The latest Gcore Radar report analyzing attack data from Q1–Q2 2025, reveals a 41% year-on-year increase in total attack volume. The largest attack peaked at 2.2 Tbps, surpassing the 2 Tbps record in late 2024. Attacks are growing not only in scale but in sophistication, with longer durations, multi-layered strategies, and a shift in target industries. Technology now overtakes gaming as the most attacked sector, while the financial services industry continues to face heightened risks.
Key takeaways: the evolving DDoS landscape
Here are five key insights from the Q1–Q2 2025 Gcore Radar report:
- Attack volumes are rising. Total attacks climbed from 969,000 in H2 2024 to 1.17 million in H1 2025, a 21% increase over the previous two quarters and 41% YoY growth.
- Attack size continues to grow. The peak attack of 2.2 Tbps demonstrates the increasing scale and destructive potential of modern DDoS campaigns.
- Attacks are becoming longer and more sophisticated. Extended durations and multi-layered tactics allow threat actors to bypass defenses and maximize disruption.
- The industries targeted are shifting. Technology overtakes gaming as the top target, while financial services is being increasingly targeted.
- Application-layer attacks are on the rise. Multi-vector assaults targeting web applications and APIs now account for 38% of total attacks, up from 28% in Q3–Q4 2024.
DDoS attack frequency has surged
Gcore Radar highlights a continued upward trajectory in DDoS activity. Compared to H2 2024, attack volumes rose 21%, while YoY growth reached 41%, underscoring a long-term escalation trend. Several factors contribute to this rise:
- Accessible attack tools: Cheap DDoS-for-hire services empower more threat actors.
- Vulnerable IoT devices: Unsecured devices are hijacked into large-scale botnets, amplifying attack volumes.
- Geopolitical and economic tensions: Global instability drives more frequent and targeted attacks.
- Advanced attack techniques: Multi-vector and application-layer attacks increase both complexity and impact.
The largest attack reached 2.2 Tbps
The peak assault in Q1–Q2 2025 hit 2.2 Tbps, surpassing late 2024’s 2 Tbps attack. While attacks exceeding 1 Tbps remain rare, their frequency is rising, highlighting attackers’ growing ambition to overwhelm networks, applications, and services. Even smaller attacks can incapacitate unprotected systems.
Industries targeted are shifting
Technology now represents 30% of all DDoS attacks, overtaking gaming (19%). Hosting providers supporting SaaS, e-commerce, gaming, and financial clients are particularly vulnerable, as a single attack can trigger ripple effects across multiple dependent businesses.
Financial services account for 21% of attacks. Banks and payment systems are prime targets due to high disruption potential, regulatory sensitivity, and ransomware risk.
Gaming continues to face significant threats, but improved defenses and strategic attacker shifts reduced its share from 34% in H2 2024 to 19% in H1 2025. Key drivers of ongoing attacks include competitive advantage and revenue impact.
Telecommunications now make up 13% of attacks, reflecting their role as critical internet infrastructure.
Media, entertainment, and retail see more moderate attack levels, with media at 10% and retail at 5–6%.
Attack duration and tactics
Recent data shows a shift toward longer, more sustained assaults. Attacks under 10 minutes decreased by roughly 33%, while 10–30 minute attacks nearly quadrupled. Maximum attack duration slightly decreased, from five hours to three, indicating a focus on concentrated, high-impact campaigns.
Short bursts remain preferred. Despite longer attacks gaining prevalence, brief attacks remain highly disruptive, evading automated defenses and often serving as smokescreens for multi-stage cyberattacks.
Attack vectors
In terms of network-layer attack vectors, UDP flood attacks remain dominant, accounting for 56% of network-layer attacks, followed by SYN floods (17%), TCP floods (10%), ACK floods (8%), and ICMP (6%). Multi-vector approaches allow attackers to mask malicious activity as legitimate traffic.
ACK flood attacks continue to rise, now making up 8% of network-layer traffic, highlighting their ability to bypass detection.
Application-layer attack vectors
L7 UDP floods dominate (62%), followed by L7 TCP floods (33%), with other attack types at 5%. Attackers increasingly exploit business logic and APIs to disrupt operations beyond traditional network overload.
Geographical trends
The United States and the Netherlands remain top sources for network-layer attacks. Hong Kong emerges as a new significant source, contributing 17% of network-layer and 10% of application-layer attacks.
These findings highlight the need for proactive, geographically aware defenses.
Multi-layered attacks highlight the critical role of WAAP
Attackers are increasingly targeting web applications and APIs, exploiting inventory systems, payment flows, and customer interaction points. These attacks often combine volumetric disruption with manipulation of economic logic, affecting sectors such as e-commerce, logistics, online banking, and public services.
Gcore DDoS Protection: defending against evolving threats
Gcore DDoS Protection leverages 200+ Tbps filtering capacity across 210+ PoPs worldwide, neutralizing attacks in real time. Integrated Web Application and API Protection (WAAP) combines DDoS mitigation, bot management, and API security to protect critical assets while maintaining performance.
