Why Is Traffic From Mexico and Brazil a Security Threat Right Now?


More than 50% of all network-layer DDoS attacks apparently now come from just two countries.

According to Gcore’s latest report, Mexico and Brazil are the leading sources of DDoS traffic, with Mexico making up 31%, Brazil 24%, followed by the U.S. at 20%.

The technology sector (34%), financial services (20%), and gaming (19%) are among the most targeted.

[Figure: pie chart of DDoS attack distribution by industry, Q3–Q4 2025: technology 34%, financial services 20%, gaming 19%, telecom 11%, media and entertainment 8%, retail 6%, other 2%]
It looks like DDoS attacks are targeting the very infrastructure hosts rely on.

One theory for the heavy saturation is the infamous AISURU botnet, which has recently been infecting millions of IoT devices across Mexico and Brazil.

For those looking for a word of advice, Andrey Slastenov — who’s the head of security at Gcore — told us that traditional “detect, reroute, then react” strategies are nowhere near good enough to do the job anymore.

Why Latin America?

While the report doesn’t name a single cause, it does bring up a pattern: Attack traffic is concentrated where there’s an abundance of insecure, always-on devices. In countries like Mexico and Brazil, that means millions of connected devices — from routers to cameras — being deployed without updates or oversight.

Mexico’s IoT market is expected to hit $4.95 billion (USD) by 2030, a reminder of just how many always-on devices are coming online in a single region.
Brazil’s projection is a bit lower than Mexico’s, but still climbing very fast, landing at about $4.1 billion (USD) by 2030.

That’s the kind of environment botnets like AISURU thrive in. And once those devices are infected, they can be coordinated into a much larger attack.

To be clear, this isn’t necessarily unique to Mexico or Brazil. Not that long ago, we were seeing similar traffic spikes tied to bot activity coming out of China and Singapore. Next month it’s going to be somewhere else — the test is whether providers are going to be prepared each time.

What Happens When You Can’t Stop the Attack?

The only way to stay ahead of DDoS is to catch the traffic early on, long before it builds up. But realistically, most hosting providers aren’t in a position to stop attacks near the source. That’s the job of upstream providers, like CDNs and hyperscalers.

Does that mean hosts should take filtering into their own hands? Sort of. But specifically watching traffic from Mexico or Brazil more closely? No. When more than half of attack traffic is originating from identifiable places, tightening filters too strictly can mean blocking actual users from those regions. The opposite, being too lenient, risks letting attack traffic through.

It’s a careful balance… It’s also why rate limiting/filtering is your friend.

[Figure: pie chart of DDoS attack distribution by layer, Q3–Q4 2025: network-layer (L3–L4) attacks 82%, application-layer (L7) attacks 18%]
Many attacks (L3 & L4) are focused on overwhelming infrastructure, which is why hosts are left filtering massive traffic bursts.

Behavioral indicators are more informative than location, like sudden traffic spikes and request patterns. In fact, Gcore’s report notes that most network-layer attacks (L3 & L4) are short, high-volume bursts, often lasting less than a minute.
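To make the distinction concrete, here is an added example (not code from the article, from Gcore, or from the report) that runs a behaviour-based burst detector over a constructed flow capture and sets it beside a naive country block. Every name, address, threshold and the data itself are assumptions: four steady users from Mexico, Brazil, the U.S. and Germany, plus a 40-second flood from 200 distinct Mexican and Brazilian addresses, i.e. a short, high-volume burst of the kind the report describes.

```python
"""Behaviour-based burst detection beside a country block.

Added example, not code from the article or from Gcore: constructed flow
samples are run through a sliding-window rate detector that flags short,
high-volume bursts by behaviour alone, and the result is compared with a
naive "block Mexico and Brazil" rule to count the legitimate sources that
rule would cut off. All names, addresses and thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int          # second (offset into the capture) this sample covers
    src_ip: str
    country: str    # ISO 3166-1 alpha-2, as a geo-IP lookup would return it
    packets: int    # packets from src_ip during that second
    legit: bool     # ground truth, known only because the data is constructed


def build_sample() -> list[Flow]:
    """Constructed capture: four steady users from MX, BR, US and DE for two
    minutes, plus a 40-second flood from 200 distinct MX/BR addresses."""
    flows = []
    steady = [("203.0.113.10", "MX"), ("203.0.113.11", "BR"),
              ("198.51.100.5", "US"), ("192.0.2.7", "DE")]
    for t in range(120):
        for ip, cc in steady:
            flows.append(Flow(t, ip, cc, 40, True))
    for t in range(30, 70):                      # burst lasts under a minute
        for i in range(200):
            cc = "MX" if i % 2 == 0 else "BR"
            flows.append(Flow(t, f"10.0.{i // 256}.{i % 256}", cc, 600, False))
    return flows


def detect_bursts(flows, window=10, factor=5.0, min_pps=5_000):
    """Return (start, end) seconds, inclusive, of every burst whose aggregate
    packet rate is at least `factor` times the mean of the last `window`
    non-burst seconds and at least `min_pps`. Burst seconds are kept out of
    the baseline so a long flood cannot 'become normal' and hide itself."""
    per_sec = defaultdict(int)
    for f in flows:
        per_sec[f.t] += f.packets
    history = deque(maxlen=window)
    bursts, start = [], None
    for sec in range(min(per_sec), max(per_sec) + 1):
        pps = per_sec.get(sec, 0)
        baseline = sum(history) / len(history) if history else 0.0
        hot = pps >= min_pps and pps >= factor * baseline
        if hot:
            start = sec if start is None else start
        else:
            if start is not None:
                bursts.append((start, sec - 1))
                start = None
            history.append(pps)
    if start is not None:
        bursts.append((start, max(per_sec)))
    return bursts


def rate_limit_offenders(flows, per_source_pps=500):
    """Per-source rate limit: sources that exceed the limit in any second,
    and the subset of those that were legitimate (collateral damage)."""
    offenders = {f.src_ip for f in flows if f.packets > per_source_pps}
    collateral = {f.src_ip for f in flows if f.legit and f.src_ip in offenders}
    return offenders, collateral


def country_block_cost(flows, blocked):
    """Country block: (legitimate sources cut off, attack sources cut off)."""
    legit = {f.src_ip for f in flows if f.legit and f.country in blocked}
    attack = {f.src_ip for f in flows if not f.legit and f.country in blocked}
    return len(legit), len(attack)


if __name__ == "__main__":
    sample = build_sample()
    for s, e in detect_bursts(sample):
        print(f"burst {s}s-{e}s ({e - s + 1}s long)")
    off, coll = rate_limit_offenders(sample)
    print(f"rate limit: {len(off)} sources limited, {len(coll)} legitimate")
    print("country block MX+BR (legit, attack):", country_block_cost(sample, {"MX", "BR"}))
```

On this constructed data the detector reports a single 40-second burst from behaviour alone, the per-source rate limit touches all 200 flood addresses and none of the steady users, while the country block catches the same 200 addresses at the price of also cutting off the two legitimate users in Mexico and Brazil. The design point is the baseline: only non-burst seconds feed it, so a flood that runs longer than the window does not drag the "normal" level up and switch itself off.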

“Today’s volumetric traffic bursts can even overwhelm regional capacity of smaller providers before mitigation mechanisms are even triggered,” he said.

So no, hosts likely can’t stop DDoS attacks completely, but Slastenov encourages them to be prepared for what will inevitably seep through. That can mean slower performance during attacks as filtering and rate limiting kick in; maybe some temporary traffic controls.

There’s no perfect formula; just different types of damage control. But that’s kind of the point that Gcore’s report makes, right? DDoS attacks are happening within a second — much faster than systems can even react to. So all the downstream providers can do is prepare and brace.