From $5 Attacks to Botnet-Powered Platforms: Inside the DDoS-as-a- Service Market

Summary

The DDoS-as-a-Service market has matured significantly from 2023 to 2026, transforming from scattered scripts and tutorials into professionally packaged attack platforms with subscription models, API access, reseller programs, and customer support. Flare research reveals a ~10x increase in high-signal DDoS service advertisements and a ~3x increase in unique threat actors, with services now offering botnet-backed capacity and Cloudflare bypass claims. Recent major incidents include Cloudflare blocking a 7.3 Tbps attack (2025) and Azure mitigating a 15.72 Tbps attack attributed to the Aisuru botnet (October 2025).

Full text

From $5 Attacks to Botnet-Powered Platforms: Inside the DDoS-as-a- Service Market Sponsored by Flare May 29, 2026 10:32 AM 0 You have probably experienced the following scenario yourself. A website suddenly stops loading, a login page times out, or an online service becomes unreachable at the worst possible moment. Sometimes the cause is not an internal outage, but a Distributed Denial-of-Service (DDoS) attack designed to overwhelm the service from the outside. DDoS attacks have long been one of the simplest ways to disrupt an online service:flooding it with enough traffic, exhausting its infrastructure, and making it unreachable without breaking into the target’s systems. Now more than ever DDoS is being packaged, branded, and sold with the language of a mature online service, and the impact is well recorded in the real world. Cloudflare reported blocking a 7.3 Tbps attack in 2025 and later said it mitigated a 31.4 Tbps attack in its Q4 2025 DDoS report. Microsoft also said Azure mitigated a 15.72 Tbps attack in October 2025, attributing the activity to the Aisuru botnet. Behind those incidents, underground sellers are competing over the same buyers with an increasingly polished pitch. Recent underground activity analyzed by Flare researchers describe attack panels, API access, monthly plans, reseller options, customer support, botnet-backed capacity, game-server methods, and Cloudflare bypass claims. A comparison of two datasets of DDoS-related underground activity from the first five months of 2023 and the first five months of 2026, shows how quickly that offer has changed. What once appeared more frequently as scripts, tutorials, leaked tools, and scattered forum posts is now more often presented as a repeatable product that is easier to buy and operate. What is DDoS? A DDoS attack attempts to overwhelm a website, application, network, or server with traffic from many sources at once. Some attacks target network capacity, while others focus on application layer resources such as login pages and APIs. The objective is usually simple: make the service unavailable, unstable, or expensive to operate. DDoS-as-a-service lowers the barrier further. Instead of building infrastructure, an attacker can pay for access to a web panel, choose a target, select a duration, and rely on someone else’s botnet, proxy network, or third-party attack infrastructure. A flow chart that illustrates how DDoS attacks work Flare Researchers Analysis Flare researchers searched for DDoS-related underground activity from two periods in time. The first was the fivefirst months of 2023 and the second was the first five months of 2026. The team cleaned the data, curated it and found some important insights. Topic 2023 2026 Change Volume of records 4,403 4,964 Slight increase High-signal DDoS service ads 38 364 ~10x increase Unique ad clusters 31 123 ~4x increase Unique actors 15 41 ~3x increase Sources observed 22 43 ~2x increase An important disclaimer, in this research we focused on distributed DoS. There’s another category, which is denial of service. Technically it is a bit different in the way a server is targeted, but the goal is the same. In this research we only focused on DDoS offerings and did our best to exclude the DoS offerings. Is Your Organization a Target for DDoS-for-Hire Actors? DDoS-as-a-service platforms are openly advertised across dark web forums and cybercrime communities — the same sources Flare monitors continuously. Flare tracks underground marketplaces, botnet infrastructure chatter, and threat actor activity across thousands of dark web sources, so your security team sees emerging threats before they impact your operations. Detect your exposure for free From scattered tools to packaged services The topics in the posts from 2023 are more diverse. Many offerings revolved around scripts, leaked tools, tutorials, or generic “botnet service” advertisements. One repeated type of post from 2023 (as seen in the screenshot below) promoted a “Botnet Service L7 - L4” and claimed Layer 3, Layer 4, and Layer 7 capability, optional API access, automatic payments, high attack slots, game-server targeting, and bypasses for Cloudflare-related protections. The same advertising text appeared across multiple sources and actors, suggesting copying, reselling, or recycling marketing. A post from 2023 offering Botnet services While the post from 2023 was focused about the services, more recent posts from 2026 are focused around the price and the offering they give. An advertisement of “SatelliteStress” described the service as an IP stresser with a user-friendly panel, API access, game-server support, and monthly plans starting at €20. The same post claimed the service was “100% botnet-powered” and did not rely on downstream APIs, a positioning meant to distinguish it from resellers that depend on another provider’s infrastructure. As illustrated in the screenshot below, Areshun, which is another post that offers a “Premium DDoS Service” with Layer 4 and Layer 7 attacks, monitoring, API integration, custom plans, 24/7 support, and promotional discount codes is also pinpointed on specific service and its price. Screenshot taken from Flare's platform. Sign up for the free trial to access if you aren’t already a customer. Another similar example is of “RebirthStress”, which is similarly marketed as a botnet-powered IP and web stressing device, a free Layer 7 hub, more than 400 slots, reselling suitability, and plans starting at $15 per month. If you go over these posts, one-by-one and make the comparison, you see a distinct trend. The post in 2026 is more focused on a product, the sellers are competing one against another on customers. They package everything nicely, offer shiny features: ease of use, fully automated, full support, privacy promised, reselling capacity, and reliability. The technical language became part of the sale pitch The technical details have not disappeared, they became part of the sale pitch. In 2026 ads more commonly bundle Layer 4 and Layer 7 claims (means the service support both network-level attacks and application-layer attacks) words such as “panel,” “API,” “slots,” “bypass,” “monitoring,” “uptime,” and “support.” One THORCC-related advertisement claimed more than 7,000 active Layer 4 bots and promoted bandwidth analytics and attack-vector statistics. Another Russian and English post presented “professional stress testing” while claiming Cloudflare and DDoS-Guard bypasses, high concurrency, and long attack durations. Sellers are possibly exaggerating about their capabilities. However, the consistency of their marketing language remains important intelligence. It shows what buyers are being encouraged to value beyond raw traffic volume, including web panels, automation, bypass claims, and the ability to launch or resell attacks with minimal effort. The business model The pricing of a DDoS attack in 2026 is very cheap. We’ve seen the following offers: One-hour attack advertised for $5 Website attack for $10 A 24-hour “home holder” attack for $25 There are some more expensive offerings. An actor named "SamuraiDD" advertised attacks starting at $100 per day (see in the screenshot below). Screenshot taken from Flare's Platform.Sign up for the free trial to access if you aren’t already a customer. Another actor named "POWERDDOS" used a tiered model of $5 tests, $100 per day for “weak” target, $200 per day for “medium” target, and $500 per day for “strong” or protected targets. Lastly, we’ve also seen some “premium” offerings which included infrastructure-style targeting, including a DDoS botnet attack network advertised for $2,000. The pattern shows a market segmented by buyer type. Cheap tests and short attacks for low-skill users, daily pricing for one-off disruption, private negotiation for longer campaigns, and higher-value infrastructure or reseller-style offers for more serious customers. Public reporting on the booter economy (a paid DDoS-for-h

Indicators of Compromise

• malware — Aisuru

Entities