Around mid-May 2025, Cloudflare neutralized 7.3 million DDoS events, down from Q1’s 20.5 million, which included a sustained 18-day barrage. Despite the volume drop, attack intensity surged: over 6,500 hyper-volumetric incidents exceeding 1 Tbps or 1 Bpps were intercepted, with a peak of 7.3 Tbps and 4.8 Bpps delivered in just 45 seconds, flooding targets with 37.4 TB of traffic.
The event, directed at a hosting provider via Magic Transit, originated from 122,000+ IPs across 5,400+ ASNs spanning 161 nations. Nearly all payloads were UDP floods, though TCP-based SYNs, DNS amplification, portmap, RIPv1, and NTP reflection vectors were also observed.
Application-layer (L7) DDoS activity rose 74%, targeting financial services, while L3/L4 volumes dropped 81% to 3.2M. HTTP DDoS attacks increased 9%, hitting 4.1M, with 70% driven by botnets. Six percent of HTTP-based attacks exceeded 1M RPS, and 5 in 10,000 L3/L4 incidents surpassed 1 Tbps, a 1,150% QoQ spike.
Ransom-themed DDoS ops surged roughly 68%, overlapping with a steep rise in botnet size. One particular cluster, likely DemonBot-linked, was observed coordinating traffic across an estimated 4.6 million infected endpoints. That scale eclipses anything seen the previous year by a wide margin. Entry points weren’t novel: unsecured SSH, default creds, and exposed ports, mostly on under-maintained Linux-based IoT devices, provided easy footholds. Once enlisted, these nodes pumped out UDP and TCP floods at volume, with some layering in higher-level payloads for added throughput variance.
Affected verticals skewed toward telecom ops, L3 transit providers, MSPs, and gaming networks. Geo-mapping of impact zones pointed heavily to China, Brazil, India, and parts of Western Europe. Distribution didn’t follow legacy targeting patterns; the spread suggested opportunistic infrastructure-level disruptions, not purely industry-specific campaigns. Meanwhile, offensive traffic, based on origination metrics, was traced back to sources in Southeast Asia, including Indonesia and Singapore, as well as Ukraine.
Cloudflare’s 388 Tbps global mesh autonomously mitigated attacks across 477 nodes, reinforcing that reactive defense is obsolete. Given AI-fueled tooling, IoT expansion, and geopolitical volatility, organizations must deploy always-on, scalable mitigation platforms.
DDoS is no longer noise; it’s a persistent, strategic risk demanding real-time resilience baked into enterprise infrastructure.