Cloudflare, Inc. has announced its 2025 Q1 DDoS Attacks report, that includes insights and trends about the DDoS threat landscape — as observed across the global Cloudflare network, which is one of the largest in the world.
Key findings
- Q1 2025 nearly matches entire 2024 DDoS total: In Q1 2025, Cloudflare’s autonomous systems mitigated 20.5 million DDoS attacks – nearly matching the entire 2024 total of 21.3 million.
- Hyper-volumetric attacks become the new normal: Roughly 700 attacks were hyper-volumetric in Q1, exceeding rates of 1 billion packets per second (pps) or 1 Tbps – averaging about 8 attacks daily.
- Network-layer DDoS attacks skyrocket: Network-layer DDoS attacks saw the most dramatic surge with 16.8 million attacks, representing a 509% year-over-year increase and a 397% quarter-over-quarter increase.
- Germany crowned new DDoS target capital: We saw a significant shift in the most attacked locations, with Germany rising to become the most attacked country, climbing four spots from last quarter. Turkey made a dramatic 11-spot jump to second place, while China slipped to third.
- On the flip side, Hong Kong became the top source of DDoS attacks, followed by Indonesia and Argentina.
- Betting on chaos: In the first quarter of 2025, the Gambling & Casinos industry leapt to the top position as the most targeted by DDoS attacks, climbing four spots. Telecommunications fell to second place, followed by Information Technology & Services.
- The Airlines, Aviation & Aerospace industry had the biggest jump of all, moving up 40 spots making it the tenth most attacked industry.
DDoS attacks in numbers
In the first quarter of 2025, the company mitigated 20.5 million DDoS attacks. For comparison, during the entire year of 2024, it mitigated 21.3 million DDoS attacks. So, in just one quarter Cloudflare mitigated 96% of what it mitigated in 2024.
The most significant increase was in network-layer DDoS attacks. In 2025 Q1, the company mitigated 16.8M network-layer DDoS attacks. That’s a 397% QoQ increase and a 509% YoY increase. HTTP DDoS attacks also increased — a mere 7% QoQ increase but a much larger 118% YoY increase.
Hyper-volumetric DDoS attacks
Hyper-volumetric DDoS attacks are attacks that exceed 1-2 Tbps or 1 Bpps. In 2025 Q1, Cloudflare mitigated over 700 of these attacks. Approximately 4 out of every 100K network-layer DDoS attacks was hyper-volumetric. Hyper-volumetric DDoS attacks tend to be UDP-based.
Emerging threats
In 2025 Q1, Cloudflare saw a 3,488% QoQ increase in CLDAP reflection/amplification attacks. CLDAP (Connectionless Lightweight Directory Access Protocol) is a variant of LDAP (Lightweight Directory Access Protocol). It’s used for querying and modifying directory services running over IP networks. CLDAP is connectionless, using UDP instead of TCP, making it faster but less reliable. Because it uses UDP, there’s no handshake requirement which allows attackers to spoof the IP address thus allowing attackers to exploit it as a reflection vector. In these attacks, small queries are sent with a spoofed source IP address (the victim’s IP), causing servers to send large responses to the victim, overwhelming it. Mitigation involves filtering and monitoring unusual CLDAP traffic.
Cloudflare also saw a 2,301% QoQ increase in ESP reflection/amplification attacks. The ESP (Encapsulating Security Payload) protocol is part of IPsec and provides confidentiality, authentication, and integrity to network communications. However, it can be abused in DDoS attacks if malicious actors exploit misconfigured or vulnerable systems to reflect or amplify traffic towards a target, leading to service disruption. Like with other protocols, securing and properly configuring the systems using ESP is crucial to mitigate the risks of DDoS attacks.
Attack size & duration
Most DDoS attacks are small. In Q1 2025, 99% of L3/4 DDoS attacks were under 1 Gbps and 1M pps. Similarly, 94% of HTTP DDoS attacks were 1M rps. However, even small attacks can cause severe impact to unprotected Internet properties.
Furthermore, most attacks are very short-lived. 89% of L3/4 DDoS attacks and 75% of HTTP DDoS attacks end within 10 minutes. Even the largest attacks can be very short, as short as a minute — leaving no time for human intervention.
On the other hand, hyper-volumetric HTTP DDoS attacks that exceed 1M rps doubled their share. In Q1 2025, 6 out of every 100 HTTP DDoS attacks exceeded 1M rps. On the network-layer, 1 out of every 100K attacks exceeded 1 Tbps or 1B pps.
Top attacked locations
The first quarter of 2025 saw a significant shift in the top 10 most attacked locations globally. Germany made a notable jump, climbing four spots — making it the most attacked country. In second place, Turkey also experienced a surge of 11 spots. China came in third.
Top attacked industry
The top five attacked industries turned out to be Gambling & Casinos in top spot followed by Telecommunications, Service Providers and Carriers, Information Technology & Services, Internet and Gaming.
Top attack sources
Hong Kong soared to the number one position. Indonesia edged down to second place, while Argentina rose two spots compared to the previous quarter to third. Singapore and Ukraine stood at fourth and fifth place.
Commenting on the report, Bashar Bashaireh, AVP Middle East, Türkiye & North Africa at Cloudflare, says: “As the threat landscape continues to evolve, we see that many organizations still adopt DDoS protection only after experiencing an attack or rely on outdated, on-demand solutions. In contrast, our data shows that those with proactive security strategies are far more resilient. That’s why we focus on automation and a comprehensive, always-on, in-line security approach to stay ahead of both existing and emerging threats. Backed by our global network with 348 Tbps of capacity spanning 335 cities, we remain dedicated to delivering unmetered, unlimited DDoS protection—regardless of the size, duration, or frequency of attacks.”
Read the full report here.
