Vercara DDoS Analysis Report – January 2026

January 2026 saw a significant increase in DDoS activity against DigiCert-protected services compared to the prior month, driven primarily by concentrated targeting rather than a broad, even rise across all days. Most events remained low intensity, but the overall mix showed more attacks with the potential to create noticeable disruption, including an increase in mega-scale activity. The largest DDoS attack observed during the month exceeded 350 Gbps, reinforcing that malicious actors continue to maintain access to capable infrastructure and will apply it when disruption or leverage is the objective.
 
Operationally, three surge days accounted for a disproportionate share of the month’s activity and were each dominated by attacks against single providers. Two of these surges were back-to-back and focused on an IT/Technical Services provider, while the third targeted an Education provider. This pattern is consistent with campaign-style targeting, where repeated attempts over a short window are used to sustain pressure, test defenses, or amplify coercive messaging.
 
Attack methods remained largely consistent with high-volume flooding, with activity dominated by UDP and Total Traffic, followed by ICMP. Most attacks used a single observed vector, which suggests a preference for simple, repeatable execution rather than complex multi-vector coordination. Targeting also concentrated in sectors where disruption can create downstream impact, led by IT/Technical Services and Communication Service Providers, with Manufacturing emerging in the top three for the first time.
 
A key shift this month was the strong increase in carpet bombing behavior, which is operationally important because it can increase mitigation effort by dispersing traffic across many destinations and forcing broader defensive actions. Despite the higher activity level, the surge-driven targeting, and the increase in dispersion tactics, DigiCert mitigated all observed attacks without customer-facing service degradation.
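The dispersion effect described above can be seen in a small detection sketch. This is an added example, not part of the report or of DigiCert's tooling: the flow records are constructed, and the thresholds, the /24 aggregation size and the function name `classify` are assumptions chosen for illustration (IPv4 only).

```python
import ipaddress
from collections import defaultdict

# Constructed per-interval flow summaries: (destination IP, Mbps).
# Addresses come from documentation ranges; rates are illustrative.
SAMPLE_FLOWS = (
    [(f"203.0.113.{h}", 40.0) for h in range(1, 201)]  # 200 hosts, 40 Mbps each
    + [("198.51.100.7", 900.0)]                         # one host, single-target flood
    + [("192.0.2.10", 15.0), ("192.0.2.11", 20.0)]      # ordinary background traffic
)

HOST_THRESHOLD_MBPS = 500.0     # assumed per-destination alert threshold
PREFIX_THRESHOLD_MBPS = 2000.0  # assumed aggregate threshold for one prefix
MIN_HOSTS = 32                  # assumed minimum spread to call it dispersed
PREFIX_LEN = 24                 # assumed aggregation granularity (IPv4)

def classify(flows):
    """Return (single_target_hosts, carpet_bombed_prefixes) for one interval."""
    per_host = defaultdict(float)
    for dst, mbps in flows:
        per_host[ipaddress.ip_address(dst)] += mbps

    # Group destinations by covering prefix so dispersed traffic is summed.
    per_prefix = defaultdict(dict)
    for host, mbps in per_host.items():
        net = ipaddress.ip_network(f"{host}/{PREFIX_LEN}", strict=False)
        per_prefix[net][host] = mbps

    single, carpet = [], []
    for net, hosts in per_prefix.items():
        single.extend(str(h) for h, m in hosts.items() if m >= HOST_THRESHOLD_MBPS)
        # Only hosts that stayed under the per-host threshold count toward
        # dispersion, so one large flood is not mistaken for carpet bombing.
        quiet = [m for m in hosts.values() if m < HOST_THRESHOLD_MBPS]
        if len(quiet) >= MIN_HOSTS and sum(quiet) >= PREFIX_THRESHOLD_MBPS:
            carpet.append((str(net), len(quiet), sum(quiet)))
    return sorted(single), sorted(carpet)

if __name__ == "__main__":
    singles, carpets = classify(SAMPLE_FLOWS)
    print("single-target:", singles)
    print("carpet bombing:", carpets)
```

In the constructed data no host in 203.0.113.0/24 crosses the per-host threshold, so a per-destination detector stays silent while the prefix as a whole carries far more than the single-target flood.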
 
Overall, January’s results underscore a threat environment shaped less by constant background volume and more by short, high-concentration campaigns and tactics designed to increase operational friction. Continued focus on rapid detection, automated mitigation, and operational readiness for surge-driven targeting, particularly against IT/Technical Services and Communication Service Providers, will remain important to sustaining availability as malicious actor activity continues to evolve.

Stats at a Glance

  • Total Number of Attacks: 3,293 (a 49.68% increase compared to December 2025)
  • Total Number of Hours of Downtime Avoided: ~2,067.38 Hours
  • Number of Mega Attacks (100+ Gbps): 41 (a 78.26% increase compared to December 2025)
  • Largest DDoS Attack (Gbps): 354.27 Gbps
  • Largest DDoS Attack (million packets-per-second): 137.48 Mpps
  • Longest DDoS Attack: 3.80 Gbps
  • Average DDoS Attack (Gbps): 3.80 Gbps
  • Median DDoS Attack (Gbps): 0.10 (a 25% increase compared to December 2025)
  • Average DDoS Attack (packets-per-second): 979.58 Kpps
  • Median DDoS Attack (packets-per-second): 25.61 Kpps
  • Average Duration: 37.67 Minutes
  • Median Duration: 9.42 Minutes (a 21.55% increase compared to December 2025)
  • Unique vs Carpet Bombing: 58.31% Unique / 41.69% Carpet Bombing
  • Top Three Industries Targeted: IT/Technical Services (61.73%), Communication Service Providers (29.29%), Manufacturing (4.63%)