Cloudflare records largest DDoS attack at 7.3 Tbps in Q2 2025
Cloudflare's latest DDoS Threat Report for Q2 2025 highlights a year-on-year increase in both the scale and complexity of distributed denial-of-service (DDoS) attacks against online infrastructure.
The report documents a significant rise in the severity of attacks despite a quarter-on-quarter decline in overall volumes.
During the quarter, Cloudflare automatically blocked the largest DDoS attack ever recorded, which peaked at 7.3 terabits per second (Tbps) and 4.8 billion packets per second (Bpps). Over 6,500 hyper-volumetric attacks were mitigated between April and June, averaging 71 per day.
Year-on-year, total DDoS activity was up 44%, and HTTP-based attacks saw a 129% rise compared to Q2 2024. Although the volume of attacks lessened since the unprecedented surge in early 2025, cybercriminals employed larger and more frequent hyper-volumetric assaults. Notably, June accounted for nearly 38% of all observed DDoS activity in the quarter.
Critical targets and sectors
Telecommunications, service providers, and carriers experienced the highest targeting rates during the period, reclaiming their position as the most attacked sector. The report notes that critical infrastructure remains under sustained threat from DDoS campaigns, while industries such as gaming, gambling, and crypto continued to attribute attacks to competitor actions.
Cloudflare emphasised that all incidents detailed in the report were "automatically detected and blocked by our autonomous defenses."
Attack types and patterns
The company mitigated 7.3 million DDoS attacks in Q2 2025, a decrease from 20.5 million in the first quarter.
This decline was attributed to the end of an 18-day campaign against Cloudflare and other protected infrastructure, which alone accounted for a substantial number of attacks earlier in the year. Despite the dip, 2025's year-to-date DDoS events equate to 130% of all attacks recorded in the full year of 2024.
Layer 3 / Layer 4 (L3/4) DDoS attacks fell sharply by 81% quarter-over-quarter to 3.2 million, while HTTP DDoS attacks rose 9% to 4.1 million. Six out of every 100 HTTP DDoS attacks exceeded 1 million requests per second, and five out of every 10,000 L3/4 attacks surpassed 1 Tbps, representing a 1,150% increase from the previous quarter.
Emerging threats evolve
The quarter saw surges in attacks using legacy and lesser-known protocols. Teeworlds flood attacks increased 385% quarter-over-quarter, RIPv1 floods by 296%, RDP floods by 173%, and Demon Bot floods by 149%. A resurgence of VxWorks floods was also observed. These tactics demonstrate attackers' ongoing experimentation to bypass traditional defences.
Of note, the majority (71%) of HTTP DDoS attacks reported in Q2 2025 were launched by known botnets, with Cloudflare's network using real-time threat intelligence to rapidly block criminal infrastructure as it shifts tactics.
Ransom and hyper-volumetric attacks
The percentage of Cloudflare customers reporting ransom DDoS attacks or threats increased by 68% compared to Q1 2025, and by 6% from Q2 2024. Such incidents rose sharply in June, with approximately one third of survey respondents indicating they experienced related threats during the month.
"Small" attacks - those below 500 Mbps - made up 94% of L3/4 events, but Cloudflare cautioned that even these can take typical servers offline if left unprotected. Most DDoS attacks remained short in duration, with the record-breaking 7.3 Tbps burst lasting only 45 seconds. Attackers continue to favour brief, intense traffic spikes to evade detection and overwhelm targets quickly.
Geographic insight
The top 10 most attacked locations shifted, with China, Brazil, and Germany occupying the first three spots. Significant movement was recorded, with Vietnam and Russia jumping fifteen and forty places, respectively, into the top ten. Cloudflare noted that these rankings reflect customer billing locations rather than indicators of direct geopolitical targeting.
The main sources of attack traffic included Indonesia, Singapore, and Hong Kong, while the German-based Drei-K-Tech-GmbH network became the top source of HTTP DDoS attacks for the first time in a year, overtaking Hetzner and DigitalOcean. Cloudflare attributed the strength of many attacks to virtual machine (VM)-based botnets, which the company estimates are 5,000 times more potent than those based on Internet-of-Things devices.
Attack vectors
DNS flood attacks were the leading L3/4 DDoS vector, accounting for almost one third of all attacks, followed by SYN and UDP floods. Cloudflare set out its recommended best practices for mitigating these and other common DDoS vectors for both vulnerable organisations and their upstream service providers.
Collaboration and threat sharing
"To help hosting providers, cloud computing providers and any Internet service providers identify and take down the abusive accounts that launch these attacks, we leverage Cloudflare's unique vantage point to provide a free DDoS Botnet Threat Feed for Service Providers. Over 600 organizations worldwide have already signed up for this feed, and we've already seen great collaboration across the community to take down botnet nodes. This is possible thanks to the threat feed which provides these service providers a list of offending IP addresses from within their ASN that we see launching HTTP DDoS attacks. It's completely free and all it takes is opening a free Cloudflare account, authenticating the ASN via PeeringDB, and then fetching the threat intelligence via API."
Industry perspective
The report reiterates Cloudflare's message that always-on, proactive defences deliver more effective protection than reactive measures. The network's recorded throughput now reportedly reaches 388 Tbps across more than 330 global cities, providing capacity for real-time mitigation of large and complex DDoS events.
