The last years have been dominated by massive IoT-botnets. Ever since Mirai had been released 10 years ago, whenever a DDoS attack made it to headlines, it was usually an IoT-Botnet: Bigger, Faster, Harder; leading up to attacks with 2 Mio bots, 31 TB/s attack traffic or 240 million requests per second.

But a shift silently happened. At first, there were only isolated reports that server-based botnets were being used for attacks, such as the attack by Anonymous Sudan on Microsoft in 2023 - which impacted Teams, Office, Outlook, and Azure.
In its report on the attack on Microsoft, Radware explains:


The group leverages public cloud server infrastructure to generate traffic and attack floods while leveraging free and open proxy infrastructures to hide and randomize the source of the attacks. (RW)

Over the past two years, an increasing number of reports from vendors have pointed to a resurgence of server-based botnets, leading to more powerful and sophisticated attacks.

So let's fast-forward to 2026, where Cloudflare reports:

src: https://blog.cloudflare.com/ddos-threat-report-2025-q4/

That’s a pretty bold claim, and it also implies a shift in attackers’ capabilities. But let’s start by explaining:

What are Server-Based DDoS Botnets

Server-based DDoS botnets are attack networks where the bots are compromised servers or cloud services rather than consumer devices. They typically consist of hacked VPS, dedicated servers, web-hosting accounts, or cloud instances infected via exploits, brute-force attacks, or malware. These high-performance bots, controlled by a central C&C, generate massive bandwidth (often 1–10+ Gbps per node) for powerful volumetric and application-layer floods while blending into legitimate data-center traffic.

Server-based botnets are nothing new and were the main source of DDoS attacks prior Mirai, but at that time, the primary purpose of these botnets was spam or ad fraud (BN). They were only supplanted by Mirai and its successors, such as Meris and Aisuru, which dominated the headlines with ever-more-staggering figures in terms of size (2 million devices) or firepower (1 TB/s → 6 TB/s → 30 TB/s).

Why are Server-Based Botnets problematic?

First, we need to look at the capabilities of IoT botnets; then the advantages will become very clear very quickly.


IoT - Bots are very limited in both capabilities and firepower per bot, but generate their impact through sheer size, often in the 100s of thousands. The original Mirai-Botnet is known to have at least 100.000 Bots, and Meris nowadays counts 200.000 Bots, with Aisuro taking the lead with up to 2 million bots. (CV2)

src: https://blog.kybervandals.com/layer-7-bots-explained-iot-vs-pseudobrowser-vs-browser/

The current state-of-the-art mitigation measures are highly effective at detecting and mitigating IoT bots; our experience with all Layer 7-based tests shows that a well-tuned defense system acts as an insurmountable barrier against IoT-attacks.

To overcome this defense, you need more “logic” in the bots - or, better yet, browser bots with cookie storage and the ability to follow click paths and maintain sessions in order to simulate normal user behavior.

Server-based botnets offer these capabilities, which explains why they are now being used more frequently: they provide an effective way to circumvent defenses designed to counter IoT botnets, especially if you combine them with Residential Proxies and Rapid Proxy Rotation, which will make the attack indistinguishable from normal user-traffic. (CV3)

Server Based Botnets provide an effective way to circumvent defenses designed to counter IoT botnets.

References