On February 5, local time, Cloudflare published its DDoS attack landscape report for Q4 2025 and the full year.
The report indicates that in 2025, both the scale and frequency of DDoS attacks hit new records: a total of 47.1 million attacks, up 121% year-over-year. Cloudflare automatically mitigated an average of 5,376 DDoS attacks per hour.
Additionally, 2025 saw the largest publicly reported DDoS attack known to date, which peaked at 31.4 Tbps but lasted only 35 seconds.
The report shows that DDoS attacks totaled 47.1 million in 2025. Relative to 2023, cumulative growth in attack volume from 2023 to 2025 was 236%. Cloudflare mitigated an average of 5,376 attacks per hour in 2025, including 3,925 network-layer attacks and 1,451 HTTP DDoS attacks.
From a growth perspective, network-layer attacks were the largest contributor to the increase in 2025. Cloudflare stated that it mitigated 34.4 million network-layer DDoS attacks in 2025, compared to 11.4 million in 2024, which is more than double year-over-year and just over three times the 2024 count.
Cloudflare disclosed that about 13.5 million of these network attacks targeted its protected global internet infrastructure (including Cloudflare Magic Transit customers and Cloudflare’s own infrastructure). These attacks were part of an 18-day large-scale DDoS campaign in Q1 2025.
Of these, 6.9 million targeted Magic Transit customers, and 6.6 million directly targeted Cloudflare. The campaign involved multi-vector attacks, including SYN Floods, Mirai-based DDoS, and SSDP amplification attacks.
Cloudflare stated that its systems automatically detected and mitigated these attacks, and it only became aware of the campaign’s scale when preparing the Q1 2025 report.
The report shows that DDoS attacks in Q4 2025 increased 31% quarter-over-quarter and 58% year-over-year. During this quarter, 78% of attacks were at the network layer. While the number of HTTP DDoS attacks remained stable, their scale significantly increased.
Cloudflare noted that these attacks reached the highest intensity since the surge of HTTP/2 Rapid Reset attacks in 2023, mainly driven by the Aisuru-Kimwolf botnet.
The Q4 2025 intense attack was dubbed “The Night Before Christmas.” It began on December 19, 2025, when the Aisuru-Kimwolf botnet launched a massive HTTP DDoS attack against Cloudflare’s customers and infrastructure, peaking at over 20 million requests per second (20 Mrps).
Cloudflare said this botnet mainly consisted of infected Android TV devices, estimated to number between 1 million and 4 million, capable of paralyzing critical infrastructure, overwhelming traditional cloud DDoS defenses, and even disrupting entire national networks.
During this campaign, Cloudflare’s automated systems detected and mitigated 902 super-large DDoS attacks (average of 53 per day), including:
384 packet-based attacks
329 bandwidth-based attacks
189 request-based attacks
Cloudflare also disclosed that the average intensity of these large-scale attacks was:
3 billion packets per second (Bpps)
4 Tbps
54 million requests per second (Mrps)
Peak values reached:
9 Bpps
24 Tbps
205 Mrps
The number of massive DDoS attacks continued to rise in 2025, with a 40% increase in Q4 compared to the previous quarter.
Cloudflare stated that as attack numbers increased, their intensity also surged rapidly. Compared to large attacks at the end of 2024, the scale of attacks in 2025 grew by over 700%. One attack peaked at 31.4 Tbps and lasted only 35 seconds. Cloudflare confirmed that its automated DDoS defense systems detected and mitigated this attack as well.
By industry, Cloudflare reported that the most targeted sector in 2025 was Telecommunications, Service Providers, and Carriers, which displaced the Information Technology & Services sector from its long-held top spot.
Additionally, Gambling & Casinos and Gaming ranked third and fourth, respectively. The report also noted that clients offering generative AI services experienced large-scale attacks.
Cloudflare stated that the most attacked regions globally in Q4 2025 included China, Germany, Brazil, and the US — long-standing hotspots. Hong Kong’s ranking rose 12 places to become the second most attacked region worldwide; the UK moved up 36 places to sixth; Vietnam ranked seventh, Azerbaijan eighth, India ninth, and Singapore tenth.
Regarding attack source countries/regions, Cloudflare noted:
Bangladesh became the largest source of DDoS attacks in Q4 2025
Ecuador rose to second place
Indonesia dropped from first to third (having been the top for a year)
Argentina surged 20 places to become the fourth-largest attack source
At the ASN (Autonomous System Number) level, Cloudflare observed that many DDoS attacks originated from IP addresses associated with cloud platforms and providers such as DigitalOcean, Microsoft, Tencent, Oracle, Hetzner, and others.
The report suggests this reflects a strong link between attackers and the availability of “easily rent-able virtual machine resources.” Meanwhile, traditional telecom networks also accounted for a significant portion, mainly from the Asia-Pacific region. Cloudflare emphasized that modern DDoS attacks often involve thousands of different ASNs, indicating a highly globalized distribution of botnet nodes.
To assist hosting providers, cloud platforms, and ISPs in identifying and de-listing malicious IPs/accounts, Cloudflare offers a free DDoS Botnet Threat Feed. The report states that over 800 networks worldwide have joined this threat intelligence initiative, achieving some success through community collaboration.
Cloudflare stressed that the scale and complexity of DDoS attacks are rapidly increasing, surpassing previous expectations. Organizations relying on on-premise hardware or traditional scrubbing centers may need to reassess their defenses. Cloudflare reaffirmed its commitment to providing all customers with free, unmetered DDoS protection, regardless of attack size, duration, or traffic volume.