Netscout report identifies over 8 million DDoS attacks in H2 2025

Netscout Systems has released its Distributed Denial-of-Service (DDoS) Threat Intelligence Report for the second half of 2025, highlighting increased coordination among threat actors, resilient botnet activity and the continued exploitation of compromised Internet of Things (IoT) devices. According to the report, more than eight million DDoS attacks were recorded globally during the period, with some attacks reaching volumes of up to 30 terabits per second (Tbps).

The report indicates that the expansion of DDoS-for-hire services is enabling a wider range of actors to conduct large-scale attacks, increasing operational risks for organisations that rely on digital infrastructure. It also notes that attackers are adopting more advanced reconnaissance techniques and adaptive evasion strategies, which can challenge traditional network defence systems.

Richard Hummel, Director of Threat Intelligence at Netscout, said organisations that lack adequate protection measures remain particularly vulnerable to increasingly sophisticated and coordinated attacks. He added that the scale and complexity of recent incidents highlight the need for automated and proactive defence strategies.

Key Findings From the Report

The report recorded more than eight million attacks across 203 countries and territories during the second half of 2025. Approximately 42% of these incidents involved multi-vector attacks, in which two to five different attack techniques were used simultaneously or sequentially to complicate detection and mitigation.

The analysis also highlighted the role of compromised IoT devices and customer-premises equipment in generating large volumes of outbound attack traffic. In some cases, these devices produced attack floods exceeding 1 Tbps, creating potential service, operational and reputational risks for broadband and mobile network providers.

Critical internet infrastructure services, including Network Time Protocol and Domain Name System, continued to face sustained attack pressure. The report notes that these services require resilient and distributed network architectures to maintain service availability during large-scale attacks.

Netscout also identified increased collaboration among threat actors. For example, more than 20,000 botnet-driven attacks were recorded in July 2025 alone, demonstrating how coordinated activity can rapidly overwhelm network defences and disrupt sectors such as government, finance and transport.

The report further observed that the use of artificial intelligence is becoming more prominent in cyber-criminal operations. Large language models (LLMs) available on underground forums are reportedly being used to assist with vulnerability discovery and botnet expansion. Mentions of malicious AI tools on these forums increased by 219%, and some threat groups, including Keymous+, have reportedly expanded their operational capacity through collaboration with other actors.

Netscout stated that its analysis is based on passive monitoring across multiple internet vantage points, allowing direct observation of attack traffic. The company said it tracks tens of thousands of daily DDoS incidents and monitors botnets and DDoS-for-hire services that rely on millions of compromised or misused devices.

According to the company, its monitoring systems covered network segments carrying global peak traffic exceeding 800 Tbps and observed activity across 376 industry sectors and 12,698 Autonomous System Numbers (ASNs) during the second half of 2025.