Cloudflare says DDoS crews ended 2025 by pushing traffic floods to new extremes, while Britain made an unwelcome leap of 36 places to become the world's sixth-most targeted location.

The Q4 stats confirm it was a lively year for traffic floods, with Cloudflare claiming it had to swat away 47.1 million DDoS attacks, more than double 2024's count. Momentum picked up toward the end of the year, as Q4 volumes jumped 31 percent from the prior quarter and 58 percent over 2024.

Aisuru-Kimwolf, a botnet made up largely of malware-infected Android TVs, was behind the largest blast of the quarter, pushing traffic to a record-breaking 31.4 Tbps. The campaign, dubbed "The Night Before Christmas," kicked off on December 19 and targeted Cloudflare customers as well as Cloudflare's own dashboard and infrastructure in parallel.

"As the number of attacks increased over the course of 2025, the size of the attacks increased as well, growing by over 700 percent compared to the large attacks seen in late 2024," Cloudflare said. 

Scale isn't the only thing shifting, as Cloudflare reports that attackers are ditching long-haul floods in favour of smash-and-dash traffic spikes. Some incidents during the campaign wrapped up in well under two minutes yet still pushed traffic into the billions of packets per second, underscoring how sheer speed has become the real weapon.

Cloudflare attributes much of the surge to large botnets built from compromised internet-connected devices, including routers, cameras, and DVRs. The company also says attackers are increasingly abusing cloud-hosted virtual machines to generate large bursts of traffic, allowing them to scale attacks quickly.

The geographic shifts are equally notable. While China, Hong Kong, Germany, Brazil, and the United States remained among the most frequently targeted regions, the United Kingdom's sudden rise to number six stands out. 

• Don't underestimate pro-Russia hacktivists, warns UK's cyber crew
• RondoDox botnet fires 'exploit shotgun' at nearly every router and internet-connected home device
• Tens of thousands more ASUS routers pwned by suspected, evolving China operation
• Cloudflare broke itself – and a big chunk of the Internet – with a bad database query

Cloudflare doesn't attribute the UK's climb to any single campaign, though the country is in several well-known DDoS crosshairs. Financial services remain a favourite target, and geopolitical tensions are adding fresh fuel. Pro-Russian hacktivists NoName057(16), for example, have repeatedly claimed responsibility for attacks on UK government and public sector websites. Britain's dense telecoms and cloud infrastructure also make it a high-impact disruption target.

Attackers didn't stray far from their favourite punching bags. Telecom providers, IT service firms, and gambling and gaming sites once again absorbed a big slice of the DDoS noise, sectors where outages tend to trigger both lost cash and loud complaints. Most assaults also stuck to the lower plumbing of the internet, with Layer 3 and Layer 4 attacks leading the charge.

Cloudflare says the only realistic way to keep up is to let the machines handle it, with autonomous systems detecting and blocking massive, short-lived attacks in real time without human intervention. The logic is fairly simple: when traffic surges to record levels and then vanishes within a couple of minutes, humans will never react quickly enough. ®