Cloudflare, Inc., the security, performance, and reliability company helping to build a better Internet, has announced its 2025 Q3 DDoS report. This report includes insights and trends about the DDoS threat landscape — as observed across the global Cloudflare network, which is one of the largest in the world. 

Key findings

• The Aisuru botnet unleashed hyper-volumetric attacks at unprecedented scale: With an estimated 1–4 million infected hosts, the Aisuru botnet routinely launched hyper-volumetric DDoS attacks exceeding 1 terabit per second (Tbps) and 1 billion packets per second (Bpps) – with attacks surging 54% QoQ.
• AI companies capture the attention of attackers: DDoS attack traffic against AI companies surged by as much as 347% MoM in September 2025, as public concern and regulatory review of AI increases. 
• Geopolitical events continue to reflect in the cyber world: Escalating EU-China trade tensions over rare earth minerals and EV tariffs coincide with a significant increase in DDoS attacks against the Mining, Minerals & Metals industry and the Automotive industry.

DDoS attacks in numbers

• So far in 2025, and with an entire quarter to go until the end of the year, Cloudflare has already mitigated 36.2 million DDoS attacks. That corresponds to 170% of the DDoS attacks Cloudflare mitigated throughout 2024.
• In the third quarter of 2025, Cloudflare automatically detected and mitigated 8.3 million DDoS attacks, representing a 15% increase QoQ and 40% increase YoY.
• Network-layer DDoS attacks, accounting for 71% of the DDoS attacks in 2025 Q3, or 5.9 million DDoS attacks, increased by 87% QoQ and 95% YoY. 
• HTTP DDoS attacks, accounting only for 29% of the DDoS attacks in 2025 Q3, or 2.4 million DDoS attacks, decreased by 41% QoQ and 17% YoY.

Attack characteristics

• While the majority of DDoS attacks are relatively small, in Q3, the amount of DDoS attacks that exceeded 100 million packets per second (Mpps) increased by 189% QoQ. 
• Attacks exceeding 1 Tbps increased by 227% QoQ. On the HTTP layer, 4 out of every 100 attacks exceeded 1 million requests per second.
• Most attacks, 71% of HTTP DDoS and 89% of network-layer, end in under 10 minutes. That’s too fast for any human or on-demand service to react. A short attack may only last a few seconds, but the disruption it causes can be severe, and recovery takes far longer.

Top attack sources

• Seven out of the ten top sources are locations within Asia
• Indonesia is the largest source of DDoS attacks, and it has been ranked number one in the world for an entire year (since 2024 Q3). 

Top attacked industries

• Top 10: In Q3 2025, Information Technology & Services topped the list as the most attacked industry, followed by Telecommunications, Gambling & Casinos, Gaming, Internet, Automotive, Banking and Financial Services, Retail, Consumer Electronics and Media, Production & Publishing.
• DDoS attackers go after rare Earth minerals. DDoS attacks against the Mining, Minerals & Metals industry significantly increased in the third quarter of 2025. Overall, the Mining, Minerals & Metals industry surged 24 spots on the global ranking, making it the 49th most attacked industry in the world.
• The Automotive industry saw the largest surge in DDoS attacks, leaping the industry by 62 spots in just one quarter, placing it as the sixth most attacked industry in the world.
• Cybersecurity companies also saw a significant increase in DDoS attacks. The Cybersecurity industry hopped by 17 spots, making it the 13th most attacked industry in the world.

DDoS attacks against AI surge by 347%

In September 2025, Cloudflare saw MoM spikes as high as 347% in HTTP DDoS attack traffic against generative AI companies (based on a sample of leading generative AI services).

Top attacked locations

• In the third quarter of 2025, China remained the most attacked, followed by Turkey in second, and Germany in third place. 
• The most notable changes within this quarter was an increase in DDoS attacks against the United States, which leaped by 11 spots as the fifth most attacked country. 
• The Philippines saw the largest increase within the top 10 – it jumped by 20 spots.

Attack vectors

Network-layer DDoS attacks

• The amount of UDP DDoS attacks, partially fuelled by Aisuru attacks, increased by 231% QoQ making it the top attack vector at the network-layer. 
• DNS floods came in second place, SYN floods in third, and ICMP floods in fourth — accounting for just over half of all network-layer DDoS attacks. 
• Although almost 10 years have passed since its first major debut, Mirai DDoS attacks are still quite common. Almost 2 out of every 100 network-layer DDoS attacks are launched by permutations of the Mirai botnet.

HTTP DDoS attacks

• Nearly 70% of HTTP DDoS attacks originated from botnets already known to Cloudflare. 
• Another ~20% of HTTP DDoS attacks originated from fake or headless browsers, or included suspicious HTTP attributes. 
• The remaining ~10% were a combination of generic floods, unusual requests, cache busting attacks, and attacks that targeted login endpoints.

Commenting on the report, Bashar Bashaireh, Area VP Middle East, Türkiye & North Africa at Cloudflare, says: ““What the Q3 2025 data clearly shows is that DDoS activity is increasingly tied to geopolitical tension, critical infrastructure, and high-growth sectors such as AI and telecommunications. Across the Middle East, where connectivity underpins economic diversification and smart-nation initiatives, these findings are a timely reminder that legacy defenses are no longer sufficient against today’s botnet-driven attacks.”

Note: Dive into the full report here.