Hyper-Volumetric DDoS Attacks: The Threat Reaches a New Scale
According to the 23rd edition of Cloudflare’s quarterly report, published in the third quarter of 2025 and dedicated to Distributed Denial of Service (DDoS) threats, DDoS attacks are rising sharply. By the end of Q3 2025, Cloudflare had already mitigated 36.2 million DDoS attacks—170% of the total number of DDoS attacks recorded throughout the whole of 2024. During the third quarter of 2025 alone, Cloudflare handled 8.3 million DDoS attacks, representing a 15% increase compared to the previous quarter and a 40% year-over-year increase.
DDoS attacks by year and by type © Cloudflare
Two Levels of DDoS Attacks: Network Infrastructure and HTTP
There are two types of DDoS attacks that operate at different levels. Network-layer DDoS attacks aim to saturate the Internet connection by sending extremely large volumes of data, eventually preventing any access to the service, even for legitimate users. These attacks primarily target layers 3 and 4 (L3/L4) of the OSI model, namely the network and transport layers. HTTP DDoS attacks, on the other hand, target the functioning of the website or application itself. They send web requests that appear legitimate, but in excessive quantities, until server resources are exhausted. These attacks mainly occur at layer 7 of the OSI model, where business logic is executed. In the first case, the service becomes inaccessible because the network is saturated. In the second, it becomes unavailable because the application can no longer respond.
In Q3 2025, network-layer DDoS attacks accounted for 71% of all DDoS attacks handled by Cloudflare, representing 5.9 million incidents. Their volume increased sharply, with an 87% rise compared to the previous quarter and a 95% increase year over year. Conversely, HTTP DDoS attacks, which represented 29% of attacks during the period (2.4 million events), declined. They fell by 41% quarter over quarter and by 17% compared to the previous year, reflecting a temporary rebalancing of the threat in favor of attacks directly targeting network infrastructure.
DDoS attacks by quarter and by type © Cloudflare
Another major characteristic of hyper-volumetric DDoS attacks is their timing. Unlike other scenarios, they give no warning: they strike abruptly, reach their peak within seconds, and disappear after one to ten minutes. “There are no weak signals detectable upstream. For weeks or even months, nothing may happen before a very large-scale attack suddenly occurs,” explains Bruno Caille, General Manager France at Cloudflare. This brevity is a major operational challenge. In such a short time frame, human intervention becomes marginal, so fully automated defense mechanisms that react instantly are essential.
Aisuru, a DDoS Botnet Built on 1 to 4 Million “Zombie” Devices
To explain the sharp global increase in DDoS attacks, Cloudflare first points to changes in the economic model behind these operations. “Access to the necessary technical means has become significantly more democratized, as have automation capabilities. This allows an ever-growing number of malicious actors to take action,” adds Bruno Caille. These developments must also be viewed within an increasingly tense geopolitical context. “This context is marked by the return of openly asserted power struggles by certain major powers. This logic of confrontation encourages destabilization strategies targeting both states and economic players, with the ability to mobilize substantial resources to achieve these objectives,” notes Bruno Caille.
The third quarter of 2025 was notably marked by the activities of Aisuru, a hyper-volumetric DDoS botnet capable of launching extremely short but highly intense attacks. Aisuru relies on a very large number of compromised connected devices—between 1 and 4 million worldwide—including routers, IP cameras, and digital video recorders. Once infected, these devices are turned into remotely controlled “zombies” at the service of cybercriminals. The number of attacks originating from Aisuru jumped by 54% compared to the previous quarter, with an average of 14 volumetric attacks per day. Their power regularly exceeded one terabit per second (Tb/s) and one billion packets per second (Gp/s). One attack even peaked at 29.7 Tb/s and 14.1 Gp/s. During this operation, described as a “carpet bombing,” Aisuru targeted an average of 15,000 destination ports per second for 69 seconds, setting an absolute record for this type of operation.
Characteristics of the record attack recorded by Cloudflare (29.7 Tb/s and 14.1 Gp/s) © Cloudflare
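The sketch below is an added example, not Cloudflare's detection logic. It shows why bursts as short as the ones described above call for per-second automated detection: it flags seconds in which both the packet rate and the number of distinct destination ports spike, then compares that with what a ten-minute average would show. The thresholds, the `(second, dst_port, packets)` flow layout and the sample traffic are assumptions constructed for the illustration.

```python
from collections import defaultdict

# Assumed thresholds for this example; derive real ones from your own baseline.
PPS_THRESHOLD = 50_000    # packets per second towards the protected prefix
PORT_THRESHOLD = 1_000    # distinct destination ports seen within one second

def per_second_stats(flows):
    """flows: (epoch_second, dst_port, packets) -> {second: (pps, distinct_ports)}."""
    pkts, ports = defaultdict(int), defaultdict(set)
    for ts, dport, n in flows:
        pkts[ts] += n
        ports[ts].add(dport)
    return {ts: (pkts[ts], len(ports[ts])) for ts in pkts}

def detect_bursts(flows, pps=PPS_THRESHOLD, nports=PORT_THRESHOLD):
    """Merge consecutive seconds exceeding both thresholds into (start, end) ranges."""
    stats = per_second_stats(flows)
    hot = sorted(ts for ts, (p, d) in stats.items() if p >= pps and d >= nports)
    bursts = []
    for ts in hot:
        if bursts and ts == bursts[-1][1] + 1:
            bursts[-1][1] = ts          # extend the current burst
        else:
            bursts.append([ts, ts])     # start a new burst
    return [tuple(b) for b in bursts]

def average_pps(flows, start, length):
    """Mean packets per second over [start, start + length), as a coarse monitor sees it."""
    return sum(n for ts, _, n in flows if start <= ts < start + length) / length

def build_sample():
    """Constructed traffic: 600 s of baseline with a 69 s burst spread over 1,500 ports."""
    flows = []
    for ts in range(600):
        flows.append((ts, 443, 2_000))  # constructed baseline
        flows.append((ts, 53, 500))
        if 300 <= ts < 369:             # constructed burst window
            flows.extend((ts, port, 100) for port in range(1024, 2524))
    return flows

if __name__ == "__main__":
    sample = build_sample()
    print("bursts:", detect_bursts(sample))
    print("peak second:", per_second_stats(sample)[300])
    print("10-minute average pps:", average_pps(sample, 0, 600))
```

On the constructed sample, each burst second carries 152,500 packets across 1,502 ports, while the ten-minute average stays at 19,750 packets per second, below the same alert threshold.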
Targets Chosen for Their Leverage Effect
Hyper-volumetric DDoS attacks do not target organizations at random. They primarily focus on entities whose failure creates a systemic effect. “If you take down an operator, you take down many others behind it,” summarizes Bruno Caille. This logic particularly applies to telecommunications, public services, and logistics players.
The example of La Poste, attacked at the end of December 2025, illustrates this strategy. On December 22, 2025, La Poste and La Banque Postale were hit by a large-scale DDoS attack. The attack caused the unavailability of several online services, including the institutional website, parcel tracking, and certain digital banking services. Physical delivery operations were largely maintained, but the economic and operational impact was significant due to the peak activity period. The attack, claimed by a pro-Russian group, did not result in any known data theft.
“The attack did not target the public website, but internal technical components, particularly servers and APIs that handle exchanges between applications. This targeting disrupted internal flows required for orders and transactions, rendering critical services unavailable. This choice reveals prior reconnaissance and a good understanding of the internal architecture, as well as a level of protection likely lower than that of publicly exposed sites, as suggested by the recovery time,” analyzes Benoit Grünemwald, Director of Public Affairs at ESET.
DNS Infrastructure as a Potential DDoS Target
For Stéphane Bortzmeyer, Network and Systems Architect at AFNIC (the French Network Information Centre), DDoS attacks are a lasting phenomenon, intrinsic to how the Internet functions. He emphasizes the absence of a universal solution, particularly in the face of hyper-volumetric attacks, where sheer capacity remains decisive. “Relying on large protection providers is technically effective, but it raises a major strategic issue. We can compare this situation to a feudal logic, where security depends on a few dominant actors, at the cost of strong dependency. This dependency is especially problematic for small organizations, NGOs, or associations that have no credible alternative. There is also a political risk linked to this concentration, particularly when protection providers are subject to foreign jurisdictions,” he explains.
Stéphane Bortzmeyer also highlights DNS as a strategic target that is often overlooked. “While most attackers focus on websites, some understand that an attack against DNS infrastructure can cause much broader damage. Even if they remain less frequent, attacks have already targeted authoritative servers,” he notes. Fortunately, the widespread deployment of anycast has profoundly transformed the resilience of the global DNS. “This technique allows the load to be distributed across many physical instances responding to the same IP address. All root servers and almost all TLDs (.fr, .de, .uk, for example) now use this model,” he explains. He cites the example of the .fr domain, whose name servers give the illusion of a small number of instances while actually relying on hundreds of machines distributed worldwide.
Beyond sheer volume, Stéphane Bortzmeyer warns of far more discreet yet equally dangerous attacks based on software vulnerabilities. “Some vulnerabilities allow a server to be taken down with a single specially crafted packet. This is particularly dangerous when a company or organization practices software monoculture, without real diversity in its technical environments. This scenario, already observed in the past, could cause massive outages without requiring significant resources—especially if patches are not applied quickly,” he concludes.