DDoS-as-a-service slips from scripts to storefronts

DDoS-as-a-service – Underground DDoS offerings are being sold less like shady toolboxes and more like ready-to-run products—complete with panels, API access, support, and “bypass” claims. A Flare analysis comparing early 2023 and early 2026 data shows the shift toward higher-volu

The moment a website stops loading can feel personal. A login page times out. A service suddenly becomes unreachable. And just like that, the outage isn’t “something we can fix on our end” — it’s traffic engineered to overwhelm.

Now the market selling those disruptions is maturing fast.

Cloudflare reported blocking a 7.3 Tbps attack in 2025. In the same year, it said it mitigated a 31.4 Tbps attack in its Q4 2025 DDoS report. Microsoft also said Azure mitigated a 15.72 Tbps attack in October 2025, attributing the activity to the Aisuru botnet.

Those are the headline-grabbing numbers. But what makes the problem harder for defenders to ignore is what’s happening underneath them: underground vendors are packaging DDoS like a service you can buy. operate. and resell — with marketing language that looks less like forum chatter and more like a product catalog.

Flare researchers analyzed underground DDoS-related activity from two periods: the first five months of 2023 and the first five months of 2026. They cleaned and curated the data, then pulled out the changes.

Across both periods, the volume of records rose from 4,403 in 2023 to 4,964 in 2026, a slight increase. High-signal DDoS service ads jumped from 38 to 364, roughly a 10x increase. Unique ad clusters rose from 31 to 123, roughly a 4x increase. Unique actors increased from 15 to 41, roughly a 3x increase. And the number of sources observed went from 22 to 43, roughly a 2x increase.

Flare’s research also comes with a boundary line: it focused on distributed denial-of-service. It explicitly notes there’s another category, denial of service, and while the targeting differs technically, the goal is the same. The study aimed to exclude DoS offerings and concentrate on DDoS.

Even with that disclaimer, the trend is difficult to miss. In 2023, offerings often looked scattered and improvised — scripts, leaked tools, tutorials, and generic “botnet service” advertisements.

One repeated 2023 post promoted “Botnet Service L7 – L4.” The pitch claimed Layer 3, Layer 4, and Layer 7 capability. It also included optional API access, automatic payments, high attack slots, game-server targeting, and bypasses for Cloudflare-related protections. Flare says the same advertising text appeared across multiple sources and actors, suggesting copying, reselling, or recycled marketing.

By 2026, the selling moved toward something that reads like a dashboard you can click through. Posts were more concentrated on price and the product you were getting.

An advertisement for “SatelliteStress” described an IP stresser with a user-friendly panel. API access. and game-server support. with monthly plans starting at €20. The post claimed the service was “100% botnet-powered” and said it did not rely on downstream APIs—positioning meant to separate it from resellers that depend on another provider’s infrastructure.

Areshun. another “Premium DDoS Service. ” was marketed as offering Layer 4 and Layer 7 attacks. with monitoring. API integration. custom plans. and 24/7 support. plus promotional discount codes. Flare also points to “RebirthStress. ” which was marketed as a botnet-powered IP and web stressing device. with a free Layer 7 hub. more than 400 slots. reselling suitability. and plans starting at $15 per month.

When those posts are compared side by side, the shift becomes clearer: the 2026 advertisements are more focused on a product, with sellers competing for customers using features, pricing, and promises.

Flare says the technical details didn’t disappear — they became part of the sales pitch. In 2026 ads, Layer 4 and Layer 7 claims were more commonly bundled together, and vocabulary expanded around the tools a buyer would need: “panel,” “API,” “slots,” “bypass,” “monitoring,” “uptime,” and “support.”

Some of the claims are specific enough to feel engineered for decision-makers. One THORCC-related advertisement claimed more than 7,000 active Layer 4 bots and promoted bandwidth analytics and attack-vector statistics. Another Russian and English post marketed “professional stress testing” and claimed Cloudflare and DDoS-Guard bypasses. high concurrency. and long attack durations.

Flare notes sellers may be exaggerating capabilities. Still, it says the consistency of the marketing language matters. It shows what buyers are being encouraged to value beyond raw traffic volume—web panels, automation, bypass claims, and the ability to launch or resell attacks with minimal effort.

The pricing tells the same story.

Flare says the DDoS-as-a-service market in 2026 can be extremely cheap. It lists “POWERDDOS. ” which used a tiered model: $5 tests. $100 per day for a “weak” target. $200 per day for a “medium” target. and $500 per day for “strong” or protected targets. It also describes an actor named “SamuraiDD” advertising attacks starting at $100 per day.

At the higher end, Flare says it saw “premium” offerings that included infrastructure-style targeting, including a DDoS botnet attack network advertised for $2,000.

Public reporting on the booter economy — paid DDoS-for-hire services that let users launch attacks through someone else’s infrastructure — aligns with this low-cost access model. Flare says Akamai has noted some DDoS booter services can cost less than $25 per month and may offer limited trials.

Putting those numbers together paints a market segmented by buyer type: cheap tests and short attacks for low-skill users, daily pricing for one-off disruption, private negotiation for longer campaigns, and higher-value infrastructure or reseller-style offers for more serious customers.

The impact for defenders isn’t only about bigger traffic. It’s about easier entry.

DDoS attacks attempt to overwhelm a website, application, network, or server with traffic from many sources at once. Some attacks target network capacity; others focus on application-layer resources such as login pages and APIs. The objective is usually to make the service unavailable, unstable, or expensive to operate.

DDoS-as-a-service lowers that barrier further. Instead of building infrastructure, an attacker can pay for access to a web panel, choose a target, select a duration, and rely on someone else’s botnet, proxy network, or third-party attack infrastructure.

So the market isn’t just selling traffic. It’s selling the mechanisms that make traffic easier to generate on demand.

As Flare describes it, the market “is dropping down the entry bar,” enabling easier purchase, easier operation, and easier resale. That lowers the barrier for low-skill users buying short, cheap attacks. It also supports more serious customers who can negotiate longer or higher-volume campaigns. Resellers can expand the reach of the original service. And the practical consequence is stark: defenders shouldn’t assume disruptive DDoS activity requires a sophisticated attacker sitting behind the keyboard.

Flare expects the market to keep moving toward more polished service models—clearer pricing tiers, more automation, stronger reseller programs, and heavier branding around “bypass” capabilities and attack reliability.

For anyone tasked with keeping online services reachable, the lesson isn’t just that DDoS remains dangerous. It’s that the path to launching it is getting shorter, and the storefront language is making it look that way.

DDoS-as-a-service botnet cybersecurity Flare researchers Cloudflare Microsoft Azure Aisuru botnet booter economy dark web marketplaces API access attack panels