
Cloudflare said Tuesday it mitigated 7.3 million distributed denial-of-service (DDoS) attacks in the second quarter of 2025, a significant drop from the 20 million DDoS attacks it mitigated in the previous quarter.
“Overall, the second quarter of 2025 saw a surge in ultra-volume DDoS attacks,” said Omer Yoachimik and Jorge Pacheco. “Cloudflare blocked over 6,500 ultra-volume DDoS attacks, an average of 71 per day.”
In the first quarter of 2025, the company said an 18-day sustained campaign against its own and other critical infrastructure protected by Cloudflare was responsible for 13.5 million of the attacks observed over the period. Cumulatively, Cloudflare has blocked nearly 28 million DDoS attacks, exceeding the number of attacks it mitigated throughout 2024.

Notable among the second-quarter 2025 attacks is a massive DDoS attack that peaked at 7.3 terabits per second (Tbps) and 4.8 billion packets per second (Bpps) within 45 seconds.
While these large traffic spikes make headlines, what is often overlooked is how attackers combine them with smaller, targeted probes. Instead of simply overwhelming systems with brute force, they mix large floods with quiet scans to find weak spots and slip past defenses built to block only the obvious.
Layer 3/Layer 4 (L3/4) DDoS attacks fell by 81% quarter-over-quarter to 3.2 million, while HTTP DDoS attacks increased by 9% to 4.1 million. Over 70% of HTTP DDoS attacks came from known botnets. The most common L3/4 attack vectors were flood attacks carried out via the DNS, TCP SYN, and UDP protocols.
Communications service providers and carriers were the most targeted, followed by the Internet, IT services, gaming and gambling sectors.
China, Brazil, Germany, India, South Korea, Turkey, Hong Kong, Vietnam, Russia and Azerbaijan emerged as the most attacked locations based on the claims of Cloudflare customers. Indonesia, Singapore, Hong Kong, Argentina and Ukraine were the top five sources of DDoS attacks.
The web infrastructure and security company also revealed that the number of ultra-volume DDoS attacks exceeding 100 million packets per second (pps) increased by 592% compared to the previous quarter.
Another important aspect is the 68% increase in ransom DDoS attacks. These occur when a malicious actor tries to extort money from an organization by threatening it with a DDoS attack. They also include scenarios in which the attack is carried out and a ransom is demanded to prevent it from happening again.
“The majority of DDoS attacks are small, but the size and frequency of ultra-volume DDoS attacks are increasing,” Cloudflare said. “Six of 100 HTTP DDoS attacks exceed 1M rps and five of 10,000 L3/4 DDoS attacks exceed 1 Tbps, a QoQ increase of 1,150%.”

The company has also drawn attention to a botnet variant called DemonBot that infects Linux-based systems, primarily unsecured IoT devices, via open ports or weak credentials, enlisting them in a DDoS botnet that can run UDP, TCP and application-layer floods.
“Attacks are usually command-and-control (C2) driven, and can often target games, hosting or enterprise services to generate a significant volume of traffic,” it added. “Use antivirus software and domain filtering to avoid infection.”
Infection vectors such as those exploited by DemonBot highlight the broader challenges of unsecured IoT exposure, weak SSH credentials, and outdated firmware. Related attack strategies such as TCP reflection, DNS amplification, and burst-layer evasion are increasingly discussed in Cloudflare’s application-layer threat reporting and API security breakdowns.