With a record-breaking 20.5 million Distributed Denial of Service (DDoS) attacks prevented in the first quarter alone, a 358% rise over the same period last year, Cloudflare has reported a historic spike in cyberattacks to start 2025.
That first-quarter total nearly equals the number of attacks Cloudflare mitigated in all of 2024, underscoring a dramatic escalation in both the volume and intensity of DDoS threats.
The surge also reflects a shift in the global threat landscape, with attackers deploying more sophisticated and larger-scale campaigns than ever before.
Hyper-Volumetric Attacks
In April 2025, Cloudflare’s systems automatically detected and mitigated the largest packet-rate attack on record, peaking at 4.8 billion packets per second (Bpps) – approximately 52% larger than the previous 3.15 Bpps record.
This massive attack, originating from 147 countries, targeted a U.S.-based hosting provider and was part of a sustained campaign that also included a separate 6.5 terabits-per-second (Tbps) flood, matching the highest bandwidth attack ever publicly disclosed.
“The threat landscape has evolved dramatically in just one quarter,” said Cloudflare in their Q1 2025 DDoS Threat Report.
“We’ve observed a 397% quarter-over-quarter increase in network-layer attacks, with approximately 700 hyper-volumetric attacks exceeding 1 Tbps or 1 Bpps.”
Attack Vectors and Amplification
The report identified SYN flood as the most prevalent attack vector, followed by DNS floods and Mirai-generated attacks.
SYN floods exploit the TCP three-way handshake mechanism by sending numerous connection requests with spoofed source IP addresses, leaving servers with half-open connections that exhaust resources.
System administrators can implement protection using iptables rules such as:
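One ruleset of this kind, as an added example that is not taken from Cloudflare's report or the original article. The function names, port 443, and the 25/second rate and burst of 50 are assumptions; the output is iptables-restore text so it can be reviewed before it is loaded.

```shell
#!/usr/bin/env bash
# Added example (not from the Cloudflare report): emit SYN-flood hardening
# rules in iptables-restore format so they can be reviewed before loading.
# Port, rate and burst are illustrative assumptions; tune to real traffic.

syn_flood_rules() {
    local port="$1" rate="${2:-25}" burst="${3:-50}" v
    # Accept only plain positive integers with no leading zero.
    for v in "$port" "$rate" "$burst"; do
        case "$v" in ''|*[!0-9]*|0*) echo "invalid number: '$v'" >&2; return 1 ;; esac
    done
    [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }

    cat <<EOF
*raw
# Keep SYNs for the protected port out of conntrack so a flood of spoofed
# sources cannot fill the connection-tracking table.
-A PREROUTING -p tcp --dport $port --syn -j CT --notrack
COMMIT
*filter
# Per-source cap on new connections, checked first. It limits real
# (unspoofed) bots; spoofed floods are handled by the proxy rule below.
-A INPUT -p tcp --dport $port --syn -m hashlimit --hashlimit-name syn_$port --hashlimit-mode srcip --hashlimit-above $rate/second --hashlimit-burst $burst -j DROP
# SYNPROXY answers the handshake itself using SYN cookies; the server only
# sees a connection once the client has returned a valid final ACK.
-A INPUT -p tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-A INPUT -p tcp --dport $port -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# Kernel settings the rules above depend on (apply with sysctl -w as root).
syn_flood_sysctls() {
    printf '%s\n' \
        'net.ipv4.tcp_syncookies=1' \
        'net.ipv4.tcp_timestamps=1' \
        'net.netfilter.nf_conntrack_tcp_loose=0'
}

# Review first, then load without flushing existing rules:
#   syn_flood_rules 443 | iptables-restore --noflush --test
#   syn_flood_rules 443 | iptables-restore --noflush
```

Because SYN floods typically use spoofed source addresses, the per-source hashlimit rule alone does little against them; the SYNPROXY rules and SYN cookies are what keep half-open connections from consuming server state.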
Another concerning trend is the 3,488% increase in CLDAP reflection/amplification attacks. CLDAP (Connectionless Lightweight Directory Access Protocol) uses UDP instead of TCP, allowing attackers to spoof source IP addresses in small queries that trigger large responses to victims.
The report revealed that Germany became the most attacked country, while Gambling & Casinos jumped to become the most targeted industry.
Hong Kong emerged as the primary source of attack traffic, with Hetzner (AS24940) remaining the largest source of HTTP DDoS attacks among autonomous systems.
Despite the dramatic rise in hyper-volumetric attacks, most attacks remain relatively small, with 99% of Layer 3/4 DDoS attacks under 1 Gbps and 1 Mpps.
However, even these smaller attacks can easily overwhelm unprotected servers and network links.
Equally notable is the brevity of most attacks – 89% of network-layer attacks and 75% of HTTP DDoS attacks concluded within 10 minutes.
The record-breaking 4.8 Bpps attack lasted just 35-45 seconds, highlighting the need for always-on, automated protection.
“The current threat landscape leaves no time for human intervention,” researchers said.
“Detection and mitigation should be always-on, in-line and automated – with sufficient capacity and global coverage to handle attack traffic alongside legitimate peak traffic.”
To help combat these threats, Cloudflare provides a free DDoS Botnet Threat Feed for service providers. Over 600 organizations worldwide use it to identify and take down abusive accounts launching DDoS attacks from within their networks.