David Rodríguez Rey

Cyber Security
Hybrid DDoS protection: the most effective architecture against multivector attacks
Denial-of-Service attacks are the most common threat to service availability, and hybrid protection, delivered from the operator's network and combined with a local solution, is the most effective way to stay protected.

The new DDoS attack landscape

Distributed Denial-of-Service (DDoS) attacks aim to cause service disruption through sustained streams of packets sent from distributed locations to a company's IP address space, with the objective of overwhelming services and creating downtime, resulting in financial impact and reputational damage for the targeted organization.

In a recent post, we described in detail what DDoS attacks are, the different types of attacks that exist, what a DDoS protection solution must deliver, and the need to acquire a managed service from a company that, from an optimal network position and with highly qualified personnel specialized in this type of threat, will properly protect network traffic against DDoS attacks.

However, new attack vectors and multivector attacks are now emerging. DDoS attacks are no longer static or single vector: today they are dynamic, multivector and increasingly sophisticated. Cybercriminals and botmasters continue to exploit vulnerabilities and search for new ways to hijack networks and gain access to corporate data. Every day, media headlines report highly sophisticated DDoS attacks that cause significant impact. All traffic and data circulating across networks are under constant threat from attackers launching highly sophisticated multivector DDoS attacks.

The number of DDoS attacks has increased at every level, from single vector attacks to those leveraging up to 25 vectors. In particular, there is a growing prevalence of attacks using more than 15 vectors. Attackers often combine between 15 and 25 vectors to launch complex, high volume attacks targeting different layers of enterprise and service provider infrastructures. In addition, the use of botnets to launch complex and large scale attacks is now automated.
Numerous attacks target critical infrastructure such as routers, firewalls, DNS servers and VPN concentrators, and many organizations do not have the appropriate infrastructure to mitigate or resolve them effectively. According to Netscout data, the threshold of 10 million attacks in 2025 has already been surpassed, establishing a new normal of one million DDoS attacks per month.

More dynamic and harder to detect attacks

Cybercriminals are finding new ways to make their attacks more efficient, making them increasingly dynamic and harder to detect. There is a clear trend towards direct to IP attacks instead of amplification and reflection techniques, while DDoS attacks targeting the application layer and those embedded within encrypted HTTPS traffic have grown significantly. This new approach, combined with traditional volumetric attacks, creates an increasingly volatile DDoS landscape where attack frequency continues to rise.

As DDoS protection systems have become highly effective, attackers have enhanced their capabilities and increased the frequency of attacks against the application layer and edge devices, combining these techniques with traditional volumetric attacks. Network scans are launched to identify the most direct attack points, and attacks are no longer static over time. They are now dynamic, with multiple attack vectors, and instead of targeting the same IP continuously, they shift between multiple specific IP addresses that change during the attack.

Examples of new attacks

Carpet Bombing

A Carpet Bombing attack targets all IP addresses within a network and continuously rotates between them. Traffic directed at each individual IP is low, but aggregated across all of them it generates a very high volume, with the targeted IPs changing approximately every three minutes.
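As an added example (not code from the original post), the following Python detector shows why a classic per-destination threshold misses Carpet Bombing: it aggregates constructed flow records per prefix and per time window, alerts when the prefix total is high while no single host is busy, and reports how the target set rotates between windows. The flow records, the 203.0.113.0/26 prefix, the window size and the thresholds are all assumed values.

```python
"""Carpet Bombing detector over constructed flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


def make_sample_flows():
    """Constructed NetFlow-style records (timestamp_s, dst_ip, bytes), not real
    traffic: the attacker rotates across a /26, hitting ~20 hosts per 60 s
    window with 75 MB each (10 Mbit/s per host), plus one legitimate server."""
    hosts = list(ip_network("203.0.113.0/26").hosts())   # 62 usable addresses
    flows = []
    for w in range(3):
        for h in hosts[w * 20:(w + 1) * 20]:
            flows.append((w * 60 + 5, str(h), 75_000_000))
        flows.append((w * 60 + 10, "203.0.113.10", 30_000_000))  # legit web traffic
    return flows


def detect_carpet_bombing(flows, prefix, window_s=60,
                          per_ip_mbps=50.0, aggregate_mbps=100.0):
    """Return one alert per window in which the whole prefix receives at least
    aggregate_mbps while no single destination reaches per_ip_mbps, i.e. the
    pattern a per-host threshold alone would never see."""
    net = ip_network(prefix)
    per_window = defaultdict(lambda: defaultdict(int))   # window -> dst -> bytes
    for ts, dst, nbytes in flows:
        if ip_address(dst) in net:
            per_window[int(ts // window_s)][dst] += nbytes

    def mbps(nbytes):
        return nbytes * 8 / window_s / 1e6

    alerts, prev_targets = [], set()
    for w in sorted(per_window):
        hosts = per_window[w]
        agg = mbps(sum(hosts.values()))
        peak = max(mbps(b) for b in hosts.values())
        targets = set(hosts)
        if agg >= aggregate_mbps and peak < per_ip_mbps:
            alerts.append({
                "window": w,
                "aggregate_mbps": round(agg, 1),
                "peak_host_mbps": round(peak, 1),
                "targets": len(targets),
                # rotation indicator: destinations not hit in the previous window
                "new_targets": len(targets - prev_targets),
            })
        prev_targets = targets
    return alerts


if __name__ == "__main__":
    for alert in detect_carpet_bombing(make_sample_flows(), "203.0.113.0/26"):
        print(alert)
```

In the constructed data every window carries about 204 Mbit/s into the prefix while the busiest host sees only 14 Mbit/s, so a 50 Mbit/s per-host rule stays silent and only the prefix-level aggregate fires.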
DNS Water Torture

Another very common example is DNS Water Torture, a DNS attack that generates queries for non existent domain names, overloading DNS processing as servers attempt to resolve these names by querying higher level DNS servers outside the company.

Slow Loris

An example of an application layer attack is the so called Slow Loris, which consists of sending packets, not necessarily malformed, very slowly, creating multiple connections with the application server that remain waiting for the completion of a request that never arrives, eventually exhausting the connection stack.

For all the reasons described above, traditional DDoS protection is no longer sufficient.

The need for local 'always-on' protection

The number of purely volumetric attacks is decreasing, while direct to IP attacks, attacks embedded within encrypted HTTPS traffic, Carpet Bombing attacks targeting multiple company IP addresses, DNS Water Torture attacks, and network scans to identify vulnerabilities are increasing. At the same time, due to the traffic they generate, these scans themselves constitute DDoS attacks.

To address this growth in sophisticated new attacks with lower volume and focused on overwhelming applications or edge devices, it is necessary to deploy a device that operates inline within the traffic flow, in always-on mode, analyzing all network traffic including encrypted traffic. By deploying a local Anti-DDoS protection module inline, on-premise at the perimeter of the customer's Data Center network, that is, between the internet router and the firewall, robust protection can be achieved against this increase in new attack types. The on-premise device acts as both the first and last line of defense, protecting against inbound and outbound threats.
This network position, combined with a stateless packet processing engine powered by threat intelligence, enables the solution to automatically detect and stop both inbound threats and outbound communications from compromised internal hosts, effectively acting as the first and last line of defense for organizations.

This device does not implement firewall functionality. The main reason is that, if it did, it would need to operate as a stateful device and maintain a session table that could itself be overwhelmed. Stateful devices such as firewalls are sensitive to DDoS attacks and are, in themselves, targets. The local on-premise protection device must therefore be deployed directly after the internet router in order to protect the firewall as well as any other edge devices on the network, such as IDS, IPS or load balancers.

Benefits of the local Anti-DDoS protection module

- First line of defense: blocks inbound DDoS attacks to protect network availability, services and stateful security devices.
- Last line of defense: blocks outbound communications from compromised devices to command and control infrastructure.
- Protection against all types of DDoS attacks, including volumetric attacks up to link capacity.
- Continuous traffic inspection, adding protection against attacks within encrypted traffic.

Hybrid protection: operator network plus local solution

In coordination with a DDoS protection solution provided by the internet service provider, hybrid protection is achieved, ensuring that high capacity volumetric attacks continue to be mitigated upstream, while more sophisticated attacks are handled by the local on-premise equipment. Hybrid protection is the most effective and automated way to defend against Denial-of-Service attacks. On-premise devices can operate independently, detecting and mitigating volumetric and application layer DDoS attacks.
When they detect that an attack may exceed link capacity, they send an alert to the ISP's Anti-DDoS Service, enabling additional automatic mitigation from the network. Traffic diversion to the ISP's network based service is automated when a volumetric attack exceeding certain configurable intensity thresholds is detected. In this way, a hybrid protection model is achieved that combines a local device with Telefónica's network based Anti-DDoS Service, enabling defense against sophisticated attacks mitigated on premise as well as large volumetric attacks, without adding latency to legitimate traffic.

Key features of hybrid protection

- Greater effectiveness in detecting volumetric, state exhaustion and sophisticated application layer attacks.
- Integration of protection layers and automatic synchronization of the mitigation list.
- Unlimited scalability leveraging Telefónica's mitigation capacity.
- Optimization of local resources.
- Detection and mitigation of outbound attacks originating from the Data Center itself.
- Ability to incorporate SSL and malware inspection services.
- Dedicated DNS protection.
- Cost reduction and improved resilience.

Conclusions

Implementing DDoS protection from the operator combined with a local solution integrated with the operator's network is the best architectural approach to address Denial-of-Service attacks, mitigating volumetric, application layer and multivector attacks alike. The on-premise server operates in always-on mode and detects and mitigates attacks within its scope immediately, both inbound and outbound, with the additional capability to inspect SSL traffic in order to detect and mitigate threats hidden within encrypted traffic. Acquiring a managed service for the fully integrated solution is the most effective way to address DDoS attacks, given the high level of expertise of ISP personnel operating these technologies.
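The escalation logic of the hybrid model described above (the local device mitigates on its own and signals the ISP's network service when an attack may exceed link capacity) can be illustrated with a small controller. This is an added example, not the product's code: the link capacity, the 80% signal and 50% release thresholds, the hysteresis window count and the traffic series are assumed values.

```python
"""Local-to-upstream escalation in a hybrid DDoS defence (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HybridController:
    """Per measurement window, decides whether the on-premise inline device keeps
    mitigating alone or signals the ISP's network Anti-DDoS service. Thresholds
    are assumed values for illustration, not any product's defaults."""
    link_mbps: float            # contracted internet link capacity
    signal_ratio: float = 0.8   # signal the ISP at 80% link load ...
    clear_ratio: float = 0.5    # ... and release once load stays under 50%
    clear_windows: int = 3      # for this many consecutive windows (hysteresis)
    upstream_active: bool = False
    _prev_mbps: Optional[float] = None
    _calm: int = 0

    def observe(self, inbound_mbps: float) -> str:
        """inbound_mbps is traffic arriving on the link before the inline device
        drops anything: once the link itself is full, local dropping no longer
        helps, so link load (not post-filter volume) drives the decision."""
        load = inbound_mbps / self.link_mbps
        # "may exceed link capacity": also act on a ramp that would fill the
        # link by the next window if it kept the same slope.
        delta = 0.0 if self._prev_mbps is None else inbound_mbps - self._prev_mbps
        projected = (inbound_mbps + delta) / self.link_mbps
        self._prev_mbps = inbound_mbps

        if not self.upstream_active:
            if load >= self.signal_ratio or projected >= 1.0:
                self.upstream_active, self._calm = True, 0
                return "SIGNAL_ISP"   # alert sent; traffic diverted to ISP scrubbing
            return "LOCAL"            # inline device mitigates on its own
        if load < self.clear_ratio:
            self._calm += 1
            if self._calm >= self.clear_windows:
                self.upstream_active, self._calm = False, 0
                return "RELEASE"      # attack subsided: back to local-only mode
        else:
            self._calm = 0            # still hot: keep the upstream diversion
        return "UPSTREAM"


def run(series_mbps: List[float], link_mbps: float = 1000.0) -> List[str]:
    """Replay a constructed series of per-window link loads through one controller."""
    ctl = HybridController(link_mbps)
    return [ctl.observe(m) for m in series_mbps]


if __name__ == "__main__":
    # Constructed 1 Gbit/s link: slow rise, volumetric burst, then decay.
    print(run([200, 400, 850, 950, 300, 200, 200, 150]))
```

The hysteresis keeps the diversion in place through short lulls, so the mitigation list is not flapped on and off while the attack is still changing vectors.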
February 18, 2026
Cyber Security
DDoS attack protection: the main threat to digital service availability
Distributed denial-of-service (DDoS) attacks are becoming increasingly frequent. Their goal is to cause service unavailability across the assets of companies and organisations in order to generate economic impact or reputational damage for the targeted organisation. To carry them out, organised groups and threat actors, driven by political, ideological, economic or other motives, make use of tools that leverage the power of bot networks (botnets) to launch attacks from multiple locations against specific services until they saturate them, thereby causing a denial of service and preventing access or normal operation. DDoS attacks have become one of the leading causes of digital service outages, directly affecting business continuity and corporate reputation.

The global growth of DDoS attacks

The cyber threat landscape during the second half of 2025 shows a significant escalation in both the volume and sophistication of DDoS attacks, with more than 8 million attacks recorded, according to Netscout data. Cyber threats continue to evolve, and DDoS attacks have become tools used in digital conflicts and campaigns aimed at destabilising critical infrastructure (communications, transport, energy, defence), often operating through interconnected networks and intensifying especially during high-visibility events.

Main types of DDoS attacks

Today, DDoS attacks are classified into volumetric attacks, state or resource exhaustion attacks, and application-layer attacks.

Volumetric DDoS attacks

Volumetric DDoS attacks aim to saturate the available bandwidth, overloading the access network, typically the WAN links connected to the internet. For this type of attack, the victim IP address does not need to be assigned to a server or even be in use. It only needs to be routable on the internet. There have been cases of attacks targeting the last IP address in a customer's range, which has no actual use.
For example, a flood of unsolicited packets, typically using the UDP protocol, causes downstream bandwidth saturation. Even if this traffic is dropped at the datacenter ingress firewall, the saturation is still effective and the attacker achieves their objective. Some of the most common examples of volumetric DDoS attacks include UDP Flood and DNS Reflection/Amplification:

- UDP Flood: consists of generating large volumes of UDP packets against the chosen victim.
- DNS Reflection/Amplification: uses DNS servers to generate a large volume of traffic and overwhelm the target server.

Volumetric attacks do not aim to exploit system vulnerabilities, but to overwhelm network capacity, making services inaccessible even when security systems are working correctly.

Resource exhaustion DDoS attacks

Resource exhaustion attacks seek to consume the state tables of the TCP/IP stack present in most components of the victim's security and service infrastructure: firewalls, IPS, load balancers, or the TCP servers themselves. All stateful devices (network and security systems that maintain information about the state of each connection) have a limit on their capacity to process new connections. This type of attack aims to saturate that capacity. Two typical examples of this type of attack are SYN Flood and TCP Connection Flood:

- SYN Flood: floods the servers' connection table with SYN packets, overwhelming them so they cannot accept new connections.
- TCP Connection Flood: floods the firewall with legitimate TCP connections at a rate higher than the number of connections per second it can handle. As a result, all services behind the firewall lose connectivity. Additionally, connectivity between the internal network (LAN) and the DMZ, where internet-facing services reside, will stop working, clearly showing that the saturation occurs at the firewall and not on the internet access link.
Application-layer DDoS attacks

Application-layer attacks saturate resources such as CPU, memory or concurrent sessions of a specific service. These attacks are stealthier, as they can be carried out using legitimate traffic and may even be launched from a single attacking machine while generating relatively low traffic volumes. Some examples of this type of DDoS attack include:

- Slowloris: aims to open as many HTTP connections as possible to a web server and keep them open for as long as possible, preventing the server from handling legitimate requests.
- RUDY: very similar to the previous attack, it aims to saturate the number of connections on a web server and keep them open by sending traffic.
- THC-SSL: an attack that generates numerous SSL renegotiation attempts, saturating the CPU of the HTTPS server.

In light of all the above, companies with an online presence need to protect their network assets and ensure business continuity and reputation with a DDoS protection solution tailored to their needs. For each type of network scenario or attack, a specific Anti-DDoS architecture must be applied.

Anti-DDoS solutions to protect digital services

An ISP-based solution deployed from the operator's network can effectively address any type of attack with proper configuration and deployment, with minimal impact on service delivery and providing clean traffic transparently to the customer over the same contracted communication link, without the need for traffic diversion.

A cloud-based solution is suitable for any type of volumetric attack, delivering clean traffic via a virtual point-to-point link. It is also appropriate when a company has sites in several countries, with different geographic locations and multiple internet providers. These solutions offer on-demand configuration, diverting traffic at the time of the attack to counter it, or always-on mode, where all traffic is continuously analysed to stop a volumetric attack the moment it occurs.
Key capabilities of an effective DDoS protection solution

The core features that any denial-of-service protection solution should provide include monitoring and detection, mitigation and traffic scrubbing, and mitigation reporting:

- In the monitoring phase, traffic to or from the customer is continuously analysed to identify attack traffic patterns using DDoS detection mechanisms.
- The mitigation and malicious traffic scrubbing phase removes all illegitimate traffic destined for the customer. This can be performed in always-on or on-demand mode, depending on the specific configuration, ensuring that only legitimate traffic reaches the company and preventing service collapse by transparently stopping the attack.
- Finally, any denial-of-service protection solution should provide real-time information throughout an attack: at the start, during, and upon its completion.

A managed DDoS protection service delivered by a network operator enables faster and more effective detection, mitigation and traffic scrubbing, minimising the impact on services.

The importance of an operator-managed DDoS protection service

One might ask whether it is necessary to contract a managed service alongside a denial-of-service protection solution, and if so, from whom. As noted earlier, denial-of-service attacks are becoming increasingly frequent, with millions of attacks each year. Based on internet traffic visibility, those who can observe the largest share of traffic are best positioned to stop this type of service unavailability attack. Therefore, having a managed DDoS protection service supported by the operator's network and run by specialised teams is key to effective defence. A telecommunications operator, in its role as an internet service provider, offers a privileged view of global traffic and the ability to act directly from the network to mitigate attacks.
Building on this infrastructure, Telefónica Tech provides companies with expert teams fully dedicated to DDoS attack detection and mitigation, mitigating more than 1,500 attacks annually in customer environments, applying the most appropriate countermeasures at each stage of the attack and minimising the impact on customer services.

Having the experience of a specialist makes it possible to adapt the response and apply the most effective solution for each type of DDoS attack. At the same time, the network operator has a global view of traffic that enables faster and more accurate anticipation and mitigation of attacks. The combination of both factors therefore provides the strongest defence against denial-of-service threats. A telecommunications operator, thanks to its global traffic visibility and network-level response capabilities, is best positioned to mitigate DDoS attacks effectively.

Attack detection is performed automatically when certain traffic patterns targeting customer links are identified, generating an alert that is logged in the systems for evaluation by the service operations team. This ensures effective mitigation of all types of attacks and proactive detection of denial-of-service attacks. When a potential attack is detected, detection tools generate the corresponding alerts and action must be taken, either automatically or manually, but always under the supervision of experts in this type of solution, provided by the network operator from its position as an ISP.

Conclusions

Any company with an online presence, regardless of sector or industry, that needs to protect its network assets and ensure service availability, business continuity and reputation, requires a tailored denial-of-service protection solution capable of detecting, mitigating and reporting at all times when an attack occurs. In the case of the public sector, additional requirements apply.
A telecommunications operator, due to its global traffic visibility and network response capabilities, combined with an expert team specialised in these solutions, is best positioned to mitigate DDoS attacks effectively.
February 4, 2026