Executive Summary
The third quarter of 2025 was overshadowed by the Aisuru botnet—a Mirai variant commanding an estimated 1-4 million infected IoT devices globally. This 'apex of botnets' unleashed hyper-volumetric DDoS attacks routinely exceeding 1 terabit per second (Tbps) and 1 billion packets per second (Bpps), culminating in the world record-breaking 29.7 Tbps attack and a 14.1 Bpps attack that rewrote our understanding of botnet capabilities.
Cloudflare's 23rd DDoS Threat Report reveals the quarter's scope: 8.3 million DDoS attacks automatically detected and mitigated—a 15% increase quarter-over-quarter and 40% year-over-year. That translates to approximately 3,780 attacks per hour. With an entire quarter remaining in 2025, Cloudflare has already mitigated 36.2 million attacks—170% of the total 2024 volume.
This report analyzes the Q3 2025 DDoS landscape, examining Aisuru's dominance, the shift in attack types, emerging industry targeting patterns, and the geopolitical factors driving attack activity. The data reveals both the escalating threat and the evolving defensive capabilities needed to counter it.
Q3 2025 by the Numbers
DDoS attacks in Q3 2025
Largest DDoS ever recorded
Attack volume already exceeds 2024
Average attack frequency
The Aisuru botnet dominated Q3 2025 with an estimated **1-4 million infected hosts** globally. Since January 2025, Cloudflare has mitigated **2,867 Aisuru attacks**, with **1,304 hyper-volumetric attacks** in Q3 alone—a **54% QoQ increase**. These include the world record **29.7 Tbps UDP carpet-bombing attack** that bombarded an average of 15K destination ports per second, and a **14.1 Bpps packet-rate attack**. Aisuru has caused 'widespread collateral Internet disruption' in the US simply from the volume of botnet traffic routing through ISPs.
Attack Type Breakdown
The quarter saw a significant shift toward network-layer attacks, though HTTP DDoS remains a significant threat vector.
| Attack Type | Q3 2025 Volume | Share | QoQ Change | YoY Change |
|---|---|---|---|---|
| Network-Layer DDoS | 5.9 million | 71% | +87% | +95% |
| HTTP DDoS | 2.4 million | 29% | -41% | -17% |
| Attacks >100 Mpps | Significant | - | +189% | - |
| Attacks <10 min duration | Majority | 71-89% | - | - |
Q3 2025 Attack Characteristics
Network-Layer Dominance
Network-layer attacks accounted for 71% of Q3 attacks (5.9 million), increasing 87% QoQ and 95% YoY. This represents a shift from application-layer targeting.
Short, Intense Bursts
Most attacks remain brief: 71% of HTTP DDoS and 89% of network-layer attacks lasted less than 10 minutes. Intensity within these windows has dramatically increased.
Packet Rate Escalation
Attacks exceeding 100 million packets per second (Mpps) increased 189% quarter-over-quarter, indicating more powerful botnet infrastructure.
Botnet Attribution
Nearly 70% of HTTP DDoS attacks originated from known botnets. Aisuru specifically targeted telecommunications, gaming, hosting, and financial services.
Emerging Industry Targets
Q3 2025 revealed significant shifts in industry targeting, driven by both economic factors and geopolitical tensions. The most notable trend was the dramatic surge in attacks against AI companies—DDoS traffic increased by as much as 347% month-over-month in September 2025 as public concern and regulatory scrutiny of AI intensified.
Geopolitical factors also drove targeted campaigns. Escalating EU-China trade tensions over rare earth minerals and EV tariffs coincided with significant increases in attacks against the Mining, Minerals & Metals industry and the Automotive sector. These attacks appear designed to apply economic pressure during sensitive trade negotiations.
Geographic analysis shows seven of the ten top attack source locations were in Asia: Indonesia, Thailand, Bangladesh, Vietnam, India, Hong Kong, and Singapore. The most attacked countries included China, Turkey, Germany, Brazil, the US, Russia, Vietnam, Canada, South Korea, and the Philippines—a geographically diverse target list reflecting multiple ongoing conflicts and tensions.
AI Industry Under Attack
AI industry attack increase in September
During AI regulatory discussions
AI companies across all regions
2025 Year-to-Date Perspective
With Q4 2025 still underway, the year's attack volume has already dramatically exceeded 2024.
| Metric | 2025 YTD (Q1-Q3) | Full Year 2024 | Comparison |
|---|---|---|---|
| Total Attacks Mitigated | 36.2 million | 21.3 million | 170% of 2024 |
| Q1 2025 Attacks | 20.5 million | - | 358% YoY |
| Q3 2025 Attacks | 8.3 million | - | 40% YoY |
| Record Attack Size | 29.7 Tbps | 5.6 Tbps | 5.3x larger |
Attack Origin Analysis
Asia Dominance
7 of 10 top attack sources were Asian locations: Indonesia, Thailand, Bangladesh, Vietnam, India, Hong Kong, Singapore.
Top Targets
Most attacked countries: China, Turkey, Germany, Brazil, USA, Russia, Vietnam, Canada, South Korea, Philippines.
Sector Targets
Telecommunications, gaming companies, hosting providers, and financial services were primary Aisuru targets.
Geopolitical Context
Escalating disputes over rare earth mineral exports and electric vehicle tariffs coincided with increased DDoS activity against Mining, Minerals & Metals and Automotive industries in both regions. These attacks appear designed to apply economic pressure during trade negotiations.
Ongoing geopolitical conflicts continue to drive hacktivist DDoS activity. Attacks correlate with news events, military actions, and diplomatic developments, particularly affecting government, media, and critical infrastructure targets.
The 347% surge in attacks against AI companies in September 2025 correlated with increased regulatory proposals and public debate about AI safety and governance. Motivations may include protest, competitive disruption, or attempts to influence policy discussions.
Aisuru's attacks have caused 'widespread collateral Internet disruption' in the US, as reported by Krebs on Security. The sheer volume of attack traffic routing through ISPs affects uninvolved parties, raising infrastructure resilience concerns.
Defensive Implications
Prepare for Terabit-Scale Attacks
The 29.7 Tbps record demonstrates that terabit-scale attacks are now operational reality. Organizations must ensure their mitigation infrastructure can handle attacks of this magnitude.
Multi-Vector Defense
With network-layer attacks up 95% YoY and HTTP attacks still significant, organizations need comprehensive L3-L7 protection. Single-layer defenses are insufficient.
Rapid Response Capability
71-89% of attacks last under 10 minutes. Defenses must activate automatically and instantly—manual response is too slow for modern attack patterns.
Botnet Intelligence Integration
With 70% of HTTP attacks from known botnets, threat intelligence on botnet infrastructure provides actionable defense. Integrate feeds that track Aisuru and similar threats.
Industry-Specific Awareness
AI companies, automotive, mining, and traditionally targeted sectors (telecom, gaming, finance) should elevate their DDoS posture given documented targeting patterns.
Geopolitical Monitoring
Attack patterns correlate with geopolitical events. Organizations with exposure to affected regions or industries should heighten alertness during escalating tensions.
How TR7 Protects Against Modern DDoS
Terabit-Scale Capacity
TR7's DDoS protection platform is architected for hyper-volumetric attacks. Absorb terabit-scale attacks without service degradation.
L3-L7 Protection
Comprehensive multi-layer defense addresses both the 71% network-layer and 29% application-layer attack distribution seen in Q3 2025.
Botnet Detection
Identify and block traffic from known botnets including Aisuru. Behavioral analysis detects emerging botnet patterns.
Instant Mitigation
Automated detection and response in milliseconds. No manual intervention required for attacks lasting under 10 minutes.
Real-Time Analytics
Live attack visibility and trend analysis. Monitor attack patterns and correlate with threat intelligence.
Global Distribution
Geographically distributed infrastructure mitigates attacks at the edge, close to attack sources.
References & Sources
Primary source for Q3 2025 statistics, Aisuru botnet analysis, and attack trends. https://blog.cloudflare.com/ddos-threat-report-2025-q3/
Interactive data and visualizations for Q3 2025 DDoS trends. https://radar.cloudflare.com/reports/ddos-2025-q3
Details on the 29.7 Tbps record attack and Aisuru infrastructure. https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html
Q1 2025 baseline with 20.5 million attacks and 358% YoY increase. https://blog.cloudflare.com/ddos-threat-report-for-2025-q1/
Reporting on collateral internet disruption caused by Aisuru attack traffic volume.
Prepare for the Terabit Era
Q3 2025 redefined DDoS scale with record-breaking attacks exceeding 29 Tbps. TR7's DDoS protection platform provides the capacity, speed, and intelligence needed to defend against modern hyper-volumetric threats.
Explore DDoS Protection