{
	"id": "e96e5901-88f0-4ffb-8b27-83122c85f933",
	"created_at": "2026-04-06T00:18:29.270951Z",
	"updated_at": "2026-04-10T13:12:43.919211Z",
	"deleted_at": null,
	"sha1_hash": "750f3cfc1a649b860c16b6cdd326685b410dc45f",
	"title": "2025 Q4 DDoS threat report: A record-setting 31.4 Tbps attack caps a year of massive DDoS assaults",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2772492,
	"plain_text": "2025 Q4 DDoS threat report: A record-setting 31.4 Tbps attack\r\ncaps a year of massive DDoS assaults\r\nBy Omer Yoachimik, Jorge Pacheco, Cloudforce One\r\nPublished: 2026-02-05 · Archived: 2026-04-05 15:03:05 UTC\r\nWelcome to the 24th edition of Cloudflare’s Quarterly DDoS Threat Report. In this report, Cloudforce One offers\r\na comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based\r\non data from the Cloudflare network. In this edition, we focus on the fourth quarter of 2025, as well as share\r\noverall 2025 data.\r\nThe fourth quarter of 2025 was characterized by an unprecedented bombardment launched by the Aisuru-Kimwolf\r\nbotnet, dubbed “The Night Before Christmas” DDoS attack campaign. The campaign targeted Cloudflare\r\ncustomers as well as Cloudflare’s dashboard and infrastructure with hyper-volumetric HTTP DDoS attacks\r\nexceeding rates of 200 million requests per second (rps), just weeks after a record-breaking 31.4 Terabits per\r\nsecond (Tbps) attack.\r\nKey insights\r\nhttps://blog.cloudflare.com/ddos-threat-report-2025-q4/\r\nPage 1 of 11\n\n1. DDoS attacks surged by 121% in 2025, reaching an average of 5,376 attacks automatically mitigated every\r\nhour.\r\n2. In the final quarter of 2025, Hong Kong jumped 12 places, making it the second most DDoS’d place on\r\nearth. The United Kingdom also leapt by an astonishing 36 places, making it the sixth most-attacked place.\r\n3. Infected Android TVs — part of the Aisuru-Kimwolf botnet — bombarded Cloudflare’s network with\r\nhyper-volumetric HTTP DDoS attacks, while Telcos emerged as the most-attacked industry.\r\n2025 saw a huge spike in DDoS attacks\r\nIn 2025, the total number of DDoS attacks more than doubled to an incredible 47.1 million. 
Such attacks have\r\nsoared in recent years: The number of DDoS attacks spiked 236% between 2023 and 2025.\r\nIn 2025, Cloudflare mitigated an average of 5,376 DDoS attacks every hour — of these, 3,925 were network-layer\r\nDDoS attacks and 1,451 were HTTP DDoS attacks. \r\nNetwork-layer DDoS attacks more than tripled in 2025\r\nThe most substantial growth was in network-layer DDoS attacks, which more than tripled year over year.\r\nCloudflare mitigated 34.4 million network-layer DDoS attacks in 2025, compared to 11.4 million in 2024.\r\nA substantial portion of the network-layer attacks — approximately 13.5 million — targeted global Internet\r\ninfrastructure protected by Cloudflare Magic Transit and Cloudflare’s infrastructure directly, as part of an 18-day\r\nDDoS campaign in the first quarter of 2025. Of these attacks, 6.9 million targeted Magic Transit customers while\r\nthe remaining 6.6 million targeted Cloudflare directly. \r\nThis assault was a multi-vector DDoS campaign comprising SYN flood attacks, Mirai-generated DDoS attacks,\r\nand SSDP amplification attacks to name a few. Our systems detected and mitigated these attacks automatically. In\r\nfact, we only discovered the campaign while preparing our DDoS threat report for 2025 Q1 — an example of how\r\neffective Cloudflare’s DDoS mitigation is!\r\nIn the final quarter of 2025, the number of DDoS attacks grew by 31% over the previous quarter and 58% over\r\n2024. Network-layer DDoS attacks fueled that growth. In 2025 Q4, network-layer DDoS attacks accounted for\r\n78% of all DDoS attacks. The number of HTTP DDoS attacks remained the same, but the attacks surged in size to rates\r\nthat we haven’t seen since the HTTP/2 Rapid Reset DDoS campaign in 2023. These recent surges were launched\r\nby the Aisuru-Kimwolf botnet, which we will cover in the next section. 
\r\n“The Night Before Christmas” DDoS campaign\r\nOn Friday, December 19, 2025, the Aisuru-Kimwolf botnet began bombarding Cloudflare infrastructure and\r\nCloudflare customers with hyper-volumetric DDoS attacks. What was new in this campaign was its size: The\r\nbotnet used hyper-volumetric HTTP DDoS attacks exceeding rates of 20 million requests per second (Mrps).\r\nThe Aisuru-Kimwolf botnet is a massive collection of malware-infected devices, primarily Android TVs. The\r\nbotnet comprises an estimated 1-4 million infected hosts. It is capable of launching DDoS attacks that can cripple\r\ncritical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity\r\nof entire nations.\r\nThroughout the campaign, Cloudflare’s autonomous DDoS defense systems detected and mitigated all of the\r\nattacks: 384 packet-intensive attacks, 329 bit-intensive attacks, and 189 request-intensive attacks, for a total of\r\n902 hyper-volumetric DDoS attacks, averaging 53 attacks a day.\r\nThe average sizes of the hyper-volumetric DDoS attacks during the campaign were 3 Bpps, 4 Tbps, and 54 Mrps.\r\nThe maximum rates recorded during the campaign were 9 Bpps, 24 Tbps, and 205 Mrps.\r\nTo put that in context, the scale of a 205 Mrps DDoS attack is comparable to the combined populations of the UK,\r\nGermany, and Spain all simultaneously typing a website address and then hitting ‘enter’ at the same second.\r\nWhile highly dramatic, The Night Before Christmas campaign accounted for only a small portion of the hyper-volumetric DDoS attacks we saw throughout the year.\r\nHyper-volumetric DDoS attacks\r\nThroughout 2025, Cloudflare observed a continuous increase in hyper-volumetric DDoS attacks. 
In 2025 Q4,\r\nhyper-volumetric attacks increased by 40% compared to the previous quarter.\r\nAs the number of attacks increased over the course of 2025, the size of the attacks increased as well, growing by\r\nover 700% compared to the large attacks seen in late 2024, with one reaching 31.4 Tbps in a DDoS attack that\r\nlasted just 35 seconds. The graph below portrays the rapid growth in DDoS attack sizes as seen and blocked by\r\nCloudflare — each one a world record, i.e. the largest ever disclosed publicly by any company at the time.\r\nLike all of the other attacks, the 31.4 Tbps DDoS attack was detected and mitigated automatically by Cloudflare’s\r\nautonomous DDoS defense, which was able to adapt and quickly lock on to botnets such as Aisuru-Kimwolf.\r\nMost of the hyper-volumetric DDoS attacks targeted Cloudflare customers in the Telecommunications, Service\r\nProviders and Carriers industry. Cloudflare customers in the Gaming industry and customers providing Generative\r\nAI services were also heavily targeted. Lastly, Cloudflare’s own infrastructure was targeted by multiple\r\nattack vectors such as HTTP floods, DNS attacks and UDP floods.\r\nMost-attacked industries\r\nWhen analyzing DDoS attacks of all sizes, the Telecommunications, Service Providers and Carriers industry was\r\nalso the most targeted. Previously, the Information Technology \u0026 Services industry held that unlucky title.\r\nThe Gambling \u0026 Casinos and Gaming industries ranked third and fourth, respectively. The quarter’s biggest\r\nchanges in the top 10 were the Computer Software and Business Services industries, which both climbed several\r\nspots. 
\r\nThe most-attacked industries are defined by their role as critical infrastructure, a central backbone for other\r\nbusinesses, or their immediate, high-stakes financial sensitivity to service interruption and latency.\r\nMost-attacked locations\r\nThe DDoS landscape saw both predictable stability and dramatic shifts among the world's most-attacked locations.\r\nTargets like China, Germany, Brazil, and the United States were the top five, demonstrating persistent appeal for\r\nattackers. \r\nHong Kong made a significant move, jumping twelve spots to land at number two. However, the bigger story was\r\nthe meteoric rise of the United Kingdom, which surged an astonishing 36 places this quarter, making it the sixth\r\nmost-attacked location.  \r\nVietnam held its place as the seventh most-attacked location, followed by Azerbaijan in eighth, India in ninth, and\r\nSingapore as number ten.\r\nTop attack sources\r\nBangladesh dethroned Indonesia as the largest source of DDoS attacks in the fourth quarter of 2025. Indonesia\r\ndropped to the third spot, after spending a year as the top source of DDoS attacks. Ecuador also jumped two spots,\r\nmaking it the second-largest source.\r\nNotably, Argentina soared an incredible twenty places, making it the fourth-largest source of DDoS attacks. Hong\r\nKong rose three places, taking fifth place. Ukraine came in sixth place, followed by Vietnam, Taiwan, Singapore,\r\nand Peru.\r\nTop source networks\r\nThe top 10 list of attack source networks reads like a list of Internet giants, revealing a fascinating story about the\r\nanatomy of modern DDoS attacks. The common thread is clear: Threat actors are leveraging the world's most\r\naccessible and powerful network infrastructure — primarily large, public-facing services. 
\r\nWe see most DDoS attacks coming from IP addresses associated with Cloud Computing Platforms and Cloud\r\nInfrastructure Providers, including DigitalOcean (AS 14061), Microsoft (AS 8075), Tencent (AS 132203), Oracle\r\n(AS 31898), and Hetzner (AS 24940). This demonstrates the strong link between easily-provisioned virtual\r\nmachines and high-volume attacks. These cloud sources, heavily concentrated in the United States, are closely\r\nfollowed by a significant presence of attacks coming from IP addresses associated with traditional\r\nTelecommunications Providers (Telcos). These Telcos, primarily from the Asia-Pacific region (including Vietnam,\r\nChina, Malaysia, and Taiwan), round out the rest of the top 10.\r\nThis geographic and organizational diversity confirms a two-pronged attack reality: While the sheer scale of the\r\nhighest-ranking sources often originates from global cloud hubs, the problem is truly worldwide, routed through\r\nthe Internet's most critical pathways from across the globe. In many DDoS attacks, we see thousands of various\r\nsource ASNs, highlighting the truly global distribution of botnet nodes.\r\nTo help hosting providers, cloud computing platforms and Internet service providers identify and take down the\r\nabusive IP addresses/accounts that launch these attacks, we leverage Cloudflare’s unique vantage point on DDoS\r\nattacks to provide a free DDoS Botnet Threat Feed for Service Providers. \r\nOver 800 networks worldwide have signed up for this feed, and we’ve already seen great collaboration across the\r\ncommunity to take down botnet nodes.\r\nHelping defend the Internet\r\nDDoS attacks are rapidly growing in sophistication and size, surpassing what was previously imaginable. This\r\nevolving threat landscape presents a significant challenge for many organizations to keep pace. 
Organizations\r\ncurrently relying on on-premise mitigation appliances or on-demand scrubbing centers may benefit from re-evaluating their defense strategy.\r\nCloudflare is dedicated to offering free, unmetered DDoS protection to all its customers, regardless of the size,\r\nduration, or volume of attacks, leveraging its vast global network and autonomous DDoS mitigation systems.\r\nAbout Cloudforce One\r\nDriven by a mission to help defend the Internet, Cloudforce One leverages telemetry from Cloudflare’s global\r\nnetwork — which protects approximately 20% of the web — to drive threat research and operational response,\r\nprotecting critical systems for millions of organizations worldwide.\r\nSource: https://blog.cloudflare.com/ddos-threat-report-2025-q4/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cloudflare.com/ddos-threat-report-2025-q4/"
	],
	"report_names": [
		"ddos-threat-report-2025-q4"
	],
	"threat_actors": [],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/750f3cfc1a649b860c16b6cdd326685b410dc45f.pdf",
		"text": "https://archive.orkl.eu/750f3cfc1a649b860c16b6cdd326685b410dc45f.txt",
		"img": "https://archive.orkl.eu/750f3cfc1a649b860c16b6cdd326685b410dc45f.jpg"
	}
}