# A Survey of Emerging DDoS Threats in New Power Systems

**Authors:** Fan Luo, Siqin Fan, Guolin Shao

PMC · DOI: 10.3390/s26041097 · 2026-02-08

## TL;DR

This paper explores how DDoS attacks are evolving into complex multi-stage operations and how new defenses like AI can help counter them.

## Contribution

The paper introduces a new three-phase DDoS attack chain model and outlines emerging defense strategies leveraging large language models and adaptive systems.

## Key findings

- DDoS attacks are increasingly multi-stage, relying on new hardware and network protocols.
- Current defenses include anycast, scrubbing, and adaptive ML detection, but gaps remain.
- Future research should focus on cross-layer telemetry and cooperative mitigation strategies.

## Abstract

Distributed Denial-of-Service (DDoS) attacks remain the most pervasive and operationally disruptive cyber threat and are routinely weaponized in interstate conflict (e.g., Russia–Ukraine and Stuxnet). Although attack-chain models are standard for Advanced Persistent Threat (APT) analysis, they have seldom been applied to DDoS, which is often framed as a single-step volumetric assault. However, ubiquitous intelligence and ambient connectivity increasingly enable DDoS campaigns to unfold as multi-stage operations rather than isolated floods. In parallel, large language models (LLMs) create new opportunities to strengthen traditional DDoS defenses through richer contextual understanding. Reviewing incidents from 2019 to 2024, we propose a three-phase DDoS attack chain—preparation, development, and execution—that captures contemporary tactics and their dependencies on novel hardware, network architectures, and application protocols. We classify these patterns, contrast them with conventional DDoS, survey current defenses (anycast and scrubbing, BGP Flowspec, programmable data planes, adaptive ML detection, API hardening), and outline research directions in cross-layer telemetry, adversarially robust learning, automated mitigation orchestration, and cooperative takedown.

## Figures

4 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12943918/full.md

---
Source: https://tomesphere.com/paper/PMC12943918