DDoS attack surge threatens critical infrastructure
Distributed Denial of Service (DDoS) attacks jumped globally by 40% year-over-year in the third quarter of 2025, with security provider Cloudflare blocking 8.3 million attacks, averaging 3,780 attacks per hour, according to the company's latest quarterly threat report.
The report's release follows Cloudflare's own significant network outage on 18 November 2025. The company claims the three-hour disruption was not caused by a DDoS attack but by an internal database configuration error.
The incident initially resembled an attack from the Aisuru botnet, causing teams to investigate potential DDoS activity before identifying the internal issue.
"An outage like today is unacceptable," Cloudflare stated in its incident report. The outage affected core CDN services, Turnstile, Workers KV, dashboard access and email security functions, and it underscores the vulnerabilities that even major security providers face.
Cloudflare's Q3 threat report reveals an escalating attack landscape driven primarily by the Aisuru botnet, estimated to control 1-4 million infected devices globally.
Aisuru launched 1,304 hyper-volumetric attacks during Q3 2025, representing a 54% increase from the previous quarter. These attacks routinely exceeded 1 terabit per second (Tbps) and 1 billion packets per second (Bpps).
The botnet achieved a record-breaking 29.7Tbps attack using UDP carpet-bombing techniques, bombarding an average of 15,000 destination ports per second. Cloudflare's autonomous mitigation systems detected and blocked the attack without human intervention.
"If Aisuru's attack traffic can disrupt parts of the U.S. Internet infrastructure when said ISPs were not even the target of the attack, imagine what it can do when it's directly aimed at unprotected or insufficiently protected ISPs, critical infrastructure, healthcare services, emergency services, and military systems," the report stated.
Security researcher Brian Krebs reported the botnet caused "widespread collateral Internet disruption" in the United States when attack traffic routed through Internet service providers. Portions of the Aisuru botnet are available for hire, enabling attackers to launch nation-scale disruptions for several hundred to several thousand U.S. dollars.
Network-layer attacks surged 95% year-over-year to 5.9 million incidents, accounting for 71% of all DDoS attacks in Q3. HTTP DDoS attacks decreased 17% year-over-year to 2.4 million attacks.
The threat landscape highlights vulnerabilities in legacy DDoS protection systems. Most attacks (89% at the network layer, 71% at the HTTP layer) conclude within 10 minutes, too fast for human response or on-demand mitigation services to activate effectively.
Short-lived attacks create particular risks for organisations managing compliance and digital transformation initiatives. Disruption extends beyond the attack duration, requiring complex recovery processes including system restoration, distributed data consistency checks and secure service rebuilding.
Indonesia maintained its position as the largest source of DDoS attacks globally, a ranking it has held since Q3 2024. HTTP DDoS attack requests originating from Indonesia have increased 31,900% over five years.
The automotive industry experienced the largest surge, jumping 62 positions to become the sixth most-attacked industry globally. This coincided with escalating EU-China trade tensions over electric vehicle tariffs and rare-earth mineral exports.
The mining, minerals and metals sector surged 24 positions, while cybersecurity companies climbed 17 spots as attacks intensified. DDoS traffic against AI companies spiked 347% month-over-month in September 2025 as regulatory scrutiny of artificial intelligence increased.
Information technology and services topped the most-attacked industries list, followed by telecommunications and gambling sectors. Geopolitical events correlated directly with attack patterns, including protests in the Maldives, France and Belgium that coincided with significant DDoS activity increases.
UDP attacks increased 231% quarter-over-quarter, driven largely by Aisuru activity, making UDP the primary network-layer attack vector. DNS floods ranked second, followed by SYN floods and ICMP floods, collectively accounting for over half of network-layer attacks.
The Mirai botnet, despite first appearing nearly a decade ago, still launches almost 2% of network-layer DDoS attacks. Nearly 70% of HTTP DDoS attacks originated from botnets already catalogued by Cloudflare's threat intelligence systems.
Cloudflare has mitigated 36.2 million DDoS attacks in 2025 through the end of Q3, representing 170% of the total attacks blocked throughout 2024. The company provides unmetered DDoS protection to all customers regardless of attack size, duration or frequency.
The full report is available here.
