2025 Q4 DDoS threat report: A record-setting 31.4 Tbps attack caps a year of massive DDoS assaults

Omer Yoachimik
9 min readadvanced
--
View Original

Overview

Cloudflare's 24th quarterly DDoS threat report reveals that DDoS attacks surged 121% in 2025, totaling 47.1 million attacks. The quarter was marked by a record-breaking 31.4 Tbps attack and the Aisuru-Kimwolf botnet's 'Night Before Christmas' campaign that launched hyper-volumetric HTTP DDoS attacks exceeding 200 million requests per second using infected Android TVs.

What You'll Learn

1

How DDoS attack volumes and sophistication evolved throughout 2025 with a 121% year-over-year surge

2

Why infected IoT devices like Android TVs pose a critical threat as botnet infrastructure capable of launching hyper-volumetric attacks

3

How the Aisuru-Kimwolf botnet orchestrated the 'Night Before Christmas' campaign with attacks exceeding 200 million requests per second

4

Which industries and geographic locations are most targeted by DDoS attacks and why

5

Why organizations should re-evaluate on-premise DDoS mitigation strategies in favor of cloud-based autonomous defense systems

Prerequisites & Requirements

  • Basic understanding of DDoS attacks and how they disrupt services
  • Familiarity with network-layer vs. application-layer (HTTP) attack concepts(optional)
  • Understanding of network measurement units (Tbps, Mrps, Bpps)(optional)

Key Questions Answered

How much did DDoS attacks increase in 2025 compared to previous years?
DDoS attacks more than doubled in 2025 to 47.1 million total, representing a 121% year-over-year surge. Between 2023 and 2025, DDoS attacks spiked 236%. Cloudflare mitigated an average of 5,376 attacks every hour, with 3,925 being network-layer attacks and 1,451 being HTTP DDoS attacks.
What was the largest DDoS attack ever recorded in 2025?
The largest DDoS attack recorded was 31.4 Tbps, lasting just 35 seconds. This represented a 700% growth compared to large attacks seen in late 2024. The attack was detected and mitigated automatically by Cloudflare's autonomous DDoS defense systems, making it the largest publicly disclosed DDoS attack by any company at the time.
What is the Aisuru-Kimwolf botnet and how does it launch DDoS attacks?
The Aisuru-Kimwolf botnet is a massive collection of malware-infected devices, primarily Android TVs, comprising an estimated 1-4 million infected hosts. It launched the 'Night Before Christmas' campaign on December 19, 2025, with hyper-volumetric HTTP DDoS attacks exceeding 20 million requests per second, targeting Cloudflare infrastructure and customers with 902 total hyper-volumetric attacks averaging 53 per day.
Which industries were most targeted by DDoS attacks in Q4 2025?
The Telecommunications, Service Providers and Carriers industry was the most targeted, dethroning the previously top-ranked Information Technology & Services industry. Gambling & Casinos ranked third, Gaming fourth, and both Computer Software and Business Services climbed several spots into the top 10. These industries are targeted due to their role as critical infrastructure and financial sensitivity to service interruption.
Where do most DDoS attacks originate from geographically?
Bangladesh dethroned Indonesia as the largest source of DDoS attacks in Q4 2025, with Ecuador jumping to second and Indonesia dropping to third. Argentina surged 20 places to fourth. At the network level, attacks originated primarily from cloud platforms like DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner, alongside telecommunications providers in the Asia-Pacific region.
Which countries were most targeted by DDoS attacks in Q4 2025?
China, Germany, Brazil, and the United States remained persistent top targets. Hong Kong jumped 12 spots to become the second most-attacked location, while the United Kingdom surged an astonishing 36 places to become the sixth most-attacked location. Vietnam held seventh, Azerbaijan eighth, India ninth, and Singapore tenth.
How large were the hyper-volumetric attacks during the Night Before Christmas campaign?
The average size of hyper-volumetric attacks during the campaign was 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps). Maximum rates reached 9 Bpps, 24 Tbps, and 205 Mrps. A 205 Mrps attack is comparable to the combined populations of the UK, Germany, and Spain simultaneously accessing a website at the same second.
Why are cloud computing platforms major sources of DDoS attacks?
Cloud platforms like DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner are top DDoS sources because threat actors leverage easily-provisioned virtual machines to generate high-volume attacks. This demonstrates a two-pronged attack reality: the highest-ranking sources originate from global cloud hubs, while additional attacks are routed through telecommunications providers primarily in the Asia-Pacific region.

Key Statistics & Figures

Total DDoS attacks in 2025
47.1 million
More than doubled from previous year, 121% increase
DDoS attack growth 2023-2025
236%
Spike in total DDoS attacks over two years
Average DDoS attacks mitigated per hour
5,376
3,925 network-layer and 1,451 HTTP DDoS attacks per hour in 2025
Largest DDoS attack recorded
31.4 Tbps
Lasted 35 seconds; largest ever publicly disclosed
Network-layer DDoS attacks in 2025
34.4 million
More than tripled from 11.4 million in 2024
DDoS attack size growth
700%
Compared to large attacks seen in late 2024
Aisuru-Kimwolf botnet estimated size
1-4 million infected hosts
Primarily Android TVs
Night Before Christmas campaign total attacks
902 hyper-volumetric DDoS attacks
384 packet-intensive, 329 bit-intensive, 189 request-intensive; averaging 53 attacks per day
Maximum HTTP DDoS attack rate
205 million requests per second
Peak rate during Night Before Christmas campaign
Maximum bandwidth attack rate
24 Tbps
Peak rate during Night Before Christmas campaign
Maximum packet rate
9 Bpps
billion packets per second
Average campaign attack sizes
3 Bpps, 4 Tbps, 54 Mrps
Average rates during Night Before Christmas campaign
Q1 2025 campaign network-layer attacks
~13.5 million
18-day campaign; 6.9M targeting Magic Transit customers, 6.6M targeting Cloudflare directly
Q4 DDoS attack growth over previous quarter
31%
Quarter-over-quarter increase in Q4 2025
Q4 DDoS attack growth over 2024
58%
Year-over-year increase in Q4 2025
Hyper-volumetric attack growth in Q4
40%
Compared to previous quarter
Network-layer attack share in Q4 2025
78%
Percentage of all DDoS attacks in Q4 2025
Botnet Threat Feed subscribers
800+ networks
Worldwide networks using Cloudflare's free DDoS Botnet Threat Feed
Cloudflare web protection coverage
~20% of the web
Approximate share of web traffic protected by Cloudflare's global network
UK ranking jump in most-attacked locations
36 places
Rose to 6th most-attacked location in Q4 2025
Hong Kong ranking jump
12 places
Became 2nd most DDoS-attacked location in Q4 2025

Technologies & Tools

Network Security
Cloudflare Magic Transit
Protects global Internet infrastructure from network-layer DDoS attacks
Security Automation
Cloudflare Autonomous Ddos Defense
Automatically detects and mitigates DDoS attacks without human intervention
Threat Intelligence
Ddos Botnet Threat Feed
Free feed for service providers to identify and take down abusive IP addresses launching DDoS attacks
Threat Research
Cloudforce One
Cloudflare's threat intelligence team that analyzes DDoS threat landscape using global network telemetry
Protocol
HTTP/2
Referenced in context of HTTP/2 Rapid Reset DDoS attack campaign from 2023

Key Actionable Insights

1
Re-evaluate on-premise DDoS mitigation strategies immediately. DDoS attacks grew 700% in size during 2025, with the record attack reaching 31.4 Tbps. On-premise appliances and on-demand scrubbing centers are increasingly inadequate against hyper-volumetric attacks of this magnitude.
The Aisuru-Kimwolf botnet alone launched 902 hyper-volumetric attacks in a 17-day period, averaging 53 per day, demonstrating that modern attacks require always-on, autonomous cloud-based mitigation.
2
Implement IoT device security policies to prevent devices from being recruited into botnets. The Aisuru-Kimwolf botnet comprises 1-4 million infected Android TVs, showing that consumer IoT devices are being weaponized at scale to launch attacks exceeding 200 million requests per second.
Organizations should audit and segment IoT devices on their networks, apply firmware updates, and monitor for unusual outbound traffic patterns that could indicate botnet participation.
3
Telecommunications and gaming companies should prioritize DDoS defense investment as the most targeted industries. Telcos emerged as the number one target in Q4 2025, surpassing IT services, while Gaming and Generative AI services were also heavily targeted by hyper-volumetric attacks.
These industries are targeted due to their role as critical infrastructure and the immediate financial impact of service interruptions on their business models.
4
Leverage threat intelligence feeds like Cloudflare's free DDoS Botnet Threat Feed to proactively identify and block abusive IP addresses. Over 800 networks worldwide already use this feed to collaboratively take down botnet nodes before attacks escalate.
Hosting providers, cloud platforms, and ISPs can use these feeds to identify compromised accounts and infected machines within their infrastructure, reducing the overall botnet attack surface.
5
Prepare for multi-vector DDoS campaigns that combine SYN floods, Mirai-generated attacks, SSDP amplification, HTTP floods, DNS attacks, and UDP floods. The 2025 campaigns demonstrated that attackers use diverse attack vectors simultaneously to overwhelm defenses.
An 18-day campaign in Q1 2025 generated approximately 13.5 million network-layer attacks targeting global infrastructure, with 6.9 million targeting Magic Transit customers and 6.6 million targeting Cloudflare directly.
6
Monitor geographic threat shifts to adjust defense postures. The UK surged 36 places to become the sixth most-attacked location, while Hong Kong jumped 12 places to second, indicating rapidly changing threat targeting patterns that require dynamic security responses.
Attack source countries also shifted dramatically, with Bangladesh dethroning Indonesia and Argentina soaring 20 places, meaning static IP blocklists quickly become outdated.

Common Pitfalls

1
Relying on on-premise DDoS mitigation appliances or on-demand scrubbing centers that cannot handle modern hyper-volumetric attacks reaching 31.4 Tbps or 205 million requests per second. Legacy solutions are increasingly unable to cope with attacks that have grown 700% in size over the past year.
Organizations should evaluate always-on, cloud-based autonomous DDoS mitigation that can scale to handle attacks of any size without manual intervention.
2
Failing to secure IoT devices on corporate networks, allowing consumer devices like Android TVs to be recruited into botnets. The Aisuru-Kimwolf botnet weaponized 1-4 million infected Android TVs to launch attacks capable of disrupting critical infrastructure and entire nations.
Network segmentation, firmware updates, and outbound traffic monitoring are essential to prevent IoT devices from participating in botnet attacks.
3
Using static geographic IP blocklists for DDoS defense without accounting for rapidly shifting attack sources. Bangladesh replaced Indonesia as the top attack source, Argentina jumped 20 places, and attacks originate from major cloud platforms like DigitalOcean, Microsoft, and Tencent.
Modern DDoS attacks come from thousands of diverse source ASNs highlighting truly global botnet distribution, making static blocking strategies ineffective.
4
Assuming DDoS defense only needs to handle a single attack vector when modern campaigns use multi-vector approaches combining SYN floods, Mirai-generated attacks, SSDP amplification, HTTP floods, DNS attacks, and UDP floods simultaneously.
The Q1 2025 campaign used multi-vector attacks generating 13.5 million network-layer attacks over 18 days, requiring defense systems capable of handling diverse attack types concurrently.

Related Concepts

Ddos Attack Mitigation
Botnet Detection And Takedown
Network-layer Vs. Application-layer Attacks
Syn Flood Attacks
Ssdp Amplification Attacks
HTTP/2 Rapid Reset Vulnerability
Mirai Botnet
Iot Device Security
Cloud Infrastructure Abuse
Autonomous Threat Detection
Threat Intelligence Feeds
Bgp And Magic Transit
Multi-vector Ddos Campaigns
Hyper-volumetric Attacks
Critical Infrastructure Protection