Data Reveals Shifting Patterns in DDoS Attacks, With Business Rivals Driving Majority of Identified Threats

Cloudflare’s latest quarterly analysis of Distributed Denial-of-Service (DDoS) threats paints a complicated picture of how digital attacks are evolving across industries and regions. Although overall attack volumes dipped from earlier peaks, the data reveals that hyper-scale offensives are becoming more intense and, in many cases, surprisingly brief.

During the second quarter of 2025, Cloudflare’s systems automatically mitigated over 7.3 million DDoS attempts. While this figure reflects a substantial drop from the first quarter, which saw an unusual spike linked to an extended campaign targeting core internet infrastructure, the underlying pressure remains high. Compared to the same quarter last year, attack activity has grown significantly, with HTTP-based attacks increasing by well over 100%.

A notable change is the surge in what the company calls hyper-volumetric attacks, offensives that reach a scale previously considered rare. On average, Cloudflare blocked 71 of these every day throughout the quarter. Some of these incidents exceeded thresholds of one terabit per second in bandwidth or one billion packets per second in volume. While most of these outbursts are short, their intensity often pushes unprotected servers to failure before countermeasures can be activated.

Cloudflare also sought to understand who’s behind these attacks. Only a portion of affected customers could confidently identify the origin, but among those who did, most pointed to industry competitors. The gaming, gambling, and crypto sectors stood out as hotspots for this type of commercial sabotage. State-linked actors, extortionists, and misconfigured internal systems were also cited, but to a much lesser extent.


In parallel, ransom-driven DDoS incidents, where attackers demand payment under threat of disruption, rose sharply during the quarter. June saw a particular spike, with a noticeable increase in reports of threats and confirmed ransom attempts. This reflects a trend toward financially motivated DDoS activity that’s becoming more common across both public and private sector targets.

On the geographical front, attack origins and targets continued to shift. The most frequently targeted locations during the quarter were not necessarily political hotspots but rather countries with a high density of digital infrastructure. China moved to the top of the list, followed by Brazil, with Vietnam and Russia also jumping significantly in the rankings. It’s important to note that these figures don’t indicate political targeting; rather, they reflect customer billing regions associated with the attacked services.

Among the sectors most affected, telecommunications and IT service providers remained under the most frequent assault. Other industries that saw a high volume of attacks included gaming, financial services, and retail, while the agriculture and software sectors also experienced unexpected rises. Government entities rounded out the top ten.

From a technical standpoint, Cloudflare’s data pointed to an increase in botnet activity sourced from virtual cloud servers rather than traditional consumer devices. Providers like DigitalOcean, Microsoft, and Tencent were frequently observed as launch points for these attacks, largely due to how easily bad actors can spin up temporary machines on these platforms. Interestingly, networks offering virtual machines were far more prominent among the top sources than those built around standard internet service.

When breaking down attack methods, DNS floods, SYN floods, and UDP-based disruptions made up the bulk of low-level network attacks. At the application layer, volumetric HTTP floods dominated. Emerging threats also became more visible, with attackers revisiting legacy technology such as the RIPv1 routing protocol and the VxWorks real-time operating system in an apparent attempt to bypass modern defenses.

Although many of these attacks are small and short-lived, their frequency and unpredictability create a persistent threat. Even relatively modest attacks, if timed correctly, can disrupt web services, particularly for servers lacking advanced mitigation tools. Some of the most impactful bursts lasted less than a minute but reached traffic levels exceeding the entire bandwidth capacity of a typical enterprise.

To counteract these threats, Cloudflare continues to offer a real-time threat feed to service providers. This system allows internet infrastructure companies to automatically identify and act against known botnet sources operating within their own networks. So far, hundreds of organizations have joined this program, which appears to be gradually improving coordination across the industry.

While the tools to resist these attacks are improving, the data suggests that adversaries are adapting quickly. With botnets growing stronger and attack vectors becoming more complex, the second half of the year is likely to test the resilience of online services even further, especially for those without always-on protection in place.
