What Cloudflare’s 2025 internet review says about attacks, outages, and traffic shifts

The internet stayed busy, brittle, and under constant pressure in 2025. Cloudflare’s annual Radar Year in Review offers a wide view of how traffic moved, where attacks clustered, and what failed when systems were stressed.

Cloudflare, which operates a large global network and publishes aggregated internet measurements through its Radar research program, based the report on traffic observed across its infrastructure throughout the year. The findings focus on trends rather than individual incidents, giving security teams context for what changed and what stayed stubbornly familiar.

“The Internet isn’t just changing, it’s being fundamentally rewired. From AI, to more creative and sophisticated threat actors, every day is different. While we celebrated several Internet milestones this year, we also blocked attacks that redefined what ‘scale’ means, and witnessed the traditional business model of online content creation face stark challenges,” said Matthew Prince, CEO at Cloudflare.

Traffic kept growing, but unevenly

Global internet traffic increased again in 2025, continuing a long-running trend. Growth was not evenly distributed across the year. Traffic spikes aligned with major news events, large software releases, and outages at popular platforms.

Mobile traffic continued to take a larger share of overall usage. Cloudflare observed that mobile devices accounted for more than half of global web traffic for much of the year, with mobile usage climbing during regional holidays and major live events. Desktop traffic remained stable but did not grow at the same rate.

Encrypted traffic dominated the picture. HTTPS accounted for over 95 percent of observed requests by the end of the year. Plain HTTP traffic continued to decline, reinforcing the idea that unencrypted web traffic is becoming marginal at scale.

DDoS attacks reached new highs

DDoS attacks remained one of the most visible threats. Cloudflare reported record-breaking attack volumes in 2025, including several attacks that exceeded previous size benchmarks measured in terabits per second.

The frequency of large attacks increased, not just their size. Short bursts lasting under a minute became more common, suggesting attackers were testing defenses or trying to slip past automated mitigation. Longer attacks still occurred, but the data showed more emphasis on speed and repetition.

Network layer attacks remained the most common category, though application layer attacks also grew. HTTP-based floods targeted APIs, login endpoints, and dynamic content more often than static pages. Cloudflare noted that many of these attacks used simple techniques at scale rather than novel methods.

Bots shaped much of the traffic mix

Automated traffic continued to account for a large share of internet activity. Cloudflare classified a significant portion of requests as bot-driven, including both benign and malicious automation.

Search engine crawlers, monitoring tools, and uptime checks made up a steady baseline of good bots. At the same time, Cloudflare observed growth in scraping, credential stuffing, and inventory hoarding activity.

The line between good and bad bots blurred in some cases. Some automated traffic used residential IP addresses and realistic browser signatures, making classification harder. The report showed that bot traffic patterns shifted faster than in previous years, with operators rotating infrastructure and tactics more often.

Outages exposed dependencies

Major internet outages again highlighted how dependent services are on a small number of providers and protocols. Cloudflare tracked multiple large-scale disruptions tied to routing issues, DNS failures, and software bugs.

BGP-related incidents continued to cause widespread impact. Route leaks and misconfigurations disrupted access to popular services across multiple regions at once. The data showed that even short routing errors could ripple globally within minutes.

Application outages also stood out. Failures at widely used SaaS platforms led to visible drops in traffic, followed by sharp rebounds once service returned. Cloudflare’s measurements showed how quickly users shifted behavior during outages, often refreshing or retrying connections at scale.

Country-level disruptions remained common

Internet shutdowns and disruptions at the country level persisted in 2025. Cloudflare observed traffic drops tied to elections, protests, exams, and government actions.

In several cases, traffic declined by more than 50 percent within hours. Some disruptions were brief, while others lasted days. The report showed that shutdowns did not always involve complete blackouts. Throttling and selective blocking were more common than total disconnection.

These events had measurable effects beyond national borders, especially when countries hosted popular services or transit infrastructure. Traffic shifts appeared quickly in neighboring regions when routes changed or services became unreachable.

Security incidents tracked in real time

The report highlighted how quickly attacks and failures now appear in global measurements. Cloudflare’s data showed spikes in malicious traffic within minutes of vulnerability disclosures and public exploit releases.

Security teams increasingly reacted to events as they unfolded, rather than after the fact. The year’s data suggested that attackers monitored the same news and advisories as defenders, moving fast once an opportunity appeared.

Cloudflare also noted that mitigation responses scaled fast. Even during the largest attacks, traffic often stabilized within seconds, showing how automated defenses have become standard at the network edge.


