Distributed denial-of-service (DDoS) attacks are spreading across the global internet infrastructure without regard to industry or country, and Korea has been reported as the fifth most affected in the world. The intensity and frequency of DDoS threats have increased, including the occurrence of the largest attack ever recorded at 7.3 terabits per second (Tbps).
Cloudflare announced in its '2025 second quarter DDoS threat report' released on the 16th that 38% of all DDoS attacks occurred in June alone. During this period, a news outlet in Eastern Europe faced a large-scale attack following coverage of an LGBTQ pride event.
In this quarter, the largest attack size that Cloudflare automatically blocked reached 7.3 Tbps, setting a new record. An average of 71 incidents per day, totaling 6,500 massive volumetric attacks were blocked, and HTTP DDoS attacks increased by 129% compared to the previous year.
On the other hand, layer 3 and layer 4 attacks decreased by 81% compared to the previous quarter; however, the total number of DDoS attacks increased by 44% year-on-year. Notably, the massive volumetric attacks that unleashed over 100 million packets per second increased by 592% compared to the previous quarter, and attacks exceeding 1 Tbps also more than doubled.
The industries most affected by attacks were telecommunications, service providers, and carriers. The internet, information technology, and gaming industries followed, while the agriculture industry rose 8 places to 8th compared to the previous quarter, becoming a new target.
By country, attacks were concentrated in China, Brazil, and Germany, with Korea ranking 5th, climbing 4 places compared to the previous quarter. Russia and Azerbaijan surged 40 and 31 places respectively, indicating a shift toward being threat actors or target countries.
The top origins of attacks included Indonesia, Singapore, and Hong Kong, while Russia and Ecuador saw significant rises in ranks. Cloudflare explained that the statistics reflect the location of botnet nodes or proxy servers rather than the actual physical location of the attackers.
The primary sending networks for HTTP DDoS attacks were A1 Telekom Austria, DigitalOcean in the United States, and Hetzner in Germany. Many of these are cloud or virtual machine (VM)-based service providers, with the spread of VM-based botnets identified as a major cause of the increase in DDoS attacks.
In layer 3 and layer 4 attacks, DNS (Domain Name System), SYN (synchronization signal), and UDP (User Datagram Protocol) were majorly utilized as vectors. Notably, DNS-based attacks accounted for about one-third of all layer 3 and layer 4 attacks.
The report also noted a rapid increase in new types of attacks exploiting old or non-standard protocols such as Teeworlds, RIPv1, Remote Desktop Protocol (RDP), DemonBot, and VxWorks. Teeworlds-based attacks surged 385% compared to the previous quarter.
According to the report, 94% of all DDoS attacks were small-scale at under 500 Mbps, but it warned that they could significantly impact unprotected servers. Six percent of HTTP DDoS attacks made 1 million requests per second, while 0.05% of layer 3 and layer 4 attacks exceeded 1 Tbps.
The duration of attacks was mostly short, with the largest recorded attack of 7.3 Tbps lasting only 45 seconds. Cloudflare analyzed that these 'short and strong' attacks are a strategy to evade detection and maximize disruption before defenses can be activated.
Cloudflare emphasized that 'DDoS defense is no longer an option but a necessity,' stating that 'only a continuous and automated real-time response system can effectively respond to such high-intensity and high-speed attacks.'