Jay Coley, Director of Security Architecture at Fastly, explains why the UK is becoming a hotspot for DDoS disruption.

DDoS attacks are an unfortunate fact of life.

They can strike at any point, any business with a public standing is a potential target. 

New data from Fastly’s monthly DDoS weather report shows that attacks almost tripled in February, leaving businesses facing a hailstorm of cyber crime that even the most robust defences can’t keep at bay forever.  

Looking at a breakdown, the UK is becoming a hotspot for attackers.

As an affluent country that is home to a large concentration of notable enterprises, IoT devices and large cloud services, the UK is both a prevalent source and victim of DDoS disruption.  

The sheer volume of interconnected systems, combined with the increasing sophistication of cyber threats, makes the country particularly exposed.

Worryingly, businesses globally are currently being dragged into lengthier recovery processes than they’d hope when cyber incidents strike.

Many organisations are struggling with the fallout of these attacks, while also facing regulatory pressures to improve their cybersecurity resilience and response times. 

DDoS breaches cause long-lasting financial and reputational damage to organisations.

Almost a quarter (23%) of organisations in our latest global security report listed DDoS as a top security concern for this year due to the financial hit, operational difficulties and website outages that these attacks lead to.

Despite the attention on DDoS in cybersecurity, big companies remain vulnerable due to the sheer scale of attempts and the inability to detect an impending attack.

This ever-growing risk is something businesses in the UK have to take seriously.  

Trouble in the UK 

DDoS attack volumes have been growing consistently for many years. 

Fastly observed a 285% surge in these attacks in February, matching a concerning three-month pattern of sizeable growth.

A pretty bleak picture that looks worse for British businesses.

The UK seems to be growing as a hub for those carrying out DDoS attacks, rising into the top five countries globally for attack requests through our network.

This is of course only one month, but Britain appeals to these cyber criminals for a reason.  

Since the advent of cloud services, DDoS attackers have found it far easier to run attacks.

Clouds provide easier management of attack traffic than individually owned devices and Fastly data shows a growing concentration of DDoS attacks originating from the UK.  

Sectors suffering 

Understanding how DDoS attackers operate and who they target is a vital first step to making a business more resilient.

A large proportion of attacks are carried out by bots, but humans are still behind their motivations and timings.

They know when to strike and there are notable spikes and lulls that mirror the wider population’s online habits. 

DDoS is a highly seasonal phenomenon, with predictable peaks around shopping events, sports matches, product launches, the list goes on – if a well-known company is involved and swarms of people will be online, DDoS attacks are a matter of ‘when’ and not ‘if’.  

In the UK, commonalities appear between February’s most common victims that ring true through the rest of the year as well.

Big news means big attacks, so any company engaged with events like the looming global trade conflict, war in Ukraine or any other contentious topic that someone may want to censor are likely targets for DDoS criminals.

This puts organisations in high-tech and the media in the firing line.

User privacy and anti-censorship measures are closely guarded by these industries, and DDoS is a modern-day form of aggressive censorship that can’t be seen coming.  

Businesses losing time 

These attack patterns are coming at a time when businesses around the world are failing to recover from cyber incidents at the usual pace. 

Recent research we carried out found that organisations now take an average of 7.3 months to recover from cyber incidents, 25% longer than they would normally expect.

This extended recovery time places additional strain on already overstretched security teams, contributing to prolonged operational disruptions and increased financial and reputational risks.  

Protections in the UK are generally robust, but attackers are always looking for new ways to generate large amounts of traffic.

Law enforcement can snuff out DDoS rings and force them to start from scratch, but they tend to watch and wait for as long as possible so they can identify the centres of command and control before taking action, in order to take out as much at one time as possible.  

This means prevention is the absolute priority for companies at risk, as waiting for intervention can leave businesses vulnerable for extended periods.

A majority of data processed through media organisations is now estimated to be bot traffic, making DDoS a ticking time bomb for those businesses most likely to be targeted.

These organisations hold a lot of IP data for bad actors to exploit. It’s imperative that preparations match the risk. 

DDoS should really be seen as an availability issue, as fundamental to the smooth running of a business site as a reliable source of power.

Software engineering and cybersecurity teams are accountable for the reliability of their sites, which DDoS attacks directly aim to sabotage.

Attacks of this nature can’t be predicted, but they can be anticipated with practice runs built into planning processes that prepare teams for the worst, particularly in the run-up to predictable news events and weekend peaks in activity.  

Think like a cyber criminal  

DDoS attacks are primarily carried out by bots, but are seasonal, news-driven and originate from real humans with schedules and daily lives.

Looking at trends with this in mind tells you a lot about how to prepare security teams for the inevitable.  

The UK, as a hub for technological innovation and global headlines, is particularly exposed to these risks.

The potential for DDoS attacks to be used not just for disruption, but also as a tool for privacy invasion and censorship, is significant.

Threat actors may leverage these attacks to silence voices, disrupt critical services, or even exert political or financial pressure.

Given this growing threat, now is the time for businesses to double down on investment in tools and thorough proactive preparation around times of peak activity. 

This article was originally published in the April 2025 Edition of Security Journal UK. To read your FREE digital edition, click here.