Cloudflare’s Q3 2025 DDoS Threat Report: Featuring Aisuru, the Ultimate Botnet

Cloudflare’s 2025 Q3 DDoS Report: An In-Depth Look

Cloudflare, a leader in internet security and performance enhancement, has published its Q3 2025 Distributed Denial of Service (DDoS) report. This comprehensive document sheds light on current trends and threats in the DDoS landscape as seen through Cloudflare’s expansive global network.

Key Findings from the Report

Notable Properties of the Aisuru Botnet

The report highlights a significant uptick in DDoS attacks launched by the Aisuru botnet, which has an estimated 1 to 4 million compromised hosts. This botnet has been responsible for hyper-volumetric DDoS assaults that reach unprecedented levels, often exceeding 1 terabit per second (Tbps) and 1 billion packets per second (Bpps). Moreover, there has been a staggering 54% increase in such attacks from the previous quarter.

Rising Targeting of AI Companies

In a notable trend, September 2025 saw a massive spike—up to 347% month-on-month—in DDoS attacks targeting companies in the artificial intelligence sector. This surge reflects growing public concerns and increased regulatory scrutiny surrounding AI technologies.

Geopolitical Influences on Cyber Attacks

The report also indicates that geopolitical issues are resonating in the cyber world. Heightened tensions between the EU and China, especially regarding rare earth minerals and electric vehicle tariffs, have correlated with a rise in DDoS attacks targeting industries such as mining and automotive.

DDoS Attacks: The Numbers Speak

By the end of Q3 2025, Cloudflare had successfully mitigated an astounding 36.2 million DDoS attacks, a figure that already represents 170% of the total for all of 2024. In the third quarter alone, 8.3 million attacks were neutralized, marking a 15% increase from the previous quarter and a 40% rise over the same period last year.

Breakdown of Attack Types

  • Network-layer DDoS attacks accounted for about 71% of all DDoS occurrences, translating to approximately 5.9 million incidents, an increase of 87% from the prior quarter and a 95% rise year-on-year.
  • HTTP DDoS attacks made up 29% (2.4 million) of the total, though these saw a decline of 41% quarter-on-quarter and 17% year-on-year.

Characteristics of Attacks

Although many DDoS attacks remain relatively small, there has been a notable rise in the number of larger attacks. Specifically, attacks exceeding 100 million packets per second (100 Mpps) surged by 189% from the previous quarter. Attacks surpassing 1 Tbps rose by an even higher 227%. On the HTTP layer, 4% of the attacks generated more than 1 million requests per second.

Most attacks are brief, with 71% of HTTP DDoS attacks and 89% of network-layer DDoS attacks concluding in under 10 minutes. Even attacks this short can disrupt services significantly, and recovery can take much longer than the attack itself.

Sources and Targets of Attacks

Geographic Origins of Attacks

The majority of attack sources were concentrated in Asia, with Indonesia being the leading global origin for a full year running.

Most Affected Industries

The most targeted sectors during Q3 2025 included:

  • Information Technology & Services
  • Telecommunications
  • Gambling & Casinos
  • Gaming
  • Automotive
  • Banking & Financial Services
  • Retail
  • Consumer Electronics
  • Media, Production & Publishing

DDoS incidents against the mining, minerals, and metals sector surged, pushing this industry up 24 positions in global attack rankings. The automotive sector registered the most significant jump, climbing 62 positions to sixth place.

Attack Vectors: Network and HTTP

Network-layer Attacks

The report specifies that UDP floods have become the most prevalent network-layer attack vector, increasing 231% quarter-on-quarter, driven largely by the Aisuru botnet. This was followed by DNS floods, SYN floods, and ICMP floods, collectively accounting for more than half of all network-layer attacks. Variants of the infamous Mirai botnet were still linked to nearly 2% of network-layer incidents.

HTTP Attacks

The data indicates that around 70% of HTTP DDoS attacks originated from botnets already identified by Cloudflare. Approximately 20% involved suspicious HTTP attributes or came from fake browsers, while the remainder included various attack types such as cache-busting and login-endpoint targeting.

Insights from Cloudflare’s Leadership

Bashar Bashaireh, Cloudflare’s Area VP for the Middle East, Türkiye, and North Africa, remarked on the report’s findings, emphasizing the clear link between DDoS activities and ongoing geopolitical tensions. He pointed out the importance of adapting modern defenses against botnet attacks, particularly as connectivity is crucial for economic growth and smart nation initiatives in the region.

The insights provided in this report can serve as a crucial resource for businesses seeking to safeguard their digital infrastructure against the evolving landscape of cyber threats.
