
The Numbers That Define 2025

In its Q4 2025 DDoS Threat Report, Cloudflare published figures that redefined the baseline for what "large-scale" means. The company mitigated 47.1 million DDoS attacks over the course of the year, a 121% year-over-year increase from 2024. That is roughly 129,000 attacks per day, or about 90 per minute.

The raw attack count tells only part of the story. The nature of those attacks changed, too. Hyper-volumetric attacks, which Cloudflare defines as exceeding 1 Tbps in bandwidth or 1 billion packets per second (1 Bpps), became common enough that the company stopped treating them as exceptional events. In the final quarter of 2025 alone, Cloudflare mitigated roughly 6.9 million DDoS attacks, a 16% quarter-over-quarter and 83% year-over-year increase.

The single largest event of the year was a UDP flood that peaked at 31.4 Tbps, mitigated by Cloudflare in Q4 2025. To put that in perspective: the previous Cloudflare bandwidth record was 5.6 Tbps, set a year earlier in Q4 2024. The record therefore grew by more than 5x in twelve months.

Metric                                 | 2024                                      | 2025                                                                 | Change
Total attacks mitigated (Cloudflare)   | ~21.3 million                             | 47.1 million                                                         | +121%
Peak bandwidth record                  | 5.6 Tbps (Q4 2024)                        | 31.4 Tbps (Q4 2025)                                                  | +461%
Peak packet rate (publicly documented) | 840 Mpps (OVHcloud, disclosed July 2024)  | Attacks above 1 Bpps now counted as routine hyper-volumetric events; 840 Mpps remains the best-documented bare-metal case | see text
Attacks exceeding 1 Tbps               | Rare (a handful per quarter)              | Common (routine, weekly)                                             | Normalized

The 31.4 Tbps Record: What Happened

The 31.4 Tbps attack mitigated by Cloudflare in Q4 2025 was a multi-vector UDP flood that lasted only about 60 seconds at peak intensity. Cloudflare's automated systems handled it without human intervention, which itself is a meaningful data point: the attack was large enough to rewrite the record books but short enough that a manual response would have arrived after it was already over.

The previous Cloudflare bandwidth record of 5.6 Tbps, set in late 2024, already represented a massive leap over the prior record. For context, Google reported mitigating a 3.9 Tbps attack in 2023, which held the public record for roughly a year. The jump from 3.9 to 5.6 to 31.4 Tbps in consecutive years shows an accelerating curve, not a linear one.

What enabled this kind of scale? The short answer is larger botnets with better tooling. The Aisuru botnet (also tracked under the name Kimwolf) was identified as the dominant source of many of the largest attacks of 2025. Unlike classic Mirai-based botnets, which spread by brute-forcing factory-default telnet credentials on IoT devices, Aisuru added exploitation of routers, DVRs, and enterprise-grade networking equipment, devices with far higher per-node bandwidth and packet-generation capacity.

The 31.4 Tbps figure is the peak instantaneous bandwidth as reported by Cloudflare. It does not represent sustained throughput over the full attack duration. Peak-to-sustained ratios in hyper-volumetric attacks are often 3:1 or higher.

The Packet-Rate Dimension: OVHcloud's 840 Mpps Still Matters

While 2025's bandwidth records captured headlines, the packet-rate record disclosed by OVHcloud in July 2024 remains the most technically significant DDoS milestone for infrastructure operators running their own hardware.

OVHcloud reported mitigating attacks peaking at 840 million packets per second (Mpps) in early 2024, generated primarily by compromised MikroTik CCR routers. As they documented in their blog post "The Rise of Packet Rate Attacks," these devices are purpose-built for packet forwarding. A single MikroTik CCR1036 can push 24+ Mpps, making even a small pool of compromised routers capable of generating packet volumes that overwhelm server-grade hardware.

The key insight from OVHcloud's analysis: the 840 Mpps attack consumed roughly 500 Gbps of bandwidth. By volume alone, it would not have ranked among the year's largest attacks. But 840 million minimum-size packets per second is devastating to anything that processes packets in software, because every packet demands individual CPU attention regardless of its size. NICs overflow their ring buffers, kernel softirqs saturate CPU cores, and conntrack tables fill up in milliseconds.
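To make that insight concrete, here is an added worked sizing calculation (example code written for this page, not OVHcloud's analysis or tooling). The Ethernet framing constants are standard; the core count, clock speed and nf_conntrack_max value passed in at the bottom are assumptions chosen for illustration.

```python
"""Added example: why 840 Mpps of minimum-size frames hurts software packet
processing far more than the same bandwidth carried in large packets.
Ethernet constants are standard; the host parameters used in main() are
assumptions picked for illustration, not measurements from any report."""

ETH_MIN_FRAME = 64          # bytes: smallest legal Ethernet frame, FCS included
ETH_WIRE_OVERHEAD = 8 + 12  # bytes: preamble+SFD and inter-frame gap the NIC still clocks in
BITS_PER_BYTE = 8


def wire_gbps(pps: float, frame_bytes: int = ETH_MIN_FRAME) -> float:
    """Line rate consumed by `pps` frames of `frame_bytes` each, wire overhead included."""
    return pps * (frame_bytes + ETH_WIRE_OVERHEAD) * BITS_PER_BYTE / 1e9


def pps_at_gbps(gbps: float, frame_bytes: int) -> float:
    """Packet rate that the same bandwidth carries at a given frame size."""
    return gbps * 1e9 / ((frame_bytes + ETH_WIRE_OVERHEAD) * BITS_PER_BYTE)


def cycles_per_packet(pps: float, cores: int, core_ghz: float) -> float:
    """CPU cycles available per packet if every core did nothing but receive packets."""
    return cores * core_ghz * 1e9 / pps


def conntrack_fill_ms(new_flows_per_s: float, nf_conntrack_max: int) -> float:
    """Milliseconds until nf_conntrack_max entries exist when every packet is a new flow
    (spoofed or randomised source tuples make this the worst case)."""
    return nf_conntrack_max / new_flows_per_s * 1e3


def packet_rate_budget(pps: float, cores: int, core_ghz: float,
                       nf_conntrack_max: int) -> dict:
    """Collect the figures a capacity planner wants in one place."""
    gbps = wire_gbps(pps)
    return {
        "wire_gbps": gbps,
        "same_gbps_as_pps_at_1500B": pps_at_gbps(gbps, 1500),
        "cycles_per_packet": cycles_per_packet(pps, cores, core_ghz),
        "conntrack_fill_ms": conntrack_fill_ms(pps, nf_conntrack_max),
    }


if __name__ == "__main__":
    # Assumed host: 32 cores at 3.0 GHz and a stock nf_conntrack_max of 262144.
    budget = packet_rate_budget(840e6, cores=32, core_ghz=3.0, nf_conntrack_max=262_144)
    for key, value in budget.items():
        print(f"{key:>26}: {value:,.1f}")
```

The numbers line up with the paragraph: 840 Mpps of 64-byte frames is roughly 564 Gbps on the wire (a little above the ~500 Gbps quoted, depending on whether preamble and inter-frame gap are counted), the same bandwidth in 1500-byte frames would be only ~46 Mpps, a 32-core host has about 114 cycles per packet for everything from NIC interrupt to socket delivery, and a default-sized conntrack table fills in under a millisecond.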

Larger packet rates have since been reported in aggregate: Cloudflare's hyper-volumetric definition starts at 1 Bpps, and it now counts such attacks as routine. But the 840 Mpps event remains the best-documented packet-rate attack against an operator's own bare-metal infrastructure, and the infrastructure that enabled it (tens of thousands of unpatched MikroTik devices with internet-exposed management interfaces) has not been remediated. OVHcloud identified approximately 99,382 potentially exploitable MikroTik devices in its research. The threat remains active.

The Aisuru/Kimwolf Botnet: Beyond Mirai

The Aisuru botnet emerged as one of the most significant DDoS threat actors of 2025. Security researchers tracking the botnet identified it as an evolution beyond classic Mirai variants, incorporating several capabilities that explain the jump in attack scale:

  • Broader device targeting. Rather than focusing exclusively on consumer IoT devices (cameras, routers, DVRs), Aisuru actively targeted enterprise and carrier-grade networking equipment. These devices have significantly higher bandwidth and packet-generation capacity than a typical compromised webcam.
  • Exploit integration. Aisuru incorporated known CVEs for popular router platforms rather than relying solely on default credential lists. This expanded the pool of compromisable devices beyond those with unchanged factory passwords.
  • Multi-vector attack orchestration. Attacks attributed to Aisuru frequently combined multiple protocols (UDP fragment floods, DNS amplification, TCP SYN/ACK floods) within a single campaign, rotating vectors mid-attack to evade protocol-specific mitigations.
  • Attack-for-hire availability. Like many modern botnets, Aisuru's capabilities were available as a service, lowering the barrier for attackers who lacked the technical skill to build their own infrastructure.

The Aisuru botnet's role in the 2025 attack landscape illustrates a broader trend: the gap between nation-state-grade attack capability and commodity booter-service capability is shrinking. Attacks that would have required significant resources five years ago are now available on demand for modest fees.

Attack Duration and Intensity Trends

One of the clearest shifts documented across multiple threat reports in 2025 is the move toward shorter, more intense attacks. The majority of DDoS attacks now last less than 10 minutes. Many of the largest volumetric events peak within the first 30 to 60 seconds and subside within 2 to 3 minutes.

This pattern is deliberate, not coincidental. Short-duration, high-intensity attacks are optimized to:

  • Outrun manual response. Most SOC teams cannot triage and respond to an alert in under 5 minutes. By the time a human reviews the dashboard, the attack is over and the damage is done.
  • Evade sustained-traffic detections. Many DDoS detection systems require traffic to exceed a threshold for a sustained period (30 seconds, 60 seconds, 5 minutes) before triggering mitigation. A 45-second burst can fall below these windows.
  • Enable repeated probing. Attackers launch short attacks, observe the response, adjust their vector, and attack again. This iterative approach maps the target's defenses without sustaining a single long event that is easier to profile and block.
  • Reduce botnet exposure. Shorter attacks mean less time for defenders to fingerprint the attack source, collect packet captures, and share indicators of compromise.

This trend has direct implications for detection architecture. If your detection system polls traffic metrics every 60 seconds and requires two consecutive samples above threshold before alerting, a 45-second attack at 5 Tbps can come and go without generating a single alert. Per-second detection granularity is no longer a nice-to-have. It is a requirement.

Multi-Vector Rotation: The New Normal

Attackers in 2025 increasingly rotated protocols mid-attack. A campaign might begin with a DNS amplification flood, switch to a TCP SYN flood after 30 seconds, pivot to UDP fragmentation for another 20 seconds, and finish with an HTTP/2 request flood. Each vector targets a different layer of the defense stack.

This rotation strategy exploits a common architectural weakness: many DDoS mitigation systems apply protocol-specific rules. A DNS scrubber might handle the initial wave perfectly, but when the attack pivots to TCP SYN floods, traffic needs to be rerouted through a different mitigation pipeline. The switching delay, even if only 5 to 10 seconds, creates windows of unmitigated traffic.

Multi-vector attacks also complicate post-incident analysis. Correlating a DNS amplification flood, a SYN flood, and an HTTP request flood as a single coordinated campaign requires visibility across all layers simultaneously. Many organizations analyze L3/L4 and L7 traffic in separate tools, making it easy to miss the connection.

Target and Origin Shifts

According to Cloudflare's 2025 data, the most targeted industries remained consistent with prior years but with notable shifts in intensity:

  • Gaming and gambling continued to lead as the most attacked sector, driven by competitive disruption and extortion.
  • Financial services saw increased targeting, particularly during high-traffic trading periods and product launches.
  • SaaS and technology companies experienced a significant rise in attacks, reflecting the growing reliance on cloud-hosted business applications.
  • Telecommunications providers were increasingly targeted, with attackers aiming to degrade connectivity for downstream customers rather than targeting end services directly.

Geographically, Indonesia, Hong Kong, and Singapore emerged as significant attack origin points, reflecting the concentration of compromised IoT devices and poorly secured hosting infrastructure in those regions. Attack target geography remained weighted toward North America and Western Europe, where the highest-value targets are concentrated.

What Drove the Growth

The 121% year-over-year increase in attack volume was not driven by a single factor. Several converging trends created the conditions for the 2025 surge:

  • Cheaper booter/stresser services. The commoditization of DDoS-as-a-service continued to drive down prices and drive up accessibility. Services capable of launching multi-hundred-Gbps attacks are available for under $50/month.
  • Larger IoT botnets. The number of internet-connected devices continues to grow faster than the security practices protecting them. Radware's Global Threat Analysis Report noted that IoT botnets grew substantially in both size and sophistication during 2025.
  • Router and edge device compromise. As the OVHcloud MikroTik case demonstrated, compromised enterprise routers provide orders of magnitude more attack capacity per device than consumer IoT. This trend accelerated in 2025.
  • Improved attack tooling. Modern botnet command-and-control software automates multi-vector rotation, adaptive rate control, and target profiling. The bar for orchestrating complex attacks continues to drop.
  • Geopolitical motivation. Hacktivism and state-aligned DDoS campaigns contributed a measurable share of overall attack volume, particularly against government and infrastructure targets.

What This Means for Defenders

The 2025-2026 DDoS landscape makes several things unavoidably clear for anyone responsible for network infrastructure:

Static thresholds are obsolete

If your alerting fires when traffic exceeds a fixed Gbps or PPS threshold, you are running a detection system designed for 2018. Attack volumes now vary by multiple orders of magnitude, and what qualifies as "normal" changes week to week as your legitimate traffic patterns evolve. Detection must use dynamic baselines that adapt to your actual traffic profile, computed over rolling windows of days or weeks.

Per-second detection is required

When the majority of attacks last under 10 minutes and peak intensity is reached in the first 30 seconds, a detection system that polls every 60 seconds is structurally unable to provide meaningful alerting. You need per-second granularity for both bandwidth and PPS metrics, with alerts that fire within 1 to 2 seconds of anomaly detection.

Auto-escalation is no longer optional

The speed and intensity of modern attacks means human-in-the-loop response is too slow for the initial mitigation decision. Automated escalation, whether that means triggering upstream scrubbing, activating BGP blackhole announcements, or engaging XDP/eBPF drop rules, needs to happen within seconds of detection. Humans should review and adjust, not initiate. Order the escalation ladder by blast radius: a remotely triggered blackhole (RTBH) discards all traffic to the victim prefix, so it completes the outage for that prefix to protect everything else, and belongs at the top of the ladder rather than as the first automated step.

Monitor PPS, not just bandwidth

The OVHcloud 840 Mpps incident proved that packet-rate attacks can be more destructive than volumetric floods at a fraction of the bandwidth. If your monitoring only tracks Gbps, you are blind to an entire class of attacks that specifically targets CPU and NIC processing capacity. PPS monitoring at the NIC, kernel, and application layers is essential.
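The three points above (dynamic baselines, per-second granularity, PPS alongside bandwidth) and the 45-second-burst scenario described earlier can be shown in one piece of code. The following is an added example written for this page, not Flowtriq's product code or any vendor's detector. The traffic is constructed in-process (300 seconds of jittered web traffic with a 45-second attack injected at t=120), and the EWMA parameters, the 3x-baseline guard and the 200-byte small-packet cut-off are assumptions chosen for illustration.

```python
"""Added example: a 60-second polling detector versus a per-second detector with an
adaptive baseline, on constructed per-second counters. All traffic figures and tuning
constants are assumptions for illustration, not data from any threat report."""
import math
import random
from dataclasses import dataclass


@dataclass
class Sample:
    t: int        # seconds since start of the constructed trace
    bits: float   # bits seen in this one-second bucket
    pkts: float   # packets seen in this one-second bucket


@dataclass
class Alert:
    t: int
    pps: float
    gbps: float
    avg_bytes_per_pkt: float
    classification: str


# (packets per second, bytes per packet) added on top of legitimate traffic
ATTACKS = {"packet-rate": (6.0e8, 64), "volumetric": (1.8e8, 1400)}


def build_traffic(attack: str = "packet-rate", seed: int = 1) -> list:
    """Constructed trace: ~2 Gbps / 200 kpps with +-15% jitter for 300 s,
    plus a 45-second attack burst covering t=120..164."""
    rng = random.Random(seed)
    pps_add, bytes_per_pkt = ATTACKS[attack]
    samples = []
    for t in range(300):
        bits = 2.0e9 * rng.uniform(0.85, 1.15)
        pkts = 2.0e5 * rng.uniform(0.85, 1.15)
        if 120 <= t < 165:
            pkts += pps_add
            bits += pps_add * bytes_per_pkt * 8
        samples.append(Sample(t, bits, pkts))
    return samples


def polled_detector(samples, interval=60, consecutive=2, pps_threshold=1.0e6):
    """The legacy design from the text: average each `interval`-second window and alert
    only after `consecutive` windows in a row exceed a static threshold.
    Returns the second at which the alert becomes available, or None."""
    above = 0
    for start in range(0, len(samples), interval):
        window = samples[start:start + interval]
        avg_pps = sum(s.pkts for s in window) / len(window)
        above = above + 1 if avg_pps > pps_threshold else 0
        if above >= consecutive:
            return start + len(window)   # nothing is known until the window closes
    return None


def classify(pps_anomalous: bool, bps_anomalous: bool, avg_bytes: float) -> str:
    """Small packets at high rate stress CPU/NIC; large packets at high rate stress links."""
    if pps_anomalous and avg_bytes < 200:
        return "packet-rate"
    return "volumetric" if bps_anomalous else "packet-rate"


def per_second_detector(samples, alpha=0.02, k=6.0, min_ratio=3.0, confirm=2) -> list:
    """Per-second anomaly detection against an adaptive (EWMA) baseline.
    A second is anomalous when a metric exceeds mean + k*std AND min_ratio x the mean
    (the ratio guard stops firing on near-zero variance early in the trace).
    `confirm` consecutive anomalous seconds raise one alert per episode. The baseline is
    frozen while anomalous so attack traffic never becomes the new 'normal'."""
    mean = {"pps": samples[0].pkts, "bps": samples[0].bits}
    var = {"pps": 0.0, "bps": 0.0}
    alerts, run = [], 0
    for s in samples:
        obs = {"pps": s.pkts, "bps": s.bits}
        anomalous = {m: obs[m] > mean[m] + k * math.sqrt(var[m])
                     and obs[m] > min_ratio * mean[m] for m in obs}
        if any(anomalous.values()):
            run += 1
            if run == confirm:
                avg_bytes = s.bits / 8 / s.pkts
                alerts.append(Alert(s.t, s.pkts, s.bits / 1e9, avg_bytes,
                                    classify(anomalous["pps"], anomalous["bps"], avg_bytes)))
            continue
        run = 0
        for m in obs:   # standard EWMA mean/variance update on non-anomalous seconds only
            diff = obs[m] - mean[m]
            incr = alpha * diff
            mean[m] += incr
            var[m] = (1 - alpha) * (var[m] + diff * incr)
    return alerts


if __name__ == "__main__":
    trace = build_traffic()
    print("60 s poll, 2 consecutive windows:", polled_detector(trace))
    print("60 s poll, 1 window:            ", polled_detector(trace, consecutive=1))
    for a in per_second_detector(trace):
        print(f"per-second alert at t={a.t}: {a.pps:,.0f} pps, {a.gbps:,.1f} Gbps, "
              f"{a.avg_bytes_per_pkt:.0f} B/pkt -> {a.classification}")
```

On the constructed trace the two-window poller never alerts, the one-window poller alerts at t=180 (fifteen seconds after the burst has ended), and the per-second detector alerts at t=121 and labels the burst packet-rate from its 64-byte average packet size; rerun with `build_traffic(attack="volumetric")` and the same code labels a 2 Tbps, 1400-byte flood as volumetric. Freezing the baseline during an episode is the detail most home-grown detectors miss: without it a sustained attack raises the EWMA until the attack itself looks normal.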

Multi-vector visibility is non-negotiable

With attackers rotating protocols mid-attack, you cannot rely on single-protocol detection. Your monitoring needs to correlate L3 (IP), L4 (TCP/UDP), and L7 (HTTP, DNS) anomalies simultaneously and present them as a unified incident view. Otherwise, you will see three separate "small" anomalies instead of one coordinated campaign.
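The correlation step this section and the earlier "Multi-Vector Rotation" section describe (stitching a DNS amplification window, a SYN flood, a UDP fragment flood and an HTTP/2 request flood, raised by separate L3/L4 and L7 tools, into one incident) is small enough to show in full. This is an added example written for this page, not Flowtriq's or any vendor's correlation engine. The anomaly records, the target addresses (documentation ranges) and the 15-second merge gap (chosen to cover the 5-to-10-second pipeline switching delay mentioned above) are constructed assumptions.

```python
"""Added example: merge per-vector anomaly windows from separate L3/L4 and L7 tools
into incidents keyed on the victim. Input records are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Anomaly:
    tool: str      # which monitoring system raised it
    layer: str     # "L3/L4" or "L7"
    vector: str
    target: str    # victim IP/prefix: the join key both tools must agree on
    start: int     # seconds (constructed epoch offsets)
    end: int


@dataclass
class Incident:
    target: str
    start: int
    end: int
    anomalies: list = field(default_factory=list)

    @property
    def vectors(self) -> list:
        return [a.vector for a in self.anomalies]

    @property
    def layers(self) -> list:
        return sorted({a.layer for a in self.anomalies})

    @property
    def rotations(self) -> int:
        return max(len(self.anomalies) - 1, 0)


def sample_anomalies() -> list:
    """Constructed alerts: a four-vector rotation against 203.0.113.10, an unrelated
    anomaly against 198.51.100.7, and a later, separate event against the first target."""
    return [
        Anomaly("flow-l3l4", "L3/L4", "dns-amplification", "203.0.113.10", 0, 30),
        Anomaly("flow-l3l4", "L3/L4", "tcp-syn", "203.0.113.10", 30, 50),
        Anomaly("flow-l3l4", "L3/L4", "udp-fragment", "203.0.113.10", 52, 72),
        Anomaly("waf-l7", "L7", "http2-request-flood", "203.0.113.10", 75, 95),
        Anomaly("flow-l3l4", "L3/L4", "udp-flood", "198.51.100.7", 400, 420),
        Anomaly("waf-l7", "L7", "http-get-flood", "203.0.113.10", 600, 610),
    ]


def correlate(anomalies, max_gap: int = 15) -> list:
    """Group anomalies by target and merge any that start within `max_gap` seconds of
    the current incident's end (overlaps merge too). Sorting by (target, start) means
    the last incident in the list is always the candidate for the next record."""
    incidents = []
    for a in sorted(anomalies, key=lambda x: (x.target, x.start)):
        cur = incidents[-1] if incidents else None
        if cur and cur.target == a.target and a.start - cur.end <= max_gap:
            cur.anomalies.append(a)
            cur.end = max(cur.end, a.end)
        else:
            incidents.append(Incident(a.target, a.start, a.end, [a]))
    return incidents


def summarize(inc: Incident) -> str:
    return (f"{inc.target} t={inc.start}-{inc.end}s ({inc.end - inc.start}s): "
            f"{' -> '.join(inc.vectors)} | layers={inc.layers} | rotations={inc.rotations}")


if __name__ == "__main__":
    for inc in correlate(sample_anomalies()):
        print(summarize(inc))
```

With a 15-second gap the four vectors collapse into one 95-second incident spanning both layers with three rotations; with `max_gap=0` the same input yields five "small" incidents, which is exactly the failure mode the paragraph warns about. The precondition is a shared key: if the L7 tool reports hostnames and the flow tool reports prefixes, the join has to be done before correlation, and that is usually where the visibility gap actually lives.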

Predictions for the Rest of 2026

Based on the trajectory of the past 18 months, several outcomes seem likely for the remainder of 2026:

  • The 50 Tbps barrier will be broken. The record went from 5.6 to 31.4 Tbps within a single year, and the botnet infrastructure and amplification techniques that enabled 31.4 Tbps have not been dismantled. A 50+ Tbps event before the end of 2026 is plausible.
  • Packet-rate records will keep rising. OVHcloud's 840 Mpps bare-metal record has stood since early 2024, and Cloudflare already treats attacks above 1 Bpps as routine behind its network. As more router-class devices are incorporated into botnets, packet rates above 1 Bpps will reach targets that do not sit behind a large scrubbing network.
  • Sub-60-second attacks will become the majority. The trend toward shorter, higher-intensity attacks will continue as attackers optimize for evading detection windows and minimizing their own infrastructure exposure.
  • AI-assisted attack orchestration will emerge. Automated systems that adapt attack vectors in real time based on observed mitigation responses are a logical next step. Early indicators of this capability were reported in late 2025.
  • Regulatory pressure on ISPs will increase. The growing economic impact of DDoS attacks is driving legislative interest in mandatory BCP38 compliance and ISP accountability for hosting compromised infrastructure.

The DDoS landscape of 2025-2026 is defined by acceleration. Attack volumes are growing faster than linear projections predicted. The tools available to attackers are more capable and more accessible than ever. And the duration of individual attacks is shrinking to the point where traditional response workflows cannot keep up.

For defenders, the message is clear: detection and mitigation systems that were adequate two years ago are not adequate today. The baseline has moved. Your defenses need to move with it.

Built for the attacks of 2025, not 2018

Flowtriq delivers per-second PPS and bandwidth monitoring, dynamic baseline detection, automatic attack classification, multi-channel alerting, and PCAP forensics. Detect hyper-volumetric and packet-rate attacks in under 2 seconds. $9.99/node/month with a 7-day free trial.
