The 3 Trends Reshaping the DDoS Threat Landscape in 2023

The past year has seen an unparalleled rise in DDoS attack activity. DDoS attacks have grown in frequency, size, and sophistication, and the audacity of attackers seems only to be growing. This rise is driven by a number of key factors, which converged to reshape the DDoS attack space.

An Unprecedented Rise in Attacks

DDoS attack activity has reached unprecedented heights over the course of 2023. According to Radware’s 2023 Threat Analysis Report, which tracks attack activity across its global network, 2023 has seen a year-over-year (YoY) increase of 94% in the number of blocked DDoS events compared to 2022. Similarly, the total blocked volume of DDoS attacks rose by 48% YoY between 2023 and 2022. This demonstrates an increase both in frequency and size of DDoS attacks.

Moreover, attackers have grown in audacity and scale of the targets attacked. Over the course of the past 18 months, attackers have launched targeted DDoS attacked against public sector and healthcare organizations, civilian airports and air traffic controls, educational institutions, cloud and service providers, and more. This has led to a far greater impact of DDoS attacks than ever before.

This rise in DDoS attack size, frequency and sophistication indicates a fundamental shift in the threat landscape of DDoS attacks. This change has been governed by a convergence of three main factors. Although each of these factors stands on its own, they are also heavily intermingled, and together coalesced to represent a paradigm shift in DDoS attacks – and consequently, in DDoS defense.

Factor #1: Rise of the State Actors

Perhaps the single biggest change in the attack landscape is that political motivation has superseded financial motivation as the primary driver for DDoS attacks.

This shift began on February 24, 2022: the day that Russia invaded Ukraine.

Unlike previous conflicts, where cyber activity was limited to the periphery of the conflict, for the first time cyberattack activity was lock-in-step with the ground action. In fact, the first wave of cyberattacks began even before the main invasion, as part of a series of preliminary attacks and special operations.

Since then, not only have cyberattacks been an essential part of Russian war plans. Such attacks are executed either directly by the Russian military, or through a myriad of independent state-supported groups such as Killnet, Passion, Zarya, NoName057(16), and others. These groups operate independently, and continuously form, re-form, merge and splinter with each other.

As the war has drawn-out, the activities of these groups have extended to target not only Ukraine, but also Ukraine’s key allies in Europe and North America.

The shift from criminally-motivated hacker rings to state-sponsored hacktivist groups – even if in some cases they are the same – is significant in three respects:

  1. First and foremost, it affects the resources and capabilities at the disposal of such groups, which bears a direct correlation to the size and complexity of attacks they launch.
  2. Second, it affects the profile of targeted organizations, and the reasons they are targeted. Organizations and networks which previously may not have been targeted, could be targets as a result of political motivation.
  1. Finally, regarding remedies against such groups, backing by the state effectively provides them with immunity. They will not be arrested, prosecuted or extradited for their activities.

This trend, however, has not been confined to Russia. Over time, the rise of Russian state-sponsored hacktivist groups has given rise to a new wave of similar ‘hacktivist’ groups, unrelated to Russia or the war in Ukraine, such as Anonymous Sudan, Team Insane PK, Eagle Cyber, Mysterious Team and others. As a result, targets in the US, Israel, India, Australia, Sweden, and other countries have been targeted by political and religious hacktivist groups.

Factor #2: Attacks Grow in Size and Complexity

Another key factor has been the growth in attack size and complexity.

Typically, DDoS attacks are based on globally distributed botnets, which use known attack tools, and are re-used by different groups across botnets. One of the effects of the rise in state-sponsored hacking groups mentioned above, is the development of new attack tools, which not only lead to larger attacks, but also to more sophisticated ones.

One of the ways in which this sophistication manifests itself is in the development of new attack vectors, and usage of multiple attack vectors within a single attack. Instead of prolonged barrages by a single attack vector, attackers increasingly mix-it-up with short, small bursts by one vector, before switching to a different one.

While such attacks have been known for several years, they have now become commonplace. According to Radware data, attacks between 1-10 Gbps, on average, leveraged two dissimilar attack vectors per attack, attacks between 10-100 Gbps leveraged, on average, four attack vectors, and attacks over 100 Gbps utilized on average more than nine different vectors.

Factor #3: Attacks Shift to the Application Layer

The third significant change is the shift of DDoS attacks to the application layer, and in particular to HTTP/S. While this trend has been ongoing for several years, recent attack waves have brought it to new heights.

The previous year saw an increase of 171% in the number of malicious web requests compared to 2022, and a 394% increase in the number of DNS DDoS attacks. This indicates a shift from network-layer (L3/4) pipe-saturation attacks to application-layer (L7) resource exhaustion attacks.

The first major botnet to make extensive use of application-layer HTTP/S attacks was the Mirai botnet in 2017. However, new botnets developed in aftermath of the conflict in Ukraine have greatly enhanced those capabilities.

Moreover, they also use make use of newer web DDoS attack tools such as Blood, MHDDoS, Saphyra, and others, which not only offer multiple web DDoS attack vectors, but also provide mitigation bypass techniques such as header randomization, CAPTCHA solving, IP spoofing, cookie harvesting, and more. This is making web DDoS attack particularly difficult to mitigate for traditional DDoS mitigation tools.

As more internet services shift to web applications, and application-layer attacks are getting more sophisticated, web DDoS attacks are quickly becoming the prime approach for DDoS attacks.


The past 24 months have seen unprecedented growth in DDoS attack activity, which has increased in size, frequency, and sophistication. This growth has been driven by a combination of factors. While each of these factors stands on its own, they coalesced into a fundamental shift in the threat landscape, which is more dangerous than ever before.

Eyal Arazi

Eyal is a Product Marketing Manager in Radware’s security group, responsible for the company’s line of cloud security products, including Cloud WAF, Cloud DDoS, and Cloud Workload Protection Service. Eyal has extensive background in security, having served in the Israel Defense Force (IDF) at an elite technological unit. Prior to joining Radware, Eyal worked in Product Management and Marketing roles at a number of companies in the enterprise computing and security space, both on the small scale startup side, as well as large-scale corporate end, affording him a wide view of the industry. Eyal holds a BA in Management from the Interdisciplinary Center (IDC) Herzliya and a MBA from the UCLA Anderson School of Management.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center