What is a DDoS attack?
Threat actors are turning millions of compromised devices into weapons that can be trained on your business – how worried should you be?
Max Slater-Robins
Distributed denial of service (DDoS) attacks present a devastating threat to business operations when executed successfully. This hostile methodology involves overwhelming a service with internet traffic from multiple sources, allowing attackers to take websites offline, disrupt critical infrastructure, and cause widespread operational damage.
In recent years, the scale and frequency of DDoS attacks have escalated dramatically. In 2025, Cloudflare reported mitigating over 20 million DDoS attacks in Q1 alone – a figure that nearly surpasses the total for all of 2024.
Hyper-volumetric attacks exceeding 1 Tbit/sec are no longer rare, and new tactics are making mitigation increasingly complex, even for capable IT departments.
As attack volumes surge and tactics evolve, DDoS has become more than just a blunt instrument of disruption. The past five years have seen an explosion in both the size and sophistication of these attacks – from record-breaking multi-terabit floods to targeted strikes at the application layer.
For businesses and public services alike, the need for robust, adaptive defences has never been more urgent.
How do DDoS attacks work?
At the most basic level, a DDoS attack attempts to render a website, server, or online service inaccessible by overwhelming it with traffic. Unlike traditional denial of service attacks that come from a single source, DDoS campaigns enlist thousands – sometimes even millions – of devices to flood a target simultaneously.
These devices often form part of a botnet, a network of compromised machines that frequently includes Internet of Things (IoT) devices such as smart cameras, routers, and even printers. Compromised devices can be used without the knowledge of their owners.
There are several types of DDoS attack, each targeting different layers of a system’s infrastructure: volumetric, protocol, and application-layer.
Volumetric attacks focus on saturating bandwidth by sending vast amounts of data to the network, while protocol attacks, such as SYN floods or ping of death, exploit weaknesses in networking protocols to exhaust server resources.
Meanwhile, application-layer attacks mimic legitimate user behaviour – such as HTTP GET or POST requests – to overwhelm a service from within, often bypassing traditional perimeter defenses.
Increasingly, attackers are combining these methods in multi-vector attacks, which strike multiple layers at once. These attacks are particularly hard to mitigate, requiring layered and automated defences that can filter traffic in real time.
Another challenge lies in the rise of amplification and reflection techniques, where attackers send small requests to misconfigured servers (like open DNS resolvers or NTP servers) that then “reflect” much larger responses to the victim. This enables threat actors to amplify their attack volume by up to 70 times, according to Cloudflare’s Q4 2024 DDoS threat report.
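A victim-side check for the reflection pattern described above, as an added example that is not from the original article: it flags inbound DNS or NTP responses that no local host requested. The flow tuple layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP services the passage names as common reflectors (DNS, NTP).
REFLECTOR_PORTS = {53: "dns", 123: "ntp"}

def find_reflection(flows, window=5.0, min_bytes=10_000):
    """Flag inbound UDP 'responses' that no local host asked for.

    flows: iterable of (ts, direction, local_ip, remote_ip, remote_port, bytes)
    direction is "out" (local -> remote) or "in" (remote -> local); for "in"
    records remote_port is the source port of the packet.
    Returns {(local_ip, service): {"bytes": n, "sources": count}} for targets
    whose unsolicited response volume reaches min_bytes.
    """
    last_query = {}  # (local, remote, port) -> time of last outbound request
    unsolicited = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for ts, direction, local, remote, port, size in sorted(flows):
        if port not in REFLECTOR_PORTS:
            continue
        key = (local, remote, port)
        if direction == "out":
            last_query[key] = ts
        elif ts - last_query.get(key, float("-inf")) > window:
            # No matching recent request from this host: consistent with a
            # reflected response to a query that carried a spoofed source.
            hit = unsolicited[(local, REFLECTOR_PORTS[port])]
            hit["bytes"] += size
            hit["sources"].add(remote)
    return {k: {"bytes": v["bytes"], "sources": len(v["sources"])}
            for k, v in unsolicited.items() if v["bytes"] >= min_bytes}

# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    (0.0, "out", "192.0.2.10", "198.51.100.1", 53, 60),    # genuine lookup
    (0.1, "in",  "192.0.2.10", "198.51.100.1", 53, 180),   # its answer
    (1.0, "in",  "192.0.2.20", "203.0.113.5",  53, 4000),  # never requested
    (1.1, "in",  "192.0.2.20", "203.0.113.6",  53, 4000),
    (1.2, "in",  "192.0.2.20", "203.0.113.7", 123, 4400),
    (1.3, "in",  "192.0.2.20", "203.0.113.8",  53, 4100),
]

if __name__ == "__main__":
    for (target, service), stats in find_reflection(SAMPLE_FLOWS).items():
        print(target, service, stats)
```

Many distinct sources sending unrequested responses to one host is the signal; the byte threshold keeps stray late replies from raising alerts.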
DDoS trends over the past five years
The past five years have seen DDoS attacks grow from blunt-force disruptions into highly targeted, strategic threats.
Attack volumes dipped slightly in 2021, with Nexusguard recording a 13% drop in attack count and a 50% decrease in average size. But this decline masked a tactical shift. Rather than relying on volume, attackers increasingly used multi-vector approaches that blended volumetric, protocol and application-layer techniques – making them harder to mitigate.
By 2022, the threat had intensified. Nexusguard observed a 75% jump in attack frequency in the first half of the year, while 2023 saw Cloudflare mitigate over 26 trillion malicious requests. HTTP-based attacks doubled, often targeting APIs and login systems. Attackers were now focusing on disruption with precision, not just scale.
In 2024, Cloudflare recorded a total of 21.3 million DDoS attacks – blocking 4,870 per hour. Halloween 2024 brought the largest yet: a 5.6Tbit/sec flood powered by a Mirai-variant botnet using 13,000 devices. Between Q3 and Q4 that year, attacks exceeding 1 Tbit/sec grew by 1,885%.
Across 2025, DDoS attacks have only worsened. Cloudflare now mitigates 5,376 DDoS attacks each hour, and measured over double the number seen the previous year, for a total of 47.1 million DDoS attacks. Over the course of the year, telcos became the most-attacked industry, with the Asia-Pacific region particularly heavily targeted.
As more attacks breach the 1Tbps mark and application-layer strikes grow in intensity, the DDoS threat is more sophisticated – and relentless – than ever. In the future, researchers warn attackers could use AI to launch even larger DDoS attacks. Alarmingly, there are growing signs that threat actors may already be doing so.
What is the business impact of DDoS attacks?
It’s clear DDoS attacks are reaching new levels of scale and intensity, something that IT departments across the world are tracking closely.
On 19 December 2025, Cloudflare mitigated a record-breaking assault powered by the Aisuru-Kimwolf botnet. This is formed from an estimated 1-4 million Aisuru-infected IoT devices, network devices, and virtual machines (VMs), paired with Android devices including mobile phones and smart TVs infected with the Kimwolf botnet.
The attack, launched against Cloudflare itself as well as its customers, involved 20 million requests per second and a total of 902 hyper-volumetric attacks.
Campaigns like this are designed not just to disrupt websites, but to exhaust backend systems and degrade performance silently over time.
The financial impact can be steep.
Industry estimates suggest that sustained attacks can cost mid-to-large organisations hundreds of thousands of pounds per hour, depending on the sector. In one notable case from 2023, a UK fintech firm suffered over £2 million in losses following a 12-hour outage, with costs spanning downtime, compensation, and legal recovery.
But the longer-term effects often prove more disruptive. Rebuilding trust, investigating weaknesses, and reconfiguring systems all take time – and resources. As DDoS-for-hire services proliferate and attackers refine their methods, robust mitigation is no longer optional – it’s essential.
DDoS attacks have become a constant in today’s threat landscape. No longer just blunt-force disruptions, they’ve grown in frequency, complexity and impact. while it was dealing with one.
It’s therefore more important than ever that businesses know how to effectively recover from a DDoS attack.
For businesses, the fallout goes far beyond downtime. Even brief outages can disrupt transactions, damage customer trust, and trigger lasting operational headaches. As reliance on cloud platforms grows, so does the risk of wider service interruptions and revenue loss.
This rising threat has prompted greater scrutiny from both regulators and insurers. In sectors like finance and healthcare, DDoS resilience is increasingly seen as a compliance issue. Insurers, too, are demanding proof of preparedness before underwriting risk.
Ultimately, DDoS defence now demands a proactive mindset. Scalable, layered mitigation must be built into infrastructure – not bolted on after the fact. As attackers become more agile, so too must defenses.