21 June 2026·9 min read·technology

DDoS Attacks and Mitigation for Indian Businesses: 2025

DDoS attacks on Indian businesses are rising fast. Learn how volumetric, protocol, and L7 attacks work — then build a layered CDN, WAF, and incident playbook.

Bachao.AI Research Team

Cybersecurity Research

Find out if you're exposed to this class of threat

Free scan · No credit card required

Scan Your Attack Surface

Security exposure this creates

Unpatched vulnerabilities in your tech stack are the #1 entry point for breaches targeting Indian businesses. Here's what to watch.

Bachao.AI Research Team

Cybersecurity Research

AI-powered security research and threat intelligence from the Bachao.AI team. Covering the latest vulnerabilities, CVEs, and cybersecurity developments affecting Indian businesses.

Get cybersecurity insights for Indian SMBs

Weekly vulnerability alerts, DPDP compliance tips, and security guides. No spam — unsubscribe anytime.

We respect your privacy. Your email is never shared.

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.

Run a free VAPT scan and get your risk score in minutes — no credit card required.

Book Your Free Scan

A Distributed Denial of Service (DDoS) attack floods your infrastructure with malicious traffic until legitimate users cannot reach you. For Indian businesses — especially in BFSI, e-commerce, and government-adjacent sectors — DDoS attacks are not hypothetical: CERT-In reported a significant rise in volumetric attacks targeting Indian IP ranges through 2024 and 2025. The practical question is not whether you will face one but whether your defenses can absorb it without taking your business offline. This guide gives you a layered defense framework you can implement today.

46%Rise in DDoS attacks targeting Asia-Pacific in H1 2025 (Cloudflare DDoS Threat Report Q2 2025)

73%Indian SMBs with no formal security assessment (DSCI India Cybersecurity Report 2024)

ℹ️

INFO

Industry reports from Cloudflare and Akamai consistently show that a large and growing share of DDoS campaigns now combine volumetric and application-layer vectors simultaneously — making single-layer defenses insufficient.

What Is a DDoS Attack

A DDoS attack uses hundreds or thousands of compromised machines — collectively called a botnet — to direct traffic at a single target simultaneously. Unlike a DoS (Denial of Service) attack from a single source, DDoS traffic is geographically distributed, making simple IP blocks ineffective. Attackers rent botnets through underground "booter" or "stresser" services for as little as a few dollars per hour, placing DDoS capability within reach of even low-skill adversaries targeting Indian SMBs.

The goal is always the same: exhaust a resource — bandwidth, CPU cycles, connection state tables, application thread pools — until the service fails for real users.

The Three Attack Types You Must Understand

Volumetric Attacks

These attacks aim to saturate your upstream bandwidth. Common methods include UDP floods, ICMP floods, and DNS amplification — where the attacker spoofs your IP and sends small DNS queries to open resolvers that reply with large responses, amplifying traffic by 50× or more. A 100 Gbps volumetric attack can overwhelm an unprotected datacenter uplink within seconds. Indian ISPs and datacenters frequently absorb collateral damage from such attacks when a targeted tenant shares infrastructure.

Protocol Attacks

Protocol attacks consume stateful resources on firewalls, load balancers, and servers rather than raw bandwidth. The classic example is a SYN flood: the attacker sends thousands of TCP SYN packets (connection requests) but never completes the handshake, filling the server's connection table and refusing legitimate connections. Smurf attacks and fragmented-packet floods fall in this category. A mid-tier firewall under SYN flood will drop legitimate traffic at relatively low packet-per-second rates.

Application-Layer (L7) Attacks

L7 attacks are the hardest to block because they look like legitimate HTTP/S requests. A slow HTTP POST attack (Slowloris variant) opens many connections and sends request bodies one byte at a time, holding threads open indefinitely. HTTP floods send thousands of GET or POST requests per second to resource-intensive endpoints — search pages, login forms, payment confirmation endpoints. These attacks need far less bandwidth than volumetric attacks to take down an unprotected application server.

🚨

DANGER

L7 attacks are the fastest-growing vector against Indian e-commerce and fintech. Because they mimic real users, traditional firewalls pass them through. You need a WAF with behavioral analysis, not just a packet filter.

The Business Impact for Indian Companies

DDoS attacks against Indian businesses have evolved from nuisance to extortion tool. Ransom DDoS (RDDoS) campaigns — where attackers threaten or launch a demonstration attack and demand payment to stop — have hit payment gateways, logistics platforms, and BFSI institutions. Even a 30-minute outage on a payment gateway during business hours represents material revenue loss plus settlement reconciliation effort and, increasingly, RBI-mandated incident reporting obligations.

For e-commerce platforms running peak sales, a DDoS attack during a sale window is catastrophic. For SaaS businesses with SLA commitments, unplanned downtime can trigger contractual penalties. For any Indian company processing personal data under the DPDP Act 2023, an availability breach may also constitute a reportable data incident depending on context.

⚠️

WARNING

CERT-In's 2023 directive (ref: CERT-In/MoC&IT/2022-01) requires critical sector entities to report incidents within 6 hours of detection. DDoS that causes service disruption qualifies. Non-reporting carries compliance risk independent of the attack itself. Full directive details: cert-in.org.in.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

The Layered Mitigation Architecture

No single control stops DDoS. Defense is a stack — each layer handles what the layer above could not.

graph TD
    A[Botnet / Attack Traffic] --> B[Upstream ISP / Transit]
    B --> C{CDN Anycast Scrubbing}
    C -->|Clean traffic| D[WAF and Rate Limiting]
    C -->|Flood traffic blocked| E[Blackhole / Null Route]
    D -->|Clean HTTP/S only| F[Load Balancer Origin Shield]
    D -->|L7 anomaly blocked| G[Drop at Edge]
    F --> H[Application Servers]
    H --> I[Legitimate User Response]
    A --> J[Protocol SYN Flood]
    J --> K{SYN Cookies Stateful Firewall}
    K -->|Clean SYN| F
    K -->|Malformed/incomplete| E

    style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style H fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style I fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style J fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style K fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0

Layer 1 — Upstream and ISP-Level Mitigation

Your ISP or transit provider is the first place volumetric traffic can be absorbed — before it reaches your datacenter uplink. Request that your hosting provider or ISP confirm they support BGP Blackhole Routing (RTBH) and have scrubbing capacity. Major Indian cloud providers (NxtGen, Tata Communications, Reliance Jio) and global providers with Indian PoPs offer upstream mitigation SLAs. If you are hosted on AWS, Azure, or GCP India regions, platform-level DDoS protection (AWS Shield Standard, Azure DDoS Basic) is on by default at no extra cost and handles most volumetric attacks.

Layer 2 — CDN and Anycast Scrubbing

A Content Delivery Network with Anycast routing is the most cost-effective DDoS control for most Indian SMBs. When traffic comes in, it hits the nearest CDN PoP (Cloudflare, Akamai, and AWS CloudFront all have Mumbai, Chennai, and Hyderabad PoPs). The CDN's global network absorbs volumetric floods locally without forwarding them to your origin. Traffic scrubbing centers perform deep-packet inspection on suspicious flows and drop them before the clean stream reaches your servers.

For static assets, CDN caching also means that even if the origin is under attack, cached responses keep serving users. Enable "Under Attack Mode" (Cloudflare's name for it) as an emergency control — it adds a browser challenge before any page load, blocking most bots.

Layer 3 — WAF and Rate Limiting

A Web Application Firewall operating at Layer 7 inspects HTTP/S requests. Configure it with:

Rate limiting rules: maximum requests per second per IP or ASN for sensitive endpoints (login, checkout, search)
Geo-blocking: if your user base is domestic, block traffic from countries you never serve
Bot management rules: distinguish automated traffic from browsers using fingerprinting and challenge-response
Threshold alerts: spike detection triggering automatic rule escalation

WAF rules should be tuned — overly strict rules block legitimate users. Run in detection mode first, review logs, then switch to blocking.

Layer 4 — Origin Hardening

Even with upstream mitigation, your origin server should be hardened:

Enable SYN cookies on the OS to handle SYN floods without filling connection tables
Set tight TCP connection timeouts — drop half-open connections faster
Use a load balancer to distribute traffic and decouple your origin IP from the public internet (origin IPs should never be publicly discoverable)
Limit application thread pools and set hard timeouts on slow requests (reject anything that has not sent a full request header within 5 seconds)

DDoS Attack Type Distribution

Industry reports from Cloudflare and Akamai consistently show volumetric attacks as the largest single category, followed by application-layer (L7) floods and protocol-level attacks such as SYN floods. DNS amplification and mixed multi-vector campaigns make up the remainder. The approximate breakdown below reflects the broad consensus across public threat intelligence; exact percentages vary by report and quarter.

pie title DDoS Attack Category Mix - Approximate Industry Consensus
    "Volumetric UDP/DNS Floods" : 30
    "HTTP / L7 Floods" : 25
    "SYN / Protocol Attacks" : 20
    "DNS Amplification" : 15
    "Mixed Multi-vector" : 10

DDoS Mitigation Control Comparison

Control	Attack Type Covered	Cost Tier	Complexity	Best For
Upstream ISP scrubbing	Volumetric	Low–Medium	Low	All businesses
CDN + Anycast (e.g. Cloudflare Free/Pro)	Volumetric + L7 cached	Low	Low	SMBs, static-heavy sites
WAF with rate limiting	L7, HTTP floods	Medium	Medium	API-heavy and SaaS apps
Cloud DDoS protection (AWS Shield Advanced)	All vectors	High	Low	High-revenue platforms
SYN cookies + OS hardening	Protocol / SYN flood	None	Low	All origins
BGP RTBH (null route)	Volumetric only	Low	Medium	Datacenter-hosted
Ransom DDoS response plan	Operational	None	Low	All businesses

The Incident Playbook: What to Do When You Are Under Attack

Most businesses lose the most time in the first 30 minutes because nobody knows whose job it is. Define this before an attack happens.

Step 1 — Detect and confirm (minutes 0–5) Alert thresholds in your monitoring should fire automatically. Confirm via: ISP uplink utilization spike, error rate spike on your load balancer, or CDN traffic dashboard showing abnormal request volume. Do not wait for users to report it.

Step 2 — Classify the attack (minutes 5–10) Is it volumetric (bandwidth saturated), protocol (connection table full), or L7 (application 503s with normal bandwidth)? The classification determines the response. Check your CDN dashboard for top attacking IPs, ASNs, and countries. Check your WAF for the offending URI patterns.

Step 3 — Activate controls (minutes 10–20)

Enable CDN "Under Attack" mode immediately
Apply geo-blocking for regions not in your user base
Rate-limit the offending endpoint at WAF layer
Call your ISP/cloud provider's DDoS response line if the attack is volumetric and saturating your uplink — this is a paid support escalation path

Step 4 — Notify stakeholders and log (minutes 20–60) Notify your CTO/security lead, customer success (for SLA tracking), and legal if you are in a regulated sector (BFSI, health). Start a timestamped incident log — this is the evidence trail for CERT-In reporting if required within 6 hours. Do not turn off logging during an attack.

Step 5 — Recover and post-incident Once traffic normalizes, do not immediately disable mitigations — attackers often pause and resume. Hold defensive posture for 24 hours. After 48 hours, conduct a post-mortem: what did detection miss, what was the total impact, what control gaps need to close?

💡

TIP

The single highest-return investment for an Indian SMB against DDoS is putting all public-facing traffic behind a CDN with automatic attack mode. It takes under an hour to configure and removes the majority of volumetric and L7 risk at low cost.

India Context: Why DDoS Risk Is Rising Here

Indian digital infrastructure is a fast-growing target. CERT-In advisories through 2024–2025 highlighted coordinated campaigns against Indian payment systems, government portals, and telecom providers. Several factors are driving this:

BFSI digitization: The UPI ecosystem processes over 13 billion monthly transactions (NPCI data, 2024), making payment gateways high-value targets for disruption and ransom
E-commerce peak events: Sale events (Diwali, Republic Day) are known attack windows because downtime costs are maximized
Hacktivism: Geopolitically motivated groups have targeted Indian government and energy sector infrastructure with DDoS as a statement
Cheap booter services: Stresser-as-a-service lowers the barrier; even disgruntled former employees or small competitors can rent an attack

For Indian SMBs, the exposure gap is widest between e-commerce platforms and B2B SaaS companies that have not yet placed their origin behind a proper CDN and WAF stack. Running a free VAPT scan will surface exposure of your public-facing endpoints, including open ports and services that amplify DDoS blast radius.

Bachao.AI, built by Dhisattva AI Pvt Ltd, automates the identification of attack-surface risks so your team can prioritize hardening before the next incident. For detailed coverage of your compliance posture under India's data protection regime, see /dpdp-compliance.

For ongoing coverage of cybersecurity threats affecting Indian businesses, follow the Bachao.AI blog. For current global DDoS threat intelligence, Cloudflare publishes quarterly reports at cloudflare.com/learning/ddos and CERT-In advisories are available at cert-in.org.in.

🎯Key Takeaway

DDoS defense for Indian businesses is a three-layer problem: absorb volumetric attacks at the network edge (CDN/ISP), block protocol attacks with SYN cookies and stateful controls, and detect L7 floods with a WAF. No single product solves all three. The businesses that survive DDoS are the ones with a written incident playbook and mitigations already configured — not scrambling to sign up for CDN services while the attack is in progress.

Frequently Asked Questions

What is the difference between a DoS and a DDoS attack?

A DoS (Denial of Service) attack originates from a single machine and can usually be blocked with a single IP ban. A DDoS (Distributed Denial of Service) attack uses thousands of compromised machines (a botnet) simultaneously, making simple IP blocking ineffective. DDoS is the dominant form used in practice because its distributed nature overwhelms defenses that rely on source-based filtering.

Can an Indian SMB afford meaningful DDoS protection?

Yes. Cloudflare's free and Pro tiers provide Anycast-based volumetric protection and a basic WAF with rate limiting at low monthly cost. AWS Shield Standard is included free on AWS-hosted workloads. OS-level SYN cookie hardening costs nothing. Meaningful DDoS protection for most SMBs does not require enterprise scrubbing center contracts — the CDN layer alone handles the majority of attack volume.

Does CERT-In require reporting DDoS attacks?

Yes, if you are an entity in scope of CERT-In's April 2022 directive (CERT-In/MoC&IT/2022-01) — which covers critical sectors including BFSI, IT/ITeS, e-commerce, and cloud providers — you must report DDoS attacks causing service disruption within 6 hours of detection. You must retain relevant logs for 180 days. Entities outside the directive's scope are encouraged but not mandated to report.

What is a ransom DDoS (RDDoS) attack?

Ransom DDoS is when attackers launch or threaten a DDoS attack and demand payment to stop or not to proceed. The playbook is: send a threatening email, launch a short demonstration attack to prove capability, then demand a ransom (often in cryptocurrency). The standard security advice is not to pay — payment does not guarantee cessation and marks you as a target willing to pay. Instead, activate your DDoS mitigation stack immediately and report to CERT-In.

What makes L7 DDoS attacks harder to stop than volumetric attacks?

L7 attacks send requests that are individually valid HTTP/S traffic — they look identical to a real user's browser request at the network level. Volumetric attacks can be identified by packet characteristics and dropped upstream. L7 attacks pass through network-level filters and only expose themselves through behavioral patterns — too many requests per second from one ASN, requests hitting unusual endpoints, or slow-read patterns that hold server threads open. Stopping them requires a WAF with behavioral rules and JavaScript-based browser challenges, not just packet filtering.

Should we pay a ransom to stop a DDoS attack?

No. Security authorities including CERT-In and international CERTs advise against payment. Paying confirms you are willing to pay, potentially triggering repeat attacks or referrals to other criminal groups. Activate your defensive controls, document everything for your incident report, and coordinate with your hosting provider and law enforcement. If the attack is causing catastrophic revenue loss and you have no mitigation in place, the priority is getting CDN protection live — not negotiating with attackers.