DDoS Attacks Surge: Report Reveals Massive Spike and AI Threats

DDoS Attacks Escalate in the First Half of 2025


Global Escalation and Impact of DDoS Attacks


DDoS attacks escalating: The first half of 2025 witnessed a significant escalation in Distributed Denial of Service (DDoS) attack activities, which are malicious attempts to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of Internet traffic. These attacks lead to a decrease in legitimate traffic, business losses, and reputational damage. New research by NetScout documented over eight million attacks globally during these six months. More than three million attacks were recorded across Europe, the Middle East, and Africa, underscoring the increasing regional pressure.

Terabit-per-second attacks: The findings also indicated that terabit-per-second DDoS attacks, once rare, have become almost routine, with peaks reaching 3.12 Tbps in the Netherlands and 1.5 Gbps in the United States. Distributed Denial of Service attacks are no longer mere sporadic disruptions but have become an established method for destabilizing critical networks, with geopolitical tensions remaining a primary driver for major attack campaigns. NetScout noted how conflicts between India and Pakistan led to widespread waves of hostile activity against Indian financial and governmental systems. Similarly, during confrontations involving Iran and Israel, over 15,000 strikes targeted Iranian infrastructure within a few days, while fewer than 300 targeted Israel. Even international forums were not spared, with events in Switzerland witnessing over 1,400 incidents in a single week.


The Role of Botnets in DDoS Attacks



Botnet networks: DDoS attacks at this scale rely on compromised devices operating as botnets. A botnet is a collection of Internet-connected devices, such as computers, smartphones, or Internet of Things (IoT) devices, that have been compromised by a malicious entity and are used to carry out large-scale attacks like DDoS. In March 2025 alone, attackers launched an average of 880 botnet-driven incidents daily, with a peak of 1,600. Compromised systems typically included routers, servers, and IoT devices, and the compromises often relied on known flaws rather than undiscovered vulnerabilities. Despite years of security warnings, these weaknesses continue to be exploited, enabling short but impactful campaigns that disrupt critical services. For organizations relying solely on antivirus software or basic endpoint protection, this constant flow of botnet traffic presents challenges that overwhelm traditional safeguards.


Evolution of Attacks with Automation and Artificial Intelligence Technologies


Automation and Artificial Intelligence: Furthermore, the evolution of DDoS campaigns has accelerated due to automation and artificial intelligence. Multi-vector attacks and carpet bombing techniques now occur faster than defenders can respond, creating an asymmetrical pressure. NetScout also noted the emergence of "rogue Large Language Models" (LLMs), which provide hostile actors with easily accessible planning and evasion methods. Combined with DDoS-for-hire platforms, these tools have significantly lowered the barriers for inexperienced attackers, enabling high-capacity attacks with minimal technical depth. The result is that terabit-scale incidents have transformed from rare occurrences into persistent threats.


Prominent Attacker Groups and Defense Challenges


NoName057(16) Group: Among extremist groups, NoName057(16) continues to carry out the most frequent campaigns, far surpassing its rivals. In March, the group claimed over 475 attacks, primarily targeting government portals in Spain, Taiwan, and Ukraine. Their reliance on diverse flooding techniques indicates both coordination and persistence, suggesting ideological motives beyond opportunistic disruption. While new players like DieNet and Keymous+ have entered the arena with dozens of attacks across multiple sectors, their activity remains smaller compared to the scale of NoName057(16).

Expert Warning: Richard Hummel, NetScout's Threat Intelligence Director, stated that "as extremist groups employ more automation, shared infrastructure, and sophisticated tactics, organizations must realize that traditional defenses are no longer sufficient." "The integration of AI-powered assistants and the use of Large Language Models (LLMs), such as WormGPT and FraudGPT, escalates this concern. While the recent shutdown of NoName057(16) temporarily reduced the group's botnet DDoS activities, preventing its future return to the forefront of extremist DDoS threats is not guaranteed."


DDoS Attack Protection and Mitigation Strategies


Enhanced Protection: To defend against these evolving attacks, organizations can adopt advanced DDoS mitigation strategies that include cloud-based solutions, such as DNS protection or reverse HTTP proxies. These solutions filter out malicious traffic before it reaches the targeted network. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) add a further layer of security by identifying and blocking known attack patterns. Good incident response planning and continuous updates to security infrastructure are crucial for countering the increasing threat of DDoS attacks.
