Executive Summary

On April 28, 2025, a large-scale power outage disrupted Spain, Portugal, and parts of France, disconnecting millions from the grid and interrupting critical infrastructure and the national internet at large. Triggered by a rapid imbalance in electricity generation, the blackout began at 10:33 UTC (12:33 local time) and took down a majority of Spain’s power supply. Power was gradually restored over the course of the day, with full recovery reported by officials in the early hours of April 29, as further detailed on Wikipedia.

Following the April 2025 power outage in Spain, Portugal, and parts of France, NETSCOUT leveraged ATLAS telemetry to assess its impact on regional internet traffic and distributed denial-of-service (DDoS)-related host activity. We also examined the wider implications of a developed nation losing connectivity, particularly in the context of DDoS activity. Although overall traffic dropped sharply, core communication recovered quickly. Malicious infrastructure rebounded even faster. This post presents traffic patterns, recovery timelines, and what they reveal about the resilience of internet and DDoS ecosystems.

Key Findings:

•    Regional traffic dropped by 75 percent during the blackout, reflecting the immediate impact on internet connectivity.
•    Traffic recovery lagged until April 29, highlighting the systemic disruption across Spain and Portugal.
•    Malicious infrastructure rebounded quickly, resuming activity as soon as services were restored.
•    As observed by ATLAS, DDoS targeting remained constant, with no observed reduction in attacks despite the outage.

Internet Traffic Levels

Internet traffic rates for both Spain and Portugal dropped sharply by approximately 75 percent during the blackout period. A time-series forecasting model establishes a baseline of traffic based on NETSCOUT ATLAS telemetry. We trained the model on reference traffic for the full month of April, excluding the outage period and April 27, allowing analysts to compare expected normal conditions to the deviations observed. Figure 1 illustrates these trends, with traffic levels normalized to each country’s respective maximum observed in April.
Although traffic began to rise again shortly after the blackout, it did not return to expected levels until the early hours of April 29. This delayed recovery highlights the importance of evaluating traffic in a relative context rather than relying solely on raw volumes. Spain and Portugal exhibited similar patterns throughout, underlining the systemic impact of the power disruption on regional internet activity.

Impact on DDoS Landscape

NETSCOUT alert data shows that malicious infrastructure in Spain and Portugal was rapidly reactivated following the blackout, underscoring the role of automation in DDoS operations. Because NETSCOUT not only observes overall traffic volumes but also tracks traffic specifically linked to DDoS activity, we can quantify the number of unique malicious hosts originating from the affected countries. As expected, this number dropped sharply during the outage due to the loss of connectivity. However, malicious activity resumed quickly once the first services appeared to be restored. Figure 2 illustrates this rebound for both Spain and Portugal. The fast rebound highlights the resiliency and persistence of attacker-controlled infrastructure, making a reliable and current DDoS feed indisputably important.

Spain and Portugal as Targets

Even though Spain and Portugal were widely offline during the April 2025 power outage, our ATLAS telemetry indicates that the large-scale disruption neither drew additional attention from DDoS adversaries nor resulted in a measurable reduction in attack targets during the affected period (see Figure 3). 

This may seem counterintuitive, but traffic anomalies persisted, driven in part by protocol-specific dynamics: While ICMP and UDP attack traffic dipped, likely reflecting reduced network debugging stress, TCP traffic remained largely stable, suggesting that some TCP-based attacks may now appear to increasingly stem from protocol recovery mechanisms and likely sympathetic DDoS effects. This underscores the persistent and disruption-resistant nature of DDoS activity, where even a nationwide, hours-long outage fails to interrupt the continuous pressure on a nation's digital perimeter, highlighting the systemic presence of DDoS as an enduring threat across the internet.

NETSCOUT During the Outage

The Iberian blackout was a critical stress event that demonstrated the fragility of physical infrastructure and the resilience of both adversarial systems and global monitoring networks. Internet traffic and connectivity collapsed within minutes, yet malicious infrastructure and targeting pipelines resumed quickly, underscoring the persistence of DDoS operations. Events of this scale highlight the importance of resilient, globally distributed visibility, rapid recovery capability, and continuous DDoS monitoring. They reveal not only where systems break, but also which ones endure.