Record 20.5 Million DDoS Strikes Logged; Biggest Attack Unleashes 4.8 Billion Packets

Cloudflare has revealed in its 21st DDoS Threat Report that it mitigated a staggering 20.5 million Distributed Denial of Service (DDoS) attacks in the first quarter of 2025 alone, representing a 358% year-over-year and 198% quarter-over-quarter increase.

This unprecedented volume nearly matches the total attacks recorded throughout all of 2024 (21.3 million).

The report highlights a watershed moment in DDoS defense: a late-April 2025 campaign saw Cloudflare automatically block the largest packet-per-second (PPS) assault ever publicly disclosed, peaking at 4.8 billion packets per second (Bpps), a 52% increase over the previous record.

Simultaneously, Cloudflare neutralized a 6.5 terabit-per-second (Tbps) UDP flood, paralleling the highest bandwidth DDoS attacks on record.

[Figure: Hyper-volumetric DDoS attacks]

These attacks, often lasting just 35–45 seconds, present a significant technical challenge, as they surpass the thresholds at which manual or on-demand mitigations can meaningfully respond.

The onslaught included over 16.8 million network-layer attacks in Q1 2025, marking a 397% quarter-over-quarter and a 509% year-over-year surge.

A notable 6.6 million of these targeted Cloudflare’s own infrastructure, with a further 6.9 million aimed at hosting and service providers under Cloudflare’s protection.

Attackers deployed sophisticated multi-vector campaigns spanning SYN floods, Mirai-botnet assaults, and SSDP amplification, tactics engineered to overwhelm targets from multiple angles and evade standard defenses.

All were deflected by Cloudflare’s autonomous, in-line mitigation systems.

Escalation in Hyper-Volumetric Incident Frequency

Cloudflare’s telemetry recorded over 700 hyper-volumetric DDoS attacks in Q1 2025, each exceeding either 1 Tbps or 1 Bpps.

[Figure: DDoS attacks in numbers]

Although such assaults represent only 0.004% of all network-layer attacks, their magnitude poses existential risks to unprotected networks.

Geographically, these attacks originated from 147 countries, and many targeted high-capacity hosting providers, notably affecting gaming platforms via port 27015, widely used by games like CS:GO and Team Fortress 2.

Surveys of victimized organizations suggest that 39% of known attackers were direct competitors (commonly in gaming and gambling), with state-sponsored actors, disgruntled users, self-inflicted incidents, and extortionists also identified.

On the technical front, attackers increasingly exploited emerging vectors such as CLDAP (Connectionless Lightweight Directory Access Protocol) and ESP (Encapsulating Security Payload) reflection/amplification, which saw quarter-over-quarter increases of 3,488% and 2,301%, respectively.

Most attacks, despite the surge in scale, remained under 1 Gbps and lasted less than 10 minutes. However, even brief high-intensity surges can cripple unprotected services and cause prolonged outages.

Germany emerged as the top target in Q1 2025, followed by Turkey and China, with notable increases in attacks against the Gambling & Casinos, Cyber Security, and Telecommunications sectors.

On the origin front, Hong Kong and Indonesia led as the primary sources of HTTP DDoS traffic, with cloud providers such as Hetzner, OVH, and DigitalOcean identified as major attack origination points, highlighting the dual-use nature of cloud infrastructure.

These developments underscore an urgent need for automated, globally distributed mitigation strategies, as hyper-volumetric attacks now routinely outpace the response capabilities of traditional, manually triggered solutions.

Cloudflare continues to offer free threat intelligence feeds to service providers, aiming to curb abuse at the network level and help the broader Internet ecosystem keep pace with a rapidly escalating threat environment.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
