Q2 2025 report reveals evolving tactics, legacy protocol abuse, and growing risks for telecom, IT, and gaming industries
Cloudflare has released its Q2 2025 DDoS Threat Report, revealing a significant shift in the threat landscape marked by more aggressive, hyper-volumetric attacks and increased targeting of critical infrastructure sectors like telecommunications, internet services, and gaming.
The standout highlight: Cloudflare mitigated the largest DDoS attack ever recorded, peaking at 7.3 terabits per second (Tbps) and 4.8 billion packets per second (Bpps). Over the quarter, Cloudflare blocked 6,500+ hyper-volumetric DDoS attacks, averaging 71 per day — a staggering trend even as overall attack volumes fell from Q1 due to the end of a major 18-day campaign.
“The Q2 data highlights just how quickly the DDoS threat landscape is evolving — with attackers launching faster, shorter, and more aggressive campaigns across a broader range of industries and geographies,” said Bashar Bashaireh, AVP – Middle East, Türkiye & North Africa, Cloudflare. “These trends reinforce the need for organizations to adopt a proactive, always-on security posture.”
Despite a sharp drop in total attacks from 20.5 million in Q1 to 7.3 million in Q2, attacks remain 44% higher year-over-year. HTTP DDoS attacks climbed 9% to 4.1 million, while L3/4 attacks plummeted 81% to 3.2 million, revealing an evolution in attack vectors and scale.
Key Sector & Geography Trends
- Telecoms, service providers, and carriers were the most targeted sectors, followed by IT, gaming, and gambling.
- China emerged as the most attacked location, followed by Brazil, Germany, India, and South Korea.
- Ransom DDoS (RDDoS) threats surged, with a 68% increase in incidents or threats compared to Q1.
Botnets, Protocol Abuse & Emerging Tactics
A significant 71% of HTTP DDoS attacks were launched via known botnets. Among L3/4 vectors, DNS floods topped the list, followed by SYN and UDP floods. Attackers increasingly abused obscure or legacy protocols — a 385% surge in Teeworlds floods, 296% in RIPv1 floods, and 173% in RDP floods, among others.
These trends signal heightened sophistication as attackers seek to bypass traditional defense mechanisms using unpredictable traffic patterns and underutilized protocol exploits.
Attack Size & Duration
While most attacks remain small — 94% of L3/4 attacks didn’t exceed 500 Mbps — the growth in massive, targeted attacks is accelerating. HTTP DDoS attacks exceeding 1 million requests per second now account for 6 out of every 100 incidents, while 1 in every 2,000 L3/4 attacks breached the 1 Tbps mark — up 1,150% QoQ.
Cloudflare emphasized its ongoing commitment to providing unmetered, automated DDoS protection that adapts to rising volumes and complexity. The company continues to invest in real-time threat intelligence, automation, and a global infrastructure that scales against the most extreme attack scenarios.
