Cloudflare blocked 7.3M DDoS attacks in Q2 2025, down from 20.5M in Q1, while hyper-volumetric attacks surged with 6,500+ blocked, averaging 71 daily.
Cloudflare mitigated 7.3M DDoS attacks in Q2 2025, down from 20.5M in Q1, 13.5M of which stemmed from an 18-day Q1 campaign.
Hyper-volumetric attacks surged, with over 6,500 blocked, averaging 71 per day. In total, Cloudflare has already surpassed its 2024 DDoS mitigation volume with nearly 28M attacks stopped so far in 2025.
“DDoS attacks continue to break records. During 2025 Q2, Cloudflare automatically blocked the largest ever reported DDoS attacks, peaking at 7.3 terabits per second (Tbps) and 4.8 billion packets per second (Bpps).” reads the report published by Cloudflare.
Attacks exceeding 100M pps surged 592% QoQ, while those topping 1B pps or 1 Tbps doubled. HTTP DDoS attacks above 1M rps remained steady at ~20M total, or 220K daily.
In Q2 2025, most of the attacks targeted Cloudflare customers in China, followed by Brazil and Germany. Russia and Vietnam saw major jumps in attack activity, climbing 40 and 15 spots, respectively. On the industry front, telecom, internet services, and IT were hit hardest, while agriculture surprisingly made it into the top 10 after a sharp rise, suggesting attackers are expanding their focus. These rankings reflect where the affected customers are based, not necessarily where the attacks originated.
In Q2 2025, Indonesia became the top source of DDoS attacks, followed by Singapore and Hong Kong. Russia and Ecuador also climbed the ranks. These “sources” reflect where attack traffic originates (e.g., botnet nodes, proxies, or VPNs), not necessarily where the attackers are based.
Notably, most HTTP DDoS traffic came from networks offering virtual machines, highlighting a shift from weaker IoT botnets to much stronger VM-based ones. German provider 3xK Tech took the top spot for HTTP DDoS traffic, overtaking Hetzner for the first time in a year. Cloudflare is helping service providers fight back by offering a free threat intelligence feed that flags abusive IPs from their networks. Over 600 organizations are already using it to take down malicious botnet infrastructure.
In Q2 2025, attackers revived old DDoS methods targeting games, networks, and IoT devices. They flooded Teeworlds game servers with fake UDP packets, exploited outdated RIPv1 routing, abused misconfigured RDP servers, and infected Linux-based IoT devices with DemonBot malware to launch high-volume floods. The researchers warned that VxWorks-based IoT devices also became attack sources. Cloudflare protects customers using Magic Transit, Spectrum, and intelligent filtering to block attacks while preserving legitimate traffic and service availability.
Most DDoS attacks in Q2 2025 stay small and brief, with 94% of L3/4 attacks under 500 Mbps and 85% under 50,000 packets per second. Modern servers can handle moderate traffic, but even small attacks can overwhelm unprotected systems during peak times. While most attacks remain small, very large attacks are growing rapidly, with some exceeding 1 Tbps. Attackers use short, intense bursts to avoid detection and maximize disruption, highlighting the need for constant, real-time defense.
“Critical infrastructure continues to face sustained pressure, with the Telecommunications, Service Providers, and Carriers sector jumping again to the top as the most targeted industry.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, newsletter)