From $5 Attacks to Botnet-Powered Platforms: Inside the DDoS-as-a- Service Market

Recorded: May 29, 2026, 3 p.m.

Original

News

Featured
Latest

Glassworm botnet disrupted after resilient C2 infrastructure takedown

CISA gives feds 4 days to patch actively exploited cPanel plugin flaw

Windows 11 KB5089573 update released with performance improvements

Charter confirms data breach after ShinyHunters extortion threat

From $5 Attacks to Botnet-Powered Platforms: Inside the DDoS-as-a- Service Market

Dutch govt disrupts malware botnet with 17 million infected devices

Google Chrome adds session cookie theft protection for all users

Learn to hack, build security tools, and more for $70 in this course deal

Tutorials

Latest
Popular

How to access the Dark Web using the Tor Browser

How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11

How to use the Windows Registry Editor

How to backup and restore the Windows Registry

How to start Windows in Safe Mode

How to remove a Trojan, Virus, Worm, or other Malware

How to show hidden files in Windows 7

How to see hidden files in Windows

Webinars
Downloads

Latest
Most Downloaded

Qualys BrowserCheck

STOPDecrypter

AuroraDecrypter

FilesLockerDecrypter

AdwCleaner

ComboFix

RKill

Junkware Removal Tool

Deals

Sponsored by Flare

May 29, 2026
10:32 AM
0

You have probably experienced the following scenario yourself. A website suddenly stops loading, a login page times out, or an online service becomes unreachable at the worst possible moment. Sometimes the cause is not an internal outage, but a Distributed Denial-of-Service (DDoS) attack designed to overwhelm the service from the outside.
DDoS attacks have long been one of the simplest ways to disrupt an online service:flooding it with enough traffic, exhausting its infrastructure, and making it unreachable without breaking into the target’s systems. Now more than ever DDoS is being packaged, branded, and sold with the language of a mature online service, and the impact is well recorded in the real world.
Cloudflare reported blocking a 7.3 Tbps attack in 2025 and later said it mitigated a 31.4 Tbps attack in its Q4 2025 DDoS report. Microsoft also said Azure mitigated a 15.72 Tbps attack in October 2025, attributing the activity to the Aisuru botnet.
Behind those incidents, underground sellers are competing over the same buyers with an increasingly polished pitch. Recent underground activity analyzed by Flare researchers describe attack panels, API access, monthly plans, reseller options, customer support, botnet-backed capacity, game-server methods, and Cloudflare bypass claims.
A comparison of two datasets of DDoS-related underground activity from the first five months of 2023 and the first five months of 2026, shows how quickly that offer has changed. What once appeared more frequently as scripts, tutorials, leaked tools, and scattered forum posts is now more often presented as a repeatable product that is easier to buy and operate.
What is DDoS?
A DDoS attack attempts to overwhelm a website, application, network, or server with traffic from many sources at once. Some attacks target network capacity, while others focus on application layer resources such as login pages and APIs. The objective is usually simple: make the service unavailable, unstable, or expensive to operate.
DDoS-as-a-service lowers the barrier further. Instead of building infrastructure, an attacker can pay for access to a web panel, choose a target, select a duration, and rely on someone else’s botnet, proxy network, or third-party attack infrastructure.

A flow chart that illustrates how DDoS attacks work
Flare Researchers Analysis
Flare researchers searched for DDoS-related underground activity from two periods in time. The first was the fivefirst months of 2023 and the second was the first five months of 2026. The team cleaned the data, curated it and found some important insights.
Topic
2023
2026
Change
Volume of records
4,403
4,964
Slight increase
High-signal DDoS service ads
38
364
~10x increase
Unique ad clusters
31
123
~4x increase
Unique actors
15
41
~3x increase
Sources observed
22
43
~2x increase
An important disclaimer, in this research we focused on distributed DoS. There’s another category, which is denial of service.
Technically it is a bit different in the way a server is targeted, but the goal is the same. In this research we only focused on DDoS offerings and did our best to exclude the DoS offerings.

Is Your Organization a Target for DDoS-for-Hire Actors?
DDoS-as-a-service platforms are openly advertised across dark web forums and cybercrime communities — the same sources Flare monitors continuously.
Flare tracks underground marketplaces, botnet infrastructure chatter, and threat actor activity across thousands of dark web sources, so your security team sees emerging threats before they impact your operations.
Detect your exposure for free

From scattered tools to packaged services
The topics in the posts from 2023 are more diverse. Many offerings revolved around scripts, leaked tools, tutorials, or generic “botnet service” advertisements.
One repeated type of post from 2023 (as seen in the screenshot below) promoted a “Botnet Service L7 - L4” and claimed Layer 3, Layer 4, and Layer 7 capability, optional API access, automatic payments, high attack slots, game-server targeting, and bypasses for Cloudflare-related protections. The same advertising text appeared across multiple sources and actors, suggesting copying, reselling, or recycling marketing.

A post from 2023 offering Botnet services
While the post from 2023 was focused about the services, more recent posts from 2026 are focused around the price and the offering they give.
An advertisement of “SatelliteStress” described the service as an IP stresser with a user-friendly panel, API access, game-server support, and monthly plans starting at €20. The same post claimed the service was “100% botnet-powered” and did not rely on downstream APIs, a positioning meant to distinguish it from resellers that depend on another provider’s infrastructure.
As illustrated in the screenshot below, Areshun, which is another post that offers a “Premium DDoS Service” with Layer 4 and Layer 7 attacks, monitoring, API integration, custom plans, 24/7 support, and promotional discount codes is also pinpointed on specific service and its price.

Screenshot taken from Flare's platform. Sign up for the free trial to access if you aren’t already a customer.
Another similar example is of “RebirthStress”, which is similarly marketed as a botnet-powered IP and web stressing device, a free Layer 7 hub, more than 400 slots, reselling suitability, and plans starting at $15 per month.
If you go over these posts, one-by-one and make the comparison, you see a distinct trend. The post in 2026 is more focused on a product, the sellers are competing one against another on customers. They package everything nicely, offer shiny features: ease of use, fully automated, full support, privacy promised, reselling capacity, and reliability.
The technical language became part of the sale pitch
The technical details have not disappeared, they became part of the sale pitch. In 2026 ads more commonly bundle Layer 4 and Layer 7 claims (means the service support both network-level attacks and application-layer attacks) words such as “panel,” “API,” “slots,” “bypass,” “monitoring,” “uptime,” and “support.”
One THORCC-related advertisement claimed more than 7,000 active Layer 4 bots and promoted bandwidth analytics and attack-vector statistics. Another Russian and English post presented “professional stress testing” while claiming Cloudflare and DDoS-Guard bypasses, high concurrency, and long attack durations.
Sellers are possibly exaggerating about their capabilities. However, the consistency of their marketing language remains important intelligence.
It shows what buyers are being encouraged to value beyond raw traffic volume, including web panels, automation, bypass claims, and the ability to launch or resell attacks with minimal effort.
The business model
The pricing of a DDoS attack in 2026 is very cheap. We’ve seen the following offers:

One-hour attack advertised for $5

Website attack for $10

A 24-hour “home holder” attack for $25

There are some more expensive offerings. An actor named "SamuraiDD" advertised attacks starting at $100 per day (see in the screenshot below).

Screenshot taken from Flare's Platform.Sign up for the free trial to access if you aren’t already a customer.
Another actor named "POWERDDOS" used a tiered model of $5 tests, $100 per day for “weak” target, $200 per day for “medium” target, and $500 per day for “strong” or protected targets.
Lastly, we’ve also seen some “premium” offerings which included infrastructure-style targeting, including a DDoS botnet attack network advertised for $2,000.
The pattern shows a market segmented by buyer type. Cheap tests and short attacks for low-skill users, daily pricing for one-off disruption, private negotiation for longer campaigns, and higher-value infrastructure or reseller-style offers for more serious customers.
Public reporting on the booter economy (a paid DDoS-for-hire service that lets users launch attacks through someone else’s infrastructure) also aligns with this low-cost access model, with Akamai noting that some DDoS booter services can cost less than $25 per month and may offer limited trials.
Conclusions
DDoS-as-a-service is no longer only about traffic volume. The market is dropping down the entry bar, enabling easier purchase, easier operation, and easier to resell. What matters is not only how powerful an attack is, but how easy it is to launch an attack through a panel, various plans, full support, API access, and rented infrastructure.
This lowers the barrier for several types of actors. Low-skill users can buy short, cheap attacks. More serious customers can negotiate longer or higher-volume campaigns. Resellers can help expand the reach of the original service. As a result, defenders should not assume that disruptive DDoS activity requires a sophisticated attacker behind the keyboard.
In the near future, this market will likely continue moving toward more polished service models. As clearer pricing tiers, more automation, stronger reseller programs, and heavier branding around “bypass” capabilities and attack reliability.
Learn more by signing up for our free trial.
Sponsored and written by Flare.

DDoS
Distributed Denial-of-Service
Flare

Comments have been disabled for this article.

Popular Stories

Charter confirms data breach after ShinyHunters extortion threat

Microsoft Defender can now automatically isolate hacked endpoints

Windows 11 KB5089573 update released with performance improvements

Sponsor Posts

#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.

AI is a data-breach time bomb: Read the new report

33% Rise in Healthcare Credential Theft in 2025: What you need to know

Overdue a password health-check? Audit your Active Directory for free

Main Sections

News
Webinars
VPN Buyer Guides
SysAdmin Software Guides
Downloads
Virus Removal Guides
Tutorials
Startup Database
Uninstall Database
Glossary

Community

Forums
Forum Rules
Chat

Useful Resources

Welcome Guide
Sitemap

Company

About BleepingComputer
Contact Us
Send us a Tip!
Advertising
Write for BleepingComputer
Social & Feeds
Changelog

Username

Password

Remember Me

Not a member yet? Register Now

Reporter

Help us understand the problem. What is going on with this comment?

Spam

Abusive or Harmful

Inappropriate content

Strong language

Other

Read our posting guidelinese to learn what content is prohibited.

Submitting...
SUBMIT

Distributed Denial-of-Service attacks have evolved significantly, transitioning from methods focused solely on traffic flooding to a sophisticated market where Distributed Denial-of-Service as a Service (DDoS-as-a-Service) is packaged, branded, and sold like a mature online service. This evolution is evidenced by large-scale mitigation efforts, such as Cloudflare blocking attacks at the terabit scale and Microsoft Azure handling massive events attributed to botnets like Aisuru, demonstrating the real-world impact of these phenomena. Underground sellers are competing in this market by offering comprehensive packages that include attack panels, API access, reseller options, customer support, botnet-backed capacity, and claims of bypassing protections like Cloudflare.

Flare researchers analyzed underground activity from the first five months of 2023 and the first five months of 2026 to track this shifting landscape. In 2023, offerings were more fragmented, revolving around scripts, leaked tools, tutorials, and generic advertisements for "botnet service." By 2026, the focus shifted to repeatable products where sellers compete based on features, pricing, and service quality. Offerings began bundling technical capabilities, commonly claiming Layer 4 and Layer 7 attack capabilities, monitoring tools, API integration, custom plans, and uptime guarantees. This trend indicates that technical terminology has become integrated into the marketing pitch, suggesting that sellers are moving beyond simple traffic volume to emphasize the ease of use, automation, reliability, and the purported ability to bypass security measures.

The pricing structure reflects market segmentation based on the buyer. Very low-skill users can access short, inexpensive attacks, with one-hour attacks advertised for as little as five dollars. More serious customers can negotiate longer campaigns or daily rates starting at $100 per day for targets deemed "weak" or "medium," while higher-value customers can secure infrastructure-style offerings for significantly more. This tiered approach also includes premium options, such as advertised DDoS botnet attack networks priced up to two thousand dollars. Public reporting, such as from Akamai, suggests that some DDoS booter services operate on a monthly basis costing less than twenty-five dollars, further democratizing access to attack infrastructure.

Ultimately, DDoS-as-a-service lowers the barrier to entry for various malicious actors. It enables low-skill users to purchase simple disruptions, allows resellers to expand reach, and provides more serious customers with streamlined, supported campaigns. This development implies that security defenders should not assume that significant disruptions necessitate highly sophisticated attackers. The market trajectory points toward increasingly polished service models in the future, characterized by clearer pricing tiers, greater automation, robust reseller programs, and stronger branding around attack reliability and bypass capabilities.