From $5 Attacks to Botnet-Powered Platforms: Inside the DDoS-as-a-Service Market

You have probably experienced the following scenario yourself. A website suddenly stops loading, a login page times out, or an online service becomes unreachable at the worst possible moment. Sometimes the cause is not an internal outage, but a Distributed Denial-of-Service (DDoS) attack designed to overwhelm the service from the outside.

DDoS attacks have long been one of the simplest ways to disrupt an online service: flooding it with enough traffic, exhausting its infrastructure, and making it unreachable without breaking into the target's systems. Now more than ever DDoS is being packaged, branded, and sold with the language of a mature online service, and the impact is well recorded in the real world.

Cloudflare reported blocking a 7.3 Tbps attack in 2025 and later said it mitigated a 31.4 Tbps attack in its Q4 2025 DDoS report. Microsoft also said Azure mitigated a 15.72 Tbps attack in October 2025, attributing the activity to the Aisuru botnet.

Behind those incidents, underground sellers are competing over the same buyers with an increasingly polished pitch. Recent underground activity analyzed by Flare researchers describe attack panels, API access, monthly plans, reseller options, customer support, botnet-backed capacity, game-server methods, and Cloudflare bypass claims.

A comparison of two datasets of DDoS-related underground activity from the first five months of 2023 and the first five months of 2026, shows how quickly that offer has changed. What once appeared more frequently as scripts, tutorials, leaked tools, and scattered forum posts is now more often presented as a repeatable product that is easier to buy and operate.

What is DDoS?

A DDoS attack attempts to overwhelm a website, application, network, or server with traffic from many sources at once. Some attacks target network capacity, while others focus on application layer resources such as login pages and APIs. The objective is usually simple: make the service unavailable, unstable, or expensive to operate.

DDoS-as-a-service lowers the barrier further. Instead of building infrastructure, an attacker can pay for access to a web panel, choose a target, select a duration, and rely on someone else's botnet, proxy network, or third-party attack infrastructure.

Flare Researchers Analysis

Flare researchers searched for DDoS-related underground activity from two periods in time. The first was the first five months of 2023 and the second was the first five months of 2026. The team cleaned the data, curated it and found some important insights.

Topic	2023	2026	Change
Volume of records	4,403	4,964	Slight increase
High-signal DDoS service ads	38	364	~10x increase
Unique ad clusters	31	123	~4x increase
Unique actors	15	41	~3x increase
Sources observed	22	43	~2x increase

An important disclaimer: in this research we focused on distributed DoS. There's another category, which is denial of service. Technically it is a bit different in the way a server is targeted, but the goal is the same. In this research we only focused on DDoS offerings and did our best to exclude the DoS offerings.

From scattered tools to packaged services

The topics in the posts from 2023 are more diverse. Many offerings revolved around scripts, leaked tools, tutorials, or generic "botnet service" advertisements.

One repeated type of post from 2023 promoted a "Botnet Service L7 - L4" and claimed Layer 3, Layer 4, and Layer 7 capability, optional API access, automatic payments, high attack slots, game-server targeting, and bypasses for Cloudflare-related protections. The same advertising text appeared across multiple sources and actors, suggesting copying, reselling, or recycling marketing.

While the post from 2023 was focused on the services, more recent posts from 2026 are focused around the price and the offering they give.

An advertisement of "SatelliteStress" described the service as an IP stresser with a user-friendly panel, API access, game-server support, and monthly plans starting at €20. The same post claimed the service was "100% botnet-powered" and did not rely on downstream APIs, a positioning meant to distinguish it from resellers that depend on another provider's infrastructure.

Areshun, which offers a "Premium DDoS Service" with Layer 4 and Layer 7 attacks, monitoring, API integration, custom plans, 24/7 support, and promotional discount codes is also pinpointed on specific service and its price.

Another similar example is "RebirthStress", which is similarly marketed as a botnet-powered IP and web stressing device, a free Layer 7 hub, more than 400 slots, reselling suitability, and plans starting at $15 per month.

If you compare these posts one-by-one, you see a distinct trend. The 2026 posts are more focused on a product, with sellers competing against one another for customers. They package everything nicely, offer shiny features: ease of use, fully automated, full support, privacy promised, reselling capacity, and reliability.

The technical language became part of the sale pitch

The technical details have not disappeared; they became part of the sale pitch. In 2026 ads, terms such as "panel," "API," "slots," "bypass," "monitoring," "uptime," and "support" are more commonly bundled with Layer 4 and Layer 7 capability claims.

One THORCC-related advertisement claimed more than 7,000 active Layer 4 bots and promoted bandwidth analytics and attack-vector statistics. Another Russian and English post presented "professional stress testing" while claiming Cloudflare and DDoS-Guard bypasses, high concurrency, and long attack durations.

Sellers are possibly exaggerating about their capabilities. However, the consistency of their marketing language remains important intelligence.

It shows what buyers are being encouraged to value beyond raw traffic volume, including web panels, automation, bypass claims, and the ability to launch or resell attacks with minimal effort.

The business model

The pricing of a DDoS attack in 2026 is very cheap. We've seen the following offers:

• One-hour attack advertised for $5
• Website attack for $10
• A 24-hour "home holder" attack for $25

There are some more expensive offerings. An actor named "SamuraiDD" advertised attacks starting at $100 per day.

Another actor named "POWERDDOS" used a tiered model of $5 tests, $100 per day for "weak" target, $200 per day for "medium" target, and $500 per day for "strong" or protected targets.

Lastly, there are also some "premium" offerings which include infrastructure-style targeting, including a DDoS botnet attack network advertised for $2,000.

The pattern shows a market segmented by buyer type. Cheap tests and short attacks for low-skill users, daily pricing for one-off disruption, private negotiation for longer campaigns, and higher-value infrastructure or reseller-style offers for more serious customers.

Public reporting on the booter economy (a paid DDoS-for-hire service that lets users launch attacks through someone else's infrastructure) also aligns with this low-cost access model, with some DDoS booter services costing less than $25 per month and offering limited trials.

Conclusions

DDoS-as-a-service is no longer only about traffic volume. The market is dropping down the entry bar, enabling easier purchase, easier operation, and easier resale. What matters is not only how powerful an attack is, but how easy it is to launch an attack through a panel, various plans, full support, API access, and rented infrastructure.

This lowers the barrier for several types of actors. Low-skill users can buy short, cheap attacks. More serious customers can negotiate longer or higher-volume campaigns. Resellers can help expand the reach of the original service. As a result, defenders should not assume that disruptive DDoS activity requires a sophisticated attacker behind the keyboard.

In the near future, this market will likely continue moving toward more polished service models, with clearer pricing tiers, more automation, stronger reseller programs, and heavier branding around "bypass" capabilities and attack reliability.