DDoS Attacks Are 70% Larger—And Your Perimeter Defense Wasn’t Built for This

New data shows threat actors are bypassing telecom infrastructure to hit enterprises directly, and the volumetric scale of attacks has jumped dramatically in a single year.

For years, the conventional wisdom around DDoS mitigation was relatively straightforward: upstream providers absorb the bulk of volumetric attacks, and enterprise-side defenses handle the rest. That model is cracking.

According to Zayo’s 2026 Cybersecurity Insights Report, average DDoS attack size grew 70% in 2025 compared to the previous year. But it’s not just the scale that should concern IT and security leaders—it’s the shift in targeting. Attackers are increasingly routing around telecom-layer defenses and going after enterprises and critical organizations directly, placing pressure on corporate network infrastructure that was never designed to absorb this kind of punishment.

This isn’t a theoretical evolution. It’s already happening, and it demands a rethink of how organizations position their defenses.

The Targeting Shift Matters More Than the Volume

A 70% increase in average attack size is significant on its own. But the more consequential finding in the report is the strategic pivot in who gets hit and how.

Historically, large-scale DDoS campaigns tended to hammer telecom and hosting providers—partly because that’s where traffic concentrates, and partly because taking down infrastructure providers creates the widest blast radius. Enterprises were often collateral damage or secondary targets.

That’s changed. Threat actors are now deliberately targeting enterprises and high-value organizations, crafting attacks designed to bypass the telecom-level scrubbing and mitigation that used to serve as a first line of defense. The implication is stark: organizations that have relied on their ISP or carrier to absorb volumetric attacks are now more exposed than they realize.

Why the shift? A few factors are converging:

  • Commoditized attack infrastructure. DDoS-for-hire services have become cheaper and more capable, lowering the barrier to launching massive attacks. Launching a significant attack no longer requires operating your own botnet—substantial capability is now available to anyone willing to pay.
  • More valuable enterprise targets. As organizations digitize operations—from customer portals to supply chain systems to AI-driven services—the business impact of downtime has increased, making DDoS a more effective extortion and disruption tool.
  • Smarter traffic shaping. Modern attack tooling can generate traffic patterns that blend with legitimate enterprise traffic, making upstream filtering less effective and pushing the detection problem closer to the target.

Why Traditional Perimeter Defenses Struggle

Most enterprise DDoS mitigation strategies were architected for a different threat model. They assume that the heaviest lifting happens upstream—at the ISP, the CDN, or a dedicated scrubbing center—and that what reaches the enterprise perimeter is manageable.

When attackers deliberately route around those upstream defenses, the enterprise is left absorbing traffic volumes its edge infrastructure wasn’t sized for. Stateful firewalls exhaust their connection tables. Load balancers saturate. Application-layer protections, designed for precision rather than volume, get overwhelmed before they can do their job.

There’s also a subtler problem. Many organizations treat DDoS as a network availability issue rather than a security issue. It lives with the network team, not the security team. That organizational divide means DDoS response often isn’t integrated into broader incident response plans, threat intelligence feeds, or security monitoring workflows. When a sophisticated, targeted DDoS campaign hits—potentially as cover for a simultaneous intrusion attempt—the lack of coordination can be devastating.

What Needs to Change

The 70% growth figure is a wake-up call, but it’s the targeting shift that should drive action. Here’s where enterprises need to focus:

  • Reassess your mitigation architecture. If your DDoS strategy depends primarily on upstream providers, you need to understand exactly what they will and won’t absorb—and what happens when traffic is engineered to evade their filters. Hybrid approaches that combine upstream scrubbing with on-premise or near-premise mitigation are increasingly necessary.
  • Stress-test at realistic scale. Many organizations haven’t tested their DDoS resilience against current attack volumes. A test designed around last year’s threat profile won’t reveal how your infrastructure performs against attacks that are 70% larger and deliberately targeted at your edge.
  • Integrate DDoS into security operations. DDoS shouldn’t be siloed as a network operations problem. Your SOC needs visibility into volumetric attack patterns, and your incident response plans need to account for DDoS as both a standalone threat and a potential smokescreen for other attack vectors.
  • Understand your exposure surface. Which of your public-facing services are critical? Which can be temporarily sacrificed to protect others? Do you have the ability to rapidly shift traffic, activate failover paths, or shed non-essential load during an attack? These questions need answers before an attack, not during one.
  • Monitor for DDoS extortion trends. Ransom DDoS—where attackers threaten an attack unless payment is made—has been a growing concern across the industry, evolving alongside the attacks themselves. Your team should know what to do when a ransom demand arrives, and the answer shouldn’t involve scrambling to figure out your actual DDoS posture for the first time.

The Broader Context: DDoS as a Component of Larger Campaigns

It’s worth stepping back to consider why this matters beyond simple uptime. DDoS attacks are increasingly used as one element of multi-vector campaigns. While defenders are consumed with keeping services online, attackers may be probing for vulnerabilities elsewhere, exfiltrating data through channels that overwhelmed monitoring systems can’t watch, or staging ransomware deployment.

The growing sophistication of cybercriminal operations—including ransomware-as-a-service ecosystems and increasingly professionalized extortion groups—means that DDoS rarely exists in isolation anymore. It’s a tool in a larger toolkit, and defending against it in isolation misses the point.

Where Plurilock Fits

This is exactly the kind of evolving threat landscape that Plurilock’s Critical Services and Cyber Adversary Simulation and Response teams work with every day. We help organizations stress-test their real-world resilience—not against theoretical benchmarks, but against the tactics and volumes that actual threat actors are deploying right now.

Whether it’s assessing your DDoS posture, integrating mitigation into your broader security operations, modernizing firewall and network infrastructure to handle current threat volumes, or running tabletop exercises that simulate multi-vector campaigns, Plurilock brings the senior expertise and rapid mobilization that complex environments demand.

The attackers have shifted their aim toward the enterprise. The question is whether your defenses have shifted with them.

Key Takeaways

  • Average DDoS attack size grew 70% in 2025, with threat actors increasingly bypassing telecom-layer defenses to target enterprises directly

  • Commoditized DDoS-for-hire services, higher-value enterprise targets, and smarter traffic shaping are converging to make enterprise-focused attacks more common and harder to filter upstream

  • Traditional perimeter defenses—stateful firewalls, load balancers, and application-layer protections—were not designed to absorb the volumetric attacks now reaching enterprise edges

  • Many organizations dangerously silo DDoS as a network operations issue rather than integrating it into security operations, leaving them vulnerable when DDoS serves as a smokescreen for simultaneous intrusion attempts

  • DDoS is increasingly a component of multi-vector campaigns alongside ransomware deployment, data exfiltration, and vulnerability exploitation—defending against it in isolation misses the broader threat

  • Organizations need to stress-test DDoS resilience at realistic, current-year scale and reassess mitigation architectures that depend primarily on upstream providers

Is your infrastructure ready for the new scale of DDoS attacks? Plurilock’s adversary simulation and readiness services stress-test your DDoS posture against real-world attack volumes and tactics, while our SOC operations support ensures DDoS detection is fully integrated into your broader security monitoring and incident response workflows. Contact us to assess your resilience before the next attack decides for you.
