastructure, and law enforcement actions around the DDoS-for-hire industry. How $30 buys a 1...
14 min read →Attack Analysis
Record-breaking DDoS attacks of 2025-2026: what changed
From 3.8 Tbps Mirai variants to 5.6 Tbps Aisiru floods. The attacks that broke records, the infrastructure tha...
13 min read →Attack Analysis
How to detect Mirai C2 traffic on bare metal
Mirai botnet traffic has distinct fingerprints in kernel counters and packet logs. Spot scanning, C2 command t...
9 min read →Attack Analysis
Memcached amplification: detection, evidence & what to tell your upstream
The 50,000x amplification factor explained at the packet level, a ready-to-use NOC email template, and the exa...
10 min read →Attack Analysis
DNS amplification attacks: detection, analysis & mitigation
Complete guide to DNS amplification DDoS attacks. Learn how they work at the protocol level, what the traffic ...
12 min read →Attack Analysis
Detecting memcached amplification before it hits 1Tbps
memcached amplification attacks can reach 50,000x amplification. Here's exactly what the traffic looks like at...
8 min read →Attack Analysis
Multi-vector DDoS: why your single-protocol detection fails
Sophisticated attackers don't use one protocol. They rotate between UDP, TCP, and HTTP to evade simple thresho...
9 min read →Newsletter
Attack analysis in your inbox
One email a month. Real attack postmortems, detection techniques, and engineering insights. No marketing fluff.
No spam. Unsubscribe any time.