Redazione RHC : 16 July 2025 10:59
Cloudflare recorded a sharp decline in DDoS attacks in the second quarter of 2025, blocking 7.3 million attacks, compared to the 20.5 million reported in the first quarter. Despite the overall decline in attacks, the share of extreme incidents increased significantly.
In the second quarter, Cloudflare recorded an average of 71 hypervolumetric attacks per day, bringing the total to over 6,500. These extremely intense attacks became particularly noticeable against the backdrop of the overall decline. One such incident peaked at 7.3 terabits per second and 4.8 billion packets per second in less than a minute. These traffic spikes are accompanied not only by brute-force attacks, but also by more subtle techniques, such as background vulnerability scanning, which allows attackers to bypass standard defenses.
The number of L3/L4 attacks decreased by 81% compared to the first quarter, standing at 3.2 million, while HTTP attacks increased by 9%, reaching 4.1 million. Over 70% of HTTP attacks came from known botnets. The most frequently used methods were DNS, TCP SYN, and UDP floods.
Cybercriminals most frequently targeted telecommunications companies and service providers, followed by the Internet, IT services, and gambling sectors. The most affected regions were China, Brazil, Germany, India, South Korea, Turkey, Hong Kong, Vietnam, Russia, and Azerbaijan. Most attacks originated from Indonesia, Singapore, Hong Kong, Argentina, and Ukraine.
Of particular note is the rise in attacks exceeding the threshold of 100 million packets per second, up 592% compared to the previous quarter. Ransom DDoS attacks also increased by 68%. In these cases, attackers threaten to launch a DDoS attack or are already executing one, then demand a fee to stop it.
Cloudflare points out that large attacks are becoming increasingly frequent. Of 100 HTTP attacks, six exceed one million requests per second, and of 10,000 L3/L4 attacks, five exceed one terabit per second, an increase of 1,150% in one quarter.
The company also reported activity by the DemonBot botnet, which targets Linux systems, primarily vulnerable IoT devices. The malware exploits open ports and weak passwords to enlist devices in large-scale DDoS attacks at the UDP, TCP, and application layers. DemonBot is controlled via command-and-control servers and can generate massive amounts of traffic against gaming, hosting, and enterprise services.
The spread of these threats is associated with typical issues: poor IoT device security, open SSH ports, and outdated software. These vulnerabilities, combined with techniques such as reflected TCP attacks, DNS amplification, and deceptive traffic bursts, are increasingly being analyzed in Cloudflare’s threat and API security reports.