



Distributed Denial-of-Service (DDoS) attacks have become one of the most disruptive cyber weapons wielded against Indian enterprises in 2026. Once considered a nuisance reserved for large multinationals, volumetric floods and sophisticated application-layer attacks now routinely cripple mid-market banks, logistics companies, hospitals, and manufacturing plants across India. The numbers are stark: India ranked among the top five most-targeted countries for DDoS attacks in the first half of 2026, with the financial services, telecom, and e-commerce sectors absorbing the heaviest blows.
For Indian CISOs and IT leaders, the question is no longer whether a DDoS attack will arrive — it is whether your defences are in place before it does. This guide breaks down the 2026 DDoS threat landscape, explains the multi-layered mitigation architecture that actually works, and offers a practical checklist your team can act on today.
DDoS attacks have evolved far beyond simple bandwidth floods. Modern campaigns layer multiple attack vectors simultaneously, often combining:
AI-powered botnets have accelerated this complexity. Attackers can now dynamically shift source IPs, rotate attack vectors mid-campaign, and mimic legitimate user behaviour well enough to defeat basic rate-limiting. The average DDoS attack duration has shrunk — many campaigns last only 10–20 minutes — but the damage to brand reputation, customer trust, and regulatory standing can last months.
“A 15-minute DDoS against an NBFC’s payment gateway during peak business hours can wipe out crores in transactions and trigger RBI’s incident reporting obligations simultaneously.”
Despite growing awareness, several structural gaps leave Indian organisations exposed:
Many enterprises believe that subscribing to their ISP’s DDoS mitigation service is sufficient. ISP scrubbing centres are valuable for volumetric attacks, but they introduce latency, may not cover application-layer traffic, and are often triggered only after significant downtime has already occurred.
Standard next-generation firewalls perform deep packet inspection on every session. Under a DDoS flood, the connection table fills up, legitimate sessions get dropped, and the firewall itself becomes the bottleneck. Enterprises need firewalls with dedicated DDoS hardware acceleration — FortiGate’s NP (Network Processor) series offloads SYN cookie generation and volumetric filtering to purpose-built ASICs, keeping the CPU free for legitimate traffic even under multi-Gbps floods.
Without a clear picture of what normal traffic looks like, anomaly detection triggers too late or too often. Accurate baselining — by protocol, by time of day, by geography — is the foundation of any effective DDoS response.
A DDoS attack can knock a service offline in under two minutes. Manual escalation paths that depend on a security engineer noticing an alert, calling the ISP, and tuning ACLs can take 30–60 minutes. That gap is the damage window. Automated countermeasures and a 24/7 NOC watching the network in real time close that window dramatically.
Under the CERT-In directions, significant cyber incidents — including DDoS attacks that affect availability — must be reported within six hours of detection. Many enterprises have no documented DDoS incident-response procedure, making compliance reporting chaotic and potentially late.
Effective DDoS defence is not a single product — it is a layered architecture that addresses each attack type at the right point in the traffic path.
Cloud-based scrubbing services sit upstream of your data centre, absorbing volumetric attacks at scale. Traffic is rerouted through a scrubbing centre (via BGP or DNS diversion), malicious packets are stripped out, and clean traffic is tunnelled back to your infrastructure. This layer handles the multi-hundred-Gbps floods that would overwhelm any on-premise equipment. When evaluating cloud scrubbing providers, look for Indian PoPs to minimise latency for your users, and SLAs that specify mitigation-onset time in seconds, not minutes.
At the network perimeter, FortiGate firewalls with NP processors handle the traffic that passes through cloud scrubbing — or the smaller attacks that never triggered cloud diversion in the first place. Key FortiGate DDoS capabilities include:
Layer 7 attacks target your web applications directly and bypass volumetric defences entirely. A Web Application Firewall (WAF) — whether FortiWeb or a cloud-native equivalent — inspects HTTP/S requests against behavioural models, rate limits per URI and session, and challenges suspicious clients with CAPTCHAs or JavaScript puzzles. This layer is where Slowloris, HTTP floods, and API endpoint exhaustion get absorbed.
Automation handles the first 30 seconds; humans handle the hours that follow. A dedicated 24/7 NOC team continuously monitors traffic baselines, tunes detection thresholds, coordinates with cloud scrubbing providers, and manages the CERT-In reporting process. This layer is what converts a DDoS event from a prolonged outage into a managed incident.
Defence is not only about blocking attacks — it is also about staying up when some traffic does get through. Multi-link ISP redundancy with automatic failover, anycast DNS, and geographically distributed application infrastructure ensure that even a partially successful attack cannot cause a complete outage.
If your organisation runs FortiGate NGFWs, the following configuration controls should be reviewed and activated:
Under CERT-In’s April 2022 directions (and their subsequent clarifications), a DDoS attack that causes a significant disruption to IT infrastructure must be reported to CERT-In within six hours of detection. “Significant” is broadly interpreted — if a DDoS attack affects customer-facing services, disrupts internal operations, or requires emergency response, the reporting obligation almost certainly applies.
What your CERT-In DDoS reporting process should include:
Organisations that have a managed security partnership in place — with a provider whose NOC generates time-stamped incident timelines automatically — find CERT-In reporting far less burdensome than those relying on manual reconstruction.
Certain sectors face heightened expectations around availability and DDoS preparedness:
RBI’s IT Risk and Cyber Security framework (RBI/2023-24) explicitly requires banks and NBFCs to have DDoS mitigation capabilities and tested business continuity plans covering cyber-induced outages. Payment gateways are high-value targets — an outage during peak hours directly impacts settlement cycles.
SEBI’s cybersecurity circular mandates availability SLAs and documented DDoS defences for market infrastructure institutions (MIIs) and registered intermediaries. A DDoS-induced trading halt carries regulatory and reputational consequences that far outweigh the cost of prevention.
Internet service providers are both a target and a first line of defence. TRAI’s quality-of-service frameworks and DoT’s cybersecurity guidelines increasingly expect ISPs to provide DDoS scrubbing as a value-added service.
Healthcare systems that are hit by DDoS attacks may inadvertently expose patient records if attackers use the DDoS as a smokescreen for a simultaneous data exfiltration attempt. Under the DPDP Act, any breach of personal health data — even one masked by a DDoS — triggers breach notification obligations.
Your operations team should be alert to these indicators of a DDoS in progress:
A practical roadmap for organisations that do not yet have mature DDoS defences:
PJ Networks provides end-to-end DDoS resilience for Indian enterprises, combining FortiGate NGFW deployment expertise with 24/7 NOC/SOC monitoring and managed threat response:
DDoS attacks in 2026 are faster, smarter, and more persistent than anything Indian enterprises faced three years ago. The good news: the technology to defeat them — FortiGate hardware acceleration, cloud scrubbing, and always-on monitoring — exists and is accessible. The question is whether your organisation has it in place and tested before the next attack begins.
Ready to assess your DDoS resilience? Contact PJ Networks for a complimentary DDoS readiness review. Our team will evaluate your current FortiGate configuration, traffic baselines, and incident-response procedures, and deliver a prioritised action plan — at no cost and with no obligation.