Welcome to the 24th edition of Cloudflare’s Quarterly DDoS Threat Report. In this report, Cloudforce One offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the fourth quarter of 2025, as well as share overall 2025 data.
The fourth quarter of 2025 was characterized by an unprecedented bombardment launched by the Aisuru-Kimwolf botnet, dubbed “The Night Before Christmas” DDoS attack campaign. The campaign targeted Cloudflare customers as well as Cloudflare’s dashboard and infrastructure with hyper-volumetric HTTP DDoS attacks exceeding rates of 200 million requests per second (rps), just weeks after a record-breaking 31.4 Terabits per second (Tbps) attack.
DDoS attacks surged by 121% in 2025, reaching an average of 5,376 attacks automatically mitigated every hour.
In the final quarter of 2025, Hong Kong jumped 12 places, making it the second most DDoS’d place on earth. The UK also leapt by an astonishing 36 places, making it the sixth most-attacked place.
Infected Android TVs, part of the Aisuru-Kimwolf botnet, bombarded Cloudflare’s network with hyper-volumetric HTTP DDoS attacks, while Telcos emerged as the most-attacked industry.
2025 saw a huge spike in DDoS attacks
In 2025, the total number of DDoS attacks more than doubled to an incredible 47.1 million. Such attacks have soared in recent years: the number of DDoS attacks spiked 236% between 2023 and 2025.
In 2025, Cloudflare mitigated an average of 5,376 DDoS attacks every hour. Of these, 3,925 were network-layer DDoS attacks and 1,451 were HTTP DDoS attacks.
Network-layer DDoS attacks more than tripled in 2025
The most substantial growth was in network-layer DDoS attacks, which more than tripled year over year. Cloudflare mitigated 34.4 million network-layer DDoS attacks in 2025, compared to 11.4 million in 2024.
A substantial portion of the network-layer attacks (roughly 13.5 million) targeted global Internet infrastructure protected by Cloudflare Magic Transit and Cloudflare’s infrastructure directly, as part of an 18-day DDoS campaign in the first quarter of 2025. Of these attacks, 6.9 million targeted Magic Transit customers while the remaining 6.6 million targeted Cloudflare directly.
This attack was a multi-vector DDoS campaign comprising SYN flood attacks, Mirai-generated DDoS attacks, and SSDP amplification attacks, to name a few. Our systems detected and mitigated these attacks automatically. In fact, we only discovered the campaign while preparing our DDoS threat report for 2025 Q1, an example of how effective Cloudflare’s DDoS mitigation is!
In the final quarter of 2025, the number of DDoS attacks grew by 31% over the previous quarter and 58% over 2024. Network-layer DDoS attacks fueled that growth. In 2025 Q4, network-layer DDoS attacks accounted for 78% of all DDoS attacks. The number of HTTP DDoS attacks remained the same, but their size surged to rates that we haven’t seen since the HTTP/2 Rapid Reset DDoS campaign in 2023. These recent surges were launched by the Aisuru-Kimwolf botnet, which we’ll cover in the next section.
“The Night Before Christmas” DDoS campaign
On Friday, December 19, 2025, the Aisuru-Kimwolf botnet began bombarding Cloudflare infrastructure and Cloudflare customers with hyper-volumetric DDoS attacks. What was new in this campaign was its size: the botnet used hyper-volumetric HTTP DDoS attacks exceeding rates of 20 million requests per second (Mrps).
The Aisuru-Kimwolf botnet is a massive collection of malware-infected devices, primarily Android TVs. The botnet comprises an estimated 1-4 million infected hosts. It is capable of launching DDoS attacks that can cripple critical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire countries.
Throughout the campaign, Cloudflare’s autonomous DDoS defense systems detected and mitigated all of the attacks: 384 packet-intensive attacks, 329 bit-intensive attacks, and 189 request-intensive attacks, for a total of 902 hyper-volumetric DDoS attacks, averaging 53 attacks a day.
The average sizes of the hyper-volumetric DDoS attacks during the campaign were 3 Bpps, 4 Tbps, and 54 Mrps. The maximum rates recorded during the campaign were 9 Bpps, 24 Tbps, and 205 Mrps.
To put that in context, the scale of a 205 Mrps DDoS attack is comparable to the combined populations of the UK, Germany, and Spain all simultaneously typing a website address and then hitting ‘enter’ at the same second.
While highly dramatic, The Night Before Christmas campaign accounted for only a small portion of the hyper-volumetric DDoS attacks we saw throughout the year.
Hyper-volumetric DDoS attacks
Throughout 2025, Cloudflare observed a continuous increase in hyper-volumetric DDoS attacks. In 2025 Q4, hyper-volumetric attacks increased by 40% compared to the previous quarter.
As the number of attacks increased over the course of 2025, the size of the attacks increased as well, growing by over 700% compared to the large attacks seen in late 2024, with one reaching 31.4 Tbps in a DDoS attack that lasted just 35 seconds. The graph below portrays the rapid growth in DDoS attack sizes as seen and blocked by Cloudflare, each one a world record, i.e. the largest ever disclosed publicly by any company at the time.
Like all of the other attacks, the 31.4 Tbps DDoS attack was detected and mitigated automatically by Cloudflare’s autonomous DDoS defense, which was able to adapt and quickly lock on to botnets such as Aisuru-Kimwolf.
Most of the hyper-volumetric DDoS attacks targeted Cloudflare customers in the Telecommunications, Service Providers and Carriers industry. Cloudflare customers in the Gaming industry and customers providing Generative AI services were also heavily targeted. Lastly, Cloudflare’s own infrastructure was targeted by multiple attack vectors such as HTTP floods, DNS attacks and UDP floods.
When analyzing DDoS attacks of all sizes, the Telecommunications, Service Providers and Carriers industry was also the most targeted. Previously, the Information Technology & Services industry held that unlucky title.
The Gambling & Casinos and Gaming industries ranked third and fourth, respectively. The quarter’s biggest changes in the top 10 were the Computer Software and Business Services industries, which both climbed several spots.
The most-attacked industries are defined by their role as critical infrastructure, a central backbone for other businesses, or their immediate, high-stakes financial sensitivity to service interruption and latency.
The DDoS landscape saw both predictable stability and dramatic shifts among the world’s most-attacked locations. Targets like China, Germany, Brazil, and the United States were the top five, demonstrating persistent appeal for attackers.
Hong Kong made a significant move, jumping twelve spots to land at number two. However, the bigger story was the meteoric rise of the UK, which surged an astonishing 36 places this quarter, making it the sixth most-attacked location.
Vietnam held its position as the seventh most-attacked location, followed by Azerbaijan in eighth, India in ninth, and Singapore as number ten.
Bangladesh dethroned Indonesia as the largest source of DDoS attacks in the fourth quarter of 2025. Indonesia dropped to the third spot, after spending a year as the top source of DDoS attacks. Ecuador also jumped two spots, making it the second-largest source.
Notably, Argentina soared an incredible twenty places, making it the fourth-largest source of DDoS attacks. Hong Kong rose three places, taking fifth place. Ukraine came in sixth place, followed by Vietnam, Taiwan, Singapore, and Peru.
The top 10 list of attack source networks reads like a list of Internet giants, revealing a fascinating story about the anatomy of modern DDoS attacks. The common thread is clear: threat actors are leveraging the world’s most accessible and powerful network infrastructure, primarily large, public-facing services.
We see most DDoS attacks coming from IP addresses associated with Cloud Computing Platforms and Cloud Infrastructure Providers, including DigitalOcean (AS 14061), Microsoft (AS 8075), Tencent (AS 132203), Oracle (AS 31898), and Hetzner (AS 24940). This demonstrates the strong link between easily provisioned virtual machines and high-volume attacks. These cloud sources, heavily concentrated in the United States, are closely followed by a significant presence of attacks coming from IP addresses associated with traditional Telecommunications Providers (Telcos). These Telcos, primarily from the Asia-Pacific region (including Vietnam, China, Malaysia, and Taiwan), round out the rest of the top 10.
This geographic and organizational diversity confirms a two-pronged attack reality: while the sheer scale of the highest-ranking sources often originates from global cloud hubs, the problem is truly worldwide, routed through the Internet’s most critical pathways from across the globe. In many DDoS attacks, we see thousands of various source ASNs, highlighting the truly global distribution of botnet nodes.
To help hosting providers, cloud computing platforms and Internet service providers identify and take down the abusive IP addresses/accounts that launch these attacks, we leverage Cloudflare’s unique vantage point on DDoS attacks to provide a free DDoS Botnet Threat Feed for Service Providers.
Over 800 networks worldwide have signed up for this feed, and we’ve already seen great collaboration across the community to take down botnet nodes.
Helping defend the Internet
DDoS attacks are rapidly growing in sophistication and size, surpassing what was previously imaginable. This evolving threat landscape presents a significant challenge for many organizations to keep pace. Organizations currently relying on on-premise mitigation appliances or on-demand scrubbing centers may benefit from re-evaluating their defense strategy.
Cloudflare is dedicated to offering free, unmetered DDoS protection to all its customers, regardless of the size, duration, or volume of attacks, leveraging its vast global network and autonomous DDoS mitigation systems.
Driven by a mission to help defend the Internet, Cloudforce One leverages telemetry from Cloudflare’s global network, which protects roughly 20% of the web, to drive threat research and operational response, protecting critical systems for millions of organizations worldwide.



