Originally aired on May 9 @ 12:00 PM - 12:30 PM EDT
In this week’s episode, we talk about DDoS attacks and their sharp rise in recent months. We also start with a quick look at some Internet trends tied to the announcement of the new pope.
To guide us through the world of distributed denial-of-service (DDoS) attacks, host João Tomé is joined by our DDoS expert, Omer Yoachimik.
We go into the latest data from our Q1 2025 DDoS Threat Report, which reveals a 358% year-over-year increase in DDoS attacks — and explore what’s driving that surge. The report also includes late-breaking data from a hyper-volumetric campaign observed in April 2025, featuring some of the largest attacks ever publicly disclosed.
We also cover which industries and countries are being targeted more often, like gaming and financial services, and discuss why that might be the case.
Over the past few years, since the war between Ukraine and Russia, then in the Middle East, and the tensions between Taiwan and China and so on and so forth, we've seen unlikely organizations or industries become the target of attacks just because they're on one side of the conflict or another.
So one myth is that, you know, I won't be attacked.
Hello, everyone, and welcome to This Week in NET.
It's the May the 9th, 2025 edition.
I'm João Tomé, coming to you from Lisbon, Portugal. This week, there's a new pope and the Internet noticed.
This episode, on the other hand, is not about the new pope, it's about DDoS attacks.
That said, yesterday, when the new pope was announced, so yesterday it was Thursday, May the 8th, if you're seeing this on a different day.
So when the new pope was announced, DNS traffic to Vatican websites spiked globally by 400% compared with the previous week, and that's nearly double the traffic jump that we saw when Pope Francis died on April the 21st.
So these are DNS trends from our 1.1.1.1 resolver.
On a more general note, in the US, in the United States, Internet traffic ticked up slightly when the new pope was announced, like 1%, a small blip, at around 4pm UTC time on this Thursday, but it rose more.
There was a bigger bump in traffic in the US when it was revealed that the new pope was actually US-born Cardinal Robert Francis Prevost.
So now it's the new pope, Pope Leo XIV.
But at that moment, when it was announced, one hour after the initial pope announcement, traffic jumped in the US 3% compared with the previous week.
So you can see the small blip in traffic. But as mentioned in the beginning, we're here to talk about a different kind of traffic spike, DDoS attacks, and for that, talk about distributed denial of service attacks that are increasing, definitely.
With me is my colleague and DDoS expert, Omer Yoachimik.
To break it all down, we published our Q1 2025 DDoS Threat Report in a blog post and also on Radar.
And here's my conversation with Omer. Hello, Omer. How are you?
Thank you. How are you? I'm good. And you're returning to the show. So you've been here several times to speak only about DDoS, sometimes other stuff, but mostly DDoS.
We had this Q1 DDoS report. And in this case, it spilled a bit to Q2 as well because of the hyper volumetric DDoS attacks that we've been seeing in the past few weeks.
For those who don't know, let's start simple. What is really a DDoS attack and how does it affect people, businesses trying to access a site?
DDoS attack, short for distributed denial of service attack, it's a type of cyber attack, one of the oldest types of cyber attacks.
And the goal of the threat actor is to overwhelm the Internet property with more traffic than it can handle, ultimately causing disruptions or downtime.
And that can lead to impact on revenue, on reputation for the victim organization if they don't have proper protections in place.
I would also just add that it's one of the most low cost, high impact attack methods because all you really need is the victim's IP address or their website address.
So the barrier of entry is very low to launch an attack. And for many organizations, even a few months of downtime, that can mean significant loss of revenue, not to mention regulated industries where they might also be fined for not being able to provide citizens certain services like in the financial services industry.
It's quite interesting. We've been doing the DDoS threat report for several years now.
It's the 21st edition, if I'm not mistaken, every quarter.
One of the things that always surprised me is that it's an old method, but as you were saying, it's not very expensive, so attackers continue to use it.
But also the fact that there's a general growth every year, mostly. And in this Q1 2025 DDoS report, you mentioned in the blog that there was a 358% year over year increase and a 198% quarter over quarter increase.
So it's quite interesting to see even on the AI age, as many are saying, DDoS attacks are still a thing, are still happening.
Attackers are still using it a lot, right? Yeah, and it's become even easier because you can use those technologies to launch or to create smarter attack scripts, which then can be used to launch more sophisticated attacks.
And yeah, as you mentioned, 2025 started off with a really, like a massive surge of attacks.
In just one quarter, we mitigated 96% of everything that we mitigated in 2024.
20.5 million DDoS attacks, and that was mainly fueled by the 16.8 million network layer attacks.
So these are the layer 3, 4 DDoS attacks. What is driving really the increase?
You already spoke about AI tools are actually helping attackers.
Do we know specifically what is driving that increase? If it's those AI tools making a few of their processes more efficient on their end or other things?
Yeah, so when we look at the attacks in Q1, specifically on the network layer attacks, where we saw the largest increase, the majority of the attacks were actually targeting, well, they were part of an 18-day campaign that targeted Cloudflare's infrastructure directly.
So these were 6.6 million DDoS attacks targeting Cloudflare's IP ranges.
And simultaneously to that, they were also attacking other Internet infrastructure, such as hosting providers, service providers, cloud computing providers, and so on, that are protected by Cloudflare.
So in total, it was around 6.6 million attacks targeting Cloudflare, and another 6.9 targeting the other hosting providers and service providers protected by Cloudflare.
This was during the month of January, kind of slipping into, or like mid-January into the beginning of February.
These attacks were highly randomized, and we attribute the randomization nature of the attack to, well, a more sophisticated attack is an attack that's more randomized, that hides better in traffic.
And so we've seen an increase in sophistication of attack that coincides with the rise in generative AI for two plus years now.
It's a trend that we've been seeing across multiple protocols ranging from HTTP, UDP, and DNS, to name a few.
It's quite interesting to see the method there in terms of, and in this situation that you're mentioning, the target of the Cloudflare network in general and Internet infrastructure, it was like an 18-day multi-vector DDoS campaign, right?
So it was focused on a specific moment in time, potentially to be more successful, to try to get into the news or to create havoc and problems for those.
But it's quite interesting to see also, to your point, how we're publishing this because it's quite interesting, but all of these were unsuccessful.
They didn't create havoc.
They didn't create the problems the attackers were intending. And they were, and this is always, for me, is always really interesting to see.
It was all mitigated by autonomous systems.
So machine learning that we have, how is that process specific?
Yeah. So our autonomous defenses, what we call them, well, we call them autonomous because basically our software-defined system runs in each one of our servers around the world.
And each one of our servers is able to detect and mitigate attacks by itself, autonomously, without requiring any centralized regulation.
These systems work really fast. They detect attacks, they mitigate them, but they also share threat intelligence between different instances of the system or between different servers and also globally.
So we have that threat intel.
And we combine a few techniques to be able to mitigate attacks so efficiently.
One is a dynamic fingerprinting. So our systems will identify the malicious pattern in the attacks and generate an ephemeral rule that matches the attack properties mitigated.
We also leverage behavioral DDoS detection, which is based on traffic profiling.
We also leverage various machine learning models, both models that we've developed in the DDoS team, but also because Cloudflare is highly integrated, all of our products are highly integrated.
We can also infuse our fingerprinting process with signals from other products like the bot management solution.
So we actually use the bot management scores as an additional signal into our traffic profiling capabilities.
And on top of that, we also have a real-time distributed threat intelligence system that is able to pick up on botnet attacks, incriminate botnets in real time, and mitigate them across the entire Cloudflare network.
It's quite interesting to see, especially that it's all automatic in a sense.
But to your point, there's many layers. And you mentioned the help of the bots team as well.
So in what way, and I was hearing yesterday our investors call with Matthew Prince, actually explaining a bit of DDoS attacks to investors, which is quite interesting to see.
But I was really interested to show, and you spoke about this, the servers, individual servers that can deal with the DDoS, this distinguished Cloudflare in a sense, the method of the architecture of the network.
It's also embedded in the mitigating DDoS attacks, right?
Without a lot of cost, even for us in terms of bandwidth. How can we explain a bit of how we distinguish ourselves from others in terms of dealing with these type of attacks?
Well, most of the legacy vendors started as appliance vendors and they would sell boxes with, you know, you have to pay a fee for it.
CapEx put up capital in advance to pay for the appliance.
You'd have to then also invest in the OpEx operational expenses for licensing, for subscription updates and stuff like that.
And the problem is that these systems are expensive. They're hard to manage and they are limited by the bandwidth that you have.
And when, when the demand for a cloud DDoS protection service started to grow, these organizations had a difficult time and still do moving away from appliance, from selling appliances to offering a cloud service.
It's the classical innovator's dilemma, where you have a new technology that you can't really spend on because your main revenue stream that you're committed to for the appliance is what keeps the lights on.
So they, this is the classic example of the innovator's dilemma, where a company that does everything right, you know, they build the appliances, they listen to customer feedback, they improve the appliances and everything, but they just didn't have the know-how and the resources to invest in building a cloud that would be able to sustain all of their customers' always-on traffic and the largest attacks simultaneously.
So they came up with this kind of on-demand approach, which is a historical mistake, which basically means buy the appliance, also buy a subscription service for the cloud, and only for very large attacks, divert to the cloud.
That's a flawed approach in today's landscape, because even the largest attacks, like the 6.5 terabit per second attack or the 4.8 billion packet per second attacks that we mitigated just like that, you know, we found out about that in hindsight, that we mitigated it when reviewing logs.
They were 35 to 45 seconds long, so you can't really rely on activating an on-demand service or even any human intervention.
And those were record-breaking attacks, right?
Yeah. And DDoS attacks, specifically. Yeah, exactly. These were the largest on record, and so what you have with the legacy providers is a flawed approach, and even the companies that tried to kind of overcome the innovator's dilemma kind of locked themselves in by having to use their existing technology, existing appliances, which weren't cloud-ready.
Cloudflare, on the other hand, was and is a cloud-first company, and we don't have any third-party dependencies on, you know, we don't use DDoS appliances from another vendor.
We don't have to route traffic to a different scrubbing center or a set of data centers or even an appliance.
Each one of our servers is able to detect and mitigate attacks, and this is one of the core benefits of the Cloudflare network, the resilience of it and the fast time to detect and mitigate, which can only be possible in a cloud-first service.
Especially without costs and with resilience and dealing with those, right?
Exactly. Our assumptions are, when we built these systems, that ranging from disaster recovery to technical means or difficulties, our assumptions were that colos will go down, servers will go down, and we have to untangle dependencies.
And so, you know, even if our entire network goes down and there's one server left operating, that server will continue serving all of Cloudflare's or offering all of Cloudflare's services, including detecting and mitigating DDoS attacks.
Makes sense. Let me share my screen. You were mentioning specifically the hypervolumetric DDoS attacks.
Actually, why not mention the DDoS reports are also on this site, ddosreport.com, and also on Cloudflare Radar specifically.
One of the things regarding the hypervolumetric attacks you were mentioning, those are the ones that exceed one terabit per second or one billion packet per second, right?
An average of around eight attacks per day in Q1 specifically of this year.
So, that was 700 hypervolumetric DDoS attacks. In those numbers, there's a whole section here specifically of those attacks and the record-breaking one as well.
Specifically, it's this section here. For those who don't understand too much about hypervolumetric DDoS attacks, what can we say in terms of why they continue to occur?
How are they potentially put together specifically?
And in this case, that was the already Q2 record-breaking ones that you mentioned.
What can we say here specifically on what still drives these to be record-breaking every once in a while?
There's a new record being... So, I would say that the motivation is probably mainly...
So, we have botnet operators or the botnet authors that build these botnets and then they sell their services.
So, it's a botnet for hire and if you have the strongest botnet and if you can launch very large attacks, then you can charge a lot of money for it.
And this is kind of one of the main angles or reasons why these threat actors invest in these botnets.
A lot of, by the way, are based on or are built on hosting providers and cloud computing providers.
So, they're abusing that infrastructure in order to generate massive amounts of traffic.
And it's quite wide because, as it's mentioned here, those attacks in this situation originated from 147 countries targeted multiple IP addresses and ports.
So, those are almost global, some of those attacks in terms of the methods they use there to do it, right?
Yeah, at those scales, it's almost always a highly distributed attack just because if you want to generate that amount of traffic, you're going to need a lot of botnet nodes that are distributed around the world.
There's a section here about threat actors who attacked you specifically.
Also, a good perspective in terms of what are the main trends here.
Yeah. So, well, first of all, it's important to kind of explain how we collect this data.
So, we have an automated survey that pops up to customers in the dashboard when we detect and mitigate an attack for them.
And we ask them a bunch of questions to understand if we're doing well, if we did our job well, if they had any impact.
And we ask them also about ransom attacks, ransom DDoS attacks specifically to differentiate from ransomware attacks, and also who they think attacked them.
And the majority don't know. But of those that do know, or that claim that they know, you can see that the majority said that this was a competitor.
And this is very, very common in the gaming and gambling industry, where just by attacking a competitor or a server, a gaming server, you can disrupt a game to your advantage, get user churn and have users switch to a different gaming server or to a different game all entirely.
And then what's, I think, also interesting is that we have in second place a state-level or state-sponsored attack, which is a growing concern.
An interesting one also is number four here, the self-DDoS, where we actually help customers protect against, protect their infrastructure by mistakes that they made.
One example that I have for that is a major IoT vendor that everyone knows.
Of course, can't name them.
They had an incident where they released a firmware update to their IoT devices.
These are wearable devices. And that caused all of the devices to kind of phone home at the same time.
And that caused an avalanche or a flood of pings to their servers.
So we, working with these vendors, even though it's not like a classic type of DDoS attack, we implemented methods that are based on the origin health to identify and mitigate these types of self-inflicted DDoS attacks.
Makes sense. There's some specifics here on an anatomy of a DDoS attack, in this case on the network level.
There's many things to explore in the blog, but I was also curious on this section, which is more of the merging threats that are coming around.
Any trend here that we should mention? Yeah, I think the main takeaway, because every quarter we see kind of the usual suspects, like an increase in Mirai attacks, the infamous botnet, or Mirai variations.
But every quarter what we see is some kind of a known attack vector, like the CLDAP, the Connectionless Lightweight Directory Access Protocol, which is a variant, a lightweight variant of the Directory Access Protocol, used basically for querying and modifying directories running over IP networks.
But it's over UDP, so it can be used for amplification, and that's the common theme.
So every quarter we see threat actors recycling amplification and reflection types of attacks with the hope of causing some impact.
It can be CLDAP, it can be NTP amplification, SSDP, and so on.
And what this kind of means for organizations is that even if there was a vulnerability, like a zero-day vulnerability, and some server back then, and a patch was shipped, we're still seeing unpatched servers from various protocols, or that serve various protocols that have not been patched on the Internet for very old vulnerabilities.
A legacy approach to that and the appliances is just to have a very long list of signatures, for every kind of known type of attack vector.
And those can be in the thousands, right?
And that's kind of the wrong way to think about this in today's world, because that just is overpruning, overfitting, and also can cause latency.
And instead we have that dynamic fingerprinting method which looks for patterns and then is able to detect attacks in a much more agnostic way.
And then we bucket this by the type of traffic that was mitigated to highlight the top vectors and the emerging vectors as well.
Makes sense. Another thing that typically people want to learn and understand, there's some talk here on the DDoS attack size and duration, but I was curious on the industry level.
You mentioned gaming as one that typically has a lot of DDoS attacks, there's others.
Is there a trend on certain industries or countries being hit more often that we saw in the first quarter of this year that we potentially could give as an example?
Yeah, so we talked about the gaming and gambling for example, they're always in the top 10.
And in the past quarter, in Q1, they jumped up four spaces to the first place, displacing telecommunication service providers and carriers, critical infrastructure, the banking and financial services is also always in the top 10 as well.
And then regarding the most attacked countries, so what we're seeing is China is usually in the top three and the top five, I would say, is usually in for both source and target is usually Asia.
But this quarter, we also saw some leaps for countries outside of Asia, like Turkey that jumped 11 places, making it the second most attacked country in the world in Q1.
Germany also popped up four spaces, making it the number one most attacked country in the world.
But then we still have those regular targets like China, Taiwan, Hong Kong, Indonesia, and so on.
We have a perspective on why this happens, why these countries, even as the source of attacks or the target of those attacks.
Yeah, so, when we look at the source of attacks, it's usually, and I think this is an important clarification before I move on, when we say that a country is being attacked, like Germany here, for example, this doesn't mean that Germany as a country is being attacked, but rather that Cloudflare customers with a billing country of Germany were being attacked the most.
And so we bucket our customers or the attack traffic based on our customers billing address in order to identify the top attack locations.
And this ranking algorithm that we use takes into consideration layer seven attacks, layer three, four attacks, total volume, and also normalized attack activity.
And then for the sources, we look at the client IPs for the source of HTTP attacks.
We resolve that with MaxMind to a country.
And for layer three, four attacks, we actually use the location of the Cloudflare data center where we ingested the attack traffic because in layer three, four, the source IPs can be spoofed.
And so if we were to derive the source country based on the source IP that is spoofed, then we would just have spoofed countries as well.
And because we have points of presence in over 335, I think, locations around the world, we're able to gain that geographical accuracy.
And here we use the same ranking mechanism. And when we say that a country is a source of attack, we don't mean that the country is attacking, but rather it indicates that there are botnet nodes operating from within that country that can be infected IoT devices, cloud computing infrastructure.
It could also mean that there are VPN or proxy endpoints that attackers are using to obfuscate the source of the attacks.
And this is kind of why we have that distribution of attacks. And we see that highly concentrated also mainly in Asia, that could be for a variety of reasons, ranging from, you know, unsecure IoT devices to basically cloud computing infrastructure that is being abused, the VPNs or open SOCKS proxies and stuff like that.
It doesn't mean like the government of those countries is doing something at all.
It doesn't even mean that the attacker is in those countries. It just means that computers that are being used in different forms are in those countries in a sense.
Computers, cameras, anything connected basically that can be used to, that can be hijacked or leveraged for malicious intent.
Exactly.
There's a top source of networks here in terms of DDoS attacks with the German-based Hetzner retaining its position as the largest source of HTTP DDoS attacks.
So these are typically always the same networks, right? Mostly, yeah.
We have the usual suspects here in the top 10. What you can notice from this list is that most of these providers are hosting providers or cloud computing providers, highlighting how this infrastructure is being abused by threat actors to launch more powerful DDoS attacks.
Because based on our calculations, a virtual machine-based botnet is roughly 5,000 times stronger than an IoT-based botnet.
So you need 5,000 times less botnet nodes in order to launch the same attack force.
And it's a real struggle for service providers and hosting providers to crack down on the abuse because like in the case of HTTP attacks, the traffic is encrypted.
And for the hosting provider, for example, it's hard to identify where the attack is coming from, which account, which of their accounts is being abused because it's a needle in a haystack.
But we see the entire attack and we're able to identify those IPs.
And this is why we built a free botnet threat feed for service providers where they can go in, just create a free Cloudflare account, authenticate their network, their ASN, via PeeringDB and start getting threat intel from the Cloudflare network about IP addresses from within their network that we saw participating in DDoS attacks.
We've had over 600 organizations around the world sign up to it, including all the big names you can think of.
And this is our attempt to take the offensive approach as well and to help service providers crack down on the abuse and reduce DDoS activity.
So we're trying to be a good Internet neighbor here as well. Makes sense.
We have on Radar, radar.cloudflare.com, also more details on attacked industries and regions for those who want to explore the different countries in terms of DDoS attacks and select different metrics.
Also for the same, for the attack industries in seeing a different network layer, application layer requests overall in terms of the most attack industries.
So worth mentioning that specifically. Before we go, I was curious if, in terms of having a perspective on the biggest myths about DDoS attacks that are around that we should even mention specifically.
Yeah, so I think, so two things come to mind.
And one myth is that I'm not a lucrative target, so I won't be attacked.
Over the past few years, since the war between Ukraine and Russia, then in the Middle East and the tensions between Taiwan and China and so on and so forth, we've seen unlikely organizations or industries become the target of attacks just because they're on one side of the conflict or another.
So one myth is that I won't be attacked. I'm not that important. I won't be attacked.
I'm not like a government, right? Exactly. I'm not a government. I'm not a bank or something like that.
And it's just not the case anymore. There have been countless headlines covering various types of attacks that targeted various industries ranging from airport website, educational, healthcare, and so on.
That's the first thing.
The second thing is that you can rely on an on-demand service that you activate once you're under attack.
That is, it's just not applicable for the world we live in.
The analogy that I like to give is like a boxing match. So if you are, you know, in a boxing match and you get punched in the face because your guard was down, the impact, the time of impact can be a fraction of the second.
But if it hits you just right, then it's a knockout and they broke your nose and it'll take you a lot longer to recover.
That's the same with DDoS attacks. Like we said, even the largest ones of 6.5 terabit per second or the smallest ones, they can last seconds or minutes.
And even after the attack is over, the trickle effect, the network failures, the application failures can last much longer beyond that short attack.
And this is why our recommendation for organizations is to be prepared, to have a strategy in place, and to leverage an always-on, in-line DDoS defense capability.
I had one here, a quick fire round, a question that I think you already answered a bit, but I'll do it anyway.
Your one-line tip to any business online today.
Form a strategy based on the framework that is appropriate for you. There are various frameworks based on the country you operate in.
Maybe you're regulatorily required to follow some framework or not.
The US National Institute of Standards and Technology has a really good framework for cybersecurity.
So have a strategy implemented, train your teams, and make sure that you know what to do if you come under attack.
Because from our experience, an organization that has those runbooks, mechanisms, strategies in place significantly improves their ability to withstand any type of attack.
Also, most surprising thing from this quarter's report?
Well, I would say the attack against the Cloudflare network. I was really surprised.
We're always being attacked, we're always being tested, but I was surprised to see an 18-day-long campaign of so many attacks that corresponded, or that simultaneously were, there were hosting providers that were also targeted.
So that was a really interesting discovery, because it begs the question of who is behind those attacks, and what is their incentive of trying to take Cloudflare down?
Those were record-breaking in terms of terabits and packets.
Last but not least, can attackers be amateurs, or is it all organized crime now?
So it's never been easier to launch attacks. With the help of generative AI, co-pilots, you name it, you can manipulate those systems to write scripts for you, and to guide you on how to launch attacks.
I've done a few proof-of-concepts with popular engines to show how I can improve and create and improve attack scripts that are more efficient, that create more sophisticated attacks.
So we're really at a point where zero-knowledge threat actors can cause a lot of havoc.
To better be prepared, as you were mentioning, and in the situation we have a great automated tool for that.
This was great. Anything we didn't cover that we should mention here at the end?
No, I think we covered everything, and maybe just to highlight again that the reports on Radar are super useful, because they are interactive.
They let you filter, zoom in, hover, and slice and dice the data in ways that the static blog doesn't allow you to do.
So it's really useful like that if you want to zoom in on a specific region, on a specific industry.
So I encourage viewers to go and have a look.
Makes perfect sense. This was great, Omer. Thank you so much, and hopefully we won't have record-breaking DDoS attacks in the future, but I'm quite sure that won't happen.
Oh well. Thank you, João. And that's a wrap.