The global telecom sector is “a key target for threat actors” as the industry faces ever-increasing and more sustained distributed denial of service (DDoS) attacks, finds new data published by Netscout.

According to the Westford, Massachusetts-based vendor’s latest Threat Intelligence Report, Unmasking the Swarm: The Evolving Tactics of Botnet-Driven DDOS Attacks, there has been “intense acceleration in the DDoS threat landscape”, with more than 8 million attacks recorded globally between July and December of 2025, some as large as 30 Tbit/s.

The attacks were driven by “geopolitical motives and AI-enhanced, multi-vector ‘carpet-bombing’ techniques”, noted the observability and security vendor, which monitors network traffic and provides early warnings of potential disruptions and imminent incursions.

The trend marks the beginning of a new and enormously disruptive era of persistent, hyperscale, co-ordinated threat activities. The report’s authors suggest that such malign capabilities, when taken in combination with the emergence of new “hacktivist” groups, such as NoName057(16) and Keymous+, and the damaging “digital aftershocks” that always follow the initial attacks on critical infrastructure, require telcos to immediately move away from their traditional reactive responses to DDoS attacks and adopt proactive, automated defence strategies instead.

Netscout has more than 15 years’ experience in mapping the DDoS landscape and providing evidence of global attack trends based on directly observed, verifiable attack traffic. Its new report confirms that fixed-line telcos and broadband ISPs were the most targeted vertical industry in the UK, with mobile operators following in a close second place. It is now abundantly evident that both outbound and crossbound DDoS traffic has become a critical operational challenge for broadband and mobile operators whose networks are riddled with increasing populations of botnets that pose significant service-availability risks and compromise internet of things (IoT) infrastructure.

Matters are being made considerably worse by the ever-easier availability of renegade DDoS-for-hire services. The report emphasises that security concerns now extend far beyond “volumetric concerns” and responses should include “reconnaissance and adaptive evasion which challenge traditional defence paradigms”.

It adds: “Organisations must match adversarial innovation with intelligent, autonomous defences, or risk operational disruption at levels previously considered theoretical.”

Richard Hummel, director of Threat Intelligence at Netscout, stated: “Threat actors identify organisations that haven’t invested in the right defences to stay ahead of sophisticated and coordinated DDoS attacks to take down critical infrastructure. Traditional security defences are no longer working, and with attackers hitting new attack size and complexity ceilings, implementing automated and proactive defences has become a business-level risk mandate – not just a technical concern for security professionals.”

Main threat actor focus is on critical infrastructure and high-value services

Netscout observed an increase in multivector attacks, finding that 42% of DDoS attacks were based on two to five distinct attack vectors, with some so sophisticated that they adapted dynamically throughout the attack to complicate detection and damage mitigation.

Outbound attacks hit broadband and mobile services very hard, with extensive direct-path attacks compromising IoT and customer-premises equipment and capable of generating massive outbound data floods in excess of 1 Tbit/s.

As might be expected, threat actors target critical infrastructure and high-value services: DNS (domain name system) servers that translate domain names into IP addresses, and NTP (network time protocol), which enables clock synchronisation between computer systems including servers, routers and PCs, continue to face sustained attacks.

The intense and growing pressure throws the spotlight on the immediate need for the deployment of resilient, globally distributed architectures if service continuity is to be maintained. The new reality is that telcos must now plan for “extreme-scale events” to maintain service availability, and that requires planning, determination and considerable (but very necessary) expense.

Meanwhile, threat actors are beginning to collaborate and co-operate. In July 2025, an attack by a swarm of more than 20,000 botnets demonstrated that co-ordinated action by different malign groups can quickly overwhelm defences and collapse critical services, including telecoms, finance, government, health and transportation. International law enforcement agencies have had some success in bringing down multiple DDoS-for-hire platforms, but hacktivist groups and botnets remain resilient and persistent and can quickly regroup to continue their attacks.

And then, of course, there’s AI. The now ubiquitous technology is a gift to outlaws, while large language models (LLMs) on the dark web speed up the identification and exploitation of network vulnerabilities and the profusion of botnets. The Netscout report says monitoring of the dark web indicates a 219% increase in the use of malicious AI tools during the second half of last year.

