
The top 7 DDoS protection myths that are putting your business at risk

21 August 2025

DDoS attacks are still one of the most dangerous types of cyber threats, and they are getting bigger and more complicated. In 2024, there were more than 15 million DDoS attacks reported around the world. Our most recent study estimates application-layer DDoS attacks are up 74% compared to last year. But many businesses still don't know how to keep themselves safe from these kinds of threats. In this article, we'll talk about seven of the most common myths about protecting against DDoS attacks.

Myth #1 — “DDoS attacks are a thing of the past”

Some people believe that DDoS attacks are no longer a threat and that today’s networks don’t need protection. But this belief is simply not true. DDoS attacks are not only still happening; they are becoming more frequent and more severe. Businesses of all sizes deal with DDoS traffic every day, proving that the threat is very real. Our recent data shows a 53% increase in DDoS attacks in 2024 compared to 2023. The problem isn’t going away. It is getting worse.

Attackers are creating larger botnets and using more bandwidth for their attacks. For instance, in 2024 we observed a botnet with over 227,000 hijacked devices, compared to about 136,000 in 2023. This means attacks are becoming more powerful and lasting longer. The trend is only accelerating: in March 2025, we recorded a DDoS botnet consisting of 1.33 million hijacked devices, the largest we’d seen to that date. Then, in May 2025, the same DDoS botnet was back with a new attack, this time comprising 4.6 million devices. These facts make it incredibly clear that the idea of DDoS attacks being a thing of the past is false. In reality, the threat is more widespread and dangerous than ever.

Myth #2 — “Only large enterprises need DDoS protection”

Another common misconception is that small or medium businesses won’t be targets of DDoS attacks. This myth assumes attackers only go after huge corporations or high-profile targets, so smaller organizations can safely ignore DDoS protection. But in truth, DDoS attacks don’t discriminate by size or fame. Any online service can be a target. Cybercriminals may actually prefer easier prey, and smaller businesses with limited defenses make attractive victims. Organizations of all sizes, from startups and SMBs to large enterprises, can benefit from DDoS protection, as the cost of being unprepared far outweighs the cost of prevention.

As SMBs are often less resilient financially and operationally, even a brief downtime can cause serious financial and reputational damage — potentially more devastating than for a large firm with diversified revenue and significant recovery resources. Unfortunately, attackers know this. Extortion-motivated DDoS campaigns (ransom DDoS) often target smaller companies, betting that an unprotected business will be desperate enough to pay up to get their website back online. Likewise, ideologically motivated attacks (hacktivism) or grudges can strike anyone — even local businesses or niche websites — if they draw an attacker’s ire.

Myth #3 — “Small attacks won’t hurt our organization”

When people think of DDoS attacks, they often picture massive floods of unwanted traffic overwhelming a network. This leads to the assumption that only large, high-bandwidth attacks are a real concern, and that smaller ones can be ignored or easily absorbed. In reality, DDoS attacks come in many forms, and their impact depends on what part of the system they target. Many are low-volume and focus on the application layer, aiming to exhaust server or service resources rather than fill up the network pipe. For example, an HTTP flood that sends a high rate of seemingly legitimate requests can overwhelm a web server’s ability to respond. Repeatedly accessing a database-heavy page can drain back-end resources long before bandwidth becomes an issue.

There are also connection-based attacks like Slowloris, which hold many sessions open and consume memory or sockets without generating significant traffic. These attacks can quietly degrade performance or take a service offline without triggering typical volumetric alarms. Even with traditional bandwidth-focused attacks, scale is relative. A smaller organization or cloud instance with a 100 or 200 Mbps uplink does not need to face terabits of traffic to go down. A modest flood can still saturate the connection and disrupt availability. Small attacks can be just as effective as large ones when they hit the right bottleneck. Whether the pressure point is bandwidth, CPU, memory, or application logic, the result is the same: downtime.
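A detection sketch for the connection-holding pattern described above, added here as an illustration (it is not Qrator Labs code). The connection snapshot is constructed, and the thresholds min_age, max_rate and min_conns are assumed values that would need tuning against real traffic.

```python
from collections import defaultdict

def sample_connections():
    """Constructed snapshot of a web server's open connections (not real data).
    Each entry: (client_ip, seconds_open, bytes_received, request_complete)."""
    conns = [("198.51.100.7", 2, 640, True),
             ("198.51.100.8", 5, 812, True),
             ("198.51.100.9", 40, 15_000, True)]   # slow but complete upload
    # One client holding 150 sockets open and trickling header bytes
    conns += [("203.0.113.50", 120 + i % 30, 200 + i, False) for i in range(150)]
    return conns

def total_bits_per_second(conns):
    """What a volumetric alarm looks at: the aggregate inbound rate."""
    return sum(8 * received / max(age, 1) for _, age, received, _ in conns)

def slow_holders(conns, min_age=30, max_rate=50.0, min_conns=20):
    """Clients with many old connections whose request never completes.

    min_age    seconds a connection must be open before it is suspicious
    max_rate   bytes/second at or below which a connection counts as trickling
    min_conns  stalled connections per client needed to flag that client
    """
    stalled = defaultdict(int)
    for ip, age, received, complete in conns:
        if not complete and age >= min_age and received / age <= max_rate:
            stalled[ip] += 1
    return {ip: n for ip, n in stalled.items() if n >= min_conns}

if __name__ == "__main__":
    conns = sample_connections()
    print(f"aggregate inbound: {total_bits_per_second(conns) / 1e3:.1f} kbit/s")
    print("slow holders:", slow_holders(conns))
```

On this sample the aggregate rate stays around 10 kbit/s, far below anything a bandwidth alarm on a 100 Mbps uplink would notice, while the per-client view shows one address occupying 150 sockets.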

Myth #4 — “Our firewall (or ISP) can take care of any DDoS”

Many organizations assume their existing security infrastructure, such as firewalls, intrusion prevention systems, or ISP default protections, can adequately handle DDoS attacks. However, this assumption is often misguided. Traditional security appliances, including next-generation firewalls and IPS devices, are stateful and track active connections, making them inherently vulnerable to certain DDoS attack methods. Attackers can exploit this by flooding these devices with fake connection requests (such as SYN floods or TCP state-exhaustion attacks), overwhelming their state tables and causing them to fail or become unresponsive. Even the most advanced firewall has limitations regarding how many connections it can simultaneously manage. Once the firewall is overwhelmed, legitimate traffic suffers along with malicious traffic. However, the issue isn't always the firewall's capability to process malicious traffic; it often involves the network bandwidth itself. Firewalls typically operate at the last mile of a network, which might have limited bandwidth (e.g., 1 Gbps).

Even if a firewall is strong enough to handle a 1 Gbps DDoS attack, if the attack completely saturates that last-mile link, legitimate traffic won't reach the firewall at all. This means the firewall isn't necessarily at fault; it's simply being starved of legitimate traffic by upstream network saturation. Thus, while firewalls can effectively mitigate certain attacks, they can't protect against upstream bandwidth exhaustion that prevents traffic from reaching them in the first place. ISPs (Internet Service Providers) also play a big role during DDoS attacks. However, they have little incentive to absorb and filter large volumes of malicious traffic. Instead, ISPs are more likely to protect the rest of their network by sacrificing a single customer. In practice, this means that during a DDoS attack, an ISP may choose to isolate the targeted customer’s IP address to prevent the attack from affecting other clients. While this decision helps shield the larger network, it leaves the targeted organization without the ability to handle the incoming malicious traffic, and legitimate traffic will be blocked in the process.

Myth #5 — “We can use geoblocking to stop DDoS attacks”

A common misconception is that you can stop DDoS traffic by blocking certain IP addresses or entire countries. For instance, if attack traffic appears to come from overseas, it may seem logical to block all traffic from that region. Or if some malicious IPs are identified, you might add them to a firewall or ACL blacklist. While this tactic can reduce some unwanted traffic, relying on it alone is rarely sufficient to stop a DDoS attack. DDoS campaigns are typically distributed across global botnets: thousands of compromised devices spread across networks and regions. Attackers often use spoofed IP addresses or shift traffic through different IP pools, which allows them to evade static IP or country-level filters easily.

Geoblocking can also create unintended consequences. IP geolocation is imperfect. IP addresses can be reassigned, misrouted, or inaccurately mapped in commercial databases. Even more noteworthy, ISPs often use carrier-grade NAT, meaning a single public IP may be shared by many users. As a result, blocking an IP forever might inadvertently deny access to legitimate users if that IP is later reassigned. Modern systems stopped relying on static IP pools or autonomous system numbers (ASNs) a long time ago. Instead, they dynamically build temporary blocklists to filter unwanted traffic only for the duration of an attack, and automatically remove those addresses from the ACLs once the attack is over.
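The difference between a static ACL entry and a temporary one, as an added example (not Qrator Labs code). The class name, the 600-second lifetime and the timeline are assumptions made for illustration; the address is from a documentation range.

```python
import ipaddress

class TemporaryBlocklist:
    """Blocklist whose entries lapse on their own, unlike a static ACL."""

    def __init__(self, ttl_seconds=600):        # assumed lifetime
        self.ttl = ttl_seconds
        self._expires = {}                      # ip -> time the block lapses

    def block(self, ip, now):
        ip = ipaddress.ip_address(ip)           # rejects malformed input
        # Re-offending extends the block, but it never becomes permanent
        self._expires[ip] = now + self.ttl

    def is_blocked(self, ip, now):
        ip = ipaddress.ip_address(ip)
        deadline = self._expires.get(ip)
        if deadline is None:
            return False
        if now >= deadline:
            del self._expires[ip]               # lazy expiry on lookup
            return False
        return True

    def attack_over(self):
        """Release every address once the attack has ended."""
        self._expires.clear()

def replay():
    """Constructed timeline: a shared address misbehaves during an attack
    and serves an unrelated user afterwards."""
    shared_ip = "203.0.113.77"                  # constructed address
    static_acl = {shared_ip}                    # blocked "forever"
    temp = TemporaryBlocklist(ttl_seconds=600)
    temp.block(shared_ip, now=0)

    during = temp.is_blocked(shared_ip, now=300)      # attack still running
    temp.attack_over()                                # attack ends at t=400
    after_temp = temp.is_blocked(shared_ip, now=401)  # new user, same address
    after_static = shared_ip in static_acl
    return during, after_temp, after_static

if __name__ == "__main__":
    print(replay())
```

The temporary list blocks the address while the attack runs and admits the next user of that address afterwards; the static set keeps rejecting it indefinitely.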

Myth #6 — “We’ll add DDoS protection once an attack actually happens”

Some organizations acknowledge DDoS as a risk but decide to deal with it later. They assume if an attack happens, they can react in the moment — enable a service, change DNS, or call a mitigation provider on the fly, and all will be fine. In essence, this myth is procrastination: “Why pay for always-on protection? We’ll just handle a DDoS if and when it strikes.” The problem is that waiting until an attack is already in progress is extremely risky. Trying to bolt on DDoS protection mid-attack is like trying to install sprinklers while your building is on fire.

For one, the very nature of DDoS is to overwhelm your resources. If you only start mitigation once you’re flooded, your systems may already be saturated or failing by the time defenses kick in. This makes it hard to discern legitimate traffic from malicious traffic in the chaos. If a mitigation system hasn’t been monitoring your normal traffic before the attack, it’s hard to distinguish the real user from a bot when everything is on fire. Without a baseline of what your legitimate traffic looks like, the emergency filters might end up blocking real customers who are desperately retrying to access your site, thinking they are part of the attack noise.
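A simplified model of why the baseline matters, added here as an example (not Qrator Labs code). The log, the per-client limits, the headroom factor and the guessed emergency limit of 10 requests per minute are all constructed assumptions.

```python
from collections import Counter, defaultdict

def learn_baseline(log):
    """log: iterable of (minute, client) entries recorded before the attack.
    Returns {client: peak requests per minute}."""
    per_minute = Counter(log)                    # (minute, client) -> requests
    peaks = defaultdict(int)
    for (_, client), n in per_minute.items():
        peaks[client] = max(peaks[client], n)
    return dict(peaks)

def blocked_with_baseline(window, peaks, headroom=2.0):
    """Known clients may burst to headroom x their own peak; unknown clients
    are held to the highest peak any known client ever showed."""
    newcomer_limit = max(peaks.values())
    return {c for c, rate in window.items()
            if rate > (headroom * peaks[c] if c in peaks else newcomer_limit)}

def blocked_without_baseline(window, guessed_limit=10):
    """Mid-attack fallback: one guessed per-client limit for everyone."""
    return {c for c, rate in window.items() if rate > guessed_limit}

def pre_attack_log():
    """Constructed hour of normal traffic (not real data)."""
    log = []
    for minute in range(60):
        log += [(minute, "192.0.2.10")] * (4 + minute % 6)   # regular customer
        log += [(minute, "192.0.2.20")] * (1 + minute % 3)   # light user
    return log

def attack_window():
    """Constructed requests per client during one minute of the attack."""
    w = {f"203.0.113.{i}": 40 for i in range(1, 91)}   # 90 bots
    w["192.0.2.10"] = 16       # the regular customer, retrying
    w["198.51.100.5"] = 3      # first-time visitor
    return w

if __name__ == "__main__":
    peaks = learn_baseline(pre_attack_log())
    w = attack_window()
    print("customer blocked, baseline:   ",
          "192.0.2.10" in blocked_with_baseline(w, peaks))
    print("customer blocked, no baseline:",
          "192.0.2.10" in blocked_without_baseline(w))
```

Both filters stop the 90 bots, but only the one built from pre-attack history lets the retrying customer through, because it knows that client's normal peak.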

Myth #7 — “DDoS protection will slow legitimate users”

Lastly, some worry that putting traffic through a DDoS mitigation service will introduce latency, inconvenience users, or accidentally block real customers. This myth assumes that you have to trade off performance or user experience to get protection; essentially, that the cure might be as bad as the disease. However, DDoS protection in 2025 is engineered to minimize impact on legitimate traffic.

Providers achieve this through advanced network architecture and filtering techniques. At Qrator Labs, for example, we use a geo-distributed filtering network with BGP Anycast. This means we have scrubbing centers in 18 locations worldwide, all advertising the same IP routes. Malicious traffic is absorbed and cleaned near its source by the closest scrubbing node, while clean traffic is forwarded to the customer's site. This distributed Anycast approach ensures low latency, as traffic doesn't have to stray far from its usual path to get scrubbed. Moreover, Qrator's scrubbing centers have immense capacity, with over 4 Tbps of total filtering bandwidth, and are connected to Tier-1 providers, allowing us to handle large volumes without bottlenecks.

Get DDoS protection with Qrator Labs

DDoS attacks aren’t going away, but the good news is that you can defend against them, and Qrator Labs is here to help. We at Qrator Labs specialize in providing no-compromise DDoS protection for organizations of all sizes. Our platform is designed to cover every angle of DDoS defense: from gigantic volumetric L3-L4 floods to cunning L7 bot attacks, we’ve got you covered.

We support all protocols (not just web HTTP traffic), so whether you need to protect a website, a voice-over-IP server, VPN, or game service, our network-level integration has you covered. We operate in an always-on mitigation mode — there’s no waiting for a response after you’re hit. Malicious traffic is identified and scrubbed in real time, before it ever reaches your servers, while legitimate users continue as normal.

Contact Qrator Labs or start a free trial today to fortify your network, and ensure that no matter what cyberattackers throw at you, your online services remain fast, reliable, and secure.


FAQ

Are DDoS attacks still a real threat in 2025?

Yes. DDoS attacks are not only still happening in 2025 — they are becoming more frequent, more powerful, and more complex. Application-layer attacks alone rose by 74% year-over-year, and botnets have grown to millions of hijacked devices, giving attackers the resources to launch longer and more destructive campaigns. The data clearly shows the threat is not fading; it is accelerating.

Do only large enterprises need DDoS protection?

No. DDoS attacks can target any online service, and smaller organizations are actually often more attractive to attackers due to weaker defenses and limited recovery resources. For SMBs, even brief downtime can cause serious financial and reputational damage, making them more vulnerable to ransom or ideologically motivated campaigns. In 2025, effective DDoS protection is essential for businesses of all sizes.

Can small-scale DDoS attacks really hurt my business?

Yes. Small-scale DDoS attacks can be just as disruptive as large ones when they target specific bottlenecks, such as application logic, CPU, or memory. Low-volume techniques like HTTP floods or Slowloris can quietly exhaust resources and degrade performance without triggering volumetric alarms. Even a modest application layer attack can overwhelm an unprotected web server, causing downtime and service disruption.

Is my firewall or ISP enough to stop a DDoS attack?

Not necessarily. Firewalls and intrusion prevention systems can mitigate certain attacks, but they are vulnerable to techniques that overwhelm their state tables or saturate the bandwidth of the last mile before traffic reaches them. As for the ISPs, they often prioritize protecting their wider network over a single customer, and do so by isolating the targeted IP and blocking both malicious and legitimate traffic.

Can I stop DDoS attacks by blocking certain countries or IPs?

Not reliably. While blocking specific IP addresses or regions may reduce some unwanted traffic, modern DDoS attacks are launched from globally distributed botnets that often use spoofed IPs or rapidly change address pools. Geoblocking can also affect legitimate users due to inaccurate IP geolocation or shared IP addresses, making it an unreliable standalone defense against DDoS attacks.

Can I wait to deploy DDoS protection until I’m attacked?

No. Deploying DDoS protection only after an attack starts makes it more difficult to respond effectively. By the time defenses are activated, systems may already be saturated, and without a baseline of normal traffic, it becomes harder to separate real users from bots. Preparing in advance ensures malicious traffic is filtered immediately while legitimate users remain unaffected.

Will DDoS protection slow down my legitimate traffic?

No. Modern DDoS protection minimizes impact on legitimate users through distributed filtering and smart traffic routing. Qrator Labs, for example, uses a geo-distributed Anycast network to scrub malicious traffic close to its source, keeping clean traffic fast and responsive even during attacks.
