DDoS in 2025: The year automation took the wheel
If you still picture a DDoS attack as a long, noisy flood that gives your teams time to react, 2025 breaks that mental model. Over the past 12 months, we've seen DDoS shift from "big traffic" to something more unsettling: automated, multi-step campaigns that probe your defenses, adapt in real time, and move on before anyone's joined the bridge call.
The headline is simple: speed became the weapon. According to our latest data, 78% of attacks ended within 5 minutes, and 37% within 2 minutes. That's why we also see a hard operational truth: if your DDoS protection can't detect and mitigate at the network edge within a minute, you'll miss most modern attacks entirely.
Below are the DDoS trends that defined 2025—and what they mean for anyone who runs networks people depend on.
Trend 1: Short attacks, high impact
In 2025, attackers traded duration for intensity. DDoS became "hit fast, hit hard," often with little warning. At the same time, the ceiling didn't just rise—it accelerated. In September 2025, we observed the first attack over 10 Tbps. Then 22 Tbps. By October, 33 Tbps. Three records in six weeks.
Terabit-scale attacks are no longer milestones; they're the baseline.
This changes how you measure readiness. It's not enough to ask, "Can we handle a DDoS peak?" You also need to ask, "Can we react in seconds, repeatedly, all day long?"
Trend 2: Multi-target and multi-vector are now the default
DDoS in 2025 is less about a single pipe being filled and more about pressure everywhere at once. We saw 52% of attacks hit multiple hosts simultaneously (often called carpet bombing), and 58% combined two or more attack vectors.
Even more telling is that attackers don't just choose multiple vectors; they sequence them. In one 2025 sample from our DDoS library, the campaign executed four distinct attacks in three minutes—TCP carpet bombing, UDP flood, DNS amplification, and a high-rate SYN flood—adjusting after each defender response and increasing bandwidth at every step.
This isn't chaos. It's reconnaissance.
Trend 3: Residential proxy networks became DDoS infrastructure
One of the most important shifts we recorded is in the source of attack traffic.
Residential proxy networks—once mostly tied to smaller fraud schemes—have become a mainstream infrastructure risk. We estimate that 100 to 200 million IPv4 endpoints are covertly retransmitting traffic from everyday consumer devices. The distribution matters too: roughly a quarter appear to be in Brazil, with just over ten million in the United States.
What looks like a messy underground market is surprisingly concentrated. Our research indicates that a single wholesale broker may channel around 70% of the global pool of these IP addresses. And the scale is staggering; aggregate (global) capacity now exceeds 250 Tbps, enough to strain many national backbones.
We also documented a repeatable "two-phase" pattern: compromised IPs start as "clean" proxy exits, then later flip into hyper-volumetric DDoS roles once their reputations degrade. In hotspots such as Brazil and China, residential proxies account for roughly 10% of observed DDoS traffic.
For defenders, this breaks the model. You can't simply firewall household traffic: it comes from real households and looks like normal household traffic, which blurs traditional assumptions about "good" vs. "bad" traffic. Still, it is malicious and remotely controlled by botmasters who could be thousands of kilometers away.
Trend 4: IoT botnets returned with hyper-volumetric attacks
IoT botnets didn't disappear. They evolved.
We tracked new generations of Mirai-family variants, including Eleven11bot/RapperBot and Aisuru, targeting devices many people still have at home and at work (DVRs, cameras, and gateway devices). The Nokia Deepfield Emergency Response Team (ERT) first observed this campaign in late February 2025, with an infrastructure-level scale of over 30,000 compromised IoT devices.
These aren't "slow ramp" floods. The telemetry shows 30 Tbps volumetric capacity, with packet-intensity spikes approaching 15 Gpps and a time-to-peak of 1–3 minutes. Yes, it's 1–3 minutes!
And the depressing part is we know exactly why this keeps happening: fragmented IoT supply chains where nobody owns the CVE, and update mechanisms that get quietly disabled to reduce support costs. The devices ship insecure and stay insecure.
And when one botnet gets disrupted, others move in fast. After the U.S. takedown of one of the most powerful botnets in August 2025, we observed rapid re-enlistment: IoT devices were snatched into other botnets and engaged in new attack sets within days.
Trend 5: DDoS orchestration became algorithmic
The most defining change in 2025 is that human orchestration gave way to algorithmic automation. Attackers now use systems that continuously monitor defender timing and thresholds, systematically switch vectors, escalate when countermeasures activate, and even re-queue bot traffic to find gaps in coverage.
The implication is clear and uncomfortable: defense must move at algorithmic speed, too, or attackers keep the advantage.
Trend 6: Hacktivism stayed low-tech—and still effective
Not every disruptive DDoS campaign is advanced. The "Operation Eastwood" case study shows how groups with minimal technical sophistication—cut-and-paste scripts on rented servers, tunneled through free VPNs—can still generate headlines by targeting under-resourced sites with weak controls. Even when infrastructure is taken down, rebuilding can be trivial.
This is a reminder: resilience isn't only for "Tier 1" targets. The weakest public-facing services often define your public reputation.
What 2025 taught DDoS security teams
Real-world operator data makes the story practical. Bite Latvija reported just under 4,000 DDoS attempts detected and blocked (in 2024), with a peak of 280 Gbps, average duration under 15 minutes, and 69% multi-vector events. And globally, many floods aren't huge in bandwidth—82% stay below 50 Gbps—but they still disrupt because the tempo is so high.
None of this is comfortable reading. But it does clarify what matters. So, what should you do?
- Design for sub-minute response at the edge, because most attacks are over before manual processes begin.
- Assume blended campaigns (multi-target + multi-vector) and build detection that understands the context and sequences, not just single events.
- Plan for both extremes: frequent targeted gigabit attacks and occasional multi-terabit spikes.
- Move from reactive to self-defending architectures: adaptive, automated, high-capacity mitigation integrated with real-time intelligence.
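To make the second recommendation concrete, here is an added sketch (not Nokia's code or product logic) that aggregates flow summaries per /24 in 10-second bins, so carpet bombing that stays under a per-host threshold is still caught, and then links successive vector alerts on the same prefix into one campaign. The record layout `(ts, dst_ip, vector, bps)`, the thresholds and the function names are assumptions made for this example, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for this example only; tune to your own baseline.
WINDOW_S = 10          # aggregation bin, well under the sub-minute target
HOST_BPS = 1e9         # per-host alert level a single-event detector would use
PREFIX_BPS = 5e9       # aggregate alert level for a whole /24
MIN_HOSTS = 8          # spread across hosts needed to call it carpet bombing
CAMPAIGN_GAP_S = 120   # alerts closer together than this join one campaign

def detect(flows):
    """flows: iterable of (ts, dst_ip, vector, bps). Returns alerts ordered by time."""
    bins = defaultdict(lambda: defaultdict(float))
    for ts, dst, vector, bps in flows:
        prefix = str(ipaddress.ip_network(f"{dst}/24", strict=False))
        bins[(ts // WINDOW_S * WINDOW_S, prefix, vector)][dst] += bps
    alerts = []
    for (start, prefix, vector), hosts in sorted(bins.items()):
        total = sum(hosts.values())
        if total >= PREFIX_BPS:
            carpet = len(hosts) >= MIN_HOSTS and max(hosts.values()) < HOST_BPS
            alerts.append(dict(ts=start, prefix=prefix, vector=vector, bps=total, carpet=carpet))
    return alerts

def campaigns(alerts):
    """Group alerts on one prefix into campaigns and record the vector sequence."""
    out, last = [], {}
    for a in alerts:
        c = last.get(a["prefix"])
        if c is None or a["ts"] - c["end"] > CAMPAIGN_GAP_S:
            c = {"prefix": a["prefix"], "start": a["ts"], "vectors": [], "peaks": []}
            out.append(c)
            last[a["prefix"]] = c
        if not c["vectors"] or c["vectors"][-1] != a["vector"]:
            c["vectors"].append(a["vector"])   # a new step in the sequence
            c["peaks"].append(a["bps"])
        else:
            c["peaks"][-1] = max(c["peaks"][-1], a["bps"])
        c["end"] = a["ts"]
    for c in out:
        c["escalating"] = all(x < y for x, y in zip(c["peaks"], c["peaks"][1:]))
    return out

def sample_flows():
    """Constructed data: four vectors in three minutes on one /24, plus background."""
    flows = [(0, f"198.51.100.{h}", "tcp_carpet", 0.7e9) for h in range(1, 11)]
    flows += [(50, "198.51.100.7", "udp_flood", 9e9), (100, "198.51.100.7", "dns_amp", 12e9)]
    flows += [(160, "198.51.100.7", "syn_flood", 15e9), (20, "203.0.113.5", "udp_flood", 0.2e9)]
    return flows
```

On the constructed sample, no host in the first phase reaches `HOST_BPS`, so a per-host detector would stay silent while the prefix aggregate alerts; the four alerts then collapse into a single escalating campaign instead of four unrelated events.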
At Nokia, we're focused on exactly this direction—helping you absorb and neutralize attacks across the spectrum with AI-driven DDoS security, terabit-class filtering, and support from teams who see DDoS campaigns as they unfold.
Because the goal isn't just "staying up." It's about keeping trust, keeping services running smoothly, and ensuring uninterrupted connectivity even when attackers try to drown it out.
Learn more about the most important DDoS trends in 2025 and other network security trends in our Nokia Threat Intelligence Report 2025. Note that some stats have changed since the Report was published; the updated figures are reflected in this blog post.