Organizations worldwide faced an alarming rise in Distributed Denial of Service (DDoS) attacks in the second quarter of 2025. New records were set, with Cloudflare’s latest report highlighting June as the most active month.
High-profile incidents, such as targeted attacks against an Eastern European news outlet during Pride Month, underscore the stakes for businesses and civil society alike.
Defining Trends in Q2 2025
- Record-breaking attack sizes: Cloudflare mitigated the largest DDoS events ever recorded, reaching peaks of 7.3 Tbps and 4.8 billion packets per second. Hyper-volumetric attacks, those over 1 Bpps or 1 Tbps, were a daily occurrence, showing how attackers are scaling operations.
- Attack volume remains elevated: While total incidents dipped from Q1’s surge, Q2 still saw 7.3 million blocked DDoS events, a 44% year-over-year increase. Telecommunications and service providers remain particularly vulnerable.
- Changing tactics: Network-level (Layer 3/4) attacks dropped sharply by 81% quarter-over-quarter, but HTTP DDoS attacks rose 9%, indicating a tactical shift by attackers.
Attribution: Who’s Behind the Surge?
Pinpointing attackers remains difficult, with 71% of victims unable to identify the source. Among those who could, 63% implicated industry competitors, especially in sectors like Gaming, Gambling, and Crypto. State actors were suspected in 21% of cases. Ransom-driven DDoS threats also increased, jumping 68% from last quarter.
Targeted Regions and Industries
- Top targeted countries: China now faces the most attacks, followed by Brazil, Germany, India, and South Korea. These rankings reflect where Cloudflare’s clients are billed, not necessarily where attacks originate.
- Industries at risk: Telecommunications, Internet, and IT & Services lead the list of targets. Notably, Agriculture surged 38 places to break into the top ten, reflecting a widening scope of attack.
- Sources of attack traffic: Indonesia, Singapore, and Hong Kong were key origins, often due to botnet nodes or proxy endpoints rather than direct attacker locations.
Modern Botnets and Evolving Attack Vectors
Botnets remain a dominant force, generating 71% of HTTP DDoS attacks. Virtual machine (VM)-based botnets now pose a greater risk than IoT-based variants. The most common Layer 3/4 vectors were DNS floods, SYN floods, and UDP floods, but newer methods, including Teeworlds floods, RIPv1, RDP, DemonBot, and VxWorks-based attacks, are spreading rapidly.
- DNS Flood: Overloads DNS servers, risking outages. Mitigation relies on DNS firewalls and intelligent filtering.
- SYN Flood: Exploits TCP handshake processes. Defenses include SYN cookies and advanced edge protection.
- Emerging methods: Attackers are increasingly exploiting legacy protocols to find unprotected systems.
Attack Magnitude, Duration, and Effects
Most DDoS attacks remain small, 94% under 500 Mbps and 85% under 50,000 packets per second but can still disable unprotected servers.
Hyper-volumetric attacks are rising: 6% of HTTP attacks exceeded 1 million requests per second, while 0.05% of network-level attacks broke 1 Tbps, representing a 1,150% quarterly increase. Attacks are often short-lived, with even the largest typically lasting under a minute, stressing the need for instant, continuous protection.
Proactive Defense and Industry Collaboration
Automated, real-time defenses are now essential. Cloudflare’s network uses live intelligence to block attacks instantly and collaborates with more than 600 global service providers on botnet takedown efforts. The report warns that relying on outdated, reactive security leaves organizations vulnerable to both large and small-scale DDoS threats.
Takeaway: Continuous Security is Non-Negotiable
The escalation in hyper-volumetric and sophisticated DDoS attacks highlights the need for organizations to adopt always-on, automated protection. Staying informed about evolving tactics and collaborating with industry partners is crucial to building a more resilient Internet.
DDoS Attacks Break Records: Insights from the 2025 Q2 Threat Report