
2026 Botnet Attack Trends

Natalie Griffeth

Senior Content Marketing Manager

A look at the current bot landscape, recent attacks and 2026 botnet trends

Bot attacks have evolved over the past year, increasing in size, speed and sophistication. Fueled by insecure IoT devices and new attack techniques, botnet-style attacks (especially DDoS) are moving toward highly scalable and globally distributed strategies. Botnets in particular are now capable of launching record-breaking DDoS attacks and multi-vector campaigns. Most concerning, they are quickly evading more traditional defensive and mitigation measures.

The result is a botnet threat landscape that requires even the most prepared organizations to evaluate their existing bot strategies and reassess ways to adapt to the evolving threats.

At Fastly, we are watching bot activity closely - not just attacks, but the sheer scale of bot activity across the web. Our quarterly Threat Insight Reports take frequent looks at bot activity and AI bot trends, showing that the scale and scope of bots are increasing exponentially. The following explores recent bot attacks, mitigation efforts and bot trends we’re seeing in 2026.

Recent botnet attacks and mitigation

Record breaking scale

The past year saw the sheer scale of attacks dramatically increase, with security researchers recently observing the largest ever DDoS attack at 31.4 Tbps. This is a scale that seemed impossible only a few years ago. Attributed to the Aisuru/Kimwolf botnet, the attack leveraged millions of compromised devices. At this scale, the attack is less about exploiting a specific weakness and more about overwhelming the fundamental limits of internet infrastructure.

Even large organizations with significant bandwidth can struggle if they are not using globally distributed mitigation systems. The key takeaway is that volumetric attacks are no longer rare - they are becoming part of the normal operating environment.

Law enforcement takedown

In early 2026, global law enforcement dismantled several botnets, including Kimwolf, Aisuru, JackSkid and Mossad. These botnets comprised over 3 million infected devices and were responsible for launching 316,000 DDoS attacks globally.

These botnets mainly target IoT devices such as routers and cameras, and Android systems including TVs and streaming boxes. The sheer volume and impact of attacks at this scale demonstrate the absolute necessity for organizations to have DDoS and bot mitigation solutions and strategies in place.

Long-standing botnets dismantled 

The SocksEscort botnet, which had been active for years and infected over 369,000 devices, was also dismantled. Responsible for enabling DDoS attacks, fraud, ransomware and anonymous proxy abuse, this long-standing botnet “compromised routers and IoT devices in 163 countries, claimed about 369,000 victims and $5.8 million from its cybercriminal customers”. This crackdown shows the recognition of how dangerous botnets can be when left unchecked.

Botnet trends in 2026

The botnet ecosystem is undergoing several major shifts that are shaping the 2026 threat landscape. 

A shift toward automation and scale

Recent attacks have highlighted a critical shift in how mitigation works. The largest attacks, despite their scale, were often mitigated successfully by automated, globally distributed systems rather than manual intervention.

This reflects a broader trend: attacks now occur at machine speed, so defense must also operate at machine speed.

Modern mitigation relies on:

  • Real-time traffic analysis

  • Globally distributed networks

  • Automated filtering and rate limiting

Traditional approaches, like on-premise appliances or reactive scrubbing, are increasingly insufficient against terabit-scale attacks.

Commoditization of cyberattacks

Attackers are no longer focused on crafting highly sophisticated, one-off exploits. Instead, they prioritize efficiency, scalability, and repeatability.

This means:

  • More attacks, launched more frequently

  • Faster execution cycles

  • Greater reliance on automation and reusable infrastructure

In effect, botnets are becoming part of a larger continuous attack system, rather than standalone tools.

Explosive growth in attack volume

The number of DDoS attacks has surged dramatically. In 2025 alone, global attacks more than doubled to over 47 million incidents, with thousands occurring every hour.

In December 2025, Fastly observed the largest attack of the year, which we called “the Grinch”. It “scaled to over 10 million requests per second, then hit a sustained max RPS of over 100 million for three minutes shortly after”. This attack was nearly 8X larger than our previous record.

Additionally, overall botnet activity, including command-and-control infrastructure, has increased significantly, with measurable growth in active botnet networks and malware families.

This growth reflects both:

  • Increased availability of botnet tools

  • Lower barriers to entry for attackers

Continued abuse of IoT and consumer devices

IoT devices remain a ripe target for modern botnets. This includes devices like:

  • Home routers

  • IP cameras

  • Smart TVs

  • Android-based streaming boxes

These devices are frequently compromised due to weak security practices like the use of default credentials and a lack of updates. Recent botnets like Aisuru and Mirai variants explicitly target these devices, exploiting known vulnerabilities and scaling rapidly across global networks.

The result is a constantly growing pool of exploitable devices that attackers can recruit into botnets.

Short, high-intensity attacks

Another notable trend is the shift toward short-duration, high-intensity attacks. Many modern DDoS events last only seconds or minutes, but generate enormous traffic spikes during that time.

For example:

  • Some record-breaking attacks lasted under a minute

  • Many attacks now complete before manual response is possible

This makes traditional detection and response workflows ineffective and reinforces the need for automated mitigation systems.

Hiding in plain sight 

Attackers are increasingly blending into normal traffic by leveraging legitimate platforms like:

  • Cloud providers

  • SaaS applications

  • Residential proxy networks

This technique, sometimes referred to as “living off the cloud”, makes malicious traffic harder to distinguish from legitimate user activity.

It also allows attackers to scale quickly using existing infrastructure and avoid detection by reputation-based filtering.

Multi-vector botnets

Modern botnets are no longer single-purpose. They are increasingly used for multiple attack types, including:

  • Volumetric DDoS

  • Application-layer attacks

  • Credential stuffing

  • API abuse

This increases their value to attackers and expands the range of potential impacts on organizations. 

What this means for organizations in 2026

The evolution of botnets has significant implications for how organizations approach their 2026 security strategy. Attacks are no longer exceptional events, but instead are a normal part of doing business online. 

With millions of attacks occurring annually, organizations must assume that they will be targeted at some point. This changes the mindset from “Can we prevent attacks?” to “How do we operate reliably during attacks?”


Organizations must consider the following when assessing their security strategies:

1. Scale requirements are increasing. Terabit-scale attacks have raised the bar for defensive capacity. Organizations relying on limited bandwidth or localized infrastructure face increasing risk, as modern attacks can easily overwhelm these resources.

This has driven adoption of:

2. Automation is no longer optional. Because attacks are faster and more frequent, manual response is no longer viable.

Effective defense now requires:

  • Automated detection

  • Real-time mitigation

  • Continuous monitoring

Security systems must be able to respond instantly, without human intervention.

3. The attack surface is expanding. The rise of IoT devices and cloud-based infrastructure means that organizations must consider a broader attack surface than ever before. 

This includes:

  • Public-facing services

  • APIs

  • Internal systems exposed via proxies or misconfiguration

Additionally, botnets are increasingly capable of targeting internal or non-traditional assets, not just public websites.

4. Distinguishing malicious from legitimate traffic is harder. With attackers using residential IPs and legitimate platforms, traditional filtering techniques are becoming less effective. 

Organizations must invest in:

  • Behavioral analysis

  • Advanced traffic classification

  • Machine learning-based detection

5. Resilience is the primary goal. Ultimately, the goal is shifting from prevention to resilience.

Organizations must design systems that can:

  • Absorb large-scale attacks

  • Maintain availability under stress

  • Recover quickly from disruptions

This represents a fundamental change in security strategy: from blocking attacks to operating through them.

Botnet Mitigation Strategies

It is important to keep security tight in order to prevent DDoS and botnet attacks. Here are some common best practices that can help. 

Know the Signs: Understand the top 4 signs of an attack

Top signs typically include unusually slow network performance, unavailability of specific websites or services, a surge in random traffic from a single IP or geographic region, and server crashes or system shutdowns. Let’s take a look at how you can easily recognize a DDoS botnet attack in more detail. 

1. Slow network performance

If you suddenly experience unusually slow network speeds both on internal systems and when accessing external websites and services, this could mean a DDoS attack is saturating your bandwidth. Attacks aim to overwhelm available internet pipes, so performance will lag across your entire network footprint.

2. Website unavailability

One of the common goals of a DDoS attack is to force websites offline. If your business's main site or internal tools become inaccessible or respond very slowly, it's a clear sign you may be under assault. Having customers or your workforce unable to load pages is a telltale indicator.

3. Increased traffic from specific IPs

Your network monitoring should be configured to track traffic patterns and volumes. A rise in traffic originating from specific IP addresses, especially short bursts that don't align with normal usage, could indicate an attack in progress. 

4. Inexplicable outages

Unexplained frequent or prolonged periods of downtime related to your online presence or internal systems may also suggest that an advanced attacker is overrunning your defenses.
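The third and fourth signs above (a rise in traffic from specific addresses, and bursts that don't match normal usage) can be turned into a concrete check. The Python below is an added example, not Fastly code or Fastly's log format: it parses constructed access-log lines of the form `<ISO timestamp> <client_ip> <path> <status>`, buckets requests into ten-second windows, and reports any window whose volume jumps far above the baseline, distinguishing a burst dominated by one address from the same volume spread thinly across many addresses (the residential-proxy pattern described under "Hiding in plain sight", which a per-IP threshold alone would miss). The window size, the spike factor, the dominance ratio and the addresses (all from documentation ranges) are assumptions made for the example.

```python
"""Spotting a request-rate burst in access logs.

Added example, not Fastly code or log format: constructed lines of the form
"<ISO timestamp> <client_ip> <path> <status>" are bucketed into fixed windows,
and a window whose request count jumps far above the baseline is reported as
either a single-source burst (one IP dominates) or a distributed burst (many
low-rate sources, the shape a residential-proxy botnet produces).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2026, 1, 15, 12, 0, 0)   # arbitrary start time for the constructed log


def _line(offset_s, ip, path="/", status=200):
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} {ip} {path} {status}"


def build_sample_log():
    """Constructed traffic: 60 s of steady legitimate traffic (2 req/s from ten
    users), 10 s of a burst from a single address, then 10 s of the same volume
    spread across ~250 addresses. All addresses are from documentation ranges."""
    users = [f"198.51.100.{i}" for i in range(1, 11)]
    lines = []
    for s in range(60):                                   # baseline
        for k in range(2):
            lines.append(_line(s, users[(s + k) % 10]))
    for s in range(60, 70):                               # single-source burst
        lines.append(_line(s, users[s % 10]))
        lines.extend(_line(s, "203.0.113.7", "/login", 503) for _ in range(40))
    for s in range(70, 80):                               # distributed burst
        lines.append(_line(s, users[s % 10]))
        lines.extend(_line(s, f"192.0.2.{(s * 40 + j) % 254 + 1}", "/api/search", 503)
                     for j in range(40))
    return lines


def parse_line(line):
    ts, ip, path, status = line.split()
    return datetime.fromisoformat(ts), ip, path, int(status)


def bucket(lines, window_s=10):
    """Map window start (seconds after the first request) -> Counter of client IPs."""
    parsed = [parse_line(ln) for ln in lines]
    t0 = min(p[0] for p in parsed)
    windows = defaultdict(Counter)
    for ts, ip, _path, _status in parsed:
        w = int((ts - t0).total_seconds()) // window_s * window_s
        windows[w][ip] += 1
    return windows


def detect_bursts(lines, window_s=10, baseline_windows=3, spike_factor=5.0, dominance=0.5):
    """Return one finding per spiking window.

    The baseline is the mean request count of the first `baseline_windows`
    windows. A later window is a spike when it carries more than
    spike_factor x baseline requests. Inside a spike, an address sending at
    least `dominance` of the requests is reported as the single noisy source;
    otherwise the burst is reported as distributed, with the source count.
    """
    windows = bucket(lines, window_s)
    starts = sorted(windows)
    baseline = sum(sum(windows[w].values()) for w in starts[:baseline_windows]) / baseline_windows
    findings = []
    for w in starts[baseline_windows:]:
        total = sum(windows[w].values())
        if total <= spike_factor * baseline:
            continue
        ip, n = windows[w].most_common(1)[0]
        if n / total >= dominance:
            findings.append({"window": w, "total": total, "kind": "single-source",
                             "ip": ip, "ip_requests": n})
        else:
            findings.append({"window": w, "total": total, "kind": "distributed",
                             "sources": len(windows[w])})
    return findings


if __name__ == "__main__":
    for finding in detect_bursts(build_sample_log()):
        print(finding)
```

Run stand-alone it prints two findings: the 60-second window dominated by `203.0.113.7`, and the 70-second window that carries the same 20x volume from 264 distinct sources, none of which sends more than two requests. The second finding is the one worth noticing: a reputation list or a per-IP cap would pass every one of those addresses, while the aggregate rate against the baseline still exposes the burst.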

Implement a multi-prong security approach

Defending against DDoS botnet attacks requires a multi-pronged approach combining proactive measures and reactive strategies. While completely preventing DDoS attacks may be challenging, organizations can significantly mitigate their impact by implementing a solid defense plan. DDoS mitigation best practices in your security program should include:

  • Monitor traffic patterns. Your first line of defense is constant monitoring. Install tools to analyze website traffic 24/7 and alert you to unusual spikes or changes. By spotting anomalies early, your team can investigate and stop bots or potential attacks before serious overload occurs.

  • Use a Web Application Firewall (WAF). Fastly’s Next-Gen WAF sits in front of your web servers, filtering requests for signs of malicious activity. It can stop bots and detect and block common exploits like SQL injection or cross-site scripting before they reach your applications. By preventing harmful traffic, Fastly’s WAF protects you from dealing with disruptions after the fact.

  • Implement rate limiting. No system can handle unlimited traffic indefinitely. Set access thresholds using edge rate limiting, so abnormal volumes are automatically managed without impacting normal users. This ensures your digital presence remains responsive for genuine customers during episodes of elevated traffic loads.

  • Use Content Delivery Networks (CDNs). CDNs make your website’s digital assets available from multiple server locations worldwide. This distributed architecture means that if one region faces elevated traffic, others nearby can handle the extra load to ensure you can continue serving customers.

  • Employ IP blacklisting. You also have the option of banning specific IP addresses known to cause problems in the past. Keep records of addresses engaged in questionable traffic patterns and automatically reject their future requests. This denies bad actors the ability to disrupt your business's operations.

  • Conduct regular security audits. Review your defenses periodically. As threats evolve, so too must protections. By scheduling security audits, your business can ensure tools remain up-to-date and appropriately configured to safeguard operations.

  • Establish an incident response plan. Even the most robust measures may not prevent every attack. Have a detailed plan prepared if issues arise, so your team can respond rapidly and minimize any impact. With a process ready to execute, you can address disruptions efficiently and continue serving customers.

To learn more about integrated DDoS protections, check out this resource on why security teams are switching to Fastly's next-gen WAF.

You can read our complete guide to mitigating volumetric DDoS attacks here.
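The rate-limiting and IP-blacklisting practices in the list above, worked through as an added example that is not Fastly's edge rate limiting or Next-Gen WAF: each client key gets a token bucket that admits a short burst and then refills at a fixed rate, and a client that keeps getting throttled is moved onto a time-limited blocklist automatically, so the "keep records of addresses engaged in questionable traffic patterns and automatically reject their future requests" step needs no human in the loop. The class name `EdgeLimiter`, the thresholds, the two client addresses (documentation ranges) and the request pattern are all constructed for the example; time is passed in as integer milliseconds and tokens are tracked in thousandths so every decision is exact and reproducible.

```python
"""Edge rate limiting with an automatic, time-limited blocklist.

Added example, not Fastly's edge rate limiting: each client key gets a token
bucket that admits bursts of up to `burst` requests and refills at `rate`
requests per second. A client throttled `max_strikes` times inside a
`strike_window` is added to a blocklist for `ban_seconds`. Time is passed in as
integer milliseconds and tokens are tracked in thousandths, so every decision
is exact and reproducible.
"""
from collections import Counter, defaultdict, deque


class EdgeLimiter:
    def __init__(self, rate=5, burst=10, max_strikes=20, strike_window=10, ban_seconds=300):
        self.rate = rate                       # tokens per second == millitokens per millisecond
        self.capacity = burst * 1000           # bucket size in millitokens
        self.max_strikes = max_strikes
        self.strike_window_ms = strike_window * 1000
        self.ban_ms = ban_seconds * 1000
        self._buckets = {}                     # key -> (millitokens, last_seen_ms)
        self._strikes = defaultdict(deque)     # key -> times of recent throttled requests
        self._blocked_until = {}               # key -> ms at which the block expires

    def check(self, key, now_ms):
        """Decide one request from `key` at `now_ms`: 'allow', 'throttle' or 'block'."""
        expiry = self._blocked_until.get(key)
        if expiry is not None:
            if now_ms < expiry:
                return "block"                 # still on the blocklist
            del self._blocked_until[key]       # ban expired; client starts over
        tokens, last = self._buckets.get(key, (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:
            self._buckets[key] = (tokens - 1000, now_ms)
            return "allow"
        self._buckets[key] = (tokens, now_ms)
        strikes = self._strikes[key]
        strikes.append(now_ms)
        while strikes and strikes[0] <= now_ms - self.strike_window_ms:
            strikes.popleft()                  # forget strikes outside the window
        if len(strikes) >= self.max_strikes:
            self._blocked_until[key] = now_ms + self.ban_ms
            strikes.clear()
            return "block"                     # escalate: repeated abuse -> temporary blocklist
        return "throttle"

    def blocked(self):
        """Current blocklist entries (key -> expiry ms), e.g. for logging or sharing."""
        return dict(self._blocked_until)


NORMAL, ABUSER = "198.51.100.4", "203.0.113.7"   # constructed documentation-range addresses


def simulate(seconds=10):
    """Constructed scenario: a normal client at 2 req/s and an abusive client at
    50 req/s share one limiter for `seconds`. Returns the limiter and, per
    client, a Counter of decisions."""
    lim = EdgeLimiter(rate=5, burst=10)
    tally = {NORMAL: Counter(), ABUSER: Counter()}
    for ms in range(0, seconds * 1000, 20):         # one tick every 20 ms
        tally[ABUSER][lim.check(ABUSER, ms)] += 1   # abuser fires on every tick
        if ms % 500 == 0:                           # normal client fires twice a second
            tally[NORMAL][lim.check(NORMAL, ms)] += 1
    return lim, tally


if __name__ == "__main__":
    limiter, results = simulate()
    for client, decisions in results.items():
        print(client, dict(decisions))
    print("blocklist:", limiter.blocked())
```

In the constructed run the normal client never loses a request, while the abusive client gets its initial burst of ten plus a trickle of refills, is throttled nineteen times, and is then blocked outright for the rest of the window and for five minutes afterwards. Throttling first and blocking only on repeated strikes is what keeps a legitimate client that merely has a noisy spike from ending up on the blocklist, and the expiry keeps the list from growing without bound.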

How Fastly can Help

Maintaining comprehensive security against botnet DDoS attacks presents major challenges in terms of cost, complexity, false positives, evolving threats, and resource intensity. However, Fastly's cloud-based DDoS protection solution directly resolves each of these concerns.

The key benefits of Fastly’s DDoS Protection include the following:

  • Lower Costs: Fastly offers cost-effective DDoS protection, which is included with its CDN services.

  • Simplified Complexity: Fastly's solution requires no complex setup or manual tuning on your side. The network automatically absorbs layer 3/4 attacks, while the next-gen WAF seamlessly handles Layer 7 threats.

  • Reduced False Positives: Fastly's advanced SmartParse detection engine accurately classifies requests while minimizing the false positives that could block real users.

  • Continuous Evolution: Fastly enhances detection and mitigation based on solid intelligence, letting you stay ahead of evolving global attack trends. 

  • Resource Efficiency: Fastly's massive 336 Tbps network has a built-in capacity to absorb even extraordinary attacks without performance impacts.

  • Automated edge mitigation also reduces the origin load. 

Sign up for a free trial to learn more about how Fastly can bring you peace of mind and stop bad actors. 

You can also read our detailed guidance on available DDoS mitigation providers here.
