Cloudflare has announced its 2025 Q2 DDoS report. This report includes insights and trends about the DDoS threat landscape — as observed across the global Cloudflare network, which is one of the largest in the world.
Key findings:
- DDoS attacks continue to break records. During 2025 Q2, Cloudflare automatically blocked the largest ever reported DDoS attacks, peaking at 7.3 terabits per second (Tbps) and 4.8 billion packets per second (Bpps).
- Overall, in 2025 Q2, hyper-volumetric DDoS attacks skyrocketed. Cloudflare blocked over 6,500 hyper-volumetric DDoS attacks, an average of 71 per day.
- Although the overall number of DDoS attacks dropped compared to the previous quarter — which saw an unprecedented surge driven by a large-scale campaign targeting Cloudflare’s network and critical Internet infrastructure protected by Cloudflare — the number of attacks in 2025 Q2 were still 44% higher than in 2024 Q2.
- Critical infrastructure continues to face sustained pressure, with the Telecommunications, Service Providers, and Carriers sector jumping again to the top as the most targeted industry.
DDoS attacks in numbers
In 2025 Q2, Cloudflare mitigated 7.3 million DDoS attacks — down sharply from 20.5 million in Q1, when an 18-day campaign against Cloudflare’s own and other critical infrastructure protected by Cloudflare, drove 13.5 million of those attacks.
Breaking it down further, Layer 3/Layer 4 (L3/4) DDoS attacks plunged 81% quarter-over-quarter to 3.2 million, while HTTP DDoS attacks rose 9% to 4.1 million.
Hyper-volumetric DDoS attacks
In 2025 Q2, Cloudflare blocked over 6,500 hyper-volumetric DDoS attacks, averaging 71 hyper-volumetric attacks per day. Hyper-volumetric attacks include L3/4 DDoS attacks exceeding 1 Bpps or 1 Tbps, and HTTP DDoS attacks exceeding 1 million requests per second (Mrps).
Threat Actors
When asked who was behind the DDoS attacks they experienced in 2025 Q2:
- 71% said they didn’t know who attacked them.
- Out of the remaining 29% respondents that claimed to have identified the threat actor:
- 63% pointed to competitors, a pattern especially common in the Gaming, Gambling and Crypto industries.
- 21% attributed the attack to state-level or state-sponsored actors
- 5% each said they’d inadvertently attacked themselves (self-DDoS), were targeted by extortionists, or suffered an assault from disgruntled customers/users.
Ransom DDoS attacks
The percentage of attacked Cloudflare customers that reported being targeted by a Ransom DDoS attack or that were threatened increased by 68% compared to the previous quarter, and by 6% compared to the same quarter in 2024.
Top attacked locations
The ranking of the top 10 most attacked locations in 2025 Q2 shifted significantly. China took the lead as the most attacked country, followed by Brazil and Germany. India and South Korea completed the top five. Turkey and Hong Kong dropped to sixth and seventh respectively, while Vietnam made a steep rise into eighth. Russia and Azerbaijan also entered the top ten after significant jumps in rank. It’s important to note that these attacked locations are determined by the billing country of the Cloudflare customer whose services were targeted — not that those nations themselves are under attack.
Top attacked industries
The Telecommunications sector became the most attacked industry in Q2, followed by the Internet and Information Technology & Services sectors. Gaming rose to fourth place, while Gambling & Casinos dropped to fifth. Banking & Financial Services held steady in sixth. Retail moved up to seventh, and Agriculture made a notable jump into eighth place. Computer Software and Government rounded out the top ten.
Attack vectors
In Q2 2025, the majority (71%) of HTTP DDoS attacks were launched by known botnets. DNS flood attacks were the top L3/4 attack vector accounting for almost a third of all L3/4 DDoS attacks. SYN floods was the second most common attack vector, dipping from 31% in Q1 to 27% in Q2. In third place, UDP floods also grew meaningfully, rising from 9% in Q1 to 13% in Q2.
Emerging threats
Among emerging L3/4 DDoS threats in 2025 Q2, Teeworlds flood saw the biggest spike. These attacks jumped 385% QoQ, followed by the RIPv1 flood, which surged 296%. RDP floods climbed by 173%, and Demon Bot floods increased by 149%. Even the venerable VxWorks flood made a comeback, rising 71% quarter-over-quarter. These dramatic upticks highlight threat actors’ ongoing experimentation with lesser-known and legacy protocols to evade standard defences.
Attack size & duration
Most DDoS attacks are small and short. In 2025 Q2, 94% of L3/4 DDoS attacks didn’t exceed 500 Mbps. Similarly, around 85% of L3/4 DDoS attacks didn’t exceed 50,000 pps. The majority of HTTP DDoS attacks are also small, 65% stay below 50K rps. “Small”, though, is a relative term.
While the majority of DDoS attacks are small, hyper-volumetric DDoS attacks are increasing in size and frequency. 6 out of every 100 HTTP DDoS attacks exceed 1M rps, and 5 out of every 10,000 L3/4 DDoS attacks exceed 1 Tbps — a 1,150% QoQ increase.
Commenting on the report, Bashar Bashaireh, AVP Middle East, Türkiye & North Africa at Cloudflare, says: “The Q2 data highlights just how quickly the DDoS threat landscape is evolving — with attackers launching faster, shorter, and more aggressive campaigns across a broader range of industries and geographies. This quarter alone, we saw the largest attack ever recorded on our network, and a sharp increase in the abuse of legacy protocols. These trends reinforce the need for organisations to adopt a proactive, always-on security posture. At Cloudflare, we remain committed to delivering unmetered, automated DDoS protection that scales with the threat — no matter the size or complexity of the attack.”
Discussion about this post