Germany Most Targeted Country in Q1 2025 DDoS Attacks
Cloudflare’s Q1 2025 DDoS Threat Report: DDoS attacks surged 358% YoY to 20.5M. Germany hit hardest; gaming and telecom were among the top targets.
The digital world faced an unprecedented onslaught of Distributed Denial of Service (DDoS) attacks in the first quarter of 2025, according to Cloudflare’s latest threat report. The sheer volume of these malicious attempts to disrupt online services reached a staggering 20.5 million, marking an astounding 358% increase compared to the same period last year.
Cloudflare’s report shows a concerning 198% quarter-over-quarter (QoQ) increase in attack numbers, and the DDoS attacks blocked in the first three months of 2025 already amount to 96% of the number blocked in the entire year of 2024. These findings corroborate the latest Link11 European Cyber Report, which also found DDoS attacks increasing substantially in 2025.
Around 6.6 million of these malicious attacks directly targeted Cloudflare’s network infrastructure in an 18-day multi-vector campaign, using techniques like SYN floods, Mirai botnet attacks, and SSDP amplification. This highlights the vulnerability of security service providers themselves to sophisticated attempts to overwhelm their defences and underscores the need for continuous security measures.
Furthermore, the report highlighted a disturbing trend in the rise of hyper-volumetric DDoS attacks, those exceeding the massive threshold of 1 Terabit per second (Tbps) or 1 Billion packets per second (Bpps). In the first quarter alone, Cloudflare successfully mitigated over 700 of these colossal attacks, averaging about eight such events every single day.
In Q1 2025, Germany became the most attacked country, followed by Turkey and China, whereas Hong Kong became the top source of DDoS attacks, followed by Indonesia and Argentina.
The gambling and casinos industry claimed the top spot among targeted industries, while the Telecommunications, Service Providers, Carriers, Cyber Security, Airlines, Aviation & Aerospace industries were also among the most targeted in DDoS attacks. Major cloud computing and hosting providers like Hetzner, OVH, and DigitalOcean consistently appeared as significant sources of HTTP DDoS attacks.


Moreover, Cloudflare observed and blocked “dozens of hyper-volumetric DDoS attacks” in the latter half of April. These included record-breaking events, with one attack peaking at an astonishing 4.8 Bpps, a 52% increase over the previous record. Separately, they defended against a massive 6.5 Tbps flood, matching the highest bandwidth attack ever publicly reported.
Interestingly, most targeted customers didn’t know the attackers’ identities, but those who had some insight cited competitors (39%) as key threats, particularly in the gaming and gambling sectors. Other identified threat actors included state-level actors (17%), disgruntled users or customers (11%), and self-inflicted DDoS attacks (11%).
Network layer attacks were dominated by SYN floods, followed by DNS floods. A significant shift saw Mirai botnet attacks rise to the third most common, pushing UDP floods down. In HTTP attacks, over 60% originated from known botnets, highlighting their continued effectiveness.
The report also identified major emerging threats with substantial quarter-over-quarter growth: CLDAP reflection/amplification surged by 3,488%, and ESP reflection/amplification increased by 2,301%.
While large attacks get attention, most DDoS attacks in Q1 2025 were small: 99% of Layer 3/4 attacks were under 1 Gbps/1 Mpps (million packets per second), and 94% of HTTP attacks were below 1 Mrps (million requests per second). The report stresses that even these “small” attacks can overwhelm unprotected systems. Additionally, most attacks are brief: 89% of Layer 3/4 and 75% of HTTP attacks lasted under 10 minutes, which makes always-on, automated mitigation necessary.