DDoS attacks doubled in 2025 as assault sizes spiral to record levels

Written By The Source Code Editorial

Distributed denial-of-service attacks are no longer a background nuisance of the internet. They are becoming a structural stress test.

That is the central message of Cloudflare’s fourth-quarter 2025 DDoS Threat Report, which documents a sharp acceleration in both the volume and intensity of attacks over the past year. According to Cloudflare’s data, global DDoS incidents rose 121% in 2025 to a total of 47.1 million attacks, with mitigation systems blocking an average of 5,376 attacks every hour.

The headline figure is dramatic: a single DDoS attack peaking at 31.4 terabits per second, lasting just 35 seconds, the largest Cloudflare says it has ever observed. But the deeper story is not one record-breaking spike. It is the normalisation of extreme behaviour.

Bigger, faster, more frequent

Cloudflare’s network data shows that network-layer attacks — designed to overwhelm infrastructure rather than applications — more than tripled year on year, rising from 11.4 million in 2024 to 34.4 million in 2025. By the final quarter, these attacks accounted for 78% of all DDoS activity recorded on the platform.

This shift matters because network-layer attacks are harder to absorb and easier to scale. They target the plumbing of the internet: routers, bandwidth, and transit capacity. As attack sizes increase, the margin for error shrinks, particularly for telecoms operators and service providers.

Unsurprisingly, telecommunications firms emerged as the most targeted industry globally, followed by IT services. Gambling, gaming, and software companies rounded out the top five sectors where uptime directly translates into revenue.

The Christmas attack — and why it was not the main problem

One episode captured attention inside the security community. On 19 December 2025, a botnet known as Aisuru-Kimwolf launched a series of hyper-volumetric HTTP attacks exceeding 20 million requests per second. The malware-infected devices involved were largely Android televisions, with Cloudflare estimating between one and four million compromised hosts.

The campaign, dubbed internally “The Night Before Christmas”, demonstrated how consumer electronics continue to expand the attack surface of the internet. Smart TVs, cheap routers and poorly maintained IoT devices remain easy to hijack at scale.

Yet Cloudflare is careful to note that this attack, while spectacular, represented only a small fraction of the year’s most severe incidents. The broader trend is a steady rise in high-volume attacks throughout 2025, with hyper-volumetric events increasing 40% quarter on quarter in Q4 alone. In other words, this was not an anomaly, it was a preview.

Geography is shifting — fast

The report also points to sharp changes in where attacks are landing.

Hong Kong jumped 12 places in the global rankings to become the second most targeted location worldwide. The UK rose 36 places in a single quarter, making it the sixth most-attacked country — a striking change for a market more often associated with financial fraud than raw network assaults.

China, Germany, Brazil and the United States remained consistently targeted, reflecting their central role in global data flows rather than any single political trigger.

On the source side, Bangladesh emerged as the largest origin of DDoS traffic in Q4, overtaking Indonesia, which had held the top spot for more than a year. Ecuador rose to second place. Cloudflare stresses that these “sources” usually reflect compromised infrastructure or cloud-hosted resources, not coordinated national activity.

Indeed, many of the largest attack volumes were traced back to IP ranges associated with major cloud providers, including DigitalOcean, Microsoft, Tencent, Oracle and Hetzner. The pattern highlights how easily rented compute power can be weaponised when controls are weak or credentials are abused.

Defence is becoming automated — because it has to be

For Cloudflare, the report doubles as a warning and a justification. The company argues that human-led responses are no longer viable at this scale.

“The scale and frequency of DDoS activity we observed in 2025 underscore how quickly threat actors are evolving their tactics,” said Ercan Aydin, the firm’s AVP for the Middle East, Türkiye and Africa.

“From hyper-volumetric attacks that set new records in bandwidth to complex, multi-vector campaigns, our data shows that safeguarding digital services requires adaptive, autonomous defences,” he added, pointing to the rapid digitisation of critical infrastructure across emerging markets.

The subtext is clear. As more countries push services online — from payments to public administration — the internet’s attack surface grows faster than its governance.

A system under pressure

What Cloudflare’s data ultimately reveals is not just criminal ingenuity, but structural imbalance. Cheap devices, abundant bandwidth and on-demand cloud infrastructure have lowered the cost of disruption. Meanwhile, the economic and social cost of downtime continues to rise.

DDoS attacks are no longer simply a tool of vandalism or protest. They are becoming a way to exert pressure on markets, services and states — often anonymously, often briefly, but increasingly at scale.

The record numbers from 2025 suggest the industry is still in a reactive phase. The question for 2026 is not whether attacks will grow larger, but whether the internet’s underlying defences can keep pace without centralising power even further in the hands of a few global network operators.

That is a trade-off governments, companies and users may soon be forced to confront.

The Source Code Editorial
Previous

Infoblox Research: How DNS Hijacking Turns Home Routers Into Attack Infrastructure
Next

Alphabet earnings: Google’s $185 B Spend is the Real Story