You have probably experienced the following scenario yourself. A website suddenly stops loading, a login page times out, or an online service becomes unreachable at the worst possible moment. Sometimes the cause is not an internal outage, but a Distributed Denial-of-Service (DDoS) attack designed to overwhelm the service from the outside.
DDoS attacks have long been one of the simplest ways to disrupt an online service:flooding it with enough traffic, exhausting its infrastructure, and making it unreachable without breaking into the target’s systems. Now more than ever DDoS is being packaged, branded, and sold with the language of a mature online service, and the impact is well recorded in the real world.
Cloudflare reported blocking a 7.3 Tbps attack in 2025 and later said it mitigated a 31.4 Tbps attack in its Q4 2025 DDoS report. Microsoft also said Azure mitigated a 15.72 Tbps attack in October 2025, attributing the activity to the Aisuru botnet.
Behind those incidents, underground sellers are competing over the same buyers with an increasingly polished pitch. Recent underground activity analyzed by Flare researchers describe attack panels, API access, monthly plans, reseller options, customer support, botnet-backed capacity, game-server methods, and Cloudflare bypass claims.
A comparison of two datasets of DDoS-related underground activity from the first five months of 2023 and the first five months of 2026, shows how quickly that offer has changed. What once appeared more frequently as scripts, tutorials, leaked tools, and scattered forum posts is now more often presented as a repeatable product that is easier to buy and operate.
A DDoS attack attempts to overwhelm a website, application, network, or server with traffic from many sources at once. Some attacks target network capacity, while others focus on application layer resources such as login pages and APIs. The objective is usually simple: make the service unavailable, unstable, or expensive to operate.
DDoS-as-a-service lowers the barrier further. Instead of building infrastructure, an attacker can pay for access to a web panel, choose a target, select a duration, and rely on someone else’s botnet, proxy network, or third-party attack infrastructure.
Flare Researchers Analysis
Flare researchers searched for DDoS-related underground activity from two periods in time. The first was the fivefirst months of 2023 and the second was the first five months of 2026. The team cleaned the data, curated it and found some important insights.
| Topic | 2023 | 2026 | Change |
|---|---|---|---|
| Volume of records | 4,403 | 4,964 | Slight increase |
| High-signal DDoS service ads | 38 | 364 | ~10x increase |
| Unique ad clusters | 31 | 123 | ~4x increase |
| Unique actors | 15 | 41 | ~3x increase |
| Sources observed | 22 | 43 | ~2x increase |
An important disclaimer, in this research we focused on distributed DoS. There’s another category, which is denial of service.
Technically it is a bit different in the way a server is targeted, but the goal is the same. In this research we only focused on DDoS offerings and did our best to exclude the DoS offerings.
DDoS-as-a-service platforms are openly advertised across dark web forums and cybercrime communities — the same sources Flare monitors continuously.
Flare tracks underground marketplaces, botnet infrastructure chatter, and threat actor activity across thousands of dark web sources, so your security team sees emerging threats before they impact your operations.
From scattered tools to packaged services
The topics in the posts from 2023 are more diverse. Many offerings revolved around scripts, leaked tools, tutorials, or generic “botnet service” advertisements.
One repeated type of post from 2023 (as seen in the screenshot below) promoted a “Botnet Service L7 – L4” and claimed Layer 3, Layer 4, and Layer 7 capability, optional API access, automatic payments, high attack slots, game-server targeting, and bypasses for Cloudflare-related protections. The same advertising text appeared across multiple sources and actors, suggesting copying, reselling, or recycling marketing.
While the post from 2023 was focused about the services, more recent posts from 2026 are focused around the price and the offering they give.
An advertisement of “SatelliteStress” described the service as an IP stresser with a user-friendly panel, API access, game-server support, and monthly plans starting at €20. The same post claimed the service was “100% botnet-powered” and did not rely on downstream APIs, a positioning meant to distinguish it from resellers that depend on another provider’s infrastructure.
As illustrated in the screenshot below, Areshun, which is another post that offers a “Premium DDoS Service” with Layer 4 and Layer 7 attacks, monitoring, API integration, custom plans, 24/7 support, and promotional discount codes is also pinpointed on specific service and its price.
Sign up for the free trial to access if you aren’t already a customer.
Another similar example is of “RebirthStress”, which is similarly marketed as a botnet-powered IP and web stressing device, a free Layer 7 hub, more than 400 slots, reselling suitability, and plans starting at $15 per month.
If you go over these posts, one-by-one and make the comparison, you see a distinct trend. The post in 2026 is more focused on a product, the sellers are competing one against another on customers. They package everything nicely, offer shiny features: ease of use, fully automated, full support, privacy promised, reselling capacity, and reliability.
The technical details have not disappeared, they became part of the sale pitch. In 2026 ads more commonly bundle Layer 4 and Layer 7 claims (means the service support both network-level attacks and application-layer attacks) words such as “panel,” “API,” “slots,” “bypass,” “monitoring,” “uptime,” and “support.”
One THORCC-related advertisement claimed more than 7,000 active Layer 4 bots and promoted bandwidth analytics and attack-vector statistics. Another Russian and English post presented “professional stress testing” while claiming Cloudflare and DDoS-Guard bypasses, high concurrency, and long attack durations.
Sellers are possibly exaggerating about their capabilities. However, the consistency of their marketing language remains important intelligence.
It shows what buyers are being encouraged to value beyond raw traffic volume, including web panels, automation, bypass claims, and the ability to launch or resell attacks with minimal effort.
The pricing of a DDoS attack in 2026 is very cheap. We’ve seen the following offers:
There are some more expensive offerings. An actor named “SamuraiDD” advertised attacks starting at $100 per day (see in the screenshot below).
Sign up for the free trial to access if you aren’t already a customer.
Another actor named “POWERDDOS” used a tiered model of $5 tests, $100 per day for “weak” target, $200 per day for “medium” target, and $500 per day for “strong” or protected targets.
Lastly, we’ve also seen some “premium” offerings which included infrastructure-style targeting, including a DDoS botnet attack network advertised for $2,000.
The pattern shows a market segmented by buyer type. Cheap tests and short attacks for low-skill users, daily pricing for one-off disruption, private negotiation for longer campaigns, and higher-value infrastructure or reseller-style offers for more serious customers.
Public reporting on the booter economy (a paid DDoS-for-hire service that lets users launch attacks through someone else’s infrastructure) also aligns with this low-cost access model, with Akamai noting that some DDoS booter services can cost less than $25 per month and may offer limited trials.
Conclusions
DDoS-as-a-service is no longer only about traffic volume. The market is dropping down the entry bar, enabling easier purchase, easier operation, and easier to resell. What matters is not only how powerful an attack is, but how easy it is to launch an attack through a panel, various plans, full support, API access, and rented infrastructure.
This lowers the barrier for several types of actors. Low-skill users can buy short, cheap attacks. More serious customers can negotiate longer or higher-volume campaigns. Resellers can help expand the reach of the original service. As a result, defenders should not assume that disruptive DDoS activity requires a sophisticated attacker behind the keyboard.
In the near future, this market will likely continue moving toward more polished service models. As clearer pricing tiers, more automation, stronger reseller programs, and heavier branding around “bypass” capabilities and attack reliability.
Learn more by signing up for our free trial.
Sponsored and written by Flare.
