SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Cloudflare warns of 358% surge in global DDoS attacks in 2025

Today

Cloudflare has released its Q1 2025 DDoS Threat Report, highlighting a steep rise in global Distributed Denial of Service (DDoS) attacks and notable shifts in attack trends and targets.

According to the report, Cloudflare mitigated 20.5 million DDoS attacks in the first quarter of 2025 alone.

This figure nearly matches the total number of attacks blocked throughout all of 2024, which stood at 21.3 million. The Q1 2025 total represents a 358% year-over-year increase in DDoS attacks and a 198% increase compared to the previous quarter.

Around one third of these attacks, equating to 6.6 million, specifically targeted Cloudflare's own network infrastructure as part of a sustained 18-day multi-vector campaign. The remainder targeted various hosting providers and service providers under Cloudflare's protection. All attacks were detected and blocked by Cloudflare's automated defences.

Network-layer DDoS attacks were the primary driver of the overall surge. In Q1 2025, 16.8 million of these attacks were blocked, representing a 509% year-over-year rise and a 397% increase from the prior quarter. Hyper-volumetric attacks, defined as those exceeding 1 terabit per second (Tbps) or one billion packets per second (Bpps), have become increasingly common. Cloudflare reported approximately 700 such attacks during the quarter, averaging about eight per day.

While the focus of the report is Q1 2025, it also covers a significant campaign in April 2025, which included some of the largest DDoS attacks publicly disclosed to date. Cloudflare blocked a packet rate attack peaking at 4.8 billion packets per second, representing a 52% increase over the previous record. Separately, the company defended against a 6.5 Tbps flood, matching the highest bandwidth attacks ever reported. These attacks were typically short, lasting between 35 and 45 seconds, and originated from 147 countries, primarily targeting a hosting provider protected by Cloudflare Magic Transit.

Globally, there have been notable changes in the most-targeted locations. Germany moved up four spots to become the most attacked country in Q1 2025.

Turkey made an 11-place jump to secure second position, while China dropped to third. Hong Kong, India, and Brazil also appeared among the most-attacked countries, with movements seen across several regions in the rankings. Australia, for its part, remained outside the global top ten.

Industries facing the most pressure have shifted this quarter as well. The Gambling & Casinos sector moved to the top position as the most targeted industry, after climbing four places.

Telecommunications dropped to second, and Information Technology & Services followed in third. Other industries experiencing notable increases in attacks included Cyber Security, which jumped 37 places, and Airlines, Aviation & Aerospace, which rose 40 places to become the tenth most targeted sector. In Australia, the industries facing the most attacks were Telecommunications, Information Technology and Services, Human Resources, and Consumer Services.

The report detailed attack vectors and trends, showing that the most common technique at the network layer remains SYN flood attacks, followed by DNS flood and Mirai-launched attacks.

Among HTTP DDoS attacks, more than 60% were identified and blocked as known botnets, with others attributed to suspicious attributes, browser impersonation, and cache busting techniques.

Cloudflare observed significant surges in two emerging attack methods. CLDAP reflection/amplification attacks grew by 3,488% quarter-over-quarter, exploiting the connectionless nature of the protocol to overwhelm victims with reflected traffic. Similarly, ESP reflection/amplification attacks rose 2,301%, underscoring vulnerabilities in systems using the Encapsulating Security Payload protocol.

Despite the increase in the volume and size of attacks, the report noted that 99% of network-layer DDoS attacks in Q1 2025 were below 1 Gbps and one million packets per second.

Likewise, 94% of HTTP attacks fell below one million requests per second. Most attacks were short-lived, with 89% of network-layer and 75% of HTTP attacks ending within 10 minutes, but the impact can persist much longer due to the resulting service disruptions.

Investigations into attack origins pointed to a concentration among a small number of cloud and hosting providers' networks. German-based Hetzner retained its position as the largest source of HTTP DDoS attacks, followed by France's OVH, the US-based DigitalOcean, and another German provider, Contabo. Additional significant sources included ChinaNet Backbone and Tencent (China), Drei (Austria), and US-based providers Microsoft, Oracle, and Google Cloud Platform.

Cloudflare provides a free DDoS Botnet Threat Feed to service providers globally, aiming to help identify and dismantle botnets operating from within their networks. Over 600 organisations have already joined this effort, benefiting from timely threat intelligence that allows for faster mitigation and greater network security.

The report also highlighted a concerning trend regarding attribution of these attacks. When surveyed, the majority of Cloudflare customers targeted by DDoS attacks indicated they did not know who was behind the attacks. Of those who did, 39% identified competitors as the source, a trend particularly prevalent in the gaming and gambling sectors. State-level actors and disgruntled users or customers were each named by 17% of respondents, while self-inflicted (self-DDoS), extortionist-led, and employee-initiated attacks accounted for the remainder.

Cloudflare's analysis underscores the growing frequency and intensity of DDoS attacks, the increasing sophistication of attack methods, and the need for proactive, automated, and always-on mitigation strategies.
