Predicting DDoS attacks: How deep learning could give defenders an early warning
Distributed denial-of-service (DDoS) attacks remain one of the most common and disruptive forms of cybercrime. Defenders have traditionally focused on detecting these attacks once they are underway. New research suggests that predicting DDoS attacks in advance may be possible, giving security teams a head start in planning their defenses.
A new study outlines an approach to forecasting DDoS activity using deep learning. The researchers from Universiti Malaya and Universiti Teknikal Malaysia Melaka analyzed 192,525 DDoS attacks that took place between 2019 and 2021. Their goal was to determine whether patterns in past activity could be used to forecast upcoming surges.
The team focused on the COVID-19 period, when many organizations were forced to shift operations online. During this time, DDoS activity grew sharply, with attack sizes and durations reaching unprecedented levels. In one example, the researchers found a 94 percent increase in attacks that exceeded 1 terabit per second between 2019 and 2020.
Moving from detection to prediction
Most cybersecurity tools are designed to detect attacks in real time. By the time an anomaly is flagged, damage may already be done. The researchers propose a different approach that focuses on predicting DDoS attacks rather than just detecting them.
Their model uses long short-term memory (LSTM), a type of recurrent neural network designed to learn patterns in sequential data. In this case, the sequence is time-series data of DDoS activity. By training the model on historical attack data, the system attempts to predict what will happen next, such as a spike in traffic volume or a sudden increase in attack duration.
While the predictions were not exact, the model showed promising results. It successfully identified when significant spikes in attack activity were likely to occur, even if it did not always predict the exact size of the surge. For security teams, even this partial foresight could be valuable. A warning of an upcoming increase in DDoS traffic could help organizations allocate resources, adjust network configurations, or prepare mitigation services before the attack peaks.
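As an added illustration (not code from the study), the two pieces the paragraph above describes: turning a daily attack-count series into the sliding windows a sequence model such as an LSTM trains on, and scoring a forecast on spike timing separately from spike magnitude. The daily counts and the forecast values are constructed; the forecast stands in for what an LSTM would output.

```python
from statistics import mean, pstdev

# Constructed daily DDoS attack counts (not the paper's Digital Attack Map data)
ACTUAL = [120, 130, 125, 140, 135, 410, 150, 145, 155, 160,
          158, 520, 170, 165, 172, 180, 178, 640, 190, 185]
# Constructed forecast: the surge days are right, their size is under-estimated
PREDICTED = [118, 128, 130, 138, 140, 260, 152, 148, 150, 162,
             160, 330, 168, 170, 170, 182, 180, 400, 188, 190]
WINDOW = 5   # days of history per training sample
K = 2.0      # a day is a spike if it exceeds the window mean by K std devs


def make_windows(series, window=WINDOW):
    """(history, next_value) pairs: the supervised shape a sequence model trains on."""
    return [(series[i:i + window], series[i + window])
            for i in range(len(series) - window)]


def spike_days(series, window=WINDOW, k=K):
    """Indices of days that exceed the preceding window's mean by k standard deviations."""
    days = set()
    for i in range(window, len(series)):
        hist = series[i - window:i]
        if series[i] > mean(hist) + k * pstdev(hist):
            days.add(i)
    return days


def evaluate(actual, predicted, window=WINDOW, k=K):
    """Score timing (did the forecast flag the real spike days?) apart from magnitude
    (how far off was the forecast on those days?). A forecast can be useful for
    capacity planning on timing alone, which is the study's partial result."""
    real, flagged = spike_days(actual, window, k), spike_days(predicted, window, k)
    hits = real & flagged
    spike_err = mean(abs(predicted[i] - actual[i]) / actual[i] for i in real) if real else 0.0
    return {
        "recall": len(hits) / len(real) if real else 0.0,       # real spikes that were flagged
        "precision": len(hits) / len(flagged) if flagged else 0.0,  # flagged days that were real
        "spike_mape": spike_err,                                 # magnitude error on spike days
    }


if __name__ == "__main__":
    print("training samples:", len(make_windows(ACTUAL)))
    print(evaluate(ACTUAL, PREDICTED))
```

With the constructed data every real surge day is flagged, yet the forecast misses the surge size by roughly a third, which is the "right timing, wrong magnitude" outcome the article describes.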
A global dataset with local impact
The dataset used in this research was scraped from the Digital Attack Map, a project that visualizes DDoS activity worldwide. The data came from more than 330 internet service providers, making it one of the more comprehensive public sources available for predicting DDoS attacks on a global scale.
By analyzing this global data, the researchers identified key trends in how attackers operate. Total Traffic, UDP Misuse, and IP Fragmentation attacks were the most common types throughout the study period. The research also found that while some attack methods have been around for years, they are not going away. Instead, attackers are combining older techniques with new tactics, creating complex, multi-vector campaigns that are harder to defend against.
These findings match what many security teams are seeing on the ground. The rise of IoT botnets and “DDoS-for-hire” services has made it easier for attackers to launch varied and unpredictable campaigns. This diversity of tactics is a major reason why static defenses often fail.
Why prediction matters for security teams
The study highlights an important shift in how defenders think about DDoS threats. Detection and mitigation will always be necessary, but they are reactive steps. Predicting DDoS attacks offers a chance to move upstream, anticipating threats before they materialize.
The technology is not ready for production use yet. The researchers acknowledge that their model has a high margin of error and needs further refinement. However, the concept itself is gaining traction. As machine learning models improve and datasets become more detailed, prediction could become a standard part of DDoS defense.
The research also underscores the value of good data. Accurate forecasting depends on large, up-to-date datasets. Many existing public datasets are outdated or incomplete, which limits the accuracy of current models. Security teams may need to work closely with service providers and threat intelligence partners to ensure they have access to relevant, high-quality data.
The future of DDoS forecasting
While this study is still early stage, it offers a glimpse of where DDoS defense might be heading. In the future, organizations could have dashboards that show current attack traffic and likely activity hours or even days ahead. That shift from reacting to predicting DDoS attacks could make a difference in how defenders prepare for large-scale disruptions.
For now, the research provides a foundation for future development. It also gives CISOs a reason to begin conversations with their teams about how predictive analytics might help them get ahead of one of the most persistent threats in cybersecurity.