Cloudflare Q2 2025: DDoS Attack Volume Drops, But Hyper-Volumetric Assaults Skyrocket
Cloudflare recorded a dramatic decline in the number of DDoS attacks during the second quarter of 2025, mitigating 7.3 million incidents—down sharply from the 20.5 million reported in the first quarter. However, despite the overall drop in attack volume, the proportion of ultra-powerful assaults surged significantly.
On average, Cloudflare deflected 71 “hyper-volumetric attacks” per day in Q2, with a total exceeding 6,500. These extreme-scale attacks, characterized by overwhelming intensity, stood in stark contrast to the general downtrend. One such incident reached a staggering peak of 7.3 terabits per second and 4.8 billion packets per second in under a minute. These traffic surges combine brute force with more nuanced techniques—such as background vulnerability scans—enabling adversaries to circumvent standard defense systems.
Layer 3/4 attacks dropped by 81% quarter-over-quarter, totaling 3.2 million events. Conversely, HTTP-based attacks rose by 9%, reaching 4.1 million incidents, with over 70% traced to known botnets. The most frequently deployed vectors involved DNS floods, TCP SYN floods, and UDP-based overload techniques.
Cybercriminals primarily targeted telecommunications firms and internet service providers, followed by sectors such as internet platforms, IT services, gaming, and online gambling. The most frequently attacked regions included China, Brazil, Germany, India, South Korea, Turkey, Hong Kong, Vietnam, Russia, and Azerbaijan. Meanwhile, the bulk of malicious traffic originated from Indonesia, Singapore, Hong Kong, Argentina, and Ukraine.
Notably, there was a staggering 592% increase in attacks exceeding the threshold of 100 million packets per second compared to the previous quarter. Ransom-driven assaults also spiked by 68%, with threat actors either launching DDoS attacks or issuing warnings, demanding payment to cease their operations.
Cloudflare emphasized that large-scale attacks are becoming increasingly common. Six out of every hundred HTTP-based attacks now exceed one million requests per second, while five out of every ten thousand Layer 3/4 attacks surpass 1 terabit per second—representing a 1,150% quarterly increase.
The company also highlighted the resurgence of the DemonBot botnet, which primarily targets Linux systems, especially vulnerable IoT devices. This malware exploits open ports and weak passwords to conscript devices into vast DDoS campaigns spanning UDP, TCP, and application-layer vectors. Controlled via command-and-control servers, DemonBot is capable of generating massive volumes of traffic, striking gaming platforms, hosting providers, and enterprise services alike.
The proliferation of such threats is linked to long-standing issues—poor IoT security, exposed SSH ports, and outdated software. These vulnerabilities, when combined with techniques like TCP reflection, DNS amplification, and deceptive traffic bursts, have increasingly become focal points in Cloudflare’s threat intelligence and API security reports.
