
DDoS escalates alongside India-Pakistan hostilities
When military tensions flared between India and Pakistan in early May, a parallel cyber campaign unfolded at speed. Threat-hunting data show a clear pattern: each round of air or missile strikes was mirrored by larger, longer Distributed Denial-of-Service (DDoS) assaults on networks.
What happened?
7 May – India carried out ‘Operation Sindoor’, hitting nine sites it called terrorist infrastructure. Within hours, daily DDoS activity aimed at Indian targets rose nearly ten-fold.
8–10 May – Pakistan launched its “Iron/Solid Wall” response. Botnets and reflection attacks followed, peaking on 10 May with 97 separate incidents – fourteen times the rate seen during late-April border skirmishes.
11 May onwards – After both capitals agreed a cease-fire, volumes fell but did not stop, underlining the lag between physical de-escalation and cyber calm.
Who was most affected by these attacks?
The first wave of traffic hammered telecoms and news portals, but as hostilities intensified attackers turned their fire on higher-value government sites. Between 7 and 8 May the Indian President’s Office was struck twice with DNS-reflection floods, the second barrage lasting almost twenty hours. On 9 May a Mirai-driven ACK flood hit the Jammu & Kashmir government portal. The next day saw three more high-profile targets: the Ministry of Defence suffered a three-hour-plus NTP-amplification assault, and the Prime Minister’s Office, the Press Information Bureau and the National Informatics Centre were also targeted.
Pakistan-based sources claimed cyber operations paralysed “70% of India’s power grid”, a statement denied by Indian officials. Independent telemetry does confirm repeated attacks on government-linked name servers; whether wider outages followed remains unverified.
The wider hacktivist scene
Commercial and ideological groups quickly joined in. Analysts counted at least 26 outfits – including RipperSec, Keymous+ and Sylhet Gang – claiming 250-plus Indian targets since January. Government websites made up more than half of all DDoS declarations; finance, telecoms and manufacturing followed.
AI-driven tools, turnkey botnets and open-source scripts such as MegaMedusa lower the barrier to entry. Many campaigns blend high-bandwidth UDP floods with application-layer hits that mimic genuine users, complicating defence.
What was the purpose of these DDoS attacks?
DDoS is a mainstream instrument of statecraft: capable of silencing public portals, slowing critical services and amplifying battlefield narratives. Even after ceasefires, online pressure can persist, raising the risk of miscalculation or retaliation.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com