The number of DDoS attacks more than doubled in 2025. The network layer is under particular threat as hyper-volumetric attacks grew 700%.
Analysis Summary
# Incident Report: 2025 Annual Surge in Hyper-Volumetric DDoS Attacks
## Executive Summary
The year 2025 saw an unprecedented surge in Distributed Denial of Service (DDoS) activity, with the total number of attacks more than doubling compared to previous years. The network layer came under severe pressure, with hyper-volumetric attacks growing 700%. The year culminated in Q4 with the "Night Before Christmas" campaign, launched by the Aisuru-Kimwolf botnet, which peaked near 31.4 Tbps and used infected Android TVs to launch sophisticated HTTP assaults exceeding 200 million requests per second (rps).
## Incident Details
- **Discovery Date:** Attacks were ongoing throughout 2025, with major campaigns detected in Q1 and Q4.
- **Incident Date:** Primary focus on major events in Q1 2025 and the culminating event in Q4 2025 (starting December 19, 2025).
- **Affected Organization:** Cloudflare customers and Cloudflare's own network/dashboard infrastructure.
- **Sector:** Telecommunications (telcos emerged as the most-attacked industry).
- **Geography:** Global infrastructure, with Hong Kong and the United Kingdom showing significant increases as targets.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout 2025, with a major spike starting December 19, 2025.
- **Vector:** Infection of IoT devices, primarily Android TVs, forming the Aisuru-Kimwolf botnet (estimated 1-4 million hosts). Network-layer attacks also made heavy use of open protocols.
- **Details:** The botnet used infected Android TVs to launch HTTP DDoS attacks and sophisticated network-layer attacks against infrastructure.
### Lateral Movement
*Not explicitly detailed for the botnet hosts, since this was a direct-to-target attack; the botnet itself reached massive scale by infecting heterogeneous IoT and end-user devices.*
### Data Exfiltration/Impact
*The primary impact was the disruption of service availability (Denial of Service) rather than data exfiltration.*
- **Impact:** Disruption of critical infrastructure and potential downtime for affected customers, with record network traffic volumes (up to 31.4 Tbps).
### Detection & Response
- **How it was discovered:** Mitigation was largely automated. The Q1 campaign was only identified and analyzed during preparation of the Q1 threat report, highlighting the effectiveness of the automated mitigation systems. The Q4 campaign was automatically detected and mitigated because of its scale.
- **Response actions taken:** Automated detection and mitigation of extreme volumetric attacks across the Cloudflare network, with unmetered protection for all customers.
## Attack Methodology
- **Initial Access:** Compromise and infection of IoT devices (primarily Android TVs) forming the Aisuru-Kimwolf botnet.
- **Persistence:** Devices remained active members of the botnet, ready to serve attack commands.
- **Privilege Escalation:** Not applicable in the typical sense; attacks leveraged the existing access/control over compromised endpoint devices.
- **Defense Evasion:** The attacks relied on massive volume and multiple simultaneous vectors to exceed the capacity of traditional defenses; only sophisticated, scalable mitigation infrastructure could absorb them.
- **Credential Access:** Not the primary goal; the attack focused on volumetric denial of service.
- **Discovery:** Reconnaissance was implicit in marshalling the large botnet prior to launching coordinated volumetric assaults.
- **Lateral Movement:** N/A (Botnet commanded disparate/external hosts).
- **Collection:** N/A (Focus was on generating traffic, not harvesting data).
- **Exfiltration:** N/A.
- **Impact:** Hyper-volumetric Layer 3/4 (Network) and Layer 7 (HTTP) saturation attacks designed to overwhelm target capacity.
## Impact Assessment
- **Financial:** Not explicitly quantified, but significant operational costs for organizations relying on on-premise or on-demand scrubbing centers that struggled to cope with the rise in attack volume (121% overall increase in attacks).
- **Data Breach:** None reported; the incident type was DoS.
- **Operational:** Extreme service degradation or outages for targeted networks, particularly Telcos, which were the most-attacked industry. Record volumetric pressure on global internet infrastructure.
- **Reputational:** Potential reputational risk for targeted entities if mitigation failed, though Cloudflare emphasized automated, unmetered protection.
## Indicators of Compromise
*Because this summary is derived from a threat report rather than a single incident, the IOCs are generalized by attack type.*
- **Network indicators:** High-volume SYN flood traffic patterns; SSDP amplification traffic originating from compromised IoT addresses.
- **File indicators:** N/A (Focus is on network signature/behavior).
- **Behavioral indicators:** Sustained HTTP request rates exceeding 200 Mrps; coordinated multi-vector network attacks involving Mirai variants; traffic sourced predominantly from compromised Android TVs.
## Response Actions
- **Containment measures:** Automated, cloud-scale DDoS mitigation enacted across the network edge.
- **Eradication steps:** For Cloudflare, attacks were neutralized immediately by automated mitigation. Customers relying on legacy systems needed an immediate review of their defense strategy.
- **Recovery actions:** Restoration of service availability following mitigation of the traffic floods.
## Lessons Learned
- The scale of network-layer DDoS attacks continues to grow rapidly, more than tripling year-over-year (34.4 million in 2025).
- IoT devices, specifically Android TVs, are a significant and growing source of large-scale botnet infrastructure (Aisuru-Kimwolf).
- Hyper-volumetric HTTP attacks are reaching new historical highs, requiring defenses capable of handling sustained high request rates.
## Recommendations
- Organizations should re-evaluate on-premise mitigation appliances or on-demand scrubbing centers, as they may fail to cope with hyper-volumetric attacks exceeding 31 Tbps.
- Adoption of always-on, globally distributed network protection (like Cloudflare's) is critical to absorb and mitigate massive Layer 3/4 and Layer 7 assaults automatically.
- Continuous monitoring and hardening of IoT device ecosystems must be prioritized given their role in botnet proliferation.