DDoS attacks were down in the second quarter of 2025

It wasn’t the busiest quarter for DDoS (Distributed Denial of Service) attacks. According to Cloudflare, the IT service company, 7.3 million DDoS attacks in Q2 2025 were mitigated, a sharp drop from the 20.5 million attacks it fended off just a quarter earlier. But the story beneath the surface paints a very different picture.

While the total volume of attacks fell, the intensity, precision, and impact of those attacks increased. Hyper-volumetric DDoS attacks, those measured in hundreds of gigabits or even terabits per second, skyrocketed. Cloudflare blocked over 6,500 of these extreme events during the quarter, averaging 71 per day.

The most staggering of them all? A single attack that peaked at 7.3 terabits per second and 4.8 billion packets per second, all within a 45-second window. It was one of the largest bursts of DDoS traffic Cloudflare has ever recorded and a sign of what’s to come.

Part of the reason Q1’s numbers were so inflated was an 18-day sustained campaign that flooded Cloudflare’s systems and its clients with 13.5 million attacks. That campaign has since quieted, but the attackers haven’t gone away, they’ve just evolved.

There’s also been a dramatic shift in attack types. Traditional Layer 3/4 (network-layer) DDoS attacks dropped 81% quarter-over-quarter, down to 3.2 million. In contrast, HTTP DDoS attacks, which hit the application layer, rose 9% to 4.1 million. These tend to be more stealthy, harder to detect, and more aligned with today’s botnet-driven strategies.

Ransom-driven and botnet-powered threats on the rise

And botnets are definitely a factor. Cloudflare noted that over 70% of HTTP DDoS traffic came from known botnets, many using infected IoT devices as launch points.

The most common network-layer vectors remain DNS floods, TCP SYN floods, and UDP-based attacks, many of which are used in reflection or amplification campaigns. These aren’t new techniques, but their size and delivery are escalating.

Telecom and carrier networks continue to be top targets, followed by internet infrastructure, IT services, gaming platforms, and online gambling sites. These sectors depend heavily on uptime and bandwidth, making them prime bait for attackers looking to disrupt or extort.

The most targeted regions for DDoS attacks

The geography of attacks is also shifting. Based on customer billing data, the most targeted regions included China, Brazil, Germany, India, South Korea, and Turkey. Meanwhile, attack traffic most often originated from Indonesia, Singapore, Hong Kong, Argentina, and Ukraine.

Perhaps the most troubling trend? The 592% quarter-over-quarter increase in hyper-volumetric DDoS attacks, those exceeding 100 million packets per second. These attacks don’t just cause momentary disruption; they overwhelm entire infrastructures in seconds.

Cloudflare also reported a 68% rise in ransom DDoS incidents, where attackers demand payment in exchange for stopping or preventing attacks. Some organisations were hit first, then asked to pay to make it stop, others received threats in advance. Either way, the ransom DDoS model is gaining traction.

The most active distributed denial-of-service (DDoS) botnet

One particularly active player in this landscape is DemonBot, a botnet variant that infects Linux-based systems, primarily unsecured IoT devices, through open ports and weak credentials. Once inside, these systems are hijacked to launch massive UDP, TCP, and app-layer floods.

Cloudflare warns that DemonBot and similar botnets can generate sudden surges of traffic, often targeting gaming servers, hosting platforms, or enterprise apps. Protecting against these infections requires stronger endpoint security, antivirus tools, domain filtering, and updated firmware, still weak points for many organisations.

DDoS attacks are getting smarter, not just louder

Despite the drop in raw attack numbers this quarter, Cloudflare says the risk is actually rising. Attackers are getting smarter, not just louder. They're no longer content with overwhelming defences, they're now working to slip past them entirely, combining sheer volume with precision timing and reconnaissance tactics.

In total, Cloudflare stated that now nearly 28 million DDoS attacks were blocked in just the first half of 2025, more than it did in all of 2024. And if this quarter has shown anything, it’s that the future of DDoS isn’t just about size. It’s about strategy, speed, and scale, all at once.