2025 Global DDoS Attack Landscape Report
In 2025, fueled by the rapid evolution of AI agents and LLMs, DDoS attacks are undergoing a paradigm shift from traditional volumetric, bandwidth-heavy confrontations to intelligent warfare centered on cognitive speed, strategic precision, and decision-making efficiency. Attack methodologies have evolved from blunt traffic suppression to highly targeted precision strikes, resulting in a marked increase in both stealth and destructive impact.
Simultaneously, the DDoS ecosystem is experiencing accelerated fragmentation: while established threat actors continue to consolidate their dominance, emerging groups are rising swiftly by leveraging automation and intelligent capabilities, making the overall threat landscape increasingly complex.
Key Findings:
- AI-driven DDoS platforms entered active use, exemplified by Nullsec Philippines’ vire.cc. By automating optimal strategy generation and parameter configuration, these platforms significantly enhance attack precision and efficiency.
- DDoS attacks exceeding 500Gbps surged by 115.72% year-over-year, with a record peak of 2.6Tbps in May (up from 1.9Tbps in 2024). This data highlights a strategic shift from “high-frequency bursts” to “high-load amplification.” By increasing per-packet data volume, attackers are achieving more targeted, high-intensity impact.
- DDoS attacks are becoming increasingly surgical, with strikes timed to exploit geopolitical conflicts, major events, and elections. While critical sectors like government, finance, and telecoms remain primary targets, the rise of AI and digital transformation has turned APIs into the new frontline for precision attacks.
- The DDoS ecosystem remains dominated by veteran families, with XorDDoS (48.99%) and Mirai (31.52%) leading the pack. However, new threats like httpbot, NutsBot, and chachatea—all discovered by NSFOCUS in 2025—have already cracked the top ten. These new botnets primarily target HTTP/HTTPS, signaling a shift from volumetric traffic exhaustion to application-layer resource depletion.