Unprecedented Surge in DDoS Attacks: 20.5 Million Incidents Recorded in Q1 2025

In the first quarter of 2025, Cloudflare reported an unprecedented surge in Distributed Denial of Service (DDoS) attacks, mitigating a staggering 20.5 million incidents. This figure represents a 358% increase compared to the same period in 2024, nearly matching the total number of attacks mitigated throughout the previous year. This dramatic escalation underscores a significant shift in the cyber threat landscape, with attackers deploying more sophisticated and large-scale campaigns than ever before.

Hyper-Volumetric Attacks

April 2025 witnessed the largest packet-rate attack on record, peaking at 4.8 billion packets per second (Bpps). This attack was approximately 52% larger than the previous record of 3.15 Bpps. Originating from 147 countries, the attack targeted a U.S.-based hosting provider and was part of a sustained campaign that also included a separate 6.5 terabits-per-second (Tbps) flood, matching the highest bandwidth attack ever publicly disclosed.

Cloudflare’s Q1 2025 DDoS Threat Report highlighted a 397% quarter-over-quarter increase in network-layer attacks, with approximately 700 hyper-volumetric attacks exceeding 1 Tbps or 1 Bpps. This surge indicates a growing trend of attackers leveraging massive botnets to launch high-volume assaults capable of overwhelming even robust network infrastructures.

Attack Vectors and Amplification Techniques

The report identified SYN floods as the most prevalent attack vector, followed by DNS floods and attacks generated by the Mirai botnet. SYN floods exploit the TCP three-way handshake mechanism by sending numerous connection requests with spoofed source IP addresses, leaving servers with half-open connections that exhaust resources.

Another concerning trend is the 3,488% increase in CLDAP (Connectionless Lightweight Directory Access Protocol) reflection/amplification attacks. CLDAP runs over UDP instead of TCP, so there is no handshake to confirm where a request came from. Attackers send small queries with the victim's IP address spoofed as the source, and the servers send their much larger responses to the victim. This amplification multiplies the volume of an attack significantly, making it more potent and harder to mitigate.
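The sketch below is an added example, not taken from Cloudflare's report. It shows how a defender might flag the two vectors described above in inbound packet records: services receiving many SYNs that never complete the handshake, and hosts receiving replies from UDP source port 389 sent by many different servers. The record layout, thresholds, function names and sample traffic are all constructed for illustration.

```python
from collections import defaultdict

# Constructed inbound packet records (documentation IP ranges, not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, length_bytes)
def build_sample():
    pkts = []
    # SYNs to 203.0.113.10:443 from many sources that never send the final ACK.
    for i in range(200):
        pkts.append((f"198.51.100.{i}", 1024 + i, "203.0.113.10", 443, "tcp", "S", 60))
    # Normal clients of 203.0.113.20:443: a SYN followed by the final ACK.
    for i in range(50):
        src = (f"192.0.2.{i}", 40000 + i)
        pkts.append((*src, "203.0.113.20", 443, "tcp", "S", 60))
        pkts.append((*src, "203.0.113.20", 443, "tcp", "A", 52))
    # Large CLDAP replies (UDP source port 389) arriving from 30 different servers.
    for i in range(30):
        pkts.append((f"198.51.100.{200 + i}", 389, "203.0.113.10", 53211, "udp", "", 1400))
    return pkts

def syn_flood_suspects(pkts, min_syns=100, max_completion=0.2):
    """Flag services with many SYNs whose handshakes are rarely completed."""
    syns, completed = defaultdict(set), defaultdict(set)
    for src, sport, dst, dport, proto, flags, _ in pkts:
        if proto != "tcp":
            continue
        if flags == "S":
            syns[(dst, dport)].add((src, sport))
        elif flags == "A" and (src, sport) in syns.get((dst, dport), ()):
            completed[(dst, dport)].add((src, sport))
    suspects = {}
    for svc, opened in syns.items():
        ratio = len(completed[svc]) / len(opened)  # share of half-open that completed
        if len(opened) >= min_syns and ratio <= max_completion:
            suspects[svc] = ratio
    return suspects

def cldap_reflection_suspects(pkts, min_reflectors=10):
    """Flag hosts receiving UDP/389-sourced replies from many distinct senders."""
    senders, volume = defaultdict(set), defaultdict(int)
    for src, sport, dst, _, proto, _, length in pkts:
        if proto == "udp" and sport == 389:
            senders[dst].add(src)
            volume[dst] += length
    return {dst: (len(s), volume[dst])
            for dst, s in senders.items() if len(s) >= min_reflectors}
```

The completion ratio is what separates the flood from a busy but healthy service: the second host in the sample also receives SYNs, but every one is followed by an ACK, so it is not flagged even with a lower SYN threshold.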

Geographical and Sectoral Impact

The report revealed that Germany became the most attacked country during this period, while the Gambling & Casinos industry emerged as the most targeted sector. Hong Kong was identified as the primary source of attack traffic, with Hetzner (AS24940) remaining the largest source of HTTP DDoS attacks among autonomous systems.

Despite the dramatic rise in hyper-volumetric attacks, most incidents remain relatively small, with 99% of Layer 3/4 DDoS attacks under 1 Gbps and 1 million packets per second (Mpps). However, even these smaller attacks can easily overwhelm unprotected servers and network links, causing significant disruptions.

Equally notable is the brevity of most attacks—89% of network-layer attacks and 75% of HTTP DDoS attacks concluded within 10 minutes. The record-breaking 4.8 Bpps attack lasted just 35-45 seconds, highlighting the need for always-on, automated protection.

Recommendations for Mitigation

The current threat landscape leaves no time for human intervention. Detection and mitigation should be always-on, in-line, and automated, with sufficient capacity and global coverage to handle attack traffic alongside legitimate peak traffic.

To help combat these threats, Cloudflare provides a free DDoS Botnet Threat Feed for service providers. Over 600 organizations worldwide use it to identify and take down abusive accounts launching DDoS attacks from within their networks.