From $5 Attacks to Botnet-Powered Platforms: Inside the DDoS-as-a-Service Market
A new Flare report reveals the DDoS-as-a-service market has evolved from simple $5 attacks to sophisticated subscription-based platforms with customer support and reseller programs.
A new report from Flare details the evolution of the DDoS-as-a-Service market, which now offers subscription-based attack platforms with pricing tiers, customer support, and reseller programs. The report describes how these services have moved from simple $5 attacks to sophisticated botnet-powered platforms. It highlights the commercialization of DDoS capabilities, making them accessible to a wider range of threat actors.
DDoS attacks have long been one of the simplest ways to disrupt an online service: flooding it with enough traffic, exhausting its infrastructure, and making it unreachable without breaking into the target's systems. Now more than ever DDoS is being packaged, branded, and sold with the language of a mature online service, and the impact is well recorded in the real world. Cloudflare reported blocking a 7.3 Tbps attack in 2025 and later said it mitigated a 31.4 Tbps attack in its Q4 2025 DDoS report. Microsoft also said Azure mitigated a 15.72 Tbps attack in October 2025, attributing the activity to the Aisuru botnet.
Behind those incidents, underground sellers are competing over the same buyers with an increasingly polished pitch. Recent underground activity analyzed by Flare researchers describe attack panels, API access, monthly plans, reseller options, customer support, botnet-backed capacity, game-server methods, and Cloudflare bypass claims. A comparison of two datasets of DDoS-related underground activity from the first five months of 2023 and the first five months of 2026 shows how quickly that offer has changed. What once appeared more frequently as scripts, tutorials, leaked tools, and scattered forum posts is now more often presented as a repeatable product that is easier to buy and operate.
Flare researchers searched for DDoS-related underground activity from two periods in time: the first five months of 2023 and the first five months of 2026. The team cleaned the data, curated it and found some important insights. The volume of records increased slightly from 4,403 to 4,964, but high-signal DDoS service ads surged from 38 to 364 — a roughly 10x increase. Unique ad clusters grew from 31 to 123 (4x), unique actors from 15 to 41 (3x), and sources observed from 22 to 43 (2x).
The topics in the posts from 2023 are more diverse. Many offerings revolved around scripts, leaked tools, tutorials, or generic "botnet service" advertisements. One repeated type of post from 2023 promoted a "Botnet Service L7 - L4" and claimed Layer 3, Layer 4, and Layer 7 capability, optional API access, automatic payments, high attack slots, game-server targeting, and bypasses for Cloudflare-related protections. The same advertising text appeared across multiple sources and actors, suggesting copying, reselling, or recycling marketing.
While the post from 2023 was focused about the services, more recent posts from 2026 are focused around the price and the offering they give. An advertisement of "SatelliteStress" described the service as an IP stresser with a user-friendly panel, API access, game-server support, and monthly plans starting at €20. The same post claimed the service was "100% botnet-powered" and did not rely on downstream APIs, a positioning meant to distinguish it from resellers that depend on another provider's infrastructure. Another post, "Areshun", offers a "Premium DDoS Service" with Layer 4 and Layer 7 attacks, monitoring, API integration, custom plans, 24/7 support, and promotional discount codes. "RebirthStress" is similarly marketed as a botnet-powered IP and web stressing device, a free Layer 7 hub, more than 400 slots, reselling suitability, and plans starting at $15 per month.
If you go over these posts, one-by-one and make the comparison, you see a distinct trend. The post in 2026 is more focused on a product, the sellers are competing one against another on customers. They package everything nicely, offer shiny features: ease of use, fully automated, full support, privacy promised, reselling capacity, and reliability. The technical language became part of the sale pitch. This commercialization of DDoS capabilities lowers the barrier for attackers, making it easier for anyone with a few dollars to launch disruptive attacks against any target. Organizations must be aware that DDoS-for-hire is now a mature, accessible market, and should ensure they have robust mitigation strategies in place.