
April 29, 2025

Record number of DDoS attacks mitigated in 2025


Cloudflare has reported a significant surge in distributed denial-of-service (DDoS) attacks, marking a new record in 2025. According to their Q1 2025 DDoS Report, the company mitigated 21.3 million DDoS attacks in 2024.

In the first quarter of 2025, Cloudflare blocked 20.5 million DDoS attacks, reflecting a 358% increase compared to the previous year and a 198% rise from the prior quarter. That means the number of DDoS attacks blocked in Q1 2025 alone is nearly as high as the total for all of 2024.

A significant portion of these attacks targeted Cloudflare's own infrastructure, with 6.6 million incidents over an 18-day period. These were multi-vector attacks, including SYN floods, Mirai botnet assaults, and SSDP amplification techniques. Network-layer attacks were particularly prevalent, accounting for 16.8 million of the total attacks in Q1 2025, representing a 509% year-over-year increase.


The report also highlights a rise in hyper-volumetric attacks, with over 700 incidents exceeding 1 terabit per second or 1 billion packets per second. On average, eight such attacks occurred daily in the first quarter, doubling the number from the previous quarter.

Emerging threats identified include a 3,488% quarter-over-quarter increase in Connectionless Lightweight Directory Access Protocol (CLDAP) attacks and a 2,301% rise in Encapsulating Security Payload (ESP) reflection/amplification attacks. CLDAP attacks exploit the lack of handshake in UDP, allowing IP spoofing, while ESP attacks leverage misconfigured or vulnerable systems.

Source: Bleeping Computer
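Because a reflection victim receives replies it never requested, one defensive check is to look for unsolicited UDP responses from reflector ports arriving from many distinct sources. The sketch below is an added example, not code from Cloudflare's report or Field Effect; the flow-record layout, the thresholds, the function name and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# UDP source ports for two reflection vectors named in the article.
REFLECTOR_PORTS = {389: "CLDAP", 1900: "SSDP"}
UDP = 17  # IP protocol number

# Constructed flow records using documentation address ranges, not real traffic:
# (src_ip, dst_ip, ip_proto, src_port, dst_port, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.7", UDP, 389, 40001, 3000),
    ("203.0.113.11", "198.51.100.7", UDP, 389, 40001, 3000),
    ("203.0.113.12", "198.51.100.7", UDP, 389, 40001, 3000),
    ("203.0.113.13", "198.51.100.7", UDP, 389, 40001, 3000),
    ("198.51.100.9", "203.0.113.50", UDP, 50000, 389, 80),    # local host queries first
    ("203.0.113.50", "198.51.100.9", UDP, 389, 50000, 3000),  # solicited reply
    ("203.0.113.20", "198.51.100.7", UDP, 1900, 40002, 400),  # lone SSDP reply
    ("203.0.113.30", "198.51.100.7", 6, 51000, 443, 9000),    # ordinary TCP
]


def reflection_suspects(flows, protected_net, min_sources=3, min_bytes=5000):
    """Return {(victim_ip, vector): (distinct_sources, total_bytes)} for
    unsolicited replies from reflector ports aimed at protected hosts."""
    net = ipaddress.ip_network(protected_net)
    inside = lambda ip: ipaddress.ip_address(ip) in net

    # Pass 1: remember which remote services our own hosts actually queried.
    solicited = {
        (src, dst, dport)
        for src, dst, proto, _sport, dport, _n in flows
        if proto == UDP and dport in REFLECTOR_PORTS and inside(src)
    }

    # Pass 2: tally replies that no local host asked for.
    stats = defaultdict(lambda: [set(), 0])
    for src, dst, proto, sport, _dport, nbytes in flows:
        if proto != UDP or sport not in REFLECTOR_PORTS or not inside(dst):
            continue
        if (dst, src, sport) in solicited:
            continue
        entry = stats[(dst, REFLECTOR_PORTS[sport])]
        entry[0].add(src)
        entry[1] += nbytes

    return {
        key: (len(srcs), total)
        for key, (srcs, total) in stats.items()
        if len(srcs) >= min_sources and total >= min_bytes
    }
```

On the constructed sample, only the four-source CLDAP burst toward 198.51.100.7 crosses the default thresholds; the solicited reply and the single SSDP packet do not.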

Analysis

Cloudflare is a web infrastructure and security company that helps websites stay fast and secure by routing traffic through its global network. It plays a key role in mitigating DDoS attacks by acting as a reverse proxy, meaning all traffic to a site passes through Cloudflare first. This allows it to detect and block malicious requests before they reach the target server.

With its large, distributed network and automated defense systems, Cloudflare can absorb and deflect even massive DDoS attacks, keeping websites online and operational.

Cloudflare has mitigated several record-breaking distributed denial-of-service (DDoS) attacks. One of the most notable incidents occurred in October 2024 when Cloudflare blocked a massive 5.6 terabits-per-second (Tbps) attack targeting an internet service provider in Eastern Asia. This attack, lasting just 80 seconds, was launched using a Mirai-based botnet composed of 13,000 compromised devices.

Earlier that same month, a 3.8 Tbps DDoS attack hit multiple global sectors—including telecommunications, finance, and internet services—lasting 65 seconds and forming part of a larger campaign involving over a hundred similar assaults.

Threat actors have been able to achieve such high request rates primarily through the use of large botnets made up of thousands—or even millions—of compromised IoT devices, servers, and improperly secured endpoints. These systems are often hijacked through outdated software, weak credentials, or known vulnerabilities.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats like DDoS attacks. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these threats pose.

Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

A firewall alone will usually not stop the traffic generated during a high-volume DDoS attack. To properly mitigate this risk, organizations should deploy specific DDoS prevention solutions, like Cloudflare and Akamai, that are designed to counter various types and volumes of DDoS attacks.
