NETSCOUT’s 1H 2025 DDoS Threat Intelligence Report shows a record-scale and increasingly geopolitical DDoS landscape, with over 8 million attacks globally and major surges tied to events such as the World Economic Forum, the India-Pakistan conflict, and the Iran-Israel cyberwar. The report also highlights the continued dominance of botnets and hacktivist groups like NoName057(16), alongside the rise of DDoS-as-a-service actors such as DieNet and Keymous+.
Key points
- Annual threat intelligence reports like this typically begin with an executive summary or key findings section, followed by regional attack statistics, thematic analysis of major trends, profiles of notable threat actors, methodology, and vendor guidance or defensive recommendations.
- The introduction usually frames the overall threat landscape, highlights headline figures, and explains why the findings matter for defenders and network operators.
- Regional or “state of DDoS” sections generally break down attack counts, peak volumes, common vectors, and the highest-intensity attacks by geography, helping readers understand where pressure is concentrated.
- Trend-focused sections often connect attack activity to external drivers such as geopolitical conflicts, major public events, or hacktivist campaigns, showing how DDoS is used as a tool of influence and disruption.
- Actor profile sections usually examine specific groups, their tactics, infrastructure, target sets, and how they fit into the broader threat ecosystem.
- Methodology sections explain data sources, collection scope, telemetry coverage, and analytical limitations so readers can interpret the statistics correctly.
- The final sections often translate findings into practical defense guidance, mapping vendor capabilities or best practices to the observed threat environment.
- This report recorded 8,062,971 global DDoS attacks in 1H 2025, underscoring that attack volume remains extraordinarily high despite changes in tactics and target selection.
- EMEA was the most heavily affected region with 3,268,863 attacks, followed by APAC with 1,846,922, NAMER with 1,306,278, and LATAM with 1,070,492.
- The most intense attacks reached 3.12 Tbps in the Netherlands and 1.5 Gpps in Germany, showing that both bandwidth-heavy and packet-rate-heavy attacks continue to escalate.
- Attack vectors remained diverse, with common use of TCP ACK, TCP SYN, DNS, CLDAP amplification, L2TP amplification, NTP amplification, NetBIOS amplification, SNMP amplification, and HTTP/2 POST activity.
- Geopolitical events were a major driver of attack surges, especially during the World Economic Forum in Switzerland, political tensions in Italy, the India-Pakistan conflict, and Operation Rising Lion in the Iran-Israel conflict.
- Switzerland saw more than 1,400 attacks during the WEF period, roughly double comparable periods in December, showing how global conferences attract coordinated disruption attempts.
- Italy experienced sustained targeting across February and March, with public-sector entities at regional and local levels appearing frequently among the reported victims.
- India faced heavy DDoS pressure during tensions with Pakistan, with groups such as SYLHET GANG-SG, Keymous+, and AnonSec claiming attacks against government, defense, and financial targets.
- The Iran-Israel conflict produced more than 15,000 attacks against Iran versus 279 against Israel, highlighting the scale imbalance and the cross-border nature of modern DDoS campaigns.
- Botnet-driven attacks were especially prominent in March 2025, averaging about 880 incidents per day and peaking at more than 1,600 attacks on March 10.
- The report emphasizes that attackers often did not need new exploits; instead, they relied on known vulnerabilities and existing botnets to launch sustained, multi-vector campaigns.
- Average attack duration increased to 18 minutes and 24 seconds, giving attackers enough time to inflict operational disruption even when mitigation eventually succeeds.
- NoName057(16) remained the most active familiar threat actor, claiming more than 475 attacks in March alone and focusing heavily on government sites in Spain, Taiwan, and Ukraine.
- Newer groups are lowering the barrier to entry through DDoS-as-a-service infrastructure, with DieNet launching in March 2025 and conducting more than 60 attacks, and Keymous+ confirming 73 attacks across 28 sectors in 23 countries.
- A recurring theme throughout the report is that DDoS is increasingly a strategic, politically timed weapon rather than only a nuisance or brute-force availability attack.
- Another major takeaway is that attacker accessibility is rising because of shared infrastructure, botnets, automation, and DDoS-for-hire services, making sophisticated disruption available to more actors.
- The report also shows that critical sectors such as government, transportation, energy, medical systems, finance, and digital commerce remain prime targets for collateral disruption.
- Overall, the report portrays a rapidly evolving global DDoS environment in which scale, automation, geopolitical timing, and reusable infrastructure are reshaping the threat landscape.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)