What is a DDoS attack?
DDoS means distributed denial of service. In simple words, many computers or devices send traffic to one target at the same time. The goal is to make the target too busy to serve real visitors. A DoS attack is similar, but it usually comes from one source. That is why people search for "cost of DoS attack on business" even when they mean DDoS. Both can hurt a company, but DDoS is often harder to stop because the traffic comes from many places.
Current DDoS statistics for 2025 and 2026
DDoS attacks grew fast in 2025. In its Q1 2025 DDoS Threat Report, Cloudflare said it blocked 20.5 million DDoS attacks in just one quarter. That was a 358% increase from the year before. By the end of 2025, the numbers were even bigger. Cloudflare's Q4 2025 DDoS Threat Report said it blocked 47.1 million DDoS attacks in 2025. That was a 121% increase over 2024. Cloudflare also reported a record 31.4 Tbps attack that lasted only 35 seconds. Other reports show the same trend. Radware's 2026 Global Threat Analysis Report said DDoS attacks rose 168.2% in 2025 compared with 2024. StormWall also reported that DDoS attacks grew 168% year over year in Q1 2026. The simple lesson is this: attacks are getting faster, larger, and more common.
How much can a DDoS attack cost a company?
The cost depends on the company, the website, and how long the outage lasts. Some 2025 and 2026 cost roundups still use about $22,000 per minute as an average DDoS downtime estimate. That equals about $1.32 million per hour. Application-layer DDoS attacks can also be expensive. Security Magazine reported that downtime from a successful application DDoS attack averaged $6,130 per minute. For small businesses, some reports estimate recovery costs around $120,000 per incident. For large companies, losses can pass $1 million when lost sales, recovery work, and customer trust are included.
A DDoS attack can cost money through:
- Missed sales while the site is down
- Emergency IT and security help
- Extra cloud or bandwidth costs
- Refunds or service credits
- Support tickets from upset customers
- Lost trust after the outage
- Staff time spent fixing the problem
What does DDoS prevention cost?
DDoS prevention can start cheap, especially for small websites. Cloudflare says its DDoS protection is available on all plans and includes standard unmetered protection for layers 3, 4, and 7.
Layer 3 - network layer. This is where IP addresses and routing live. It moves raw packets of data between machines across the internet. Layer 3 attacks flood your server with huge volumes of packets to clog the network "pipe" itself. Example: IP and ICMP floods.
Layer 4 - transport layer. This manages connections and data delivery between two machines, using protocols like TCP and UDP. Layer 4 attacks abuse how connections are set up. Example: a SYN flood, where the attacker opens millions of half-finished connections so the server runs out of resources waiting for them to complete.
Layers 3 and 4 together are often called volumetric or network-layer attacks. They are about sheer size, measured in Tbps (terabits per second) or packets per second. The record attacks cited in this article, like 31.4 Tbps and 2.3 Tbps, are layer 3 and 4 attacks.
Layer 7 - application layer. This is the top layer, where your actual website, HTTP requests, and APIs live. It is what visitors directly interact with. Layer 7 attacks mimic real visitors and send a flood of normal-looking requests, for example by hammering a search page or login form. They are harder to detect because each request looks legitimate, and they are measured in requests per second (rps), like the 200+ million rps attacks seen in 2025.
Cloudflare's website plans include a free tier, with paid plans starting around $20 per month for Pro and around $200 per month for Business on annual billing. If your company uses AWS, AWS Shield Standard is included for AWS customers. AWS Shield Advanced pricing is much higher at $3,000 per month, plus usage fees, with a one-year commitment. This can make sense for bigger companies, but it may be too expensive for many small businesses.
Google Cloud Armor is another option. Google says Cloud Armor helps protect apps and websites against DDoS and web attacks. Its pricing page includes pay-as-you-go options and enterprise plans. For many small businesses, the best DDoS protection for small business is a mix of CDN, WAF, rate limits, monitoring, and a clear response plan.
Real DDoS attack examples
History shows that even the biggest names on the internet can be hit. These real cases also show that good protection makes a huge difference.
- 2016 - Dyn (Mirai botnet): Attackers used the Mirai botnet, built from hacked IoT devices like cameras and baby monitors, to flood DNS provider Dyn with traffic. The outage took down or slowed major sites such as Netflix, Reddit, Spotify, Twitter, and PayPal, as covered in the Wikipedia summary of the Dyn attack. The lesson: one provider going down can break many businesses at once.
- 2018 - GitHub: GitHub was hit by a 1.35 Tbps memcached amplification attack, one of the largest ever at the time. Because GitHub used a DDoS protection service, the system alerted within minutes and the attack was stopped in about 20 minutes, as explained in GitHub's own DDoS incident report. The lesson: preparation turns a disaster into a short hiccup.
- 2020 - AWS: Amazon Web Services reported that it mitigated a 2.3 Tbps attack, the largest recorded at the time. AWS Shield handled it, as reported by The Verge.
- 2024 - Microsoft Azure: Microsoft said a July 2024 Azure incident was triggered by a DDoS attack, while a network configuration issue made the impact worse. The official Azure status history is a good reminder that protection and correct setup both matter.
- 2025 - Record 31.4 Tbps attack: Cloudflare blocked a record 31.4 Tbps attack that lasted only 35 seconds, launched by the Aisuru-Kimwolf botnet of an estimated 1-4 million infected devices. Cloudflare details this in its Q4 2025 DDoS threat report. The lesson: attacks keep getting bigger, so always-on protection is no longer optional.
On the prevention side, Google shares a positive example: Monks, the operating brand of S4 Capital, uses Google Cloud Armor for DDoS protection, as described in a Google Cloud case study.
What you can do now
So what can you do, starting today? Here is a simple step-by-step plan:
- Put a CDN or WAF in front of your site. A service like Cloudflare, AWS Shield, or Google Cloud Armor hides your real server and filters bad traffic. Many plans are free or low cost.
- Turn on always-on DDoS protection. Do not wait for an attack to enable it. Make sure layer 3, 4, and 7 protection is active.
- Add rate limits. Cap how many requests one visitor can make per minute so a single source cannot flood you.
- Set up monitoring and alerts. You want to know about strange traffic spikes within minutes, not hours.
- Keep backups and a way to scale. If one server struggles, you can fail over or add capacity fast.
- Write a simple response plan. One page is enough: who to call, which dashboard to check, and how to switch on extra protection.
- Test it once. Run a quick drill so your team knows the steps before a real attack happens.
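The rate-limit and monitoring steps from the plan above, as an added example that is not part of the original article: a per-visitor sliding-window limiter and a per-minute spike alert, replayed over constructed traffic. The thresholds (5 requests per 60 seconds, alert at 3x the median), the function names, and the sample IP addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from statistics import median

PER_CLIENT_LIMIT = 5   # assumed cap: requests per client per window
WINDOW_SECONDS = 60
SPIKE_FACTOR = 3.0     # assumed: alert when a minute exceeds 3x the median so far

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # client -> timestamps of allowed requests

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # over the cap: reject (e.g. HTTP 429)
        q.append(now)
        return True

def spike_minutes(per_minute, factor=SPIKE_FACTOR, min_history=2):
    """Return minutes whose request count exceeds factor x median of earlier minutes."""
    alerts, history = [], []
    for minute in sorted(per_minute):
        count = per_minute[minute]
        if len(history) >= min_history and count > factor * median(history):
            alerts.append(minute)
        history.append(count)
    return alerts

def replay(events):
    """Feed (timestamp, client_ip) events through the limiter and the spike monitor."""
    limiter = SlidingWindowLimiter(PER_CLIENT_LIMIT, WINDOW_SECONDS)
    blocked, per_minute = defaultdict(int), defaultdict(int)
    for ts, ip in events:
        per_minute[ts // 60] += 1          # monitoring counts every request seen
        if not limiter.allow(ip, ts):
            blocked[ip] += 1
    return dict(blocked), spike_minutes(per_minute)

def sample_events():
    """Constructed traffic: three steady visitors plus one noisy source."""
    events = [(t, ip) for t in range(0, 300, 20)
              for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3")]
    events += [(t, "203.0.113.9") for t in range(180, 220)]  # 40 requests in 40 s
    return sorted(events)

if __name__ == "__main__":
    print(replay(sample_events()))
```

The steady visitors are never throttled, the noisy source is cut off after its fifth request, and the traffic monitor flags the minute in which the burst occurs. A per-client cap does not stop a flood spread across many sources, which is why the spike alert counts all requests regardless of origin.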



