Cloudflare has released its Q3 2025 DDoS Threat Report, and the findings show how quickly the global threat landscape is changing. The biggest highlight of this quarter is the rise of Aisuru, a massive botnet with an estimated 1–4 million infected devices. It pushed DDoS attacks to new records, with traffic spikes touching 29.7 Tbps and 14.1 billion packets per second.
Cloudflare says it mitigated 8.3 million attacks in the third quarter alone. That means the company blocked almost 3,800 attacks every hour. DDoS activity grew 15% quarter-over-quarter and 40% year-over-year. With one quarter still left in 2025, Cloudflare has already mitigated 36.2 million attacks, which is 170% of all attacks seen in 2024.
Aisuru dominated the quarter with frequent hyper-volumetric attacks. Cloudflare recorded 1,304 Aisuru attacks in Q3, up 54% from the previous quarter.
The 29.7 Tbps attack was a UDP carpet-bombing event that hit 15,000 ports every second. Cloudflare notes that the attack tried to evade detection by randomising packet attributes, but their autonomous system handled it without interruption.
Aisuru is also being broken into smaller “chunks” and sold as botnet-for-hire, allowing anyone to launch attacks for a few hundred dollars. Cloudflare warns that such attacks can disrupt ISPs, emergency services, and even military networks if protection is weak.
One of the most important insights this quarter is the sharp rise in attacks on AI companies. HTTP DDoS traffic aimed at leading AI platforms surged by 347% in September 2025. Public concern around AI, new regulations, and debates on ethics seem to be fueling this trend.
Global events had a visible impact on cyberattacks this quarter. Rising EU–China tensions over rare earth minerals and EV tariffs led to a jump in attacks on the Mining, Metals, and Automotive industries. The Automotive sector saw the biggest jump, rising 62 spots to become the sixth most attacked industry worldwide. China, Turkey, and Germany remained the top three most attacked countries. The United States climbed 11 spots to enter the top five.
Network-layer attacks made up 71% of all DDoS events in Q3. These attacks jumped 87% QoQ, driven mainly by Aisuru’s UDP floods. DNS floods, SYN floods, and ICMP floods followed. HTTP DDoS attacks, however, dropped 41% QoQ. Cloudflare says short attacks are becoming more dangerous. Around 89% of network-layer attacks and 71% of HTTP attacks ended within 10 minutes, often too fast for on-demand services or manual responses. Even if the attack lasts seconds, recovery can take far longer.
The report shows that modern DDoS attacks are now too fast and too large for old on-premise appliances or manual mitigation. Cloudflare says its global network and automated systems blocked every hyper-volumetric attack this quarter without human involvement.
