By NHI Mgmt Group Editorial Team
Published 2026-01-29
Domain: Breaches & Incidents
Source: DigiCert

TL;DR: Sustained internet demand, higher DNS noise, and longer, more automated DDoS activity defined the end of 2025, with attackers increasingly using prolonged pressure rather than brief spikes to stress infrastructure, according to DigiCert. That shifts resilience from burst handling to continuous operations across DNS, network, and application layers.


At a glance

What this is: This is DigiCert’s Q4 2025 RADAR brief on sustained internet demand, longer DDoS campaigns, and persistent application-layer probing.

Why it matters: It matters because prolonged pressure on DNS, WAF, and network controls changes how identity-adjacent infrastructure must be monitored, absorbed, and defended across NHI, autonomous, and human-facing services.

👉 Read DigiCert's Q4 2025 RADAR brief on sustained DDoS and DNS pressure


Context

Q4 internet pressure is no longer defined by isolated surges. The more important pattern is sustained load, where DNS, network, and application services stay under elevated demand long enough for reactive operations to lose effectiveness.

For identity and access programmes, that matters because availability and trust are linked. When lookup failures, automated probing, and prolonged DDoS activity become routine background conditions, resilience depends on controls that keep working under continuous strain, not just during short incidents.


Key questions

Q: How should security teams defend against sustained DDoS pressure instead of short spikes?

A: Security teams should design for prolonged saturation, not just burst absorption. That means validating scrubbing, rate limiting, failover, and staffing for attacks that last hours or days. It also means testing whether mitigation still works once operators are fatigued and traffic patterns remain noisy long after the initial alert.

Q: Why do sustained DNS anomalies matter for IAM and trust services?

A: DNS anomalies matter because authentication, certificate validation, and service discovery depend on reliable name resolution. When failed lookups and automated requests stay elevated, they can mask malicious activity, slow dependent services, and weaken the control signals that identity and access teams use to separate normal behaviour from abuse.

Q: What do security teams get wrong about low-and-slow application probing?

A: They often focus on volume thresholds and miss the value of repeated, small tests. Low-and-slow probing is designed to learn how an application handles sessions, cookies, and edge cases without triggering obvious alarms. Detection has to watch for patterns across time, not only for a sudden surge.

Q: Who is accountable when prolonged internet pressure disrupts identity-dependent services?

A: Accountability usually sits across infrastructure, security operations, application owners, and identity teams because the failure crosses control boundaries. If DNS, web protection, or certificate services break under load, the programme failed at coordination as much as configuration. Governance should assign ownership before the next sustained attack, not during it.


Technical breakdown

Sustained DNS load changes the security baseline

DNS traffic is a foundational signal because it sits in front of almost every digital service. When failed lookups, automated scans, and repeated malformed requests remain elevated for weeks, infrastructure teams lose the headroom they normally rely on to distinguish ordinary business demand from abuse. That is not just a capacity issue. It alters the operational baseline that DDoS mitigation, WAF tuning, and incident triage depend on, especially when application and DNS controls must absorb the same pressure at once.

Practical implication: tune DNS monitoring and mitigation for persistent load, not only for bursty anomalies.

Why longer DDoS campaigns defeat spike-based defence models

Traditional DDoS planning often assumes a fast attack, a peak, then recovery. Q4's pattern is different: attacks lasted longer, scaled up over time, and were used to wear down defences rather than simply knock services offline. That shifts the problem from momentary saturation to sustained exhaustion of infrastructure, teams, and automation thresholds. In practice, resilience now depends on whether controls can hold steady over hours or days without operator fatigue becoming the real failure mode.

Practical implication: validate that mitigation playbooks and staffing plans can sustain long-duration attacks.

Automated application probing is a control-testing problem

Application-layer activity in the brief was less about noisy exploitation and more about repeated, automated testing of application behaviour. Techniques such as cookie manipulation and repeated request variation are useful because they probe how a service handles state, sessions, and input without immediately triggering obvious alarms. That makes this a governance problem as much as a technical one: if controls only look for large spikes or known signatures, they miss the slower probing that turns small misconfigurations into exposure.

Practical implication: instrument application controls to detect repeated low-and-slow probing patterns, not just volume spikes.


Threat narrative

Attacker objective: The attacker’s objective is to exhaust resilience capacity, degrade service availability, and create openings for follow-on exploitation under sustained pressure.

  1. Entry occurs through automated probing against DNS, network, and web application surfaces, with attackers using sustained traffic and malformed requests to test how services respond.
  2. Escalation comes from prolonged DDoS and repeated application testing, which increase operational strain and can expose weak configuration or tuning gaps.
  3. Impact is degraded availability, slower response, and higher risk that background probing turns into exploitation or service disruption.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Continuous pressure is becoming the default operating condition for internet-facing services. The brief’s most important signal is not just that traffic rose, but that the old distinction between peak and off-peak is breaking down. That means control designs based on short recovery windows are increasingly misaligned with how attackers and users now behave. For identity and access teams, the lesson is that availability, detection, and enforcement must be designed for steady-state stress, not exceptional events.

Identity-adjacent infrastructure now needs resilience thinking, not just control tuning. DNS, WAF, and certificate-dependent services sit close to authentication and trust flows, so prolonged disruption can ripple into human login paths, service-to-service access, and automated workload behaviour. A control that works in a lab or during a brief test may still fail under hours of pressure. Practitioners should treat sustained demand as a governance condition, not only an infrastructure metric.

Automation is changing the economics of probing, not only the volume. The article shows that attackers increasingly use repeated low-noise requests to learn how systems behave over time. That pattern matters because it turns the environment itself into a test harness, where misconfigurations, weak session handling, or brittle rate limits reveal themselves gradually. Security teams need to assume that background traffic may already be an adversarial measurement channel.

Persistent abuse is widening the gap between telemetry and action. When noise becomes constant, teams struggle to tell whether they are seeing ordinary demand or hostile reconnaissance. That is especially risky for programmes that rely on human review cycles or manual escalation thresholds. The practical conclusion is straightforward: resilience programmes need a clearer distinction between sustained load, attack pressure, and genuine service degradation before the environment decides that for them.

Long-duration attacks validate layered defence, but they also expose orchestration gaps. The brief supports a familiar truth with current evidence: no single control can absorb a sustained campaign across DNS, network, and application layers. What changes is the need to coordinate those layers continuously, because attackers are now willing to stay in the fight longer than the staffing model assumes. Practitioners should re-check how quickly protection moves from detection to containment under extended load.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • For a broader governance view, the 52 NHI breaches Report shows how exposed credentials repeatedly turn background pressure into real compromise.

What this signals

Sustained traffic pressure is now a governance issue as much as an availability issue. Teams that still separate network resilience from identity and access governance will miss where outages become trust failures. The practical shift is to treat DNS, certificate services, and application controls as part of the same operational trust fabric, because attackers increasingly stress them together.

Persistent probing creates a new kind of operational noise floor. Once that floor is high enough, manual review cycles and threshold-based alerts become less useful. Practitioners should expect more false normalisation, where hostile behaviour blends into busy production traffic unless detection logic is tuned for duration, not just intensity.

Identity programmes should absorb the lesson from our Ultimate Guide to NHIs (Key Challenges and Risks): exposure grows when visibility is partial and remediation is slow. In a sustained-pressure environment, those weaknesses stop being theoretical. They become the reason a temporary disturbance turns into a longer service and governance incident.


For practitioners

  • Harden DNS monitoring for persistent abuse: Track NXDOMAIN rates, automated lookup failures, and repeated scanning as steady-state indicators, not only as incident spikes. Use those signals to separate demand growth from hostile reconnaissance before the environment becomes noisy enough to hide the attack.
  • Test long-duration DDoS playbooks: Run exercises that last long enough to stress staffing, escalation, and mitigation handoffs. The goal is to verify that protection still works after the first hour, not only during the first surge.
  • Tune application-layer detection for low-and-slow probing: Look for repeated cookie manipulation, small request variations, and sustained request patterns that test application behaviour over time. Pair those detections with WAF rules that can adapt without waiting for a large-volume threshold breach.
  • Map internet-facing dependencies to identity and trust flows: Identify where DNS, certificate services, and web gateways influence authentication, service access, and automated workloads. That mapping helps you prioritise protection where outage pressure would also interrupt identity-dependent operations.
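The following Python is an added example, not code from the DigiCert brief or from NHI Mgmt Group, and it illustrates the DNS point made in both the Technical breakdown (tune DNS monitoring for persistent load) and the first practitioner bullet above. It runs two rules over the same constructed resolver log: a classic per-minute NXDOMAIN threshold, which catches a one-minute burst and misses a client that fails a few lookups every minute for hours, and a duration rule that requires a high failure ratio across consecutive windows, which catches the slow client and ignores the burst. The log format, client addresses, and thresholds are all constructed for the example.

```python
"""Spike-based versus duration-based NXDOMAIN detection over constructed resolver logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable

# Constructed, hypothetical log format (not a real resolver's format):
#   "<ISO-8601 time> <client-ip> <qname> <rcode>"
EPOCH = datetime(1970, 1, 1)


def build_sample_log() -> list[str]:
    """Constructed sample: three clients over two hours of resolver traffic."""
    t0 = datetime(2025, 12, 1, 9, 0, 0)
    lines = []
    # 10.0.0.5: ordinary client, 20 queries/min, 1 NXDOMAIN/min (typos, stale records)
    for minute in range(120):
        for i in range(20):
            ts = t0 + timedelta(minutes=minute, seconds=3 * i)
            rcode = "NXDOMAIN" if i == 0 else "NOERROR"
            lines.append(f"{ts.isoformat()} 10.0.0.5 app{i}.example.com {rcode}")
    # 198.51.100.7: one-minute burst of 60 failing lookups, then silence
    for i in range(60):
        ts = t0 + timedelta(minutes=30, seconds=i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 burst{i}.example.com NXDOMAIN")
    # 203.0.113.9: low-and-slow, 4 failing lookups/min for 90 minutes, every name unique
    for minute in range(90):
        for i in range(4):
            ts = t0 + timedelta(minutes=minute, seconds=15 * i)
            lines.append(f"{ts.isoformat()} 203.0.113.9 probe{minute}-{i}.example.com NXDOMAIN")
    return lines


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname, rcode


def spike_detector(lines: Iterable[str], per_minute_threshold: int = 30) -> set[str]:
    """Burst rule: flag any client with more NXDOMAIN answers than the threshold in one minute."""
    counts: dict[tuple[str, datetime], int] = defaultdict(int)
    for line in lines:
        ts, client, _, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            counts[(client, ts.replace(second=0, microsecond=0))] += 1
    return {client for (client, _), n in counts.items() if n > per_minute_threshold}


def sustained_detector(
    lines: Iterable[str],
    window_minutes: int = 15,
    min_consecutive: int = 4,
    min_ratio: float = 0.5,
    min_failures: int = 10,
) -> dict[str, int]:
    """Duration rule: flag clients whose NXDOMAIN ratio stays high across consecutive windows.

    Returns {client: longest run of consecutive windows that met the failure criteria}.
    A burst occupies one window and never builds a run; a slow prober builds one every window.
    """
    # client -> window index -> [total queries, NXDOMAIN answers]
    totals: dict[str, dict[int, list[int]]] = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in lines:
        ts, client, _, rcode = parse_line(line)
        win = (ts - EPOCH) // timedelta(minutes=window_minutes)
        bucket = totals[client][win]
        bucket[0] += 1
        if rcode == "NXDOMAIN":
            bucket[1] += 1

    flagged: dict[str, int] = {}
    for client, windows in totals.items():
        run = best = 0
        prev = None
        for win in sorted(windows):
            queries, nx = windows[win]
            hot = nx >= min_failures and nx / queries >= min_ratio
            if not hot:
                run = 0
            elif prev is not None and win == prev + 1 and run > 0:
                run += 1
            else:
                run = 1
            best = max(best, run)
            prev = win
        if best >= min_consecutive:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("spike rule flags:    ", spike_detector(log))       # only the burst client
    print("sustained rule flags:", sustained_detector(log))   # only the slow client, 6 windows
```

The window length is the main knob: shorter windows detect sooner but admit more ordinary noise, and the ratio and count floors should be set from the environment's own baseline rather than the constructed values used here. In production both rules belong side by side, since the burst rule still earns its keep against volumetric floods.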
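As a second added example (again not code from the DigiCert brief or from NHI Mgmt Group), the Python below illustrates the application-layer point made in the Technical breakdown (instrument controls for repeated low-and-slow probing) and in the third practitioner bullet above. A volume rule flags a scanner that sends hundreds of requests in a minute but sees nothing wrong with a client that sends one request every two minutes for two hours, mutating its session cookie one nibble at a time against the same endpoint. A detector keyed on cookie variation per path, request span, low rate, and error ratio catches that client. The access-log format, addresses, cookie values, and thresholds are constructed for the example.

```python
"""Volume-threshold versus low-and-slow probing detection over constructed access logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable

# Constructed, hypothetical access-log format (not a real server's format):
#   "<ISO-8601 time> <client-ip> <method> <path> <status> <session-cookie>"


def build_sample_log() -> list[str]:
    """Constructed sample: a normal user, a bulk scanner, and a low-and-slow prober."""
    t0 = datetime(2025, 12, 1, 9, 0, 0)
    lines = []
    # 10.0.0.5: normal user, 40 requests over two hours, one stable session cookie
    for i in range(40):
        ts = t0 + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 GET /account/orders/{i % 5} 200 sess=4f2a9c0e")
    # 198.51.100.7: bulk scanner, 500 requests inside one minute, no cookie, 404s
    for i in range(500):
        ts = t0 + timedelta(minutes=30, milliseconds=120 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 GET /scan/{i} 404 -")
    # 203.0.113.9: low-and-slow prober, one request every two minutes for two hours,
    # same path, session cookie altered one nibble at a time, mostly rejected
    base = "4f2a9c0e"
    for i in range(60):
        ts = t0 + timedelta(minutes=2 * i)
        pos = i % 8
        nibble = format((int(base[pos], 16) + 1 + i // 8) % 16, "x")
        mutated = base[:pos] + nibble + base[pos + 1:]
        status = 403 if i % 10 else 200
        lines.append(f"{ts.isoformat()} 203.0.113.9 GET /account/orders/0 {status} sess={mutated}")
    return lines


def parse_line(line: str) -> tuple[datetime, str, str, str, int, str]:
    ts, client, method, path, status, cookie = line.split()
    return datetime.fromisoformat(ts), client, method, path, int(status), cookie


def volume_detector(lines: Iterable[str], per_minute_threshold: int = 100) -> set[str]:
    """Classic rate rule: flag clients exceeding the request threshold in any one minute."""
    counts: dict[tuple[str, datetime], int] = defaultdict(int)
    for line in lines:
        ts, client, *_ = parse_line(line)
        counts[(client, ts.replace(second=0, microsecond=0))] += 1
    return {client for (client, _), n in counts.items() if n > per_minute_threshold}


def probe_detector(
    lines: Iterable[str],
    min_distinct_cookies: int = 20,
    min_span_minutes: float = 60,
    max_rate_per_minute: float = 2.0,
    min_error_ratio: float = 0.5,
) -> dict[str, dict]:
    """Duration rule: flag clients that vary their session cookie many times against one path,
    over a long span, at a rate far below any volume threshold, while mostly being rejected."""
    per_client: dict[str, dict] = defaultdict(
        lambda: {"times": [], "cookies_by_path": defaultdict(set), "errors": 0, "total": 0}
    )
    for line in lines:
        ts, client, _, path, status, cookie = parse_line(line)
        s = per_client[client]
        s["times"].append(ts)
        s["cookies_by_path"][path].add(cookie)
        s["total"] += 1
        if status >= 400:
            s["errors"] += 1

    flagged: dict[str, dict] = {}
    for client, s in per_client.items():
        span = (max(s["times"]) - min(s["times"])) / timedelta(minutes=1)
        rate = s["total"] / max(span, 1.0)
        distinct = max(len(v) for v in s["cookies_by_path"].values())
        err_ratio = s["errors"] / s["total"]
        if (distinct >= min_distinct_cookies and span >= min_span_minutes
                and rate <= max_rate_per_minute and err_ratio >= min_error_ratio):
            flagged[client] = {
                "distinct_cookies": distinct,
                "span_minutes": round(span),
                "rate_per_minute": round(rate, 2),
                "error_ratio": round(err_ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("volume rule flags:", volume_detector(log))   # only the scanner
    print("probe rule flags: ", probe_detector(log))    # only the slow prober
```

The design choice worth noting is that the probe rule deliberately requires a low rate and a long span, so it cannot be satisfied by a burst; the two rules are complementary, and the prober's per-minute count (well under one) is exactly why a WAF that only counts requests per minute would never see it.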

Key takeaways

  • The brief shows that internet pressure is becoming sustained rather than episodic, which changes how teams should think about resilience.
  • Longer DDoS activity and persistent automated probing increase operational strain, detection difficulty, and the chance that small misconfigurations become real incidents.
  • Practitioners should validate DNS, WAF, and mitigation controls for long-duration pressure and ensure identity-dependent services remain protected under continuous load.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations this guidance maps to.

  • NIST CSF 2.0, DE.CM-01: Continuous monitoring is central when DNS and application traffic stay noisy.
  • NIST CSF 2.0, PR.AA-01 (PR.AC-1 in CSF 1.1): Trust services that support identity and credential management need resilient verification paths.
  • NIST SP 800-207, Section 5.2 (Denial-of-Service or Network Disruption): The policy decision and enforcement points that gate access must stay reachable under prolonged network pressure.
  • NIST CSF 2.0, RS.MI-01: Mitigation must hold under prolonged attack, not only at first detection.

Extend detection baselines so persistent abuse is visible before it becomes service degradation.


Key terms

  • Sustained load: Sustained load is traffic or request pressure that remains elevated for long periods instead of peaking briefly and returning to normal. In security operations, it matters because it erodes the usefulness of spike-based alerts, recovery windows, and manual triage assumptions.
  • Low-and-slow probing: Low-and-slow probing is repeated testing of an application or service with small, varied requests intended to learn how it behaves without causing obvious disruption. It is effective because it blends into ordinary traffic patterns and reveals weak configuration over time.
  • Identity-dependent infrastructure: Identity-dependent infrastructure is the set of services that support authentication, trust, and access decisions, including DNS, certificate services, gateways, and related control points. When these systems degrade, identity operations often fail even if the identity platform itself is healthy.
  • Operational noise floor: Operational noise floor is the background level of traffic, alerts, and errors that teams must tolerate before something stands out as unusual. When the noise floor rises, detection becomes harder and security controls need stronger duration-based and context-aware logic.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by DigiCert: Q4 2025 RADAR Threat Intelligence Brief. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org