This week, Cloudflare released its quarterly report on Distributed Denial of Service (DDoS) threats, unveiling a startling increase in such cyber attacks. The report indicates that Cloudflare thwarted an astounding 20.5 million attacks in the first quarter of 2025 alone, marking a staggering 358% increase compared to the same period in 2024 and a 198% rise from the previous quarter.
The trend suggests that 2025 is on track to shatter all previous records, as the total number of attacks mitigated already amounts to 96% of the entire year’s tally for 2024, which was 21.3 million incidents. Notably, Cloudflare itself was not spared, facing 6.6 million attacks over an 18-day malicious campaign that employed multiple vectors.
“In just this past quarter, we blocked 96% of what we blocked in 2024,” Cloudflare emphasized in the report, highlighting the unprecedented escalation of these cyber threats.

Record-Breaking Attacks and Network-Layer Surge

The report reveals that network-layer attacks were the primary driver of this growth, accounting for 16.8 million incidents, a 509% year-on-year explosion. HTTP attacks, while fewer in number, also saw a significant 118% increase from the same period in 2024.
A particularly concerning development is the proliferation of “hyper-volumetric” attacks, which exceed 1 Terabit per second (Tbps) or 1 billion packets per second (Bpps). Cloudflare recorded over 700 such attacks in the first quarter, averaging 8 per day, with only 4 in every 100,000 network-layer attacks reaching this intensity level.
These massive but brief attacks, lasting between 35 and 45 seconds, underscore the need for automated defenses, as manual intervention is rendered ineffective by their speed and intensity. Incidents originated from 147 different countries, targeting multiple IP addresses and ports of a protected hosting provider.

Gaming Servers Under Siege

Online gaming servers remain a prime target for attackers due to the significant impact their disruption has on gaming communities. The report highlights a specific case of a U.S. hosting provider, which offers servers for popular Valve games like Counter-Strike 2 and Team Fortress 2, being subjected to multiple hyper-volumetric attacks aimed at port 27015, commonly used by Source engine-based games.
One of these attacks peaked at an astounding 1.5 billion packets per second and was automatically thwarted by Cloudflare’s systems. The gaming and gambling industry topped the list of most attacked sectors this quarter, climbing four positions from the last quarter. Attackers are primarily competitors (39% of identified cases), followed by state actors or state-sponsored entities (17%), and disgruntled users or customers (17%).

Amplification Tactics on the Rise

Cloudflare’s report also flags a worrying increase in two reflection/amplification attack techniques that have gained traction in early 2025.
CLDAP (Connectionless Lightweight Directory Access Protocol) attacks surged by an astonishing 3,488% quarter-over-quarter. This variant of LDAP uses UDP instead of TCP, so there is no connection handshake to confirm the sender's address, allowing attackers to spoof the source IP address and reflect massive traffic volumes onto their targets.
ESP (Encapsulating Security Payload) attacks, meanwhile, grew by 2,301% this quarter. This method exploits incorrect configurations in systems using this IPsec security protocol to redirect and amplify malicious traffic.
Both techniques involve sending small queries with a spoofed source IP (the victim’s IP), causing servers to flood the victim with large responses, overwhelming their systems.
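A victim-side check for the two vectors described above, as an added example that is not from Cloudflare's report: it buckets flow records per destination and flags CLDAP replies (UDP source port 389) or ESP traffic (IP protocol 50) arriving from many sources at once. The record layout, thresholds and sample flows are constructed assumptions.

```python
from collections import defaultdict

# Reflected traffic is recognised by where it comes FROM: CLDAP replies leave
# reflectors from UDP source port 389; ESP is IP protocol number 50.
UDP, ESP = 17, 50

def classify(flow):
    """Return the reflection vector a flow record matches, or None."""
    if flow["proto"] == UDP and flow["sport"] == 389:
        return "cldap"
    if flow["proto"] == ESP:
        return "esp"
    return None

def detect_reflection(flows, window=10, min_bytes=1_000_000, min_sources=3):
    """Flag (window, destination, vector) buckets that look like a reflection flood.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in flows:
        vector = classify(f)
        if vector is None:
            continue
        key = (f["ts"] // window * window, f["dst"], vector)
        buckets[key]["bytes"] += f["bytes"]
        buckets[key]["sources"].add(f["src"])
    alerts = []
    for (start, dst, vector), b in sorted(buckets.items()):
        if b["bytes"] >= min_bytes and len(b["sources"]) >= min_sources:
            alerts.append({"start": start, "dst": dst, "vector": vector,
                           "bytes": b["bytes"], "sources": len(b["sources"])})
    return alerts

def sample_flows():
    """Constructed flow records (documentation IP ranges), not real traffic."""
    flows = [{"ts": 100 + i, "src": f"198.51.100.{i + 1}", "dst": "203.0.113.10",
              "proto": UDP, "sport": 389, "dport": 27015, "bytes": 400_000}
             for i in range(5)]  # five sources replying from UDP/389 to one host
    # One legitimate IPsec peer sending ESP: a single source, below min_sources.
    flows.append({"ts": 101, "src": "192.0.2.7", "dst": "203.0.113.20",
                  "proto": ESP, "sport": 0, "dport": 0, "bytes": 2_000_000})
    # Ordinary client traffic to port 27015: matches no reflection signature.
    flows.append({"ts": 102, "src": "192.0.2.50", "dst": "203.0.113.10",
                  "proto": UDP, "sport": 51000, "dport": 27015, "bytes": 900})
    return flows

if __name__ == "__main__":
    for alert in detect_reflection(sample_flows()):
        print(alert)
```

The 10-second default window is chosen to be shorter than the 35 to 45 second attack durations cited earlier, so an alert can drive automated mitigation before the burst ends.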

Proactive Measures Imperative for Defense

Given the evolving threat landscape, Cloudflare stresses that organizations must move away from reactive security measures. With most DDoS attacks being of short duration — 89% of network-layer attacks and 75% of HTTP attacks concluding in under 10 minutes — manual mitigation or on-demand solutions are no longer viable.
Cloudflare advises companies to:
- Adopt always-on, automated DDoS protection instead of reactive solutions.
- Ensure that their security solution can handle both legitimate and malicious traffic volumes simultaneously.
- Continuously monitor network traffic for anomalous patterns.
- Keep all systems updated to minimize attack surfaces.
For service providers, Cloudflare offers the DDoS Botnet Threat Feed free of charge. This threat intelligence feed is already utilized by over 600 organizations worldwide to identify and neutralize abusive accounts within their networks.
The report concludes that “The current threat landscape leaves no time for human intervention. Detection and mitigation should be always-on, in-line and automated — with sufficient capacity and global coverage to handle the attack traffic along with legitimate peak time traffic.” This underscores that DDoS protection has become a fundamental necessity for any online presence in 2025.
Source: Cloudflare blog




