DDoS Attacks Surge by 358% Compared to Last Year

Cloudflare Reports Surge in DDoS Attacks in Q1 2025

In a significant announcement, Cloudflare revealed that it successfully mitigated a staggering 20.5 million Distributed Denial of Service (DDoS) attacks during the first quarter of 2025. This figure represents a remarkable 358% increase compared to the same period last year, illustrating a concerning trend in cybersecurity threats. The company’s Q1 2025 DDoS report unveiled not only a rise in the number but also in the scale of these attacks, highlighting some of the most formidable incidents ever documented.

Map of top 10 most attacked industries in Q1 2025 (Source: Cloudflare)

Massive Multi-Vector Attacks

Of the total attacks recorded, nearly one-third, or approximately 6.6 million, specifically targeted Cloudflare’s internal network infrastructure. This surge coincided with an intense 18-day campaign marked by multi-vector assaults that also impacted various hosting and service providers. The methods employed in these attacks were diverse, encompassing SYN floods, Mirai botnet strikes, and SSDP amplification attacks.

In addition, researchers noted the emergence of over 700 hyper-volumetric attacks, defined as those exceeding 1 terabit per second (Tbps) or 1 billion packets per second (Bpps). That works out to an average of eight hyper-volumetric attacks per day, most of them UDP-based floods.

One particularly alarming trend observed is the unprecedented speed and intensity of the largest attacks. For instance, in late April, Cloudflare reported that it successfully mitigated attacks that peaked at 6.5 Tbps and 4.8 billion packets per second. Despite these attacks lasting less than a minute, their potential to overwhelm unprotected systems is significant. Some of these incidents spilled over into the second quarter of 2025, targeting a hosting provider.

While these high-capacity attacks make headlines, it’s essential to note that the majority of DDoS attacks remain relatively small in scale. Data indicated that 99% of network-layer assaults remained under 1 Gbps and 1 million packets per second. Nevertheless, even such smaller-scale attacks have the potential to saturate network links or incapacitate unprotected services effectively.

Most Victims Unsure of Attack Origins

The September report shed light on another concerning trend regarding the victims of these attacks. A staggering 89% of network-layer attacks and 75% of HTTP attacks concluded within just 10 minutes. In cases involving hyper-volumetric attacks, many incidents lasted a mere 35 to 45 seconds. This rapidity in attack durations has rendered manual mitigation tactics nearly obsolete.

Regarding the identities of the threat actors, many victims expressed uncertainty about the origins of the attacks. Among those who had a clearer picture, competitors were the primary suspects, accounting for 39% of cases. They were followed by suspected state-sponsored actors and disgruntled users or customers, each constituting 17% of the responses. Self-inflicted DDoS incidents and extortionists were also mentioned by 11% of victims, while former employees made up 6% of the suspects.

The report further detailed an alarming increase in emerging DDoS tactics. CLDAP reflection attacks witnessed a staggering 3,488% surge quarter-over-quarter, while ESP reflection attacks grew by an astounding 2,301%. Both techniques exploit properties of UDP traffic to reflect and amplify attack traffic toward victims.

Shifts in DDoS Targets

The landscape of DDoS targets has also shifted notably in this quarter. Germany emerged as the most frequently attacked country, with Turkey making a significant leap to secure the second position, pushing China down two slots to third place. The industry most targeted by these DDoS incidents transitioned to Gambling and Casinos, which dethroned Telecommunications, now in second place.

Map of top 10 most attacked locations in Q1 2025 (Source: Cloudflare)

Further analysis revealed changes in the geographical origins of these attacks. Hong Kong emerged as the leading source of DDoS traffic, followed by Indonesia and Argentina. Many of these attacks continued to exploit compromised infrastructures hosted by various cloud providers, with notable contributors including Hetzner, OVH, DigitalOcean, Contabo, and ChinaNet-Backbone.

As the landscape of cyber threats continues to evolve, the findings presented in Cloudflare’s report on Q1 2025 serve as a stark reminder of the increasing sophistication and danger posed by DDoS attacks. The information underscores the urgent need for organizations to bolster their cybersecurity measures to mitigate these burgeoning threats effectively.
