Three Things Companies Still Get Wrong About DDoS in 2026

A recent report by Gcore shows DDoS attacks have more than doubled in just one year, jumping from 512,000 at the end of 2024 to 1.3 million by the end of 2025. Peak attack volume hit 12 Tbps — a sixfold increase from the previous 2.1 Tbps peak.

Network layer attacks (L3 & L4) now account for 82% of all incidents, up 20% from the year before. The technology sector is the target of the majority of those attacks, with financial services and gaming close behind.

HostingAdvice asked Gcore’s head of security, Andrey Slastenov, about what the findings mean for providers. And he told us that companies are still making three key mistakes when it comes to DDoS preparedness.

Most DDoS preparedness still focuses on L3 and L4, which makes sense given they’re the fastest-growing attack vectors, with many volumetric attacks lasting less than 60 seconds.

But Gcore’s report suggests a parallel problem: L7 attacks are longer, with 64% lasting more than 10 minutes.

“Most organizations are unprepared for the dual nature of modern threats,” Slastenov said. “Effective preparedness requires a unified approach that addresses both vectors simultaneously.”

Otherwise you may end up like the German healthcare provider that was targeted by a DDoS attack using a combination of L3, L4, and L7 attacks, ultimately overwhelming the entire system, even though they tried to intervene early in the attack. Their system responded almost immediately, but it didn’t do enough to mitigate across both layers.

At the same time, attacks are splitting across layers, with network-layer (L3 & L4) bursts are often over in less than a minute.

“When attacks were longer and easier to respond to, these models were sufficient,” Slastenov said. “However, now that attacks are shorter and higher-intensity, detection and response often come too late. Always-on protection has become a must-have.”

Less than a minute isn’t enough time to even flip the “on” switch for on-demand systems.

Typical benchmarks say it takes about three minutes to detect and confirm, and an additional three minutes to deploy rapid response, meaning systems are still receiving attack traffic during that window. By the time an alert is triggered or someone responds, the window is already closed.

But for always-on models, Gcore says that on-demand protection can take around a minute to detect and reroute traffic.

With agentic AI, it’s easier than ever to build your own defenses. The problem, Slastenov warned, is that’s not enough to stop modern DDoS attacks.

“Many still believe they can build sufficient protection themselves,” he said. “At today’s scale, that’s rarely realistic. Effective DDoS defense now requires globally distributed infrastructure that most organizations simply can’t replicate in-house.”

That right there is the difference between what customers expect and what most environments can realistically handle. Without the help of hyperscalers, that is.

Microsoft’s own telemetry makes the case for that. A few months ago, Azure automatically detected and mitigated a a multi-vector attack peaking at 15.72 Tbps, well above the 12 Tbps peak highlighted in Gcore’s report.

To be clear, Microsoft didn’t block that attack but essentially absorbed the blow, similar to an airbag in a car accident. Microsoft’s globally distributed systems make this possible by spreading the traffic across its global network so no single region took the full hit.

Gcore’s findings and Slastenov’s advice confirm one thing the hosting industry already knows: it’s going to get a lot more difficult for hosts.

Keeping servers online now comes down to two things: being always on and ready for whatever gets through. Less like a wall — more like something that can take a hit (or a few).

“Attacks are becoming more frequent and more sophisticated because organizing them is now cheaper and easier than ever,” Slastenov said. “Businesses and organizations that previously felt unaffected are now being targeted.”