Breaking News

DDoS attacks more than doubled in 2025, hitting 47.1 million, Cloudflare says

The volume and intensity of distributed denial-of-service attacks reached unprecedented levels in 2025, with the total number of DDoS attacks observed by Cloudflare more than doubling to 47.1 million, according to the company's inaugural 2026 Cloudflare Threat Report released this week.

The most alarming growth came from network-layer DDoS attacks, which more than tripled year over year, signaling a fundamental shift in attacker capability and ambition. On average, Cloudflare mitigated 5,376 DDoS attacks every hour — 3,925 at the network layer and 1,451 HTTP-based attacks.

The report, produced by Cloudflare's threat intelligence unit Cloudforce One, draws on telemetry from the company's global network, which processes over 20% of the world's internet traffic.

A new record every month

The year 2025 was defined by a relentless cadence of record-breaking attacks. Cloudforce One observed 19 new world record attacks over the course of the year, with peaks climbing steadily from 3.8 Tbps in September 2024 to 6.5 Tbps in April 2025, before accelerating sharply through the second half of the year.

The current record, set in November 2025, was a 31.4 Tbps UDP flood launched by the Aisuru botnet — nearly six times the peak volume of 2024's largest recorded attack. By October 2025, two separate attacks had already crossed the 29 Tbps threshold, underscoring how rapidly the baseline is shifting.

The Aisuru botnet, along with its successor Kimwolf, has emerged as the primary engine behind this surge. Together, the two botnets are estimated to control between one and four million infected hosts. Unlike traditional botnets that rely on data center infrastructure, these networks tunnel attacks through residential proxy services, making malicious traffic appear to originate from legitimate users and complicating IP-based blocking.

In early 2026, over 550 Kimwolf command-and-control nodes were null-routed in a disruption effort, though the report notes the network continues to expand.

The human intervention window has closed

One of the most operationally significant findings in the report is the speed at which these attacks peak and subside. Most attacks observed in 2025 lasted less than 10 minutes — a window far too narrow for human-led mitigation teams to mount an effective response.

The report describes this as effectively closing the window for human intervention, placing an extreme resource tax on local infrastructure and rendering legacy scrubbing center models insufficient. Organizations that rely on reactive, manual processes to detect and respond to volumetric attacks are, in practice, already behind when the alert fires.

This speed-to-peak dynamic is not incidental. It is a deliberate design characteristic of autonomous botnet strikes, which are engineered to exhaust network capacity before countermeasures can be deployed.

Beyond volumetric: Application-layer exhaustion

The threat is not limited to raw bandwidth. The report flags a parallel trend in which modern bots target specific high-cost application functions — such as complex database search queries — to exhaust a server's CPU and memory and take a site offline with minimal traffic volume. This approach is harder to detect and cheaper to execute, allowing even lower-tier threat actors to achieve effective denial of service without the infrastructure overhead of a volumetric flood.

Democratization of destructive capability

Perhaps the most consequential finding is what the Aisuru and Kimwolf botnets represent strategically. The report notes that the democratization of massive botnets means even mid-tier threat actors can now launch hyper-volumetric attacks that were once the exclusive capability of nation-states.

This lowering of the barrier to entry is consistent with the report's broader thesis around what Cloudflare calls the Measure of Effectiveness — a shift in the threat landscape where maximum disruption at minimum cost has replaced technical sophistication as the defining metric of a successful attack.