Cloudflare reported blocking a 7.3 Tbps attack in 2025 and later said it mitigated a 31.4 Tbps attack in its Q4 2025 DDoS report — and Microsoft said Azure mitigated a 15.72 Tbps attack in October 2025 attributed to the Aisuru botnet. Those numbers frame a rapidly professionalizing market: Distributed Denial-of-Service (DDoS) capability is now being packaged, priced and sold like a mainstream online service.
Real-world scale and recent incidents
High-volume DDoS activity is not hypothetical. Cloudflare’s two mitigations in 2025 and Microsoft Azure’s October 2025 mitigation tied to the Aisuru botnet are concrete examples researchers cite to show capacity and impact. Flare researchers point to those mitigations as context for a parallel trend on criminal markets: sellers are advertising services that claim botnet-backed capacity, analytics, and long attack durations.
From scattered tools (2023) to packaged products (2026)
Flare researchers compared two snapshots of underground activity — the first five months of 2023 and the first five months of 2026 — and found a structural shift. In 2023, posts more frequently offered scripts, leaked tools, tutorials and generic “botnet service” advertisements. By 2026 those same marketplaces increasingly present polished products: attack panels, API access, monthly plans, reseller programs, customer support, and promotional discount codes.
The researchers emphasize they focused on distributed DoS (DDoS) offerings, excluding single-host DoS tools. Across thousands of dark-web sources Flare monitors, the company says, advertising language grew more uniform and product-focused, suggesting competition among sellers to attract repeat customers rather than one‑off exchanges of code.
Pricing, segmentation and the business model
Price points are strikingly low and structured. Flare’s sampling of 2026 listings included one-hour attacks advertised for $5, single website attacks for $10, and 24-hour “home holder” attacks for $25. Other models showed tiered and premium pricing: SamuraiDD advertised attacks starting at $100 per day; POWERDDOS listed $5 tests, $100 per day for “weak” targets, $200 per day for “medium” targets, and $500 per day for “strong” or protected targets; and at the high end a DDoS botnet attack network was offered for $2,000.
Flare draws a clear line from those offers to market segmentation: ultra‑cheap tests and short attacks for low-skill users, daily pricing for one‑off disruption, private negotiation for longer campaigns, and higher‑value infrastructure or reseller-style offers for more serious customers. Public reporting on the booter economy aligns with this low-cost access model: Akamai has noted some booter services can cost less than $25 per month and may offer limited trials.
Technical claims as sales features: panels, APIs, and “bypass”
Technical language—Layer 4, Layer 7, bot counts, concurrency, bypasses—has migrated from developer shorthand into marketing copy. 2026 advertisements commonly bundle Layer 4 (network-level) and Layer 7 (application-level) claims and emphasize features buyers value: “panel,” “API,” “slots,” “bypass,” “monitoring,” “uptime,” and “support.”
Examples noted by Flare include SatelliteStress marketing itself as an IP stresser with a user panel, API access, game-server support, and monthly plans starting at €20 while claiming to be “100% botnet-powered” rather than reselling another provider’s API. Other posts—Areshun, RebirthStress and one tied to THORCC-related infrastructure—promote thousands of active Layer 4 bots, bandwidth analytics, Cloudflare and DDoS‑Guard bypasses, free Layer 7 hubs, and reseller suitability.
Flare cautions sellers may be exaggerating capabilities. Still, the uniformity of the marketing terms shows what buyers are being sold: ease of use, automation, reselling capacity, and the promise of bypassing protections.
What this means for security teams, policymakers, and end users
- Technologists and security teams: Expect easier-to-launch attacks and a lower barrier for nuisance and disruptive operations. Flare’s analysis suggests defenders should not assume disruptive DDoS activity requires a sophisticated attacker; cheap, panel-driven services put campaign launch within reach of low-skill users.
- Policymakers and regulators: The market’s commercialization — with monthly plans, reseller programs and explicit pricing tiers — creates clearer economic signals about demand and supply that policy and enforcement efforts can target. Flare’s findings imply the market is moving toward more polished service models, which could change the operational footprint investigators must monitor.
- End users and affected enterprises: The segmentation of offers means small organizations may be targeted by low-cost disruptions, while higher-value targets face options for longer or higher-volume campaigns negotiated privately or purchased at premium tiers.
Flare’s central conclusion is straightforward and stark: DDoS-as-a-service is no longer only about raw traffic volume. The market has lowered the barrier to buy and to operate attacks by packaging DDoS as a repeatable product — panels, automation, support, and reseller channels matter as much as terabits-per-second. If the pattern continues, the industry will see clearer pricing tiers, stronger reseller programs, and heavier branding around “bypass” claims, all of which change who can cause disruption and how defenders must prepare.