Aisuru Botnet Pushes DDoS Into Hyper-Volumetric, Nation-Scale Territory: Cloudflare

Cloudflare’s latest Q3 2025 DDoS Threat Report is basically a warning label for anyone still treating DDoS as a “basic” problem. The headline: the Aisuru botnet has dragged DDoS into a new era of nation-scale disruption, with attack volumes and frequency that older, on-prem or on-demand mitigation models are simply not built to handle.

Across the quarter, Cloudflare’s autonomous systems blocked 8.3 million DDoS attacks, a 15% jump QoQ and 40% YoY, with total 2025 mitigations already at 36.2 million – 170% of the entire 2024 volume, and the year isn’t over yet.

Aisuru: Hyper-Volumetric DDoS as a Commodity

Aisuru is the centre of gravity in this report. Cloudflare estimates it controls between 1 and 4 million infected hosts globally and routinely launches hyper-volumetric attacks:

  • Frequent bursts exceeding 1 Tbps and 1 billion packets per second (Bpps)

  • Peaks hitting 29.7 Tbps and 14.1 Bpps

  • 54% QoQ surge in hyper-volumetric attacks, averaging 14 such attacks per day

One 29.7 Tbps UDP carpet-bombing attack sprayed traffic across ~15,000 destination ports per second, randomizing packet attributes to evade static filters. Cloudflare still handled it autonomously, but the point is clear: this is not “take down a website” traffic, this is “stress parts of an ISP’s backbone” traffic.

Worse, “chunks” of Aisuru are sold as botnet-for-hire, meaning anyone with a few hundred or thousand dollars can launch Internet-scale disruption without nation-state resources.
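The following is an added example, not code from Cloudflare's report or from this article. It shows why a fixed port blocklist misses a burst that randomizes destination ports, while a per-second count of distinct destination ports plus byte volume flags it. The flow records, the target address, the blocklist and both thresholds are constructed assumptions, scaled far below the traffic levels reported above.

```python
import random
from collections import defaultdict

TARGET = "198.51.100.10"  # constructed address (RFC 5737 documentation range)

def make_flows(seed=7):
    """Constructed flow records (ts_ms, dst_ip, dst_port, bytes), scaled far down."""
    rng = random.Random(seed)
    flows = []
    for sec in range(3):  # baseline: a few service ports, steady volume
        for _ in range(200):
            flows.append((sec * 1000 + rng.randrange(1000), TARGET,
                          rng.choice([53, 123, 443]), 120))
    for _ in range(5000):  # burst in second 1: random ports and sizes
        flows.append((1000 + rng.randrange(1000), TARGET,
                      rng.randrange(1024, 65536), rng.randrange(64, 1400)))
    return flows

def detect_spray(flows, min_ports=1000, min_bytes=1_000_000):
    """Flag (second, dst_ip) buckets by port fan-out and volume together.

    Thresholds are illustrative assumptions, not values from the report.
    Returns {(second, dst_ip): (distinct_ports, total_bytes)}.
    """
    ports, volume = defaultdict(set), defaultdict(int)
    for ts_ms, dst_ip, dst_port, size in flows:
        key = (ts_ms // 1000, dst_ip)
        ports[key].add(dst_port)
        volume[key] += size
    return {k: (len(ports[k]), volume[k]) for k in ports
            if len(ports[k]) >= min_ports and volume[k] >= min_bytes}

def static_rule_coverage(flows, second, blocked_ports):
    """Fraction of bytes in one second that a fixed port blocklist would drop."""
    in_sec = [f for f in flows if f[0] // 1000 == second]
    total = sum(f[3] for f in in_sec)
    hit = sum(f[3] for f in in_sec if f[2] in blocked_ports)
    return hit / total if total else 0.0

if __name__ == "__main__":
    flows = make_flows()
    print("flagged buckets:", detect_spray(flows))
    # Constructed static rule: a short list of ports an operator might pre-block.
    print("static rule coverage:", static_rule_coverage(flows, 1, {1900, 11211, 3702}))
```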

Attack Trends: Faster, Bigger, More Targeted

Key structural shifts in Q3:

  • Network-layer DDoS made up 71% of attacks (5.9M), up 87% QoQ and 95% YoY

  • HTTP DDoS accounted for 29% (2.4M), down 41% QoQ

  • Attacks above 100 Mpps grew 189% QoQ

  • Attacks above 1 Tbps grew 227% QoQ

  • 71% of HTTP and 89% of network-layer attacks ended in under 10 minutes

That last point is critical. Short, brutal bursts that last seconds or a few minutes are too fast for manual response or on-demand scrubbing. Even if the attack stops, recovery of distributed systems and data consistency takes much longer than the attack window itself.

Who’s Under Fire? AI, Automotive, Mining, and Telcos

The report shows a clear link between geopolitics, trade tensions, and DDoS activity:

  • AI companies: HTTP DDoS traffic against leading generative AI providers spiked up to 347% MoM in September 2025, aligning with rising public concern and regulatory scrutiny around AI.

  • Mining, Minerals & Metals: Attacks surged as EU–China tensions over rare earths and EV tariffs escalated, pushing the sector up 24 ranks globally.

  • Automotive: Jumped 62 spots to become the 6th most attacked industry, reflecting EV and supply chain politics.

  • Cybersecurity vendors themselves climbed into the top-attacked segments.

By industry, Information Technology & Services, Telecommunications, and Gambling & Casinos were the most attacked. By geography, China remained the top target, followed by Turkey and Germany, with the US jumping 11 spots to fifth. The Maldives, France, and Belgium saw huge spikes tied to domestic protest movements and political unrest.

Why Legacy DDoS Defences Are Out of Their Depth

Cloudflare is blunt about one thing: legacy DDoS models are not built for this environment. Appliances sitting in a single DC and on-demand scrubbing approaches break down when:

  • Attacks exceed Tbps scale

  • Bursts last seconds to minutes

  • Attack sources are globally distributed and constantly shifting

  • Botnets like Aisuru are rented “as a service”

In Q3, UDP floods, DNS floods, SYN floods and ICMP floods accounted for just over half of all network-layer attacks, with variants of the Mirai botnet still responsible for ~2% of activity nearly a decade later. On the HTTP side, nearly 70% of attacks came from known botnets, meaning intelligence sharing and global telemetry still matter.

For CISOs and infra leaders, the takeaway is simple, not comforting: if your DDoS strategy still assumes manual intervention, ticket-based activation, or hardware-bound capacity, you are designing for a threat landscape that doesn’t exist anymore.

The new baseline is always-on, autonomous, globally distributed mitigation that can absorb dozens of hyper-volumetric bursts per day without human touch – and that’s what Aisuru just forced everyone to admit.
