In 2025, the technology industry is abuzz with record-breaking DDoS attacks. We hear of gigantic strikes exceeding 2 terabits per second (Tbps) – numbers that are impressive and make headlines. But this is just loud theatre, a show of force calculated to create panic. The real danger is not the noise at the front, but the quiet sabotage taking place in the back rooms.
Distributed Denial of Service attacks have evolved. They have long since ceased to be simple service blocking, a primitive form of digital vandalism. Today, they are a sophisticated smokescreen. Recent reports, such as Gcore Radar, confirm a worrying trend: the number of complex, multi-layered attacks is growing rapidly. While IT teams and automated defence systems are battling a gigantic flood of worthless traffic, attackers are launching a precise, surgical attack on applications and APIs. Their goal is no longer paralysis. Their goal is to steal data, manipulate business processes and take control.
Anatomy of a modern attack: Playing on two fronts
To understand the scale of the threat, we need to analyse what a typical multi-layered operation looks like. The attack takes place simultaneously on two fronts.
Front one is the noisy volumetric attack (Layer 3/4). This is a classic of the genre: flooding the network with massive, simple traffic, for example via a UDP flood. The aim is to ‘clog the pipes’, exhausting the bandwidth and resources of the network equipment. This generates chaos, sets off all the alarms and engages the full attention of the IT team. It is a digital ‘fog of war’ meant to distract the defenders.
Front two is the silent precision attack (Layer 7). It is here, under the cover of chaos, that the actual attack takes place. Attackers send a series of precise, seemingly legitimate queries targeting the application layer directly. These attacks don’t consume bandwidth – they target server resources such as CPU and memory, or the application’s business logic directly. These could be attempts to inject code (injection), manipulate a shopping cart in an online shop, or attacks on specific API endpoints that are responsible for authorisation or data retrieval.
API: The hacker’s new favourite target
Why exactly have APIs (Application Programming Interfaces) become such a tempting morsel? The answer is simple: APIs are the lifeblood of modern business.
They are the ones that connect mobile apps to the backend, allow internal systems to communicate, integrate partner services and make data available to customers. At the same time, they are historically often less protected than the public, front-end part of the service. Many companies still live under the misconception that traffic coming from their ‘own’ mobile app is automatically trusted traffic.
The latest data shows that attackers are well aware of this and are targeting ‘internal APIs’ and ‘mobile backends’. The impact of such an attack has a completely different business dimension. It is no longer temporary vandalism that costs us reputational damage from a few hours of website unavailability. It is organised robbery or sabotage.
Examples? Theft of an entire customer database via an unsecured endpoint. Manipulation of financial transactions by sending a crafted request to an API. Taking control of an entire business process because the attacker found a vulnerability in the application logic.
Changing tactics: From “hit and run” to “hit and watch”
Gone are the days when DDoS attacks were the work of ‘blunt force’. Today, we are dealing with intelligent, adaptive adversaries. Reports indicate a fundamental change in strategy: from a simple ‘hit and run’ to a ‘hit and observe’ approach.
Attackers monitor the effect of their attack in real time and adjust it to maximise the damage. The duration of attacks is also changing. While many are still short, rapid strikes, the number of those lasting up to 30 minutes, for example, is increasing.
This is a very deliberate tactic. Many automatic defence systems are configured to respond to sudden, very short peaks. An attack of moderate strength, but prolonged in time, can confuse such automation and stay under the detection threshold longer. This is further evidence of a targeted, carefully planned action.
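The detection gap described above, as an added example that is not part of the original article: a short-peak rule and a sustained-elevation rule run over the same constructed per-minute request counts. The thresholds, window length and sample traffic are assumptions chosen for illustration.

```python
from statistics import median

def spike_alerts(rates, baseline, factor=5.0):
    """Classic short-peak rule: flag any minute above factor * baseline."""
    return [i for i, r in enumerate(rates) if r > factor * baseline]

def sustained_alerts(rates, baseline, factor=1.5, window=20, min_above=18):
    """Flag the last minute of every window in which at least min_above
    of the samples sit above factor * baseline."""
    limit = factor * baseline
    hits = []
    for end in range(window, len(rates) + 1):
        chunk = rates[end - window:end]
        if sum(1 for r in chunk if r > limit) >= min_above:
            hits.append(end - 1)
    return hits

def build_sample():
    # Constructed data: requests per minute to one API endpoint.
    normal = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96]
    quiet = normal * 6                          # minutes 0-59: normal traffic
    burst = [900, 950]                          # minutes 60-61: loud spike
    slow = [240 + (i % 5) for i in range(30)]   # minutes 72-101: ~2.4x baseline
    return quiet + burst + normal + slow + normal

def analyse():
    rates = build_sample()
    baseline = median(rates[:60])               # learned from the quiet hour
    return (baseline,
            spike_alerts(rates, baseline),
            sustained_alerts(rates, baseline))

if __name__ == "__main__":
    baseline, spikes, sustained = analyse()
    print("baseline:", baseline)
    print("spike rule fired at minutes:", spikes)
    print("sustained rule fired at minutes:", sustained)
```

The spike rule fires only on the two-minute burst and stays silent through the whole 30-minute elevation, which the windowed rule catches.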
Why doesn’t the classic defence work anymore?
Treating DDoS solely as an availability problem is a strategic mistake today. Many companies still focus on investing in ‘thicker pipes’ – more bandwidth and simple volumetric mitigation. This is like reinforcing the front door, while the enemy has long since entered through the kitchen door.
The problem is that traditional DDoS defences focus on the network layer (L3/L4) and are blind to the subtle malicious threats hidden in application traffic (L7).
It is therefore necessary to fundamentally rethink defence strategy. Companies must implement solutions that see both layers of attack simultaneously. Protection must be integrated. WAAP (Web Application and API Protection) platforms, which combine the functions of a web application firewall (WAF), API protection, bot management and DDoS mitigation, are growing in importance in the market. Only such a holistic system is able to see the whole picture – both the loud smoke screen and the silent attack on business logic.
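One way to look at both layers at once, as an added example that is not part of the original article and not any WAAP product's logic: application log lines are reviewed for anomalies on sensitive API endpoints during the time window in which the network layer reports a volumetric flood. The log format, endpoint paths, thresholds and sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: "time client method path status" (format is an assumption).
LOG = """\
2025-03-01T10:02:11 198.51.100.7 POST /api/auth/login 401
2025-03-01T10:12:01 203.0.113.20 POST /api/auth/login 401
2025-03-01T10:12:03 203.0.113.20 POST /api/auth/login 401
2025-03-01T10:12:05 203.0.113.20 POST /api/auth/login 401
2025-03-01T10:12:07 203.0.113.20 POST /api/auth/login 401
2025-03-01T10:13:40 198.51.100.7 GET /api/customers/1001 200
2025-03-01T10:15:00 203.0.113.55 GET /api/customers/1 200
2025-03-01T10:15:01 203.0.113.55 GET /api/customers/2 200
2025-03-01T10:15:02 203.0.113.55 GET /api/customers/3 200
2025-03-01T10:15:03 203.0.113.55 GET /api/customers/4 200
2025-03-01T10:50:00 198.51.100.7 POST /api/auth/login 200
"""

# Flood window as reported by L3/L4 telemetry (constructed values).
FLOOD = (datetime(2025, 3, 1, 10, 10), datetime(2025, 3, 1, 10, 40))

def l7_findings(log_text, start, end, max_auth_fail=3, max_objects=3):
    """Return {client: [reasons]} for sensitive-endpoint anomalies seen
    while the network layer reports a volumetric flood (start..end)."""
    auth_fail = defaultdict(int)
    objects = defaultdict(set)
    for line in log_text.splitlines():
        ts, client, _method, path, status = line.split()
        if not start <= datetime.fromisoformat(ts) <= end:
            continue
        if path.startswith("/api/auth/") and status in ("401", "403"):
            auth_fail[client] += 1            # repeated authorisation failures
        elif path.startswith("/api/customers/") and status == "200":
            objects[client].add(path)         # distinct records retrieved
    findings = defaultdict(list)
    for client, count in auth_fail.items():
        if count > max_auth_fail:
            findings[client].append("auth_failures")
    for client, seen in objects.items():
        if len(seen) > max_objects:
            findings[client].append("bulk_reads")
    return dict(findings)

if __name__ == "__main__":
    print(l7_findings(LOG, *FLOOD))
```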

