
The 2025 Q3 report describes a quarter dominated by ultra‑large, highly automated DDoS attacks, with the Aisuru botnet as the central threat actor.
Overall attack volume and trends
- By the end of Q3 2025, Cloudflare had already mitigated 36.2 million DDoS attacks, about 170% of all attacks mitigated in 2024, with one full quarter still remaining.
- In Q3 alone, Cloudflare automatically blocked 8.3 million attacks, up 15% quarter‑over‑quarter (QoQ) and 40% year‑over‑year (YoY), averaging roughly 3,780 attacks per hour.
- Network‑layer attacks made up about 71% (5.9 million) and grew 87% QoQ, while HTTP attacks accounted for 29% (2.4 million) and actually declined 41% QoQ.
Aisuru: apex hyper‑volumetric botnet
- Aisuru is estimated to control 1–4 million infected hosts and routinely launches “hyper‑volumetric” attacks exceeding 1 Tbps and 1 billion packets per second, with an average of 14 such attacks per day in Q3 and peaks of 29.7 Tbps and 14.1 Bpps.
- Since the start of 2025, Cloudflare has mitigated 2,867 Aisuru attacks; Q3 alone saw 1,304 hyper‑volumetric Aisuru incidents, a 54% QoQ increase.
- Portions of Aisuru are sold as botnet‑for‑hire for a few hundred to a few thousand USD, enabling attackers to threaten backbone networks and critical services and even cause collateral disruption to ISPs that are not the direct target.
Technical attack characteristics
- Q3 saw a 189% QoQ increase in attacks exceeding 100 million packets per second and a 227% increase in attacks exceeding 1 Tbps.
- Around 71% of HTTP and 89% of network‑layer attacks ended within 10 minutes, which is too short for manual or on‑demand responses but long enough to cause outages whose recovery takes much longer.
- On the network layer, UDP attacks (partly driven by Aisuru) surged 231% QoQ and became the top vector, followed by DNS floods, SYN floods, and ICMP floods, with Mirai variants still responsible for nearly 2% of network‑layer attacks.
- For HTTP DDoS, nearly 70% of attacks came from botnets already known to Cloudflare, about 20% from fake or headless browsers or suspicious traffic, and the remaining ~10% from generic floods, unusual requests, cache‑busting, or login endpoint targeting.
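The thresholds and the 10-minute duration figure above, applied to traffic telemetry as an added example (not code from the report or from Cloudflare): it groups per-second samples into attack episodes, flags those above 1 Tbps or 1 Bpps, and checks whether an episode is already over before a responder would act. The sample data, baselines, `factor`, `gap` and both response delays are constructed assumptions.

```python
from dataclasses import dataclass
# "Hyper-volumetric" per the summary above: more than 1 Tbps or 1 Bpps.
HYPER_BPS, HYPER_PPS = 1e12, 1e9
SHORT_ATTACK_S = 600  # the 10-minute mark cited above

@dataclass
class Episode:
    start: int        # first anomalous second
    end: int          # last anomalous second (inclusive)
    peak_bps: float
    peak_pps: float
    @property
    def duration(self):
        return self.end - self.start + 1
    @property
    def hyper_volumetric(self):
        return self.peak_bps > HYPER_BPS or self.peak_pps > HYPER_PPS

def find_episodes(samples, base_bps, base_pps, factor=10, gap=30):
    """Group (t, bps, pps) samples above factor x baseline into episodes,
    merging bursts separated by at most `gap` seconds (assumed tunables)."""
    episodes = []
    for t, bps, pps in samples:
        if bps <= factor * base_bps and pps <= factor * base_pps:
            continue
        if episodes and t - episodes[-1].end <= gap:
            ep = episodes[-1]
            ep.end, ep.peak_bps, ep.peak_pps = t, max(ep.peak_bps, bps), max(ep.peak_pps, pps)
        else:
            episodes.append(Episode(t, t, bps, pps))
    return episodes

def summarize(ep, response_delay_s):  # delay until a responder or system acts (assumed)
    return {"duration_s": ep.duration, "hyper_volumetric": ep.hyper_volumetric,
            "under_10_min": ep.duration < SHORT_ATTACK_S,
            "over_before_response": ep.duration <= response_delay_s}

def constructed_samples():
    """Constructed per-second telemetry, not real traffic."""
    out = []
    for t in range(900):
        bps, pps = 2e9, 3e5                          # quiet baseline
        if 100 <= t < 520 and not 300 <= t < 310:    # 7-minute flood, 10 s lull
            bps, pps = 1.4e12, 1.1e9
        elif 700 <= t < 730:                         # small 30 s burst
            bps, pps = 5e10, 6e6
        out.append((t, bps, pps))
    return out

if __name__ == "__main__":
    for ep in find_episodes(constructed_samples(), 2e9, 3e5):
        print(summarize(ep, 900), summarize(ep, 3))  # manual vs automated (assumed delays)
```

With the constructed data, the 7-minute flood has ended before an assumed 15-minute manual response begins, while an assumed 3-second automated response acts while it is still in progress.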
Sources, targets, and geopolitics
- Seven of the top ten source locations are in Asia, with Indonesia ranked as the largest DDoS source for a full year and its share of HTTP DDoS traffic growing about 31,900% since Q3 2021.
- By industry, Information Technology & Services was the most attacked sector, followed by Telecommunications and Gambling & Casinos, while Automotive jumped 62 ranks in a single quarter to become the sixth most attacked.
- Mining, Minerals & Metals saw a sharp rise in attacks amid EU–China tensions over EV tariffs and rare‑earth exports, jumping 24 ranks, and cybersecurity companies climbed 17 ranks to the 13th most attacked.
- In September 2025, HTTP DDoS traffic against generative‑AI companies spiked up to 347% month‑over‑month, coinciding with intense public debate and regulatory scrutiny around AI risks and adoption.
- China remained the most attacked country, followed by Turkey and Germany; the United States moved up 11 places to fifth, and the Philippines had the biggest rise within the top 10, jumping 20 places.
- The Maldives, France, and Belgium all experienced major DDoS surges parallel to large‑scale protests and political unrest, underscoring the link between street movements and online disruption.
Defense implications and Cloudflare’s stance
- The report argues that DDoS has entered a phase of extremely large, highly sophisticated, short‑lived, and automated attacks, making legacy on‑prem appliances and on‑demand scrubbing centers insufficient.
- Cloudflare positions its global network and autonomous mitigation systems as a way to provide unmetered DDoS protection to all customers and emphasizes that once a botnet is identified on one customer, protections extend to all.
References: Cloudflare’s 2025 Q3 DDoS threat report — including Aisuru, the apex of botnets



