Hero section background image

Three Emails, Then Silence: What a DDoS Attack Teaches a CEO

Content

It was a perfectly ordinary morning. Roland Hambach, CEO of ene’t GmbH, was sitting at breakfast scrolling through his emails. Then came the first one with the subject line “DDoS Attack.” Then the second. Then the third. His first instinct: spam, delete. But then the IT department sounded the alarm at the same time.  

What followed was a lesson in how cyber resilience is proven not in glossy brochures, but in real-world stress tests—and what other companies can learn from it. 

The Situation: Not a State of Emergency, but the New Normal 

The numbers speak for themselves. According to the Bitkom Business Security Study, numerous companies have experienced cyberattacks over the past twelve months. And the trend is clearly on the rise. At Link11, we are observing annual growth rates in DDoS attacks within our own network. Most recently, the year-over-year increase stood at 75%. In the first quarter of 2026, attacks approaching the terabit threshold were already observed multiple times on the Link11 network. Attacks of this magnitude used to be considered rare exceptions; today, they are a reality. 

What has changed is not only the quantity but also the quality. Attackers automatically switch between protocols, combine Layer 3/4 attacks with application attacks, and use AI for orchestration. The longest attack on the Link11 network in 2025 lasted eight days straight. Eight days during which companies without protection would simply have been unreachable. 

And the barrier to launching an attack yourself is alarmingly low. DDoS-as-a-Service is available online for very little money. In Poland this year, teenagers aged 12 to 16 were caught offering such services. 

What Really Happens When the Attack Comes 

The email Roland Hambach received that morning was not a vague threat demanding Bitcoin. It was precise: The attackers would briefly demonstrate what they were capable of on ten of the 117 available servers. After that, they would demand two more Bitcoins every day if no payment was made. The message also made it clear that countermeasures or negotiations were pointless. 

What followed was an eye-opening experience for an ISO 27001-certified company: The emergency plan kicked in, but reality wrote its own chapters. Since the company relies on Voice-over-IP, the phone system had also gone down. The emergency command center was therefore relocated to the cafeteria, as this was the only room with adequate cell phone reception. And the process of going through the State Criminal Police Office (LKA), the Central Criminal Investigation Department (ZAK), and finally the local district police department resulted, after six weeks, in nothing more than a notice of dismissal. 

The sobering realization: Technically and organizationally, they were on their own. This is not a criticism, but the reality that companies must plan for today. 

Pay or not pay?  

Of course, this question was on everyone’s mind. If you pay, the matter is settled at least until the next time. Because once you pay, you end up on lists. And anyone on those lists becomes a target again. With a more than 70 percent chance of being attacked again after an initial attack, paying isn’t a solution. It’s a subscription. 

Enet GmbH decided against paying. As announced, the attack lasted only half a day. That was a stroke of luck and, at the same time, an invitation to use the week’s reprieve to build up real protection. 

What We Learn in the Calm After the Storm 

The key lessons from the attack on Enet are not groundbreaking technical innovations. They are structural insights that apply to every company. 

Anomalies must be taken seriously at an early stage. Months before the attack, VPN tunnels were crashing for no apparent reason, and there were unexplained spikes in firewall activity. At the time, this was attributed to firmware issues. Today, the response would be different. If you don’t know your normal traffic profile, you can’t detect deviations. If you don’t detect deviations, you miss the reconnaissance phase of an attack. 

DDoS protection isn’t a feature you just pick up on the side. Basic DDoS protection through the service provider was in place, but it simply wasn’t up to the task of handling the attack. Protection on this scale cannot always be handled in-house. It requires infrastructure, capacity, and expertise that dedicated providers possess. 

In a crisis, communication becomes more important than technology. Customers, partners, employees, and shareholders must all be kept transparently informed. No company today loses trust simply because it has been the victim of a cyberattack. It loses trust if it conceals what has happened. 

What this means for your security strategy 

Link11 protects companies like Enet GmbH through a fully cloud-based network, without the need for on-premises hardware or compromises on capacity. With over 40 PoPs worldwide, all incoming traffic is routed through and filtered by the Link11 network before it even reaches the customer’s infrastructure. 

Learn more about an easy-to-implement and highly effective WAAP solution.

Everything from a single source, and available as a fully managed service upon request.

Learn more

Roland Hambach sums it up pragmatically: “It’s like the bouncer at a nightclub. Now there isn’t just one standing there, but rather four.” And those who are visibly protected are simply attacked less often, since attackers know the odds of success. 

In addition to DDoS mitigation, Link11 offers integrated protection with its WAAP platform, which combines DDoS defense, a web application firewall, bot management, and API protection. For companies that already operate existing on-premises solutions, both approaches can be combined into a hybrid protection architecture. 

Three Key Takeaways 

In conclusion, three recommendations can be summarized from the conversation with Roland Hambach. Ones that hardly any management consultant could have phrased better. 

It’s not a question of whether you’ll be attacked, but only when. When it happens, open communication—both internally and externally—is the most important step. Afterward, you should talk to other companies, share experiences, and not remain silent. 

DDoS attacks are not just an issue for the IT department. They are a matter of corporate leadership. Anyone who does not yet have a contingency plan that has actually been tested—and not just documented—has a vulnerability that attackers can exploit, even if their own risk assessment suggests otherwise. 

Would you like to know how well your current security architecture would withstand a real attack? Our experts are available to assist you at any time. 

Author

Link11 press spokesperson Lisa Fröhlich is the hub for all official corporate communications. When Lisa isn't attending one of the numerous IT events held throughout Germany, she works on new content with a focus on analyses and statistics. After graduating from Johannes Gutenberg University Mainz, she worked for almost a decade in public relations as a PR manager and press spokesperson for various companies before finding her way into the complex world of IT security.