Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

DDoS and sustained DNS pressure: what security teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Sustained internet demand, higher DNS noise, and longer, more automated DDoS activity defined the end of 2025, with attackers increasingly using prolonged pressure rather than brief spikes to stress infrastructure, according to DigiCert. That shifts resilience from burst handling to continuous operations across DNS, network, and application layers.

NHIMG editorial — based on content published by DigiCert: Q4 2025 RADAR Threat Intelligence Brief

Questions worth separating out

Q: How should security teams defend against sustained DDoS pressure instead of short spikes?

A: Security teams should design for prolonged saturation, not just burst absorption.

Q: Why do sustained DNS anomalies matter for IAM and trust services?

A: DNS anomalies matter because authentication, certificate validation, and service discovery depend on reliable name resolution.

Q: What do security teams get wrong about low-and-slow application probing?

A: They often focus on volume thresholds and miss the value of repeated, small tests.

Practitioner guidance

What's in the full analysis

DigiCert's full report covers the operational detail this post intentionally leaves for the source:

  • Quarter-by-quarter DNS and application telemetry that shows how sustained load evolved across Q4.
  • The underlying network-event analysis used to distinguish traffic growth from hostile probing.
  • Examples of attack patterns observed across DNS, UltraDDoS Protect, and UltraWAF.
  • The vendor's supporting discussion of Aisuru and Kimwolf botnet pressure.

👉 Read DigiCert's Q4 2025 RADAR brief on sustained DDoS and DNS pressure →

DDoS and sustained DNS pressure: what security teams need now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Continuous pressure is becoming the default operating condition for internet-facing services. The brief’s most important signal is not just that traffic rose, but that the old distinction between peak and off-peak is breaking down. That means control designs based on short recovery windows are increasingly misaligned with how attackers and users now behave. For identity and access teams, the lesson is that availability, detection, and enforcement must be designed for steady-state stress, not exceptional events.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when prolonged internet pressure disrupts identity-dependent services?

A: Accountability usually sits across infrastructure, security operations, application owners, and identity teams because the failure crosses control boundaries. If DNS, web protection, or certificate services break under load, the programme failed at coordination as much as configuration. Governance should assign ownership before the next sustained attack, not during it.

👉 Read our full editorial: Q4 traffic and DDoS pressure are reshaping internet resilience



   
ReplyQuote
Share: