Cybersecurity April 14, 2026 8 min read

The 6.3 Tbps DDoS Attack That Dwarfed Mirai by 10x: What Your Company Needs to Know About the Aisuru Botnet

In May 2025, KrebsOnSecurity suffered a 6.3 Tbps DDoS attack, ten times larger than the legendary Mirai attack of 2016. The culprit: Aisuru, a new IoT botnet. INCIBE documents it in their latest technical report.

Carlos Salgado CEO & Co-founder · Delbion

INCIBE published a detailed technical analysis of DDoS attacks against enterprise infrastructure in July 2025. The starting point is a specific incident: in May 2025, KrebsOnSecurity suffered a massive attack of approximately 6.3 Tbps. It lasted about 40-45 seconds.

The scale was ten times that of the 2016 Mirai attack, already considered a milestone in cybersecurity history. That one reached 623 Gbps. This one: 6,300 Gbps.

KrebsOnSecurity was protected by Google Project Shield. Google confirmed it was the largest attack their infrastructure had ever suffered. The culprit is an IoT botnet called Aisuru.

6.3 Tbps in 45 seconds

KrebsOnSecurity is a cybersecurity journalism site run by Brian Krebs. A one-journalist site. And still, someone decided to launch the most powerful DDoS attack ever recorded against it.

If a site protected by Google's infrastructure receives the largest attack in Google's history, consider what a mid-sized company without dedicated protection might face.

6.3 Tbps

The attack against KrebsOnSecurity lasted 45 seconds and reached 6.3 Tbps of traffic. It was designed as a demonstration of a new IoT botnet called Aisuru. The attacker was testing the botnet's capacity, not trying to take the site down permanently.

Forty-five seconds is a demonstration, not a sustained assault. That is what makes it relevant: someone has a new weapon and wants people to know about it.

Aisuru: the IoT botnet that changes the rules

Aisuru is a botnet made up of compromised IoT devices. IP cameras, home routers, smart devices. Things people install and forget. No updates, no changed passwords, no monitoring.

Each of those devices is a soldier in an army its owner does not know they have. Your home router could be participating in an attack against a company without you knowing. Your office router too. The one in your warehouse as well.

The difference from Mirai (2016) is significant. In less than a decade, offensive capacity has multiplied by ten. The speed at which offensive capability grows outpaces the speed at which companies update their defences.

This has a direct implication: what seems like sufficient protection today may fall short within months, not years. DDoS mitigation solutions purchased two years ago may not be ready for what comes next.

Your company in the crosshairs


DDoS attacks do not only target large corporations. They target the network infrastructure of any organisation with an online presence. Online stores, booking platforms, customer portals, service APIs. If your business depends on a server responding, you are a potential target.

Spanish companies have a growing attack surface. More online services, more APIs, more third-party integrations, more IoT devices in offices and warehouses. Every connection point is a door a botnet can push on.

And you do not need to be a direct target. DDoS attacks are used as a distraction while other operations run in parallel: credential theft, lateral movement across the network, data exfiltration. If your security team is busy mitigating a DDoS attack, they are not watching what is happening inside.
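One way to act on this point is to correlate the traffic spike with what happened inside the network while the team was busy with it. The script below is an added example written for this article, not code from the original page or from INCIBE's report: it flags seconds where ingress volume is far above the median baseline, then pulls the authentication events that fell inside that window (plus a short slack after it) and groups them by source host. The flow samples and auth events are constructed, and the spike factor and slack are assumptions.

```python
"""Spot a volumetric spike and review what happened inside during it.

Added example for this article, not code from the original page or from
INCIBE's report. The flow samples and auth events below are constructed;
the spike factor and post-spike slack are assumptions."""
from statistics import median

# Constructed per-second ingress samples: (second, bytes). A steady ~50 MB/s
# baseline with a 45-second burst starting at second 60.
FLOW_SAMPLES = [(s, 50_000_000) for s in range(0, 60)]
FLOW_SAMPLES += [(s, 9_000_000_000) for s in range(60, 105)]
FLOW_SAMPLES += [(s, 50_000_000) for s in range(105, 150)]

# Constructed authentication events: (second, user, source ip, result).
AUTH_EVENTS = [
    (20, "alice", "10.0.5.12", "success"),
    (70, "svc_backup", "10.0.9.4", "failure"),
    (71, "svc_backup", "10.0.9.4", "failure"),
    (72, "svc_backup", "10.0.9.4", "success"),
    (80, "admin", "10.0.9.4", "success"),
    (140, "bob", "10.0.5.30", "success"),
]


def detect_flood(samples, factor=20):
    """Return (start, end) windows where bytes/s exceed factor x the median baseline.

    The median is used as the baseline because a short burst barely moves it,
    unlike the mean, so the threshold stays anchored to normal traffic.
    """
    baseline = median(b for _, b in samples)
    windows, start = [], None
    for sec, b in samples:
        if b > factor * baseline:
            if start is None:
                start = sec
        elif start is not None:
            windows.append((start, sec - 1))
            start = None
    if start is not None:
        windows.append((start, samples[-1][0]))
    return windows


def inside_activity(events, windows, slack=30):
    """Auth events that occurred during a flood window or up to `slack` seconds after it."""
    return [
        ev for ev in events
        if any(start <= ev[0] <= end + slack for start, end in windows)
    ]


def summarize_by_source(events):
    """Count auth results per source IP, so failures followed by a success stand out."""
    summary = {}
    for _, _, src, result in events:
        summary.setdefault(src, {"failure": 0, "success": 0})
        summary[src][result] += 1
    return summary


if __name__ == "__main__":
    windows = detect_flood(FLOW_SAMPLES)
    flagged = inside_activity(AUTH_EVENTS, windows)
    print("flood windows:", windows)
    for src, counts in summarize_by_source(flagged).items():
        print(f"{src}: {counts['failure']} failures, {counts['success']} successes during the flood")
```

On the constructed data the burst is detected as seconds 60 to 104, and the only source with activity inside that window is 10.0.9.4, which logged two failures followed by successes; that is the kind of event that gets lost when everyone is watching the traffic graph.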

The costs of a DDoS attack go well beyond downtime. Direct revenue loss, reputational damage, recovery costs, potential customer claims for SLA breaches. In sectors like e-commerce or financial services, one hour of downtime can mean tens of thousands of euros.

NIS2 and DDoS attacks: what changes

NIS2 classifies sectors as essential and important entities. Among the specific obligations are incident management and service continuity.

A DDoS attack that takes your service offline for hours is not just a technical problem. It is a security incident that must be reported, documented and managed according to protocols. If those protocols are not defined, you are not complying with NIS2.

NIS2 fines for non-compliance reach up to 10 million euros or 2% of global turnover. Not turnover in Spain. Global turnover of the organisation.

10M EUR / 2%

Maximum NIS2 fines for non-compliance: 10 million euros or 2% of annual global turnover, whichever is higher. NIS2 takes effect in Spain in 2026.

Companies classified as essential or important entities will have to demonstrate that they have operational and tested incident management measures in place. A document on a shelf is not enough. You need to be able to execute under pressure.

How to protect your infrastructure

Three concrete measures you should have in place before the end of the quarter:

1. Dedicated DDoS protection. Cloudflare, AWS Shield, Azure DDoS Protection, or equivalents. Do not rely on your hosting's firewall. A traditional firewall is not designed to absorb 6 Tbps of traffic. You need a mitigation layer that absorbs the volume before it reaches your infrastructure.

2. A documented and tested incident response plan. If you get attacked, that is not the moment to figure out who calls whom. The plan needs to be written, distributed and rehearsed. Every person on the infrastructure team needs to know their role when the monitoring dashboard turns red.

3. An attack surface audit. How many exposed services you have. How many IoT devices on your corporate network. How many third-party dependencies. Each of those points is a surface an attacker can use, directly or indirectly.

These three measures are the minimum. If your company falls under NIS2, you also need to document everything, establish notification timelines and designate responsible parties. Infrastructure audits and regular pentesting are how you verify that what you think is protected actually is.
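The third measure, the attack surface audit, comes down to comparing what is actually reachable with what the inventory says should be. The script below is an added example, not code from the article or from Delbion: it parses scan results in nmap's greppable (-oG) line format, counts open services, flags hosts missing from the inventory and ports the inventory does not expect, and calls out management or streaming services (telnet, SNMP, RTSP) that typically belong to forgotten IoT devices. The scan lines are constructed, and the inventory and risky-service list are assumptions for the example.

```python
"""Attack surface drift check: compare what is actually exposed with what is expected.

Added example, not code from the article or from Delbion. The scan output is
constructed in nmap's greppable (-oG) line format; the expected-exposure
inventory and the list of risky services are assumptions for the example."""
import re

# Constructed nmap -oG style lines (fields: port/state/proto/owner/service/rpc/version).
SCAN_OUTPUT = (
    "Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\n"
    "Host: 203.0.113.11 (api.example.com)\tPorts: 443/open/tcp//https///, 22/open/tcp//ssh///\n"
    "Host: 203.0.113.20 (cam-lobby.example.com)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 554/open/tcp//rtsp///\n"
    "Host: 203.0.113.21 ()\tPorts: 8080/open/tcp//http-proxy///, 161/open/udp//snmp///\n"
)

# What the inventory says should be reachable: ip -> {(port, proto)}.
EXPECTED = {
    "203.0.113.10": {(80, "tcp"), (443, "tcp")},
    "203.0.113.11": {(443, "tcp")},
}

# Management/streaming services that should not face the internet, typical of
# forgotten IoT devices such as cameras and routers (assumed list).
RISKY = {(23, "tcp"): "telnet", (161, "udp"): "snmp", (554, "tcp"): "rtsp"}

PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)")


def parse_grepable(text):
    """Return {ip: {(port, proto, service), ...}} for every open port in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        hosts[ip] = {(int(p), proto, svc) for p, proto, svc in PORT_RE.findall(line)}
    return hosts


def exposed_service_count(hosts):
    """Total number of open ports across all scanned hosts."""
    return sum(len(ports) for ports in hosts.values())


def audit(hosts, expected, risky):
    """Return (ip, finding, detail) tuples for drift from the inventory and risky exposures."""
    findings = []
    for ip, ports in hosts.items():
        allowed = expected.get(ip)
        if allowed is None:
            findings.append((ip, "host not in inventory", None))
        for port, proto, svc in sorted(ports):
            if allowed is not None and (port, proto) not in allowed:
                findings.append((ip, "unexpected service", f"{port}/{proto} {svc}"))
            if (port, proto) in risky:
                findings.append((ip, "risky service exposed", risky[(port, proto)]))
    return findings


if __name__ == "__main__":
    hosts = parse_grepable(SCAN_OUTPUT)
    print(f"{exposed_service_count(hosts)} open services on {len(hosts)} hosts")
    for ip, finding, detail in audit(hosts, EXPECTED, RISKY):
        print(f"{ip}: {finding}" + (f" ({detail})" if detail else ""))
```

Run against a real scan of your own address space, the useful output is the drift: the SSH port nobody documented on the API host, and the two hosts that are not in the inventory at all, one of them a camera with telnet open. Those are the items to close or justify before the audit is repeated.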

Pentesting + Infrastructure audit

Do you know how many exposed services your company has?

We perform attack surface audits and pentesting to identify entry points before someone else finds them for you. Includes infrastructure analysis, exposed services and IoT devices on your corporate network.


Next step

Do you know how many entry points your infrastructure has?

The Aisuru botnet proved that offensive capacity grows faster than defences. Before someone decides to use your infrastructure as a proof of concept, let's review together what you have exposed and how to protect it.
