DDoS Attacks Now a Permanent Threat, Link11 Report Finds

DDoS attacks against European organizations reached unprecedented levels in 2025, with attacks active 88% of the year—322 days when systems were under fire. Link11's European Cyber Report 2026 paints a stark picture: distributed denial of service is no longer a disruptive one-off event but a permanent operational burden.

The numbers tell the story. Documented attacks increased 75% across Link11's network. Three attacks exceeded 1 terabit per second—up from just one exceptional attack the previous year. The strongest measured assault hit 1.33 Tbit/s with over 120 million packets per second. One coordinated series of attacks pushed 509 terabytes of data, equivalent to the daily internet traffic of a city of 120,000 people.

The Persistence Problem

What's changed isn't just attack volume—it's attacker behavior. The report found a greater than 70% probability that an initial attack triggers follow-up assaults. On average, victims experienced 2.8 additional attacks after the first hit, an 80% increase from 2024.

The longest continuous attack lasted 12,388 minutes. That's over eight days of sustained assault on a single target.

This shift from hit-and-run to persistent harassment changes the defensive calculus. Organizations can no longer treat DDoS mitigation as an emergency response capability. It needs to be always-on, always ready.

Tactical Evolution

Attackers are combining multiple techniques simultaneously: high-volume floods alongside low-and-slow application layer attacks. They test defensive mechanisms in real-time, varying patterns to probe for weaknesses.

Layer 7 attacks targeting web applications and APIs are seeing particular growth. These attacks are harder to distinguish from legitimate traffic because they use valid HTTP requests—just overwhelming numbers of them. Traditional volumetric detection that looks for bandwidth spikes misses attacks that stay under rate limits while slowly exhausting backend resources.

The report suggests this tactical sophistication points toward professionalization. Someone is learning what works against modern defenses and iterating.

DDoS as Distraction

Link11 predicts a marked rise in DDoS attacks throughout 2026, but with a twist: many won't aim primarily to disrupt services. Instead, they'll serve as cover for more damaging activities happening simultaneously.

While security teams scramble to restore availability during a volumetric attack, threat actors may be quietly exfiltrating data or deploying ransomware elsewhere in the network. The DDoS becomes a distraction—attention theft masquerading as denial of service.

We've seen hints of this pattern already. Several recent ransomware incidents began with DDoS attacks that diverted security resources before encryption payloads deployed. The connection between DDoS activity and subsequent intrusions deserves more attention from defenders.

What This Means for Defenders

The report's findings carry practical implications:

Always-on protection is mandatory. The 322-days-per-year attack frequency means DDoS mitigation can't be reactive. By the time you detect an attack and spin up defenses, damage is already done. Scrubbing services and CDN-based protection need to be perpetually active.

Monitor for what happens during attacks. When under DDoS assault, don't let all attention focus on restoring availability. Keep eyes on authentication logs, data access patterns, and lateral movement indicators. The attack you see may not be the attack that matters.

Plan for persistence. An eight-day attack requires different resources than an eight-minute one. Do your incident response plans account for sustained operations? What happens when the third shift gets tired?

Budget accordingly. DDoS mitigation costs scale with attack duration and volume. The cumulative bandwidth of these attacks (509 TB in one series) has real cost implications for organizations that pay by the gigabyte mitigated.

The European Context

While Link11's data focuses on European infrastructure, the trends apply broadly. DDoS-for-hire services operate globally, and attack infrastructure crosses borders freely. What starts targeting German hosting providers can shift to American retailers overnight.

European organizations face additional complexity from GDPR incident notification requirements. A sustained DDoS that impacts data availability may trigger regulatory obligations beyond just the operational disruption.

The report arrives as European regulators increase scrutiny of operational resilience. Organizations subject to DORA (Digital Operational Resilience Act) requirements should treat these findings as relevant input for their risk assessments.

DDoS evolved from nuisance to permanent threat. The organizations that adapt their defenses to this reality will weather 2026 better than those still treating it as occasional disruption.