In April 2026, authorities in the UAE reported cyberattacks had tripled to around 600,000 per day. Cyberattacks have targeted government platforms, energy systems, and ecommerce infrastructure. The volume is notable. What matters more is the relative ease at which these attacks can be launched by a such a broad array of bad actors.
Across the region, distributed denial-of-service (DDoS) incidents have increased in frequency and spread. In several recent cases, attacks affecting more than 100 organisations unfolded over a matter of days.
For a long time, the discussion around DDoS focused on scale. Higher bandwidth, larger floods, new records. Now, this framing is no longer sufficient. The defining factor today is not how large an attack can become, but how easily it can be launched and how often it can be repeated. Many attacks now use tools and infrastructure that would have been out of reach for most actors only a few years ago. This change signals a broader shift in how DDoS risk should be understood.
When barriers fall
Two developments reached operational maturity in 2025 and together reshaped the threat landscape.
The first is the widespread use of everyday connected devices as sources of attack traffic. Home routers, Wi-Fi equipment and internet-connected cameras are routinely compromised and controlled at scale. Individually, they generate limited traffic. In aggregate, they create volumes previously associated only with well-resourced groups. Direct-path attacks exceeding one terabit per second are now part of normal activity.
This has placed sustained pressure on telecommunications infrastructure. In the UAE, data from H2 2025 shows that wired telecommunications carriers were the most targeted sector, recording 6,368 DDoS attacks. The average duration exceeded 1,000 minutes. This is not sporadic disruption. It is continuous operational strain.
What makes this significant is the source of capacity. It is not built on specialised infrastructure. It comes from devices already deployed across residential, enterprise and cloud environments. The attack surface is persistent and difficult to predict.
The second development is the use of artificial intelligence (AI). Conversational tools now guide users through attack configuration using plain language. This does not make attacks more complex, it removes friction in the execution. The deciding factor is no longer expertise, but intent.
These two trends reinforce each other. Compromised devices provide scale. AI reduces the barrier to entry. Together, they compress the gap between deciding to disrupt a service and being able to do so.
From technical issue to governance question
When attack traffic originates from millions of distributed devices, responsibility becomes harder to define. Compromised routers, unsecured cameras and misconfigured cloud instances can all generate outbound traffic without the owner’s awareness. The distinction between victim and participant is no longer clear.
This creates practical consequences. Regulatory expectations, contractual exposure and reputational risk do not depend on technical attribution alone. Organisations that manage infrastructure or provide connectivity are finding that inbound protection is not enough. Outbound abuse originating from their networks introduces a different category of risk.
Data from the UAE illustrates this. Hundreds of attacks recorded against computing and hosting providers in late 2025 often lasted several hours. When a provider is disrupted, the impact cascades across every organisation that depends on it. And, when compromised assets within a provider’s network are used to attack others, accountability shifts upward. Different bad outcomes that are equally troubling.
DDoS resilience is no longer a narrow operational issue. It requires executive ownership, continuous visibility and a clear understanding of how network assets behave.
Why the region feels this pressure
Across the Gulf, digital infrastructure supports national economic programmes. Cloud services, public platforms, payment systems and connected industries depend on constant availability. Even short disruptions carry consequences.
Recent figures reflect the scale of pressure. The UAE recorded more than 10,000 disruption attempts in H2 2025. This creates a continuous burden on monitoring and response functions. Models that focus only on downtime or peak bandwidth fail to capture the cumulative effect of persistent activity.
At the same time, the range of targets is expanding. In the UAE, attack activity has been recorded in sectors such as retail and publishing. These are not traditionally high-risk industries. The implication is simple. Any organisation that depends on online availability is now part of the threat landscape.
Attack behaviour is also changing. Incidents combining multiple attack types within a single event are increasingly common. Sudden spikes reaching multi-terabit levels are designed to overwhelm systems before response mechanisms can react. Metrics based on averages do not capture this dynamic.
What needs to change in practice
The response to this environment does not lie in building ever larger capacity or preparing only for rare events. It lies in treating persistent network abuse as a normal operating condition.
Visibility must extend beyond inbound traffic. Organisations need continuous insight into how their assets behave, including outbound activity. When compromised devices generate attack traffic, the issue is no longer purely technical.
Resilience must also be continuous. Periodic testing and static controls are not sufficient in an environment defined by constant pressure and sudden spikes. Effective response depends on real-time awareness and the ability to adapt.
Clear ownership is critical for successful mitigation. Fragmented responsibility across teams slows response and increases exposure. Planning models must reflect persistence, not just peak events.
Rethinking assumptions
The activity seen across the Gulf in early 2026 shows that this new environment is now a permanent reality. Yet many organisations still treat DDoS resilience as a technical capability to be reviewed periodically rather than an operational condition to be managed continuously. That assumption no longer fits.
The sources of attack traffic are already embedded in networks, data centres and cloud environments. The difference between being targeted and contributing to disruption is narrower than many leaders suspect. The question is not whether infrastructure will face this pressure, but whether governance and response models reflect the reality that now exists.
Accessibility has overtaken scale as the defining risk. Organisations that recognise this shift will be better positioned to protect not only their networks, but the continuity and trust on which digital services depend.
Gaurav Mohan is SVP Sales, APAC, India & Middle East, Netscout
Sign up for the Daily Briefing
Get the latest news and updates straight to your inbox
Network Links
GN StoreDownload our app
© Al Nisr Publishing LLC 2026. All rights reserved.