Cloudflare blocked 7.3 million Distributed Denial of Service (DDoS) attacks in Q2 2025, a drop from Q1’s 20.5 million, but 44% higher year-over-year (YoY) compared to Q2 2024. While network-layer attacks dropped 81% quarter-over-quarter (QoQ), Hypertext Transfer Protocol (HTTP) attacks rose 9% from Q1, and a staggering 129% from Q2 2024, totaling 4.1 million, noted the 22nd edition of the Cloudflare DDoS threat report.
China became the most attacked country in Q2 2025, followed by Brazil, Germany and India. Russia and Vietnam saw dramatic leaps into the top 10 most attacked locations, jumping forty and fifteen places respectively.
Indonesia rose to the number one source of DDoS attacks, followed by Singapore and Hong Kong. Russia and Ecuador also made major climbs into the top 10.
Telecommunications, service providers and carriers topped the list of most attacked industries in Q2. The internet and IT sectors followed, while agriculture made a surprising 38-spot jump to eighth place.
(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)
June was the busiest month for DDoS attacks in Q2, accounting for nearly 38% of all observed activity. One notable target was an independent Eastern European news outlet protected by Cloudflare, which reported being attacked following its coverage of a local Pride parade during LGBTQ Pride Month.
Overall, in Q2, hyper-volumetric DDoS attacks skyrocketed. Cloudflare blocked over 6,500 hyper-volumetric DDoS attacks, an average of 71 per day. Hyper-volumetric attacks include L3/4 DDoS attacks exceeding 1 Bpps or 1 Tbps, and HTTP DDoS attacks exceeding 1 million requests per second (Mrps).
A majority (71%) of respondents said they didn’t know who was behind the DDoS attacks they experienced in 2025 Q2. 29% claimed to have identified the threat actor, 63% pointed to competitors, a pattern especially common in the Gaming, Gambling and Crypto industries.
Another 21% attributed the attack to state-level or state-sponsored actors, while 5% each said they’d inadvertently attacked themselves (self-DDoS), were targeted by extortionists, or suffered an assault from disgruntled customers/users.
