Annual Report
State of DDoS 2026
Attack trends, vector analysis, and mitigation data from Flowtriq's detection network, combined with public intelligence from Cloudflare, Radware, Netscout, and ENISA.
01 Executive Summary
2025 was the most active year for DDoS attacks ever recorded. Every major reporting source (Cloudflare, Radware, Netscout, and Flowtriq's own detection network) reported record-breaking numbers across volume, frequency, and peak bandwidth.
Attack frequency more than doubled year-over-year. Cloudflare alone mitigated 47.1 million DDoS attacks in 2025, a 121% increase over 2024.[1] Across Flowtriq-monitored infrastructure, the average node experienced 4.2 incidents per month in 2025, up from 2.4 in 2024. This increase was not driven by a few heavily targeted outliers: 81% of all monitored nodes saw at least one attack during the year, compared to 64% in 2024.
Attacks are getting shorter but more intense. The median attack duration dropped from 23 minutes to 14 minutes, while median peak PPS rose 41%. Attackers are favoring short, high-intensity bursts designed to overwhelm before defenses can react, making sub-second detection critical.
UDP-based volumetric floods remain dominant, accounting for 62% of all attack traffic observed by Flowtriq. But the composition shifted: DNS amplification surpassed memcached as the #1 amplification vector for the first time since 2021, driven by a 340% increase in open DNS resolver abuse.[1]
Multi-vector attacks became the norm. 38% of incidents observed by Flowtriq involved two or more attack families simultaneously, up from 22% in 2024. Attackers increasingly combine volumetric floods with protocol-level attacks to bypass single-layer defenses.
The barrier to launching attacks has never been lower. DDoS-for-hire services (booters/stressers) now advertise 1 Tbps+ capacity for under $50/day. Law enforcement takedowns of major booter services in late 2024 created a brief dip in Q1 2025, but the market rebounded by Q2 with new operators filling the vacuum.[2]
02 Methodology
Data Sources
This report combines three categories of data:
- Flowtriq platform data: Anonymized, aggregated statistics from incidents detected across the Flowtriq network between January 1 and December 31, 2025. All data is reported as percentages, distributions, and medians. No customer-identifiable information is included. Data is sampled from nodes across hosting providers, ISPs, game server operators, and enterprise infrastructure.
- Public vendor reports: Published threat intelligence from Cloudflare (DDoS Threat Report Q4 2025), Radware (Global Threat Analysis Report 2025), Netscout (DDoS Threat Intelligence Report 2H 2025), and Akamai (State of the Internet / Security 2025).
- Government and industry data: ENISA Threat Landscape 2025, FBI IC3 Annual Report, and published incident disclosures from affected organizations.
Where Flowtriq data and public sources overlap, both figures are presented. Discrepancies are noted and explained. All year-over-year comparisons use the same methodology applied to 2024 data.
03 Attack Volume & Frequency
DDoS attack frequency has grown every year since 2020, but 2025 marked the steepest single-year increase. Cloudflare reported mitigating 47.1 million DDoS attacks in 2025, a 121% increase over 2024, averaging 5,376 attacks automatically mitigated every hour.[1] Netscout tracked approximately 17 million attacks globally in the first half alone.[3]
Within the Flowtriq network, we observed consistent growth across all quarters:
Quarterly distribution (Flowtriq data):
The Q4 spike aligns with patterns observed across the industry. Holiday-season gaming DDoS, Black Friday targeting of e-commerce, and year-end geopolitical tensions all contributed to the surge. Radware reported a similar Q4 peak, noting a 46% increase in attacks against e-commerce infrastructure in November and December.[4]
04 Attack Vectors
UDP-based volumetric floods continue to dominate, but the specific amplification vectors are shifting. Across Flowtriq-detected incidents in 2025:
DNS amplification overtook memcached as the top amplification vector for the first time since 2021. This shift was driven by a 340% increase in open DNS resolver abuse, fueled by misconfigured home routers and IoT devices exposed by ISPs that do not enforce BCP38 (source address validation).[1]
SYN floods are making a comeback. After years of declining share, SYN floods rose from 11.3% to 15.7% of incidents. Modern SYN floods use randomized source ports and TTL values to defeat simple rate-limiting, forcing defenders to use stateful inspection or SYN cookies, which consume CPU.
GRE and ESP protocol floods are emerging. These encapsulation protocols are difficult to filter without disrupting legitimate VPN and tunnel traffic. Cloudflare flagged GRE floods as a rising concern in Q3 2025, and Flowtriq data confirms this trend at 3.4% of incidents.[1]
"The shift from memcached to DNS amplification tells you attackers are adapting. Memcached reflectors have been cleaned up over the past three years; open DNS resolvers are being created faster than they're being shut down."
Multi-vector attacks: the new normal. 38% of Flowtriq-detected incidents involved two or more simultaneous attack families. The most common combinations:
| Combination | % of Multi-Vector Incidents | Typical Goal |
|---|---|---|
| UDP Flood + SYN Flood | 41% | Saturate bandwidth while exhausting connection tables |
| DNS Amp + ICMP Flood | 22% | Overwhelm upstream + probe network path |
| SYN Flood + HTTP Flood | 18% | Volumetric cover for application-layer attack |
| memcached + NTP Amp | 12% | Maximize amplification from two reflector pools |
| Other combinations | 7% | Various |
05 Attack Size & Duration
The headline number in 2025 was Cloudflare's disclosure of a 31.4 Tbps attack in Q4 2025, the largest ever recorded, surpassing their own 5.6 Tbps record from late 2024. The attack lasted just 35 seconds. Attack sizes grew over 700% compared to the previous year's peaks.[1] But record-breaking mega-attacks are outliers. The real story is the distribution of attacks that hit everyday infrastructure.
Peak bandwidth distribution (Flowtriq data):
77% of attacks are under 10 Gbps. These are not headline-making floods, but they are devastating for hosting providers, game servers, and small operators whose uplinks are 1–10 Gbps. A 3 Gbps flood saturates a 1G uplink completely. This is the "long tail" of DDoS that enterprise reports often overlook.
Attacks are getting shorter. The median duration dropped from 23 minutes in 2024 to 14 minutes in 2025. Short-burst attacks (under 5 minutes) now account for 39% of all incidents, up from 27% the prior year.
The trend toward short, intense bursts is deliberate. Attackers know that many detection systems poll at 30–60 second intervals. A 3-minute flood at 500K PPS can saturate an uplink and time out before legacy monitoring even registers the event. This makes sub-second detection not a luxury, but a requirement for meaningful protection against the current threat landscape.
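The polling argument above, worked through as an added example (not Flowtriq code). The 250K PPS threshold, the 20K PPS baseline, and the two monitor profiles (a 60-second poll that alerts after three consecutive breaches, and one-second samples that alert after two) are assumptions chosen for illustration.

```python
"""Added example: why averaged, slow polling misses a short flood."""


def first_alert(trace, window, threshold, consecutive):
    """Return the second at which the monitor alerts, or None.

    The monitor sees only the mean pps of each completed `window`-second
    interval and alerts after `consecutive` intervals at or above `threshold`.
    """
    streak = 0
    for end in range(window, len(trace) + 1, window):
        mean = sum(trace[end - window:end]) / window
        streak = streak + 1 if mean >= threshold else 0
        if streak >= consecutive:
            return end
    return None


def constructed_trace(start=45, duration=180, total=300):
    """Constructed per-second pps trace: 20K baseline, 500K flood."""
    return [500_000 if start <= t < start + duration else 20_000
            for t in range(total)]


def compare(start=45, duration=180, threshold=250_000):
    """Alert timing for two assumed monitor profiles on the same flood."""
    trace = constructed_trace(start, duration)
    flood_end = start + duration
    profiles = {
        "60s poll, 3 consecutive": (60, 3),   # assumed legacy NMS-style check
        "1s samples, 2 consecutive": (1, 2),  # assumed fast detector
    }
    result = {}
    for name, (window, consecutive) in profiles.items():
        alert = first_alert(trace, window, threshold, consecutive)
        result[name] = {
            "alert_at": alert,
            "delay": None if alert is None else alert - start,
            "during_flood": alert is not None and alert <= flood_end,
        }
    return result


if __name__ == "__main__":
    for name, r in compare().items():
        print(name, r)
```

With the 3-minute flood, the slow profile alerts only after the flood has already stopped, because the first and last polling windows are diluted by baseline traffic; calling `compare(duration=35)` shows a 35-second burst never crossing the averaged threshold at all.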
06 Target Industries
DDoS attacks do not distribute evenly. Certain industries are disproportionately targeted due to the financial impact of downtime, competitive motivation, or geopolitical significance.
Most-targeted industries (Flowtriq data, by % of total incidents):
Gaming remains the #1 target for the fifth consecutive year. Competitive gaming DDoS (hitting opponents' servers or connections during matches) and extortion attacks against game hosting providers drive the majority of this volume. Cloudflare and Radware both independently confirm gaming as the most-attacked sector.[1][4]
Financial services attacks surged 67%. Hacktivist groups and state-affiliated actors targeted banks and payment processors across Europe and North America throughout 2025. ENISA flagged DDoS as the top threat to the financial sector in its 2025 Threat Landscape report.[5]
Government and public sector attacks, while only 4.5% by volume, received outsized media attention due to geopolitical targeting. Pro-Russian and pro-Palestinian hacktivist groups claimed responsibility for sustained campaigns against government portals in NATO countries.
07 Botnets & Attack Infrastructure
The infrastructure behind DDoS attacks shifted significantly in 2025. Three trends defined the year:
1. IoT botnets grew larger and more sophisticated. Mirai derivatives remain the backbone of the DDoS-for-hire ecosystem, but 2025 saw the emergence of next-generation botnets like Aisuru (also known as Kimwolf) that build on Mirai's architecture with improved evasion and higher packet throughput. Cloudflare flagged Aisuru as a dominant force behind the largest hyper-volumetric attacks of the year.[1] New variants targeting ASUS routers, TP-Link Archer devices, and Hikvision cameras expanded the botnet pool substantially.
2. Compromised cloud VMs are replacing IoT for high-PPS attacks. Attackers are spinning up or compromising cloud instances (AWS, Azure, GCP, Hetzner, OVH) to generate packet floods that IoT devices cannot sustain. A single compromised cloud VM with a 10 Gbps NIC can generate 1–3 million PPS, orders of magnitude more than a consumer router.
3. Carpet-bombing attacks increased 180%. Instead of targeting a single IP, attackers spread traffic across an entire /24 or /16 subnet, hitting every address with a small flood. This defeats per-IP threshold detection and overwhelms aggregate bandwidth. Flowtriq detected carpet-bombing in 12% of all incidents in 2025, up from 4.3% in 2024.
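One way to catch the carpet-bombing pattern from item 3, as an added example (not Flowtriq's implementation): aggregate per-destination packet rates by covering prefix and alert when the prefix total is high, many hosts are hit, and no single host dominates. All thresholds and the sample snapshot are constructed assumptions.

```python
"""Added example: per-IP vs per-prefix thresholds for carpet-bombing."""
import ipaddress
from collections import defaultdict

# Assumed thresholds (hypothetical values; tune per network).
PER_IP_PPS = 50_000       # classic alert: one destination exceeds this
PER_PREFIX_PPS = 200_000  # aggregate alert: whole prefix exceeds this
MIN_HOSTS_HIT = 64        # carpet-bombing touches many addresses at once
MAX_TOP_SHARE = 0.25      # and no single address carries most of it


def per_ip_alerts(pps_by_dst):
    """Per-destination threshold check, the kind carpet-bombing evades."""
    return sorted(ip for ip, pps in pps_by_dst.items() if pps >= PER_IP_PPS)


def carpet_bomb_alerts(pps_by_dst, prefix_len=24):
    """Group destination rates by covering prefix and flag spread floods."""
    buckets = defaultdict(dict)
    for ip, pps in pps_by_dst.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        buckets[net][ip] = pps
    alerts = []
    for net, hosts in buckets.items():
        total = sum(hosts.values())
        if total < PER_PREFIX_PPS:
            continue
        active = sum(1 for pps in hosts.values() if pps > 0)
        top_share = max(hosts.values()) / total
        if active >= MIN_HOSTS_HIT and top_share <= MAX_TOP_SHARE:
            alerts.append({"prefix": str(net), "pps": total,
                           "hosts": active})
    return alerts


def constructed_sample():
    """Constructed one-second snapshot: destination IP -> packets/second."""
    sample = {f"203.0.113.{i}": 2_000 for i in range(1, 255)}  # spread flood
    sample.update({f"198.51.100.{i}": 300 for i in range(1, 40)})  # normal
    sample["198.51.100.77"] = 120_000  # ordinary single-target flood
    return sample


if __name__ == "__main__":
    snap = constructed_sample()
    print("per-IP alerts:", per_ip_alerts(snap))
    print("prefix alerts:", carpet_bomb_alerts(snap))
```

In the constructed snapshot every address in 203.0.113.0/24 stays at 2,000 PPS, far below the per-IP threshold, yet the prefix total is 508,000 PPS; only the aggregate check sees it. Passing `prefix_len=16` applies the same check to the /16 case the report mentions.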
- IoT / Consumer Devices: 44%
- Cloud / VPS Instances: 31%
- Residential Proxies: 14%
- Spoofed / Unknown: 11%
IP Spoofing Detection (Flowtriq TTL analysis): spoofed source IPs detected in 29% of incidents, down from 37% in 2024 as BCP38 adoption improves. Good news: source address validation is working.
IP spoofing is declining but still prevalent. Flowtriq's TTL-based spoofing detection flagged spoofed source IPs in 29% of incidents, down from 37% in 2024. This is a direct result of increasing BCP38/BCP84 adoption by ISPs. However, nearly 1 in 3 attacks still using spoofed sources means the problem is far from solved.
08 Notable Attacks of 2025
These publicly disclosed incidents illustrate the evolving threat landscape:
09 Mitigation Trends
How the industry is defending against the evolving threat:
1. Detection speed is the #1 differentiator. With 39% of attacks lasting under 5 minutes, detection systems that poll every 30–60 seconds miss a significant portion of incidents entirely. Flowtriq data shows that nodes with sub-second detection mitigated 94% of short-burst attacks automatically, while nodes relying on 60-second polling detected only 23% of the same attacks before they ended.
2. Automated mitigation adoption is growing fast. Among Flowtriq users who enabled auto-mitigation rules in 2025, 87% of incidents were resolved with zero human intervention. The median time from detection to mitigation was 0.9 seconds for kernel-level firewall rules and 4.2 seconds for BGP FlowSpec deployment.
3. Multi-layer defense is no longer optional. With 38% of attacks using multiple vectors simultaneously, single-layer defenses (firewall only, or scrubbing only) are increasingly insufficient. The most effective deployments combine local kernel-level filtering with BGP-based upstream filtering and cloud scrubbing as a final escalation tier.
4. BGP FlowSpec adoption is accelerating. FlowSpec allows operators to push granular traffic filters to their upstream transit providers via BGP, dropping attack traffic before it reaches the target network. Flowtriq users who configured FlowSpec as an escalation tier saw a 73% reduction in bandwidth consumed by attacks that exceeded local mitigation capacity.
5. Edge detection is gaining traction. Operators are moving DDoS detection from centralized systems to edge nodes, routers, and PoP servers. This approach catches localized attacks that centralized monitoring misses (see Edge Node Defense). Flowtriq nodes deployed on routers detected attacks an average of 12 seconds before server-level nodes saw the same traffic.
10 2026 Predictions
Based on the trends observed in 2025, we expect the following developments in 2026:
Attack volume will exceed 65 million incidents industry-wide
The 121% YoY growth rate is unlikely to sustain, but even a moderated 40–50% increase from 2025's 47 million baseline puts the industry well above 65 million total attacks in 2026. The combination of cheap booter services, growing IoT surface area, and geopolitical instability provides no structural reason for attack volume to decline.
AI-assisted attack orchestration will emerge
LLMs and automation tools will lower the barrier further. We expect to see DDoS attacks that dynamically rotate vectors based on observed mitigation responses, adapting in real time. Defenders will need equally automated response chains to keep up.
Short-burst attacks will exceed 50% of all incidents
The trend toward sub-5-minute attacks will accelerate as attackers learn that short bursts are more effective against slow-polling detection. Organizations without sub-second detection will experience a growing "invisible attack" problem where incidents end before they are even detected.
Carpet-bombing will become a top-3 technique
At 12% of incidents in 2025 (up from 4.3%), carpet-bombing is growing faster than any other technique. Its effectiveness against per-IP detection makes it especially dangerous for hosting providers and ISPs. Expect it to reach 20%+ by end of 2026.
BGP FlowSpec will become a standard defense tier
As more transit providers support FlowSpec, and tools like Flowtriq make it accessible without manual BGP configuration, FlowSpec will move from "advanced technique" to standard practice. We expect the number of Flowtriq users deploying FlowSpec to triple in 2026.
Sources & Citations