Cloudflare records largest DDoS attack at 7.3 Tbps in Q2 2025

Techday NZ, 15-07-2025
Cloudflare's latest DDoS Threat Report for Q2 2025 highlights a year-on-year increase in both the scale and complexity of distributed denial-of-service (DDoS) attacks against online infrastructure.
The report documents a significant rise in the severity of attacks despite a quarter-on-quarter decline in overall volumes.
During the quarter, Cloudflare automatically blocked the largest DDoS attack ever recorded, which peaked at 7.3 terabits per second (Tbps) and 4.8 billion packets per second (Bpps). Over 6,500 hyper-volumetric attacks were mitigated between April and June, averaging 71 per day.
Year-on-year, total DDoS activity was up 44%, and HTTP-based attacks saw a 129% rise compared to Q2 2024. Although the volume of attacks lessened since the unprecedented surge in early 2025, cybercriminals employed larger and more frequent hyper-volumetric assaults. Notably, June accounted for nearly 38% of all observed DDoS activity in the quarter.
Critical targets and sectors
Telecommunications, service providers, and carriers experienced the highest targeting rates during the period, reclaiming their position as the most attacked sector. The report notes that critical infrastructure remains under sustained threat from DDoS campaigns, while industries such as gaming, gambling, and crypto continued to attribute attacks to competitor actions.
Cloudflare emphasised that all incidents detailed in the report were "automatically detected and blocked by our autonomous defenses."
Attack types and patterns
The company mitigated 7.3 million DDoS attacks in Q2 2025, a decrease from 20.5 million in the first quarter.
This decline was attributed to the end of an 18-day campaign against Cloudflare and other protected infrastructure, which alone accounted for a substantial number of attacks earlier in the year. Despite the dip, 2025's year-to-date DDoS events equate to 130% of all attacks recorded in the full year of 2024.
Layer 3 / Layer 4 (L3/4) DDoS attacks fell sharply by 81% quarter-over-quarter to 3.2 million, while HTTP DDoS attacks rose 9% to 4.1 million. Six out of every 100 HTTP DDoS attacks exceeded 1 million requests per second, and five out of every 10,000 L3/4 attacks surpassed 1 Tbps, representing a 1,150% increase from the previous quarter.
Emerging threats evolve
The quarter saw surges in attacks using legacy and lesser-known protocols. Teeworlds flood attacks increased 385% quarter-over-quarter, RIPv1 floods by 296%, RDP floods by 173%, and Demon Bot floods by 149%. A resurgence of VxWorks floods was also observed. These tactics demonstrate attackers' ongoing experimentation to bypass traditional defences.
Of note, the majority (71%) of HTTP DDoS attacks reported in Q2 2025 were launched by known botnets, with Cloudflare's network using real-time threat intelligence to rapidly block criminal infrastructure as it shifts tactics.
Ransom and hyper-volumetric attacks
The percentage of Cloudflare customers reporting ransom DDoS attacks or threats increased by 68% compared to Q1 2025, and by 6% from Q2 2024. Such incidents rose sharply in June, with approximately one third of survey respondents indicating they experienced related threats during the month.
"Small" attacks - those below 500 Mbps - made up 94% of L3/4 events, but Cloudflare cautioned that even these can take typical servers offline if left unprotected. Most DDoS attacks remained short in duration, with the record-breaking 7.3 Tbps burst lasting only 45 seconds. Attackers continue to favour brief, intense traffic spikes to evade detection and overwhelm targets quickly.
Geographic insight
The top 10 most attacked locations shifted, with China, Brazil, and Germany occupying the first three spots. Significant movement was recorded, with Vietnam and Russia jumping fifteen and forty places, respectively, into the top ten. Cloudflare noted that these rankings reflect customer billing locations rather than indicators of direct geopolitical targeting.
The main sources of attack traffic included Indonesia, Singapore, and Hong Kong, while the German-based Drei-K-Tech-GmbH network became the top source of HTTP DDoS attacks for the first time in a year, overtaking Hetzner and DigitalOcean. Cloudflare attributed the strength of many attacks to virtual machine (VM)-based botnets, which the company estimates are 5,000 times more potent than those based on Internet-of-Things devices.
Attack vectors
DNS flood attacks were the leading L3/4 DDoS vector, accounting for almost one third of all attacks, followed by SYN and UDP floods. Cloudflare set out its recommended best practices for mitigating these and other common DDoS vectors for both vulnerable organisations and their upstream service providers.
Collaboration and threat sharing
"To help hosting providers, cloud computing providers and any Internet service providers identify and take down the abusive accounts that launch these attacks, we leverage Cloudflare's unique vantage point to provide a free DDoS Botnet Threat Feed for Service Providers. Over 600 organizations worldwide have already signed up for this feed, and we've already seen great collaboration across the community to take down botnet nodes. This is possible thanks to the threat feed which provides these service providers a list of offending IP addresses from within their ASN that we see launching HTTP DDoS attacks. It's completely free and all it takes is opening a free Cloudflare account, authenticating the ASN via PeeringDB, and then fetching the threat intelligence via API."
Industry perspective
The report reiterates Cloudflare's message that always-on, proactive defences deliver more effective protection than reactive measures. The network's recorded throughput now reportedly reaches 388 Tbps across more than 330 global cities, providing capacity for real-time mitigation of large and complex DDoS events.
Related Articles

Quadruple extortion ransomware rises in Asia Pacific region

Techday NZ, 3 days ago

The Akamai State of the Internet (SOTI) report has identified a shift in ransomware tactics in the Asia Pacific region, with quadruple extortion methods emerging alongside sustained use of double extortion techniques. The report, titled "Ransomware Report 2025: Building Resilience Amid a Volatile Threat Landscape," details how cybercriminals are incorporating an increasingly complex mix of threats and pressure on their victims.
While double extortion ransomware, which involves encrypting a victim's data and threatening public release unless ransoms are paid, remains prevalent, the new quadruple extortion methods now include Distributed Denial of Service (DDoS) attacks and pressure exerted on customers, partners or the media to intensify the coercion.
Steve Winterfeld, Advisory CISO at Akamai, outlined the expanding risk landscape facing organisations. "Ransomware threats today are not just about encryption anymore. Attackers are using stolen data, public exposure, and service outages to increase the pressure on victims. These methods are turning cyberattacks into full-blown business crises, and are forcing companies to rethink how they prepare and respond."
Ransomware accounted for a significant share of total data breaches in Asia Pacific in 2024, with the report warning that organisations must enhance cyberdefence strategies and test resilience capabilities in order to prevent major disruptions.
Regional impacts
According to the report, groups such as LockBit, BlackCat/ALPHV, and CL0P continue to pose major threats in the region, although newcomers Abyss Locker and Akira are growing in prevalence. These syndicates have prioritised critical sectors, with healthcare and legal services identified as primary targets.
High-profile incidents in recent months include the Abyss Locker breach, which resulted in the theft of 1.5TB of sensitive data from Australia's Nursing Home Foundation, and a USD $1.9 million extortion payout by a Singapore-based law firm following an Akira ransomware incident.
Emergence of hybrid actors
The report notes the growing activity from hybrid ransomware activist groups, some of which leverage ransomware-as-a-service (RaaS) to expand operational reach. Groups such as RansomHub, Play, and Anubis have been implicated in attacks on small and medium-sized enterprises, healthcare organisations, and educational institutions across Asia Pacific. Targets include an Australian in vitro fertilisation clinic and several medical practices affected by these syndicates.
Compliance complexity
A key theme highlighted is the increasingly complicated compliance landscape facing affected businesses. In Asia Pacific, uneven regulatory maturity and fragmented data protection laws have enabled cybercriminals to exploit gaps and delays in incident response. The report outlines how non-compliance risks differ significantly, citing Singapore's Personal Data Protection Act (PDPA) – with fines up to 10% of annual revenue – compared to potential criminal penalties in India, and the lack of formal financial penalties in Japan. These variations create a patchwork of obligations that multinational firms must navigate whilst managing the onset of a ransomware crisis.
Zero Trust and defence strategies
The report urges organisations to focus on the adoption of Zero Trust architectures and microsegmentation in order to address the challenges of modern ransomware threats. Case studies include a regional consulting firm in Asia Pacific deploying software-defined microsegmentation, which facilitated restrictive access controls and limited the spread of an attack within its network.
Reuben Koh, Director of Security Technology and Strategy, Asia-Pacific & Japan at Akamai, commented on the regional context and the growing expectations on security teams. "Asia-Pacific's digital economy is one of the fastest growing in the world, largely due to its rapid pace of innovation. However, security teams are being challenged to keep up with a frequently expanding attack surface, and Ransomware attacks tend to target those blind spots. Organisations need to re-assess their security posture and double-down in their efforts to be more cyber resilient. Adopting Zero Trust architectures that are centred around verified access and microsegmentation are a good way to minimise the impact of a ransomware attack. Together with regular recovery drills and incident response simulations, these will become core essentials in improving cyber resilience against attacks like ransomware."
Global trends
On a global scale, the report identifies that the rise of generative artificial intelligence (GenAI) and large language models (LLMs) is accelerating both the frequency and sophistication of ransomware attacks by lowering the technical barriers for attackers. The use of ransomware-as-a-service is also broadening the base of active threat actors, with many campaigns motivated by political or ideological factors as well as financial gain. The research highlights that almost half of the cryptomining attacks analysed targeted nonprofit and educational organisations, indicating resource constraints make these sectors a frequent target. Additionally, the Trickbot malware family, used extensively by ransomware operators, has enabled the extortion of USD $724 million in cryptocurrency from victims globally since 2016.

Cyberattacks reshape modern conflict & highlight resilience needs

Techday NZ, 3 days ago

Recent cyberattacks on infrastructure, government, and healthcare demonstrate the increasing integration of digital tactics in contemporary conflicts.
The digital frontline
Incidents over the past two years highlight a clear shift in the landscape of modern conflict, with the digital realm now playing a significant role. In October 2023, parts of Denmark's railway network were shut down following a coordinated cyberattack, causing train delays nationwide. The following month, hackers disrupted Poland's government document portal at a time of geopolitical tension with Belarus. Early in 2024, a ransomware campaign affected over 100 hospitals in the United States and Europe, resulting in postponed surgeries and diversion of emergency patients. These events underscore a trend where cyberattacks target both public infrastructure and critical services.
Political and military responses to such attacks have so far been limited, partly due to challenges in attribution and the perceived impunity attached to digital operations. The press release notes, "The perceived impunity of the digital realm and challenges of timely attribution make digital warfare an active endeavour of many geopolitical adversaries."
Government responses
Governments worldwide are responding to the changing threat landscape. The United States, European Union, and NATO have increased spending on cyber defence and digital threat-response measures. The UK's National Cyber Force has broadened its recruitment initiatives, while the European Union has introduced new cyber resilience strategies. Even countries with neutral status, such as Switzerland, have begun investing more heavily in cyber intelligence.
Types of attacks
Analysis of recent incidents reveals five prominent categories of cyberattacks poised to have significant impacts in ongoing and future conflicts.
Critical infrastructure attacks
Critical infrastructure encompasses power grids, water systems, and transport networks. These environments often use operational technology (OT) networks that are separated from the internet but still have vulnerabilities. Attackers typically exploit mechanisms such as phishing, infected external drives, or unsecured remote access points to gain entry. In 2024, a group linked to Iran, called CyberAv3ngers, breached several US water utilities by targeting internet-connected control systems, raising risks of water contamination. The FBI confirmed a combination of credential theft and unpatched devices were used in these attacks.
DDoS attacks
Distributed Denial-of-Service (DDoS) attacks deploy networks of compromised devices to overwhelm targeted websites or services, making them inaccessible. Recently, DDoS campaigns caused outages across the Baltic region, affecting government services and private sector industries. An incident in early 2025 targeted multiple industries in Lithuania, illustrating the scale and political motivation behind such attacks.
DNS poisoning
DNS poisoning manipulates the Domain Name System to divert users from legitimate websites to malicious copies, potentially enabling espionage, service disruption, or data theft. A Google security report in March 2024 confirmed DNS cache poisoning remains a risk, even with advanced defences in place. DNS poisoning has broader implications, potentially disrupting access to critical information or services for entire populations during periods of heightened tension.
Ransomware campaigns
Ransomware attacks enable criminals to encrypt sensitive files and demand payments for decryption or to prevent the leak of stolen data. In May 2024, Ascension Health in the United States experienced such an attack, affecting 5.6 million patients, disrupting medical procedures, and forcing staff to use manual record-keeping processes. The event highlighted the risks to patient safety and service continuity in healthcare systems during digital attacks.
Telecom infrastructure compromise
Telecommunications providers are increasingly targeted due to the sensitive nature of the data they handle. In 2024, a group identified as Salt Typhoon, linked to China, exploited vulnerabilities in core networking equipment at major US and Canadian telecom providers. These breaches allowed the attackers to access metadata and unencrypted communications, particularly targeting political and law enforcement communications.
The cyber war has arrived, long before there are boots on the ground there are keys on keyboards. The tactics that are shaping it are already here, unfolding across civilian systems, critical infrastructure, and the devices we rely on every day. These aren't hypothetical "future threats", they're warning shots, stress tests, and rehearsals.
Strengthening resilience
According to the press release, resilience at an individual level can help reduce exposure to these types of attacks. "Resilience for individuals starts with the basics: phishing awareness, strong password practices, regular software updates, and healthy scepticism online. These are simple but powerful habits that reduce exposure to the kinds of attacks already shaping the digital battleground."
Organisations are advised against bespoke security models, with tried and tested frameworks such as NIST CSF, OWASP SAMM, and ISO standards cited as effective guides for structuring improvement. The statement continues, "Like any quality control system it is all about analysis of the situation and iterative improvements. Things evolve slowly until they happen all at once."
"For cybersecurity professionals, policymakers, and everyday users alike, the takeaway is not panic, but preparation. Building digital resilience isn't just a job for governments or big tech. It affects all of us. It's also about awareness, good hygiene, and knowing how attacks work before they happen."

DDoS attacks hit new peak with over 250 billion requests in major June surge

Techday NZ, 23-07-2025

Fastly's latest DDoS Weather Report for June 2025 has detailed a surge in sophisticated attacks, including a coordinated event targeting a major high technology provider with over 250 billion malicious requests. The company's findings are based on telemetry from its global edge network, which handles up to 427 Terabits per second of traffic and 1.8 trillion requests each day. Fastly's systems detected trillions of attempted distributed denial-of-service (DDoS) attacks at network layers 3 and 4, but new trends point to more elusive and dangerous application-layer (layer 7) attacks.
According to the June report, the scale and duration of attacks hit new highs, with Fastly observing nearly two attacks per minute on average throughout the month. The month's figures were heavily skewed by two days of unprecedented activity on 6 and 7 June, which saw attack volumes twenty times greater than any other day in 2025.
Major incident details
On these two days, attackers focused their efforts on a single large enterprise customer in the high technology sector. Fastly reports that "over the course of just two days, bad actors launched two separate attacks reaching a cumulative 250+ billion requests." The initial attack started at 10 pm local time and lasted for over four hours, peaking at 1.6 million requests per second. The attack originated from numerous countries, including Germany, China, the United States, India, and especially the Netherlands. Fastly's systems identified and contained the attack within seconds, using identifiers such as hostname and TLS details to differentiate malicious from legitimate traffic. The first wave concluded at around 2:15 am, but less than thirty minutes later, a second barrage began and persisted for 19 more hours, peaking even higher at 1.7 million requests per second.
Describing the attack pattern, the report states, "Bringing data from both attacks together reveals that while the majority of the traffic came from the Netherlands, the United States, Germany, and Indonesia, each of the rules automatically created to mitigate the attack featured one additional country (France, China, or the United Kingdom). This appears to be a concerted effort by the attacker to hide their tracks." Despite the massive scale, Fastly confirmed that "the customer experienced no downtime or latency impacts and our proprietary Attribute Unmasking technology still honed in on their attack characteristics."
Broader trends
Overall, Fastly counted 77,451 individual DDoS "events" in June, which is just eight fewer than the previous month. The company notes that "if we were to evenly distribute events in June, we'd have seen almost two attacks every minute." The report also highlights that while enterprises accounted for the largest volume of attack traffic due to the major incident, the majority of attack "events" targeted small and medium businesses, particularly those in the media and entertainment sector. Fastly's analysis suggests this industry remains a frequent target, "possibly because this industry is the most likely to gain the unwanted attention of attackers who disagree with content published on their sites."
Mitigation strategies
Fastly reviewed how its DDoS Protection rules were triggered, noting consistent patterns in the use of IP address and geolocation across recent months – with geolocation included in 67% of rules in May. The June report shifted focus to the use of JA4 signatures, a type of TLS client fingerprint. "While it isn't uncommon for JA4s to be shared amongst completely legitimate requests, when combined with other parameters, they create an effective lens through which we can identify an attacker," the report explained. Notably, one JA4 signature featured in 17% of all rules for June.
Analysis found this was linked to a botnet with significant distribution and a focus on customers in European news agencies and hyper-regional platforms. Based on its activity, Fastly referred to the likely perpetrator as the "Byline Banshee," explaining that "their attacks have been quite noisy, just as the wailing spirit the name comes from. We'll keep an eye on whether the Byline Banshee makes a resurgence in future months!"
Actionable guidance
"It's important to note that this report only represents one month of data and should be used with first-party insights from your observability tools and longer-term research to create a comprehensive view. However, from this data alone, there are a few key learnings you can integrate into your existing security efforts:
Ensure your defence is robust enough to handle application DDoS attacks at the scale of 1 billion+ RPS. While in the past we've seen attacks of this size target the largest Enterprise customers on our platform, June's attack on an organisation of Commercial size makes it clear that just because those organisations make less revenue, they're no less likely to receive the unwanted attention of attackers.
Consider leveraging signatures like JA4 to identify attackers (or leveraging products like Fastly DDoS Protection that automatically incorporate them in rules). While not a novel concept, this provides yet another lens to look at attacks through and accurately separate the traffic without impacting legitimate users.
Be mindful of how you're leveraging geo-based decisioning if you're still manually creating rules or rate limits (or shift to automatic rule creation). As seen in the Byline Banshee's attacks this month, the vast majority of traffic came from countries that don't fit the nation-state definition.
Automatically mitigate disruptive and distributed attacks."
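The Fastly passage above makes one point worth seeing in code: a JA4 fingerprint is shared by many legitimate clients, so a rule should key on the fingerprint combined with another attribute (here, source country and target hostname), not on the fingerprint alone. The following is an added toy implementation of that idea, written for this page and not Fastly's or Cloudflare's code; the hostnames, country mix and the `ja4_placeholder_*` strings are all constructed and are not real fingerprints.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Request(NamedTuple):
    host: str      # requested hostname (SNI / Host header)
    country: str   # source geolocation, ISO country code
    ja4: str       # JA4 TLS client fingerprint


# Constructed sample traffic, compressed as "count host country ja4" lines.
# One JA4 ("A") is used both by a flood against news.example.test from NL
# and by ordinary, evenly spread traffic to shop.example.test.
CONSTRUCTED_TRAFFIC = """\
40 news.example.test NL ja4_placeholder_A
5 news.example.test US ja4_placeholder_A
10 news.example.test NL ja4_placeholder_B
4 shop.example.test DE ja4_placeholder_A
4 shop.example.test FR ja4_placeholder_A
4 shop.example.test GB ja4_placeholder_A
4 shop.example.test US ja4_placeholder_A
4 shop.example.test NL ja4_placeholder_A
"""

Rule = Tuple[str, str, str]  # (host, ja4, country)


def expand_traffic(spec: str) -> List[Request]:
    """Turn the compressed spec into one Request per logged request."""
    requests: List[Request] = []
    for line in spec.splitlines():
        if not line.strip():
            continue
        count, host, country, ja4 = line.split()
        requests.extend([Request(host, country, ja4)] * int(count))
    return requests


def propose_rules(requests: List[Request], min_share: float = 0.5,
                  min_requests: int = 20) -> List[Rule]:
    """
    Propose mitigation rules as (host, ja4, country) triples.

    A rule is created only when a single (ja4, country) pair carries at
    least min_share of one host's requests and at least min_requests in
    absolute terms. The JA4 is never judged on its own, so a fingerprint
    shared by legitimate clients elsewhere is not blocked globally.
    """
    per_host: Dict[str, Counter] = defaultdict(Counter)
    for r in requests:
        per_host[r.host][(r.ja4, r.country)] += 1
    rules: List[Rule] = []
    for host, pairs in per_host.items():
        total = sum(pairs.values())
        for (ja4, country), n in pairs.items():
            if n >= min_requests and n / total >= min_share:
                rules.append((host, ja4, country))
    return sorted(rules)


def should_block(rules: List[Rule], req: Request) -> bool:
    """Apply the rules to one request: match on the full triple only."""
    return (req.host, req.ja4, req.country) in set(rules)


if __name__ == "__main__":
    traffic = expand_traffic(CONSTRUCTED_TRAFFIC)
    for rule in propose_rules(traffic):
        print("block host=%s ja4=%s country=%s" % rule)
```

Running it proposes a single rule for the NL flood against news.example.test, while the same JA4 on shop.example.test and the small US share of the flood stay unblocked.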
