Now Released: NSFOCUS 2025 Global DDoS Landscape Report

In 2025, fueled by AI and LLMs, DDoS attacks are shifting from volume-based tactics to intelligent, high-precision warfare. This evolution, marked by increased stealth and a bifurcated ecosystem of veteran and AI-driven actors, is deconstructed in the NSFOCUS 2025 Global DDoS Landscape Report.

Key Opinions

1. AI-driven DDoS platforms entered active use, exemplified by Nullsec Philippines’ publicizing of vire.cc. By automating optimal strategy generation and parameter configuration, these platforms significantly enhance attack precision and efficiency. As AI continues to lower the barrier to entry, the global threat level is escalating rapidly.

2. In 2025, DDoS attacks exceeding 500Gbps surged by 115.72% year-over-year, marking a sharp rise in high-intensity threats. The year’s peak hit 2.6Tbps in May—a significant jump from the 1.9Tbps record in 2024. While the average peak bandwidth rose by approximately 30Gbps, the average peak packet rate actually declined. This divergence indicates that attackers are increasing per-packet data volume to maximize impact—marking a strategic pivot from “high-frequency bursts” to “high-load amplification.”

3. DDoS attacks are evolving toward precision targeting, with tactics refined for maximum impact. Attackers now synchronize strikes with business peaks or product launches to mask malicious traffic, while exploiting geopolitical conflicts and major elections to hit government, finance, and telecom sectors. As AI adoption grows, APIs have emerged as a primary target. A key example is the DeepSeek-R1 incident, where attackers targeted specific API and chat interfaces during peak user hours, demonstrating a highly sophisticated, scenario-based offensive strategy.

4. The DDoS ecosystem remains dominated by veteran families, with XorDDoS (48.99%) and Mirai (31.52%) maintaining a firm lead. However, new threats are rapidly gaining ground. Emerging botnets discovered by NSFOCUS FuYing Lab in 2025—including httpbot, NutsBot, and chachatea—have already broken into the top ten. These newcomers primarily feature HTTP/HTTPS capabilities, marking a strategic shift from volumetric floods toward session and application-layer resource exhaustion.

Our Prediction

Based on current observations, NSFOCUS predicts two defining trends for the future of the DDoS landscape:

  • AI-Amplified Complexity: Continuous integration of AI and automation will refine attack methodologies, escalating defense complexity and response difficulty while increasing overall security pressure.
  • Geopolitical Weaponization: As cyber and physical conflicts merge, DDoS attacks will increasingly serve as strategic state tools or instruments of geopolitical leverage, posing deeper threats to social and economic stability.

Full Report

2025 Global DDoS Landscape Report – NSFOCUS
