DDoS Attack Statistics for 2026: Record Sizes, Hyper-Volumetric Attacks, and the Botnets Behind Them

Distributed denial-of-service attacks more than doubled in 2025 and broke every previous size record on the way. The Cloudflare 2025 Q4 DDoS Threat Report counted 47.1 million DDoS attacks mitigated across its network, up 121% year over year, and confirmed a record 31.4 terabits per second (Tbps) attack that lasted 35 seconds, fueled by the Aisuru-Kimwolf botnet. Hyper-volumetric attacks grew by more than 700% compared with late 2024. The NetScout 2H 2025 DDoS Threat Intelligence Report tracked more than 8 million attacks across 203 countries in the second half of 2025 alone, and financial services took the brunt of the volumetric load, with Akamai and FS-ISAC reporting a 245% year-over-year surge in APAC. These are the DDoS attack statistics that IT, security, and compliance teams should be watching in 2026.

Key DDoS attack statistics at a glance

• 47.1 million DDoS attacks were mitigated by Cloudflare in 2025, more than double the 2024 total. Network-layer attacks tripled to 34.4 million, per the Cloudflare 2025 Q4 DDoS Threat Report.
• 5,376 DDoS attacks were mitigated every hour on average in 2025, with 3,925 network-layer attacks and 1,451 HTTP attacks per hour, per Cloudflare.
• 31.4 Tbps is the largest publicly disclosed DDoS attack on record, blocked by Cloudflare in December 2025 and lasting just 35 seconds, per the Cloudflare 2025 Q4 DDoS Threat Report. The same attack reached 14.1 billion packets per second.
• 700% is the growth in hyper-volumetric attack size during 2025 versus late 2024, per Cloudflare. Hyper-volumetric attacks alone grew 40% quarter over quarter in Q4 2025.
• 1 to 4 million Android TVs, routers, and other IoT devices are estimated to be enrolled in the Aisuru-Kimwolf botnet, the driver of most 2025 record-breaking attacks, per Cloudflare.
• 8 million+ DDoS attacks were observed across 203 countries in the second half of 2025, with EMEA leading at 3.3 million, per the NetScout 2H 2025 Threat Intelligence Report.
• 34% of layer-3 and layer-4 DDoS attacks targeted the financial services sector in 2025, ahead of gaming (18%) and high tech (15%), per Akamai. The median attack duration on financial services rose 738% from 2024.
• 245% was the year-over-year surge in volumetric DDoS attacks against the APAC financial sector in 2024, with APAC firms taking 38% of all L3/L4 attacks against banks globally, per Akamai and FS-ISAC.

$22,000 per minute is the average cost of DDoS-driven downtime in 2025, with small businesses spending roughly $120,000 to recover and large enterprises facing losses above $1 million, per the MazeBolt 2025 Annual Trends Report.

‍

Attack volume and frequency reached unprecedented levels in 2025

The biggest story in DDoS is the sheer count of attacks. The Cloudflare 2025 Q4 DDoS Threat Report put the 2025 total at 47.1 million attacks mitigated, a 121% increase over 2024 and a 236% jump from 2023. Network-layer DDoS attacks did the heavy lifting, growing from 11.4 million in 2024 to 34.4 million in 2025, more than triple. Cloudflare mitigated an average of 5,376 attacks every hour during the year.

NetScout’s ATLAS sensor network saw a parallel pattern. The NetScout 2H 2025 DDoS Threat Intelligence Report recorded more than 8 million DDoS attacks worldwide between July and December 2025 across 203 countries. EMEA absorbed 3.3 million, APAC 1.9 million, North America 1.27 million, and Latin America 1.01 million. Some attacks peaked at 30 Tbps, putting NetScout’s telemetry in the same neighborhood as Cloudflare’s.

The fourth quarter alone showed how compressed the growth curve has become. Per Cloudflare, Q4 2025 DDoS attacks were up 31% over the previous quarter and 58% over Q4 2024, with network-layer attacks accounting for 78% of the total. Q3 was already record-breaking: Cloudflare’s 2025 Q3 DDoS Threat Report counted 5.9 million network-layer attacks in a single quarter, up 87% quarter over quarter and 95% year over year.

Hyper-volumetric attacks and the 31.4 Tbps record

Hyper-volumetric DDoS attacks (those exceeding 1 Tbps, 1 billion packets per second, or 1 million requests per second) defined the 2025 threat landscape. The Cloudflare 2025 Q4 DDoS Threat Report found that hyper-volumetric attacks grew 40% quarter over quarter in Q4 and more than 700% over the largest attacks seen in late 2024. The single largest event of the year reached 31.4 Tbps and 14.1 billion packets per second, then ended after 35 seconds.

The 31.4 Tbps attack was part of a coordinated campaign Cloudflare named "The Night Before Christmas," running from December 19, 2025. Per Cloudflare, Cloudflare mitigated 902 hyper-volumetric DDoS attacks during the campaign (384 packet-intensive, 329 bit-intensive, and 189 request-intensive), averaging 53 hyper-volumetric attacks a day. The mean attack measured 3 Bpps, 4 Tbps, and 54 Mrps; the peak hit 9 Bpps, 24 Tbps, and 205 Mrps simultaneously.

To put 205 million requests per second into perspective, Cloudflare compared it to the combined populations of the United Kingdom, Germany, and Spain all hitting "enter" on a web request in the same second. Each one of these peaks would have toppled most legacy on-premise scrubbing centers, and Cloudflare reports that its autonomous DDoS defense detected and mitigated all of them without human intervention.

Application-layer attacks broke ceilings too. The Imperva blog reported mitigating an early-2025 attack that approached 6 million requests per second by combining HTTP/2 Rapid Reset with traditional flood techniques, leveraging amplification through misconfigured services and a globally distributed botnet.

Aisuru-Kimwolf and the rise of IoT-driven DDoS botnets

Behind almost every 2025 record sits the same actor. Cloudflare attributes the year’s largest attacks to the Aisuru-Kimwolf botnet, an estimated 1 to 4 million infected hosts dominated by compromised Android TVs and other consumer IoT devices. The botnet runs bandwidth-heavy and packet-rate attacks simultaneously over both TCP and UDP, and grows by exploiting undisclosed zero-day vulnerabilities in connected devices.

Aisuru’s growth curve is what makes it dangerous. Cloudflare’s 2025 Q3 DDoS Threat Report counted 1,304 hyper-volumetric attacks from Aisuru in Q3 alone (54% quarter-over-quarter growth) at an average of 14 hyper-volumetric attacks daily. Cloudflare reports that Aisuru’s potential attack size grew more than 700% in a single year. Chunks of the botnet are reportedly offered as a service for a few hundred to a few thousand US dollars, which puts hyper-volumetric DDoS capacity within reach of low-skilled attackers.

Aisuru is not alone. The NetScout 2H 2025 Threat Intelligence Report attributes more than 3,600 high-volume DDoS events since 2021 to the Eleven11 (RapperBot) botnet, with single attacks exceeding 1 Tbps in outbound floods from compromised customer-premise equipment and IoT devices.

The original Mirai code base also continues to spawn variants. Akamai security research documented active exploitation of two GeoVision command-injection vulnerabilities (CVE-2024-6047 and CVE-2024-11120) by an LZRD Mirai variant in early 2025, and tracked the "Murdoc" Mirai variant operating roughly 1,300 compromised AVTECH cameras and Huawei HG532 routers. Earlier Mirai-derived botnets were responsible for a 5.6 Tbps UDP attack against an East Asian ISP in October 2024 that originated from more than 13,000 IoT devices.

Most-targeted industries and countries

Financial services has remained the single most attacked sector at the network layer for two consecutive years. Per Akamai and FS-ISAC, financial services took 34% of layer-3 and layer-4 DDoS attacks globally, ahead of gaming (18%) and high technology (15%). The median attack duration against financial services rose 738% from 2024 to 2025, and the maximum attack size jumped 236% year over year. APAC banks alone saw a 245% surge in volumetric attacks year over year, and APAC accounted for 38% of all L3/L4 financial-sector attacks in 2024 (up from 11% in 2023).

Cloudflare’s broader Q4 ranking shows a partial shift. Per the Cloudflare 2025 Q4 DDoS Threat Report, Telecommunications, Service Providers, and Carriers became the most-attacked industry overall, displacing Information Technology and Services. Gambling and Casinos came in third and Gaming fourth, with Computer Software and Business Services both climbing several spots quarter over quarter.

Geopolitical events sent shockwaves through the sector mix as well. Cloudflare’s 2025 Q3 DDoS Threat Report tied a sharp increase in DDoS attacks against the Mining, Minerals, and Metals industry and the Automotive industry to EU-China trade tensions over rare earth minerals and EV tariffs. DDoS traffic against generative AI companies surged as much as 347% month over month in September 2025 as public concern over AI regulation grew.

On the country side, China, Germany, Brazil, and the United States held the top four most-attacked positions per Cloudflare. Hong Kong jumped 12 places to number two, and the United Kingdom rose 36 places to become the sixth most-attacked country worldwide. NetScout’s sensor data corroborates the trend: EMEA absorbed 3.3 million attacks in the second half of 2025, more than any other region, per the NetScout 2H 2025 Threat Intelligence Report.

Attack duration, vectors, and the multi-vector trend

Most DDoS attacks are still short. Per the NetScout 2H 2025 Threat Intelligence Report, the majority of attacks are "hit and run" assaults under 10 minutes, and 93% of network-layer attacks under 500 Mbps last less than ten minutes. The record-setting 31.4 Tbps attack ran for just 35 seconds. Short does not mean safe: Akamai found that median attack duration against financial services rose 738% from 2024, with some bank outages stretching across multiple days as part of layered campaigns.

Vectors have become more layered. Per the Imperva blog, early-2025 attacks were primarily UDP-driven, with attackers introducing TCP components to escalate complexity. DNS amplification (where attackers spoof a victim IP and abuse open resolvers to multiply traffic), HTTP/2 Rapid Reset, and combined reflection/amplification floods are the dominant techniques. The same Imperva research describes mitigating an attack approaching 6 million requests per second using HTTP/2 Rapid Reset alongside traditional methods.

Cloudflare’s data shows the multi-vector campaigns are increasingly automated. The Cloudflare 2025 Q4 DDoS Threat Report describes an 18-day Q1 2025 attack against Cloudflare Magic Transit infrastructure that combined SYN flood, Mirai-generated traffic, and SSDP amplification across 13.5 million distinct attack events. Telcos, cloud providers, and AI companies are now the most heavily targeted because they sit at the bottlenecks attackers can exploit for amplification.

Ransom DDoS and extortion-driven attacks

Ransom DDoS (where attackers extort a target by threatening or executing an attack) is back. Cloudflare’s 2025 Q3 DDoS Threat Report tracks ransom DDoS through a customer survey, and reported a sharp June 2025 spike: around a third of surveyed customers said they had been threatened or hit by a ransom DDoS attack in that month. Quarter over quarter, ransom DDoS reports rose 68% from Q1 to Q2 2025, with a smaller 6% bump year over year.

Attribution remains difficult. Per the same Cloudflare survey, 71% of victims said they did not know who attacked them. Of the 29% that did identify a threat actor, 63% pointed to competitors, 21% to state or state-sponsored actors, and 5% each to extortionists and disgruntled users. The takeaway is that DDoS has shifted from being mostly hacktivist-driven to being commercially weaponized.

The cost of DDoS downtime in 2026

Downtime is where DDoS turns into a balance-sheet event. The MazeBolt 2025 Annual Trends Report puts the average cost of DDoS downtime at roughly $22,000 per minute, or $1.32 million per hour. Small businesses pay an average of around $120,000 to recover from a DDoS attack, while large enterprises routinely lose more than $1 million per incident before recovery, regulatory, and reputational costs are added.

Industry verticals diverge sharply. Per MazeBolt, manufacturers face roughly $260,000 per hour of downtime, and automotive plants can lose $2.3 million per hour. Medium hospitals report EHR outage costs near $1.7 million per hour, and large hospitals roughly $3.2 million per hour. Online retailers and SMBs sit in a wider band of $8,000 to $74,000 per hour, depending on transaction volume.

Emerging DDoS trends in 2026

AI-driven DDoS-for-hire is collapsing the skill ceiling. Per the NetScout 2H 2025 Threat Intelligence Report, DDoS-for-hire services are integrating conversational AI and illicit large language models so unskilled actors can launch sophisticated multi-vector attacks through a simple prompt interface. Cloudflare’s reporting that pieces of Aisuru rent for a few hundred dollars reinforces the same trend.

IoT and consumer routers are the new attack engine. Aisuru-Kimwolf draws from 1 to 4 million infected Android TVs and routers per Cloudflare. Akamai’s tracking of the LZRD and Murdoc Mirai variants per Akamai security research confirms that unpatched cameras, DVRs, and consumer-grade routers continue to feed the largest botnets.

Hyper-volumetric attacks are now a regular occurrence, not a freak event. The Cloudflare 2025 Q4 DDoS Threat Report counted 902 hyper-volumetric attacks during a single 30-day campaign, averaging 53 a day. Defenders cannot treat 1 Tbps as the boundary of "very large" anymore; it is now a common rate, not a record.

Telecommunications has overtaken IT as the most-attacked industry. Per Cloudflare, Telcos took the number one spot in Q4 2025, reflecting attackers’ growing interest in the upstream infrastructure that downstream businesses depend on. Financial services remains the most attacked sector specifically by L3/L4 volumetric attacks per Akamai and FS-ISAC.

Geopolitics is reshaping target lists in real time. Per Cloudflare’s 2025 Q3 DDoS Threat Report, EU-China trade tensions over rare earth minerals and EV tariffs coincided with a sharp Q3 spike in DDoS attacks against mining, minerals, metals, and automotive. The United Kingdom climbed 36 places in the most-attacked country ranking in a single quarter.

Generative AI services are now first-tier DDoS targets. Per Cloudflare, DDoS traffic against AI companies surged by as much as 347% month over month in September 2025. AI inference endpoints are expensive to serve and difficult to scale defensively, which makes them an attractive target for both extortion and hacktivism.

For broader context on the trends above, see our cyber attack statistics and hacking statistics roundups.

How swif.ai helps

swif.ai gives IT and security teams a single console to enforce device, identity, and compliance controls across the macOS, Windows, and Linux endpoints behind the numbers above. Explore swif.ai unified endpoint management to see how it works.