
Evolution of Botnet-Driven DDoS Attacks in the Second Half of 2025

The latter half of 2025 marked a significant turning point in the realm of distributed denial-of-service (DDoS) attacks, as organizations across the globe grappled with a confluence of escalating threats. This period saw a maturation of artificial intelligence (AI) as an offensive tool, the rise of botnet infrastructures that boast multiterabit attack capacities, and the increased accessibility of DDoS-for-hire services even to those lacking technical expertise.

According to NETSCOUT’s ATLAS global threat intelligence platform, which documented over 8 million DDoS attacks across 203 countries and territories, the threat landscape evolved to a point where the distinction between intent and capability had almost vanished. Attacks now reached astonishing rates of up to 30 terabits per second, with many leveraging conversational AI interfaces to assist even unskilled offenders in executing complex operations. This alarming trend underscores the changing dynamics of cyber threats and the urgent need for heightened vigilance.

Executive Summary

Between July and December of 2025, while the count of DDoS attacks remained relatively stable when compared to the first half of the year, the nature of these attacks showcased dramatic transformations:

  • Massive Attack Capacity: Demonstration attacks saw peaks of 30 terabits per second and 4 gigapackets per second, predominantly powered by Internet of Things (IoT) botnets, notably variants such as Aisuru and TurboMirai.
  • Integration of AI: The assimilation of AI, including large language models from the dark web, evolved from a budding trend to a practical reality, enabling sophisticated attacks to be orchestrated by a broader spectrum of threat actors.
  • Persistent Threat Actors: Despite intensified efforts from international law enforcement, hacktivist groups and commodity botnets continued to exert pressure. For instance, the hacking collective NoName057(16) claimed responsibility for over 200 attacks in July alone, showing its resilience even after infrastructure seizures. Critical infrastructure bore the brunt of relentless attacks, notably DNS root servers and Network Time Protocol (NTP) services, which generated over 45,000 NTP-related alerts. Well-architected systems held up under this pressure, but the pressure itself never let up.
  • Targeted Sectors and Regions: The most targeted sectors were government, finance, telecommunications, transportation, and hospitality. Geographically, the Europe, Middle East, and Africa (EMEA) region was hit hardest with 3.3 million recorded attacks, followed by the Asia-Pacific (APAC) region, North America, and Latin America.

The latter half of 2025 was not merely an evolution in attack strategies but represented a fundamental shift regarding who can initiate sophisticated DDoS attacks, their adaptability, and the extensive impact they can have.

Key Findings

  1. Global Scale and Attack Volume: The records indicated that more than 8 million DDoS attacks occurred across 203 countries and territories, emphasizing the persistent and growing operational risks faced by digitally connected entities on a global scale. Although the number of attacks remained relatively stable, the sophistication and nature of these attacks have undergone substantial changes.
  2. Rise of IoT Botnets and Outbound Risk: Massive direct-path attacks in 2025 highlighted the risks posed by compromised customer-premises equipment (CPE), which could initiate outbound floods exceeding 1 terabit per second. This posed considerable liability and service availability concerns for broadband providers. The TurboMirai class of IoT botnets, such as Aisuru and Eleven11 (RapperBot), emerged as key players capable of launching attacks up to 30 terabits per second and 4 gigapackets per second. Notably, Eleven11 was linked to over 3,600 DDoS incidents between 2021 and the middle of 2025.
  3. AI-Enhanced DDoS-for-Hire Services: Platforms offering DDoS-for-hire services began incorporating dark-web large language models and conversational AI, significantly lowering the technical barriers necessary for orchestrating complicated, multivector attacks. As a result, even those with minimal skills could now conduct sophisticated campaigns through simple natural-language prompts, thereby amplifying risks across industries.
  4. Cooperation Among Threat Actors: July 2025 witnessed a remarkable surge of over 20,000 botnet-driven attacks. Coordinated threat activities overwhelmed defenses, leading to disruptions in vital services across government, finance, and transportation sectors. Collaborations among groups such as Keymous+ showcased how partnerships between threat actors could exponentially increase attack potency, with joint campaigns peaking at 44 gigabits per second.
  5. Sustained Pressure on Critical Infrastructure: High-value services such as DNS root servers and NTP endured continuous attacks, with 38 significant DNS root events reported, including a 21-gigabit-per-second flood against the A root server. Over 45,000 alerts for NTP-related attacks further underscored the need for resilient, globally distributed architectures and robust mitigation procedures.
  6. Geographical and Sectoral Targeting: The sectors most frequently targeted included government agencies, financial services, telecommunications, transportation, and hospitality. In regional terms, EMEA led the charts with 3.3 million attacks, trailed by APAC (1.9 million), North America (1.27 million), and Latin America (1.01 million).
  7. Multivector and Carpet-Bombing Attacks: Over half of all attacks used multivector strategies, with 42% combining two to five attack vectors. Carpet-bombing attacks, which spread traffic across many addresses in a target's prefix rather than a single host, surged to an average of 750 to 830 events per day during the latter half of 2025. Attackers regularly combined DNS amplification, SSDP, SNMP, mDNS, memcached, and CLDAP reflection with mixed TCP floods to maximize disruption.
  8. Defensive Achievements and Continuing Challenges: Systems characterized by robust architectures, especially those utilizing anycast-based defenses, exhibited remarkable resilience, maintaining availability despite relentless attack pressures. Conversely, the ongoing prevalence of vulnerable devices and the rapid evolution of threat actors necessitate that organizations remain vigilant and proactive in their defensive measures.
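The multivector and carpet-bombing patterns described in finding 7 are visible in flow telemetry once records are grouped by reflection vector and by destination prefix. The following classifier is an added example, not NETSCOUT's or any vendor's detection logic: it labels UDP flows by the reflector source ports named above, applies a constructed single-packet heuristic for SYN/ACK floods, and flags a /24 as carpet-bombed when attack traffic reaches at least `carpet_hosts` distinct addresses in it (the 32-host threshold and the NetFlow-like sample records are assumptions built for the demonstration).

```python
"""Classify a window of flow records for multivector reflection and
carpet-bombing patterns.  Added illustration using constructed data;
thresholds and record layout are assumptions, not a vendor signature set."""
from collections import defaultdict
import ipaddress

# Reflection/amplification vectors named in the report, keyed by the UDP
# source port that reflected traffic arrives from.
AMP_VECTORS = {
    53: "DNS amplification",
    1900: "SSDP",
    161: "SNMP",
    5353: "mDNS",
    11211: "memcached",
    389: "CLDAP",
}


def classify_flow(flow):
    """Return an attack-vector label for one flow record, or None if it looks benign."""
    if flow["proto"] == "udp" and flow["sport"] in AMP_VECTORS:
        return AMP_VECTORS[flow["sport"]]
    # Constructed heuristic for the "mixed TCP flood" family: one- or
    # two-packet flows carrying only SYN or only ACK.
    if flow["proto"] == "tcp" and flow["pkts"] <= 2 and flow["flags"] in ("S", "A"):
        return "TCP SYN flood" if flow["flags"] == "S" else "TCP ACK flood"
    return None


def summarize(flows, carpet_hosts=32):
    """Aggregate labelled flows into vector counts and per-/24 host spread."""
    vector_bytes = defaultdict(int)
    hosts_per_prefix = defaultdict(set)
    for flow in flows:
        label = classify_flow(flow)
        if label is None:
            continue
        vector_bytes[label] += flow["bytes"]
        # Carpet bombing shows up as attack traffic spread across many
        # addresses of the same prefix instead of one target host.
        prefix = ipaddress.ip_network(f"{flow['dst']}/24", strict=False)
        hosts_per_prefix[str(prefix)].add(flow["dst"])
    carpet = sorted(p for p, hosts in hosts_per_prefix.items() if len(hosts) >= carpet_hosts)
    return {
        "vectors": dict(sorted(vector_bytes.items())),
        "vector_count": len(vector_bytes),
        "multivector": len(vector_bytes) >= 2,
        "carpet_prefixes": carpet,
        "carpet_bombing": bool(carpet),
    }


def build_sample_flows():
    """Constructed NetFlow-like records using documentation address ranges."""
    flows = []
    # DNS-reflected UDP traffic sprayed across 40 hosts of one /24.
    for host in range(1, 41):
        flows.append({"proto": "udp", "src": f"192.0.2.{host}", "sport": 53,
                      "dst": f"203.0.113.{host}", "dport": 40000 + host,
                      "flags": "", "pkts": 1200, "bytes": 1_500_000})
    # SSDP-reflected traffic to 20 of the same hosts (second vector).
    for host in range(1, 21):
        flows.append({"proto": "udp", "src": f"192.0.2.{100 + host}", "sport": 1900,
                      "dst": f"203.0.113.{host}", "dport": 40000 + host,
                      "flags": "", "pkts": 900, "bytes": 300_000})
    # SYN flood against a single host in another prefix (third vector).
    for n in range(50):
        flows.append({"proto": "tcp", "src": f"192.0.2.{200 + n}", "sport": 1024 + n,
                      "dst": "198.51.100.10", "dport": 443,
                      "flags": "S", "pkts": 1, "bytes": 60})
    # One ordinary HTTPS session that should not be labelled.
    flows.append({"proto": "tcp", "src": "198.51.100.77", "sport": 51515,
                  "dst": "198.51.100.10", "dport": 443,
                  "flags": "PA", "pkts": 30, "bytes": 20_000})
    return flows


if __name__ == "__main__":
    print(summarize(build_sample_flows()))
```

On the constructed sample the summary reports three vectors (multivector) and flags 203.0.113.0/24 as carpet-bombed, while the single-host SYN flood against 198.51.100.0/24 stays below the host-spread threshold; in production the same aggregation would run over a sliding time window of exported flows rather than a static list.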

Conclusion

The DDoS threat landscape at the end of 2025 was defined by a sustained high volume of global attacks, increasingly capable IoT botnets, and sophisticated campaigns from threat actors who have shifted significantly towards AI-driven DDoS-for-hire operations. While the largest attacks remain relatively rare, their existence profoundly influences defensive strategies. The typical DDoS attack now tends to be short-lived, intense, and multisectoral, targeting a diverse array of industries and geographical regions.

Organizations must therefore understand the democratization of attack tools, especially in light of AI integration, which has dramatically lowered the barrier to entry for cybercriminals. Defending against these threats calls for not only robust infrastructure but also adaptive, intelligence-driven strategies that can effectively match the evolving tactics employed by adversaries.

For further details, readers are encouraged to consult NETSCOUT’s 2H 2025 DDoS Threat Intelligence Report.
