Overview
Cloudflare's 24th quarterly DDoS threat report reveals that DDoS attacks surged 121% in 2025, totaling 47.1 million attacks. The quarter was marked by a record-breaking 31.4 Tbps attack and the Aisuru-Kimwolf botnet's 'Night Before Christmas' campaign that launched hyper-volumetric HTTP DDoS attacks exceeding 200 million requests per second using infected Android TVs.
What You'll Learn
How DDoS attack volumes and sophistication evolved throughout 2025 with a 121% year-over-year surge
Why infected IoT devices like Android TVs pose a critical threat as botnet infrastructure capable of launching hyper-volumetric attacks
How the Aisuru-Kimwolf botnet orchestrated the 'Night Before Christmas' campaign with attacks exceeding 200 million requests per second
Which industries and geographic locations are most targeted by DDoS attacks and why
Why organizations should re-evaluate on-premise DDoS mitigation strategies in favor of cloud-based autonomous defense systems
Prerequisites & Requirements
- Basic understanding of DDoS attacks and how they disrupt services
- Familiarity with network-layer vs. application-layer (HTTP) attack concepts(optional)
- Understanding of network measurement units (Tbps, Mrps, Bpps)(optional)
Key Questions Answered
How much did DDoS attacks increase in 2025 compared to previous years?
What was the largest DDoS attack ever recorded in 2025?
What is the Aisuru-Kimwolf botnet and how does it launch DDoS attacks?
Which industries were most targeted by DDoS attacks in Q4 2025?
Where do most DDoS attacks originate from geographically?
Which countries were most targeted by DDoS attacks in Q4 2025?
How large were the hyper-volumetric attacks during the Night Before Christmas campaign?
Why are cloud computing platforms major sources of DDoS attacks?
Key Statistics & Figures
Technologies & Tools
Key Actionable Insights
1Re-evaluate on-premise DDoS mitigation strategies immediately. DDoS attacks grew 700% in size during 2025, with the record attack reaching 31.4 Tbps. On-premise appliances and on-demand scrubbing centers are increasingly inadequate against hyper-volumetric attacks of this magnitude.The Aisuru-Kimwolf botnet alone launched 902 hyper-volumetric attacks in a 17-day period, averaging 53 per day, demonstrating that modern attacks require always-on, autonomous cloud-based mitigation.
2Implement IoT device security policies to prevent devices from being recruited into botnets. The Aisuru-Kimwolf botnet comprises 1-4 million infected Android TVs, showing that consumer IoT devices are being weaponized at scale to launch attacks exceeding 200 million requests per second.Organizations should audit and segment IoT devices on their networks, apply firmware updates, and monitor for unusual outbound traffic patterns that could indicate botnet participation.
3Telecommunications and gaming companies should prioritize DDoS defense investment as the most targeted industries. Telcos emerged as the number one target in Q4 2025, surpassing IT services, while Gaming and Generative AI services were also heavily targeted by hyper-volumetric attacks.These industries are targeted due to their role as critical infrastructure and the immediate financial impact of service interruptions on their business models.
4Leverage threat intelligence feeds like Cloudflare's free DDoS Botnet Threat Feed to proactively identify and block abusive IP addresses. Over 800 networks worldwide already use this feed to collaboratively take down botnet nodes before attacks escalate.Hosting providers, cloud platforms, and ISPs can use these feeds to identify compromised accounts and infected machines within their infrastructure, reducing the overall botnet attack surface.
5Prepare for multi-vector DDoS campaigns that combine SYN floods, Mirai-generated attacks, SSDP amplification, HTTP floods, DNS attacks, and UDP floods. The 2025 campaigns demonstrated that attackers use diverse attack vectors simultaneously to overwhelm defenses.An 18-day campaign in Q1 2025 generated approximately 13.5 million network-layer attacks targeting global infrastructure, with 6.9 million targeting Magic Transit customers and 6.6 million targeting Cloudflare directly.
6Monitor geographic threat shifts to adjust defense postures. The UK surged 36 places to become the sixth most-attacked location, while Hong Kong jumped 12 places to second, indicating rapidly changing threat targeting patterns that require dynamic security responses.Attack source countries also shifted dramatically, with Bangladesh dethroning Indonesia and Argentina soaring 20 places, meaning static IP blocklists quickly become outdated.