    2025 Q4 DDoS Threat Report: A Year of Massive DDoS Attacks Culminates in a Record 31.4 Tbps Assault

    By Samuel Alejandro, February 7, 2026

    This report provides an in-depth analysis of the Distributed Denial of Service (DDoS) attack landscape, drawing on data from the Cloudflare network. It focuses on the fourth quarter of 2025 and includes overall data for the year 2025.

    The fourth quarter of 2025 saw an unprecedented series of attacks from the Aisuru-Kimwolf botnet, known as “The Night Before Christmas” DDoS campaign. This campaign launched hyper-volumetric HTTP DDoS attacks, reaching over 200 million requests per second (rps), against Cloudflare’s customers, dashboard, and infrastructure. This occurred shortly after a record-setting 31.4 Terabits per second (Tbps) attack.

    Key Insights

    1. DDoS attacks increased by 121% in 2025, with an average of 5,376 attacks automatically mitigated hourly.

    2. During the last quarter of 2025, Hong Kong rose 12 positions to become the second most targeted location for DDoS attacks. The United Kingdom also saw a significant jump of 36 places, ranking as the sixth most-attacked location.

    3. The Aisuru-Kimwolf botnet, composed of infected Android TVs, launched hyper-volumetric HTTP DDoS attacks against Cloudflare’s network. Telecommunications companies were identified as the most-attacked industry.

    2025 Witnessed a Significant Rise in DDoS Attacks

    In 2025, the total number of DDoS attacks more than doubled, reaching an astonishing 47.1 million. These attacks have seen a dramatic increase in recent years, with a 236% spike between 2023 and 2025.

    On average, 5,376 DDoS attacks were mitigated every hour in 2025. Of these, 3,925 were network-layer DDoS attacks, and 1,451 were HTTP DDoS attacks.

    Network-Layer DDoS Attacks More Than Tripled in 2025

    Network-layer DDoS attacks showed the most significant increase, more than tripling year over year. Cloudflare mitigated 34.4 million network-layer DDoS attacks in 2025, a substantial rise from 11.4 million in 2024.

    Approximately 13.5 million of these network-layer attacks targeted global Internet infrastructure protected by Cloudflare Magic Transit and Cloudflare’s own infrastructure directly. This occurred during an 18-day DDoS campaign in the first quarter of 2025. Of these, 6.9 million targeted Magic Transit customers, while 6.6 million directly targeted Cloudflare.

    This assault was a multi-vector DDoS campaign that included SYN flood attacks, Mirai-generated DDoS attacks, and SSDP amplification attacks. These attacks were automatically detected and mitigated by Cloudflare’s systems. The campaign was only discovered during the preparation of the DDoS threat report for 2025 Q1, demonstrating the effectiveness of Cloudflare’s DDoS mitigation.

    In the final quarter of 2025, DDoS attacks increased by 31% compared to the previous quarter and 58% compared to 2024. This growth was primarily driven by network-layer DDoS attacks, which constituted 78% of all DDoS attacks in 2025 Q4. While the number of HTTP DDoS attacks remained consistent, their size surged to levels not seen since the HTTP/2 Rapid Reset DDoS campaign in 2023. These recent surges were attributed to the Aisuru-Kimwolf botnet.

    “The Night Before Christmas” DDoS Campaign

    On December 19, 2025, the Aisuru-Kimwolf botnet initiated a barrage of hyper-volumetric DDoS attacks against Cloudflare’s infrastructure and customers. This campaign was notable for its sheer scale, employing hyper-volumetric HTTP DDoS attacks that surpassed 20 million requests per second (Mrps).

    The Aisuru-Kimwolf botnet consists of a vast network of malware-infected devices, predominantly Android TVs, with an estimated 1-4 million compromised hosts. This botnet possesses the capability to launch DDoS attacks severe enough to incapacitate critical infrastructure, overwhelm most traditional cloud-based DDoS protection systems, and even disrupt national internet connectivity.

    Cloudflare’s autonomous DDoS defense systems successfully detected and mitigated all attacks throughout the campaign, which included 384 packet-intensive, 329 bit-intensive, and 189 request-intensive attacks, totaling 902 hyper-volumetric DDoS attacks at an average of 53 attacks per day.

    The average size of these hyper-volumetric DDoS attacks during the campaign reached 3 Bpps, 4 Tbps, and 54 Mrps. Peak rates recorded were 9 Bpps, 24 Tbps, and 205 Mrps.

    To illustrate the magnitude, a 205 Mrps DDoS attack is equivalent to the combined populations of the UK, Germany, and Spain all simultaneously entering a website address and pressing ‘enter’ in the same second.

    Despite its dramatic nature, The Night Before Christmas campaign represented only a fraction of the hyper-volumetric DDoS attacks observed throughout the year.

    Hyper-Volumetric DDoS Attacks

    Throughout 2025, a continuous rise in hyper-volumetric DDoS attacks was observed. In Q4 2025, these attacks increased by 40% compared to the preceding quarter.

    Not only did the frequency of attacks grow in 2025, but their size also escalated significantly, increasing by over 700% compared to the large attacks of late 2024. One such attack reached an unprecedented 31.4 Tbps, lasting only 35 seconds. This demonstrates the rapid growth in DDoS attack sizes detected and blocked, with each instance setting a new public record at the time of its occurrence.

    The 31.4 Tbps DDoS attack, like all others, was automatically detected and mitigated by Cloudflare’s autonomous DDoS defense, which effectively adapted to and countered botnets such as Aisuru-Kimwolf.

    The majority of hyper-volumetric DDoS attacks targeted customers in the Telecommunications, Service Providers, and Carriers industry. Customers in the Gaming industry and those offering Generative AI services also faced significant targeting. Additionally, Cloudflare’s own infrastructure was subjected to various attack vectors, including HTTP floods, DNS attacks, and UDP floods.

    Most-Attacked Industries

    Across all DDoS attack sizes, the Telecommunications, Service Providers, and Carriers industry emerged as the most targeted, taking over from the Information Technology & Services industry.

    The Gambling & Casinos and Gaming industries secured the third and fourth positions, respectively. Notable shifts within the top 10 for the quarter included the Computer Software and Business Services industries, both of which advanced several places.

    Industries most frequently targeted are typically those that serve as critical infrastructure, provide essential services to other businesses, or have a high financial sensitivity to service disruptions and latency.

    Most-Attacked Locations

    The global DDoS landscape presented a mix of consistent targets and significant changes in the most-attacked locations. China, Germany, Brazil, and the United States remained among the top five, indicating their ongoing attractiveness to attackers.

    Hong Kong notably climbed twelve positions to become the second most-attacked location. Even more striking was the United Kingdom’s dramatic ascent, surging 36 places this quarter to rank as the sixth most-targeted location.

    Vietnam maintained its position as the seventh most-attacked location, followed by Azerbaijan (eighth), India (ninth), and Singapore (tenth).

    Top Attack Sources

    In the fourth quarter of 2025, Bangladesh surpassed Indonesia to become the primary source of DDoS attacks. Indonesia, which had been the top source for a year, fell to third place. Ecuador advanced two positions to become the second-largest source.

    Argentina made a remarkable leap of twenty places, ranking as the fourth-largest source of DDoS attacks. Hong Kong moved up three spots to fifth place. Ukraine secured the sixth position, followed by Vietnam, Taiwan, Singapore, and Peru.

    Top Source Networks

    The list of top 10 attack source networks highlights major Internet entities, revealing how modern DDoS attacks are structured. A clear pattern emerges: threat actors exploit the most accessible and powerful network infrastructures, particularly large, public-facing services.

    Many DDoS attacks originate from IP addresses linked to Cloud Computing Platforms and Cloud Infrastructure Providers, such as DigitalOcean (AS 14061), Microsoft (AS 8075), Tencent (AS 132203), Oracle (AS 31898), and Hetzner (AS 24940). This indicates a strong correlation between easily provisioned virtual machines and high-volume attacks. These cloud sources, largely based in the United States, are closely followed by a significant number of attacks from IP addresses associated with traditional Telecommunications Providers (Telcos). These Telcos, primarily located in the Asia-Pacific region (including Vietnam, China, Malaysia, and Taiwan), complete the remainder of the top 10.

    This geographical and organizational diversity confirms the dual nature of these attacks: while the largest sources are often global cloud hubs, the problem is truly global, with attack traffic crossing the Internet’s most critical pathways from around the world. Numerous DDoS attacks involve thousands of different source ASNs, emphasizing the widespread distribution of botnet nodes.

    To assist hosting providers, cloud computing platforms, and Internet service providers in identifying and neutralizing abusive IP addresses and accounts responsible for these attacks, a free DDoS Botnet Threat Feed for Service Providers is available. This feed leverages unique insights into DDoS attacks. Over 800 networks globally have subscribed to this feed, fostering significant community collaboration in dismantling botnet nodes.

    Helping Defend the Internet

    DDoS attacks are rapidly increasing in both sophistication and scale, exceeding previous expectations. This dynamic threat landscape is a considerable challenge for many organizations to manage effectively. Entities currently depending on on-premise mitigation appliances or on-demand scrubbing centers might consider reassessing their defense strategies.

    Cloudflare provides free, unmetered DDoS protection to all its customers, irrespective of the attack’s size, duration, or volume. This protection is powered by its extensive global network and autonomous DDoS mitigation systems.

    About Cloudforce One

    With a commitment to defending the Internet, Cloudforce One utilizes data from Cloudflare’s global network, which secures approximately 20% of the web. This data drives threat research and operational responses, safeguarding critical systems for millions of organizations worldwide.
