DDoS attacks serve as instruments of political influence and disruption

In the first half of 2025, there were 8,062,971 DDoS attacks worldwide, with EMEA taking the brunt at 3.2 million attacks, according to Netscout. Peak attacks reached speeds of 3.12 Tbps and 1.5 Gpps.

These attacks have moved beyond simple disruption tools and are now precision instruments of geopolitical influence. They can target critical infrastructure at the most sensitive moments.

Geopolitical events drive global DDoS trends

Major political events triggered significant spikes in attacks. During the World Economic Forum, Switzerland experienced more than 1,400 attacks, double the normal rate for similar periods in December. Italy faced sustained targeting during political discussions.

Meanwhile, the India-Pakistan conflict saw hacktivist groups such as SYLHET GANG-SG and Keymous+ target Indian government and financial sectors. In the Iran-Israel conflict, Iran faced over 15,000 attacks compared to just 279 against Israel.

The surge is being driven by the growing accessibility of attack tools. Readily available DDoS-for-hire services have removed the barriers to entry, allowing even novice actors to launch sophisticated campaigns. This ease of access is further amplified by new technologies. AI-enhanced automation, multi-vector attacks, and carpet-bombing techniques can now overwhelm traditional defenses with ease.

Botnets and hacktivists ramp up attacks

Attackers didn’t need new exploits to drive more than 27,000 botnet-driven DDoS attacks in March 2025. Instead, they relied on previously known vulnerabilities to carry out more campaigns, and longer-lasting ones, targeting service providers with an average of one attack every two minutes.

March 2025 saw 880 bot-driven DDoS attacks per day, peaking at 1,600 incidents. Attack durations also increased, averaging 18 minutes and 24 seconds, with threat actors using complex multi-vector strategies and exploiting vulnerabilities in IoT devices.

The hacktivist group NoName057 maintained its dominance in both claimed operations and actual attack activity. The group used techniques such as TCP ACK floods, TCP SYN floods, and HTTP/2 POST requests, primarily targeting government websites in Spain, Taiwan, and Ukraine.

Meanwhile, the newly formed hacktivist group DieNet orchestrated more than 60 DDoS attacks, going after critical infrastructure from U.S. transit systems to Iraqi government websites. Their targets included transportation, energy, medical systems, and digital commerce.

“As hacktivist groups leverage more automation, shared infrastructure, and evolving tactics, organizations must recognize that traditional defenses are no longer sufficient,” stated Richard Hummel, director, threat intelligence, Netscout. “The integration of AI assistants and the use of large language models (LLMs), such as WormGPT and FraudGPT, escalates that concern. And, while the recent takedown of NoName057(16) was successful in temporarily reducing the group’s DDoS botnet activities, preventing a future return to the top DDoS hacktivist threat is not guaranteed. Organizations need intelligence-driven, proven DDoS defenses that can deal with the sophisticated attacks we see today.”


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.