This is the first of three posts in which we will analyze how these threats have evolved and how they impact modern cybersecurity strategies. In this post, we will explore the current DDoS situation: how the attack profile has changed, the most recent figures, new techniques employed, the most impacted sectors, and what types of defense strategies are becoming essential. The upcoming installments will focus on network vectors (L3/L4) and application layer (L7) attacks, from a more technical and detailed perspective.
We start here: with a clear snapshot of the current state of DDoS, its recent evolution, its global impact, and the keys to responding effectively in an increasingly complex and fast environment.
Since the beginning of the century, distributed denial-of-service (DDoS) attacks have evolved radically: from simple basic saturation attacks to coordinated offensives with high strategic level. In 2007, Estonia was the victim of one of the first nationwide DDoS cyberattacks, marking a before and after in cybersecurity history. Years later, in 2016, a botnet formed by compromised IoT devices attacked Dyn, a key DNS service provider, causing widespread disruptions on global platforms like Twitter, PayPal, Amazon, and Netflix.
The escalation did not stop there. GitHub (2018), AWS (2020), Azure (2021), and Google (2023) were also targets of increasingly massive and complex attacks, reaching record figures: hundreds of millions of requests per second or peaks exceeding 33 Tbps (terabits per second).
But all this was overshadowed by an unprecedented event in 2025. Cloudflare managed to mitigate the largest DDoS attack ever recorded: 7.3 Tbps in just 45 seconds, generating over 37 terabytes of malicious traffic. This attack, targeted at a major web hosting provider, combined multiple vectors such as UDP Floods, NTP reflection attacks, and traffic originating from variants of the Mirai botnet.
This historical overview reveals a key transformation: DDoS attacks are no longer measured solely by volume; now execution speed, vector intelligence, and evasion capability matter. This paradigm shift represents a turning point for the entire digital ecosystem.
The most recent reports from Cloudflare and Nexusguard confirm this new reality. A new era has begun: DDoS attacks no longer need to last hours or move petabytes to take down entire infrastructures. Today, a few well-orchestrated seconds are enough to destabilize critical applications and take out even organizations with advanced defenses.
The start of 2025 has made it clear that we are facing a completely new and challenging scenario: DDoS attacks are not only more frequent and powerful but also shorter and more sophisticated, surpassing the capabilities of traditional protection and detection mechanisms.
Escalation of threats and unprecedented magnitude
The first quarter of 2025 showed alarming figures confirming a radical transformation in the DDoS threat landscape. Cloudflare mitigated 20.5 million attacks, a 358% year-over-year increase and 198% more than the previous quarter. This volume is roughly equivalent to the total blocked throughout all of 2024, evidence of an unprecedented acceleration in attack frequency.
Among the most notable events is a prolonged 18-day campaign with multiple attack vectors, which generated more than 6.6 million attacks directly targeting Cloudflare's network infrastructure. This offensive included vectors such as SYN floods, SSDP amplification, and attacks generated by botnets like Mirai. The highest intensity peaks reached 6.5 Tbps of traffic and 4.8 billion packets per second, figures that surpass any previous record and, due to their brevity (35–45 seconds), exceed manual response capacity.
In parallel, Nexusguard reported a 69% increase in the average size of attacks, which reached 1.35 Gbps, and 27% more UDP fragmentation attacks, an evasive technique that exploits how systems reconstruct fragmented packets. Additionally, there was an explosive 876% growth in DNS attacks and the consolidation of HTTPS Flood as the dominant vector, responsible for 21% of attacks.
Although volumetric attacks quickly make the news, the truth is that the vast majority — more than 85% — are low volume and high frequency. This type of offensive seeks to evade traditional detection mechanisms and consume resources silently but constantly. Additionally, 89% of attacks targeting the network layer and 75% of HTTP attacks end in less than 10 minutes, with many concluding in just 35 seconds. The short duration of these attacks makes any effective manual response difficult, making it essential to have automated defense systems that are always active and capable of real-time inspection.
Technical characteristics of current DDoS attacks
Distributed denial-of-service (DDoS) attacks have evolved into a much more precise, automated, and devastating form of digital aggression. It is no longer just about saturating bandwidth with massive traffic for hours: current attacks are shorter, more powerful, and harder to detect. According to recent data, 89% of network layer (L3/L4) attacks and 75% of HTTP (L7) attacks last less than 10 minutes, and many of the most disruptive barely exceed 35 seconds. The short duration does not reduce their impact: in just a few seconds they can collapse routers, interrupt essential services, and saturate applications, degrading the user experience, which can lead to severe economic impact and reputational damage lasting several days.
This new attack profile—fast, automated, and multivector—renders manual escalation processes ineffective, whether on-demand activation of scrubbing centers or intervention by analysts specialized in these types of attacks. In practice, organizations without autonomous, always-on mitigation systems with deep inspection of encrypted traffic are completely exposed.
Attackers have refined the use of classic vectors and incorporated new evasive techniques. According to Cloudflare, the main attack vectors at the network layer (L3/L4) during the first quarter of 2025 were:
- SYN Flood (30.7%): saturation of the TCP connection queue through forged SYN packets, generating semi-open connections that exhaust server resources.
- DNS Flood (18.5%): massive sending of DNS queries to overload resolvers or authoritative servers.
- Mirai botnets and variants (18.2%): attacks generated from compromised IoT devices, with distributed and highly parallel traffic patterns.
At the application layer (L7), over 60% of HTTP attacks come from known botnets, and there has been sustained growth in evasive techniques such as:
- Fake or headless browsers: user agents that mimic legitimate browsers (like Chrome or Firefox) to bypass signature-based filters.
- Manipulated HTTP requests: anomalous headers, URI variations, and query patterns designed to evade caches and WAFs.
The sophistication of attacks is also reflected in the rise of less common but highly effective vectors that exploit weaknesses in underutilized or misconfigured protocols:
- CLDAP Amplification (+3488%): UDP reflection using misconfigured connectionless LDAP servers (port 389) to send amplified responses to the victim, overwhelming the victim's network with excessive traffic.
- ESP Flood (IPSec) (+2301%): saturation through packets encapsulated in the IPSec ESP protocol, exploiting vulnerable configurations to saturate infrastructure and cause disruptions.
- SYN-ACK Flood (+1457%): flooding with false TCP responses, without the need to complete the handshake.
- Direct DNS attacks (+946%): malicious DNS traffic without reflection, with direct volume from botnets.
- Mirai and variants (constant): zombified IoT devices that remain a persistent source of attacks.
These vectors have a high evasion capability, as many of them do not generate obvious volumetric patterns, making detection difficult for traditional solutions based on thresholds or superficial traffic analysis. Additionally, their distributed and asynchronous execution allows the attack to be split into many small flows, further complicating identification.
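As an added illustration (not part of the original post) of the point above and of the earlier observation that most attacks are short and low volume: a 35-second spoofed-source SYN flood that a fixed packets-per-second threshold over a 5-minute export interval never sees, while a behaviour-based sliding window on the share of SYNs that complete the handshake flags it within a second. All per-second telemetry is constructed, and the record fields and thresholds are assumptions, not a product's settings.

```python
"""Constructed per-second edge telemetry: fixed volume threshold vs behaviour-based check."""
from statistics import mean


def build_trace(duration=600, attack_start=200, attack_len=35):
    """One record per second, as a flow collector might summarise them (constructed).
    pkts = packets/s at the edge, syn = TCP SYNs/s, ok = handshakes completed/s."""
    trace = []
    for t in range(duration):
        if attack_start <= t < attack_start + attack_len:
            # Spoofed-source SYN flood: many SYNs, almost none complete the handshake.
            trace.append({"t": t, "pkts": 350, "syn": 300, "ok": 5})
        else:
            trace.append({"t": t, "pkts": 50, "syn": 5, "ok": 5})
    return trace


def volume_alerts(trace, interval=300, pps_threshold=500):
    """Classic detector: mean packets/s per export interval against a fixed threshold.
    The 35 s burst is averaged away inside a 300 s bucket (85 pps here)."""
    alerts = []
    for start in range(0, len(trace), interval):
        bucket = [r["pkts"] for r in trace[start:start + interval]]
        if mean(bucket) > pps_threshold:
            alerts.append(start)
    return alerts


def behaviour_alerts(trace, window=5, min_syn=20, max_completion=0.5):
    """Behaviour detector: sliding window on the handshake completion ratio.
    Legitimate clients complete nearly every handshake; a spoofed flood does not."""
    alerts = []
    for i in range(len(trace)):
        w = trace[max(0, i - window + 1):i + 1]
        syn = sum(r["syn"] for r in w)
        ok = sum(r["ok"] for r in w)
        if syn >= min_syn and ok / syn < max_completion:
            alerts.append(trace[i]["t"])
    return alerts


def incidents(alert_ts):
    """Collapse consecutive alert seconds into (start, end) incidents."""
    out = []
    for t in alert_ts:
        if out and t == out[-1][1] + 1:
            out[-1] = (out[-1][0], t)
        else:
            out.append((t, t))
    return out


if __name__ == "__main__":
    trace = build_trace()
    print("volume detector alerts:", volume_alerts(trace))             # []
    print("behaviour incidents:", incidents(behaviour_alerts(trace)))  # [(200, 238)]
```

The behaviour detector raises its first alert at t=200, the very second the flood starts, and clears once the window no longer contains attack seconds.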
The evolution of DDoS attacks towards shorter, automated, and multivector forms demands a profound rethinking of defensive strategies. It is no longer enough to have bandwidth capacity or perimeter firewalls: a defense architecture based on threat intelligence, real-time detection, encrypted traffic inspection, and autonomous mitigation at a global level is required. Resilience against DDoS is no longer a technical option but an operational requirement.
On the other hand, the analyzed HTTP DDoS traffic shows a worrying pattern: a large majority of attacks originate from autonomous systems (ASNs) belonging to legitimate cloud and hosting service providers.
This phenomenon points to systematic abuse of cloud environments through compromised accounts, poorly secured test environments, or default configurations. The ease of scaling, relative anonymity, and global availability of these platforms make them ideal vectors for launching large-volume distributed attacks.
Most attacked sectors
The sectoral analysis of the first quarter of 2025 reveals a substantial shift in DDoS attackers' priorities, with an increasingly broad and strategic focus. The Betting and Casinos sector tops the ranking as the most attacked industry, followed by Telecommunications, Technology and IT, and Video Games, all sectors with high digital exposure, critical real-time services, and a strong dependence on continuous availability.
The most significant aspect, however, is the prominent presence of sectors traditionally less exposed to this type of threat. Cybersecurity, Aerospace and Aviation, and Manufacturing, Engineering, and Industrial Technology rank within the top 10 most attacked industries, indicating a clear tactical diversification by cybercriminals.
This pattern suggests that attackers are prioritizing targets with critical infrastructures, complex operational environments, and high levels of digital interdependence, where even a brief disruption can generate cascading effects at operational, financial, and reputational levels. Additionally, many of these sectors handle sensitive data or industrial control systems, making them attractive targets both for denial-of-service attacks and for distraction or covert sabotage campaigns.
In this context, DDoS protection can no longer be considered an exclusive measure for mass consumer sectors or web services, but a transversal necessity for any industry with exposed digital assets or critical processes connected to the Internet. All of this also has direct implications within the framework of European regulatory compliance. Both the NIS2 Directive and the DORA Regulation require organizations—especially those classified as essential or important entities—to implement appropriate technical and organizational measures to ensure digital operational resilience against threats such as these DDoS attacks.
Conclusions
The current landscape has made it clear that protecting the infrastructure edges is not enough: traditional defense is outdated. The speed, volatility, and sophistication of current DDoS attacks demand a complete transformation of the cyber protection model. It is no longer enough to set up a scrubbing center or filter known ports; now it is about responding in real time, with precision and full visibility of encrypted traffic.
Modern protection must be based on five essential principles:
- Have autonomous and instantaneous mitigation that reduces or eliminates any need for human intervention during an incident and acts within milliseconds.
- Deploy always-on, multi-layer protection where network firewall, secure DNS, WAF, layer 7 mitigation, and global telemetry work in a coordinated manner.
- Incorporate behavior-based detection that allows identifying anomalous patterns even when no volume increase is detected.
- Conduct drills and internal stress tests, because a team that has not trained under realistic conditions will struggle to react to a real attack.
- Establish active partnerships with network and cloud providers, facilitating the neutralization of the attack from its origin before it reaches the perimeter.
In the next installment, we will analyze in detail how this evolution of DDoS manifests in the network layers (L3/L4), exploring the most used vectors and how to anticipate them with effective detection mechanisms.