DDoS in 2025: Record Attacks, New Vectors, and What Defenders Must Know
The Numbers Are Getting Worse
The first quarter of 2025 saw DDoS attacks reach a scale that would have seemed impossible just three years ago. Multi-terabit attacks are no longer rare — they’re becoming routine for well-resourced threat actors.
Key trends from threat intelligence reports this quarter:
- Volumetric attacks peaked above 4.2 Tbps in isolated incidents
- HTTP/2 Rapid Reset exploitation continues at scale despite patches
- AI-assisted botnet coordination is reducing attack ramp-up times
- Carpet bombing (distributing attack across entire subnets) up 300% YoY
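Carpet bombing works precisely because per-destination-IP thresholds never fire. The following added example (not code from the article) shows the defensive counter: aggregate flow volume by destination /24 as well as by destination IP. The flow records and both thresholds are constructed and assumed for illustration.

```python
"""Carpet-bombing detection on flow records (added example, not from the article).

Each destination host in the victim /24 stays under the per-IP threshold, so a
per-IP rule is silent; summing the same flows per destination /24 exposes it.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: (dst_ip, bytes) flow records within a 1-second window.
# 254 hosts in 203.0.113.0/24 each receive 4 MB; one unrelated host gets a normal 1 MB.
SAMPLE_FLOWS = [(f"203.0.113.{h}", 4_000_000) for h in range(1, 255)]
SAMPLE_FLOWS.append(("198.51.100.7", 1_000_000))

PER_IP_LIMIT_BPS = 8 * 10_000_000       # assumed: 80 Mbit/s per destination host
PER_PREFIX_LIMIT_BPS = 8 * 200_000_000  # assumed: 1.6 Gbit/s per destination /24


def aggregate(flows, window_seconds=1.0):
    """Return (bits/s per dst IP, bits/s per dst /24) for one window of flows."""
    per_ip = defaultdict(int)
    per_prefix = defaultdict(int)
    for dst, nbytes in flows:
        bits = nbytes * 8
        per_ip[dst] += bits
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        per_prefix[str(net)] += bits
    return ({k: v / window_seconds for k, v in per_ip.items()},
            {k: v / window_seconds for k, v in per_prefix.items()})


def detect(flows, window_seconds=1.0):
    """Return (hot_ips, hot_prefixes): destinations exceeding their thresholds."""
    per_ip, per_prefix = aggregate(flows, window_seconds)
    hot_ips = sorted(ip for ip, bps in per_ip.items() if bps > PER_IP_LIMIT_BPS)
    hot_prefixes = sorted(p for p, bps in per_prefix.items() if bps > PER_PREFIX_LIMIT_BPS)
    return hot_ips, hot_prefixes


if __name__ == "__main__":
    ips, prefixes = detect(SAMPLE_FLOWS)
    print("per-IP alerts:", ips)          # [] : every host is at 32 Mbit/s, under 80
    print("per-/24 alerts:", prefixes)    # ['203.0.113.0/24'] : about 8.1 Gbit/s in aggregate
```

In production the same aggregation is applied to sampled NetFlow/sFlow or to your scrubbing provider's telemetry, and the /24 alert is what justifies announcing the whole prefix into mitigation rather than a single host.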
HTTP/2 Rapid Reset: Still Dangerous
The HTTP/2 Rapid Reset vulnerability (CVE-2023-44487) continues to be exploited well into 2025. Attackers abuse the stream cancellation mechanism to generate massive request floods from relatively small botnets.
If you haven’t already:
# Limit HTTP/2 streams per connection in NGINX (128 is also the built-in default; lower it to tighten)
http2_max_concurrent_streams 128;
# Per-client request rate zone: 10 MB of shared state, 100 requests/second per source IP
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/s;
# The zone enforces nothing until a limit_req directive references it
server { location / { limit_req zone=api burst=20 nodelay; } }
Cloudflare, AWS CloudFront, and Google Cloud automatically mitigate this at their edge — another reason to put your origin behind a CDN with active DDoS scrubbing.
The AI Factor
Offensive AI is making botnets smarter. We’re now seeing:
- Adaptive attack patterns that shift vectors when rate limiting kicks in
- Target fingerprinting to identify weak points before the main attack
- CAPTCHA solving pipelines for Layer 7 application attacks
On the defensive side, AI is equally valuable — anomaly detection models can identify attack signatures faster than human analysts and apply mitigation rules in real time.
Cloudflare’s Response
Cloudflare’s autonomous DDoS protection now handles hundreds of millions of attack events per day. Their Magic Transit product provides BGP-advertised DDoS scrubbing for on-premises networks — meaning even non-HTTP infrastructure gets protection.
For most organizations, the priority order should be:
- Put everything behind a CDN/scrubbing service — don’t expose raw IPs
- Enable BGP blackhole communities with your upstream for emergency use
- Deploy RTBH (Remotely Triggered Black Hole) for critical prefixes
- Test your runbook — a DDoS during an incident is the wrong time to figure out escalation
What To Watch
The vector that concerns defenders most right now is amplification via QUIC. QUIC’s connection establishment is being probed for reflection potential, and if viable amplification factors are found, the industry needs to be ready.
Stay sharp, patch fast, and make sure your upstream knows your emergency contact before you need it.