Executive summary
- The total number of L3-L4 DDoS attacks in Q1 2025 more than doubled compared to Q1 2024 (+110%).
- The largest number of L3-L4 DDoS attacks targeted the “IT&Telecom” (26.8%), “Fintech” (22.3%), and “E-commerce” (21.5%) segments.
- The most powerful L3-L4 DDoS attack of Q1 2025 peaked at just 232 Gbps — a fraction of the previous year’s record of 1,140 Gbps.
- Despite this, there’s no indication that attack intensity is declining — median bitrate and packet rate values are significantly higher than those recorded last year.
- In the first quarter, we discovered a massive DDoS botnet made up of 1.33 million devices. For comparison, the largest botnet we identified in 2024 contained “only” 227,000 devices.
- The longest L3-L4 DDoS attack of the quarter lasted just 9.6 hours. For comparison, the 2024 record was set by an attack that ran for almost 19 days.
- In Q1 2025, L7 DDoS attacks most frequently targeted the “Fintech” (54%), “E-commerce” (14.4%), and “IT&Telecom” (8.1%) segments.
- At the microsegment level, the primary targets of L7 DDoS attacks were “Banks” (31.6%), “Payment Systems” (12.2%), and “Online Retail” (7.1%).
- The longest L7 attack in Q1 lasted approximately 30 hours.
- The top sources of L7 DDoS attacks in Q1 2025 were the same as last year: Russia (28.2%), the United States (14.4%), and Brazil (6.1%).
- Average bad bot activity in the first quarter was in line with last year’s levels. However, March saw a sharp increase — up 28% compared to February.
- March saw both the largest and fastest bad bot attacks, along with an attempted attack via a CDN that we successfully blocked.
- The number of autonomous systems responsible for BGP hijacks dropped by 17.6% compared to Q1 2024. Meanwhile, the number of ASes involved in route leaks remained nearly unchanged (–1.6%).
- The number of global BGP incidents dropped sharply: throughout the entire first quarter, we recorded only 3 global BGP route leaks and not a single BGP hijack. For comparison, in 2024 we observed an average of 3.6 global incidents per month.
DDoS attacks targeting the network and transport layers (L3-L4)
The number of L3-L4 DDoS attacks exceeding 1 Gbps is growing at an accelerating pace: in Q1 2025, we recorded a 110% increase compared to the same period in 2024. As a reminder, since the beginning of last year, we have been excluding incidents below 1 Gbps from our statistics, considering them noise.
The absolute number of multivector attacks in Q1 2025 also grew significantly compared to the same period last year (+20.8%). However, this increase lagged behind the overall increase in L3-L4 attacks. As a result, the share of multivector attacks dropped by almost half — from 22.8% to 11.7%.
Excluding mixed-vector attacks, the distribution of “pure” attack vectors in Q1 2025 was as follows: UDP flood remained the most common, accounting for over half of all L3-L4 DDoS attacks (56.5%). It was followed by IP fragmentation flood (26.2%), TCP flood (11.5%), and SYN flood (5.8%). Interestingly, we didn’t record a single ICMP flood attack throughout the entire first quarter.
L3-L4 DDoS attacks duration
In terms of duration, DDoS attacks in the first quarter of 2025 were relatively modest. The longest incident lasted just 9.6 hours — a UDP flood targeting an organization in the “Industrial” segment, specifically the “Oil&Gas” microsegment.
The average duration of attacks dropped from 71.7 minutes last year to just 11.5 minutes this quarter. The median fell as well — from 150 seconds to 90 seconds.
This trend currently runs counter to the hypothesis we outlined in the 2024 annual report, where we linked longer attack durations to the growing use of massive botnets made up of vulnerable devices in developing countries.
While these botnets are indeed getting larger (we’ll return to this topic later), the attacks themselves remain relatively short. Still, it’s too early to draw firm conclusions — the year has only just begun.

L3-L4 DDoS attacks bitrate and packet rate
The most intense attack in Q1 2025 peaked at 232 Gbps. It was a UDP flood targeting the “Betting shops” segment. Compared to last year’s records, this figure is notably lower. For reference, the most powerful attack in Q1 2024 reached 882 Gbps, while the highest-intensity attack of the entire year peaked at 1,140 Gbps.
The same goes for packet rate: the Q1 2025 peak of 65 Mpps looks unimpressive compared to the 2024 record of 179 Mpps — which, incidentally, was also set in the first quarter.
At the same time, it’s important to note that there’s no overall decline in the intensity of L3-L4 DDoS attacks. While Q1 2025 didn’t set any new records for peak attack power, the median bitrate and packet rate both increased compared to 2024.
For instance, UDP flood attacks — which accounted for more than half of all cases in Q1 — saw a 190% increase in median bitrate and a 75% increase in packet rate.
L3-L4 DDoS attacks distribution by industry segment
In Q1 2025, most network- and transport-layer DDoS attacks were directed at the “IT&Telecom” (26.8%), “FinTech” (22.3%), and “E-commerce” (21.5%) segments. Altogether, these three accounted for 70% of all L3-L4 attacks recorded during the quarter.
At the microsegment level, the top targets were “Software services” (22.8%), “Online retail” (10.8%), “Banks” (9.4%), “Classified ads” (5.5%), and “Media, TV, radio, bloggers” (5.0%). Combined, these five microsegments represented more than half of all L3-L4 attacks in the past quarter.
L3-L4 DDoS attacks duration by industry segment
The five longest DDoS attacks in the first quarter were relatively short. Leading the list was an attack on the “Oil&Gas” microsegment, which lasted 9.6 hours. Next came an attack on “Classified ads” (5 hours), followed by incidents targeting “Telecom operators” (2.2 hours), “InsurTech” (1.5 hours), and “Media, TV, radio, bloggers” (1.3 hours).
For comparison, the longest attack in 2024 targeted the “Online retail” microsegment and lasted nearly three weeks — 463.9 hours. Against this backdrop, the Q1 2025 figures appear rather modest.
L3-L4 DDoS attacks bitrate and packet rate by industry segment
The top five microsegments hit by the most powerful L3-L4 DDoS attacks in Q1 2025 were led by “Betting shops” (232 Gbps), followed by a significant gap: “InsurTech” (134 Gbps), “Entertainment portals” (132 Gbps), “Classified ads” (129 Gbps), and “Online retail” (117 Gbps).
The top five microsegments by peak packet rate look quite different. “Banks” led with 65 Mpps, followed by “Betting shops” (54 Mpps), “Payment systems” (33 Mpps), “InsurTech” (28 Mpps), and “Hosting platforms” (17 Mpps).
As mentioned earlier, these are relatively low values — both compared to 2024 as a whole and specifically to its first quarter.
The largest DDoS botnet
On March 26, 2025 — just before the end of the first quarter — we detected an attack from a massive DDoS botnet that broke previous records by a wide margin. The DDoS botnet included 1.33 million devices, nearly six times larger than the biggest one seen in 2024 (227,000 devices) and almost ten times the size of the 2023 record (136,000 devices).
The attack targeted the “Betting shops” microsegment and lasted approximately 2.5 hours. The botnet was primarily composed of devices located in Brazil (51.1%), Argentina (6.1%), Russia (4.6%), Iraq (3.2%), and Mexico (2.4%). It might seem that such attacks with a high concentration of sources in a single country can be easily mitigated using geo-blocking. However, in practice, bot operators are usually prepared for this and can quickly switch to IP addresses from other regions.
This botnet closely resembles the largest one we detected last year. It fits perfectly into the trend we highlighted in our 2024 report: the rise of massive DDoS botnets built from devices located in developing countries.
We attribute this trend to the slow pace of replacing outdated devices that no longer receive security updates, combined with steadily improving connectivity. These conditions are especially prevalent in developing regions due to economic constraints.
The result is a perfect storm: millions of vulnerable devices with fast internet access form an ideal foundation for large botnets — which are increasingly being used to launch high-scale DDoS attacks.
DDoS attacks targeting the application layer (L7)
The number of L7 DDoS attacks in Q1 2025 remained roughly the same as in the first quarter of the previous year. The most common attack class was Request Rate Patterns (34.6%) — attacks characterized by request frequency that deviates from the expected behavior of legitimate users.
In second place were Rotating Client Secondary Attributes attacks (22.9%), characterized by unusual sets of headers in the request. Third were Abnormal URL Traversal attacks (16.7%), which involve actions that legitimate users often wouldn’t be able to perform at all.
L7 DDoS attacks distribution by industry segment
The largest share of L7 DDoS attacks targeted the “FinTech” macrosegment, which saw rapid growth throughout the previous year — its share rose from 22.6% of all attacks in Q1 2024 to 54.0% in Q1 2025.
“E-commerce” ranked second with 14.4%, followed by “IT&Telecom” with 8.1%.
Among microsegments, the most frequently targeted was “Banks,” which also saw a sharp increase — from 13.7% to 31.6% over the year. It was followed by “Payment systems” (12.2%), “Online retail” (7.1%), “Microfinance organizations” (5.4%), and “Software services” (4.2%).
L7 DDoS attacks duration
The two longest application-layer attacks in Q1 2025 targeted an organization in the “Cryptocurrency exchanges” microsegment. The first one began on February 12 and lasted 22 hours. Just a few hours after it ended, a second attack followed on February 13, lasting approximately 30 hours.
The third-longest attack of the quarter hit the “Software services” microsegment. It started on February 24 and continued for 18.7 hours. For comparison, the longest application layer attack in 2024 lasted about 49 hours. In that context, Q1 2025 has not set any new records so far.
Geographical distribution of L7 DDoS attack sources
The top three source countries for L7 DDoS attacks in Q1 2025 remained unchanged from 2024: Russia (28.2%), the United States (14.4%), and Brazil (6.1%).
Rounding out the top 10 were the Netherlands (4.6%), Germany (4.3%), Singapore (2.8%), the United Kingdom (2.4%), France (2.3%), China (2.2%), and India (2.0%). Combined, these countries accounted for approximately 70% of all blocked IP addresses.
Bad bot protection statistics — Qrator.AntiBot
To avoid confusion, it’s important to clarify that “bad” bots refer to automated systems that mimic real users when interacting with websites. Unlike DDoS bots, their goal isn’t to disrupt service but to carry out activities like data scraping, manipulating metrics, brute-forcing login credentials, and other forms of abuse.
In Q1 2025, the number of blocked bad bot requests showed moderate growth compared to both the previous quarter (+5.7%) and Q1 2024 (+3.9%).
Following the quiet winter months, bad bot activity increased noticeably in March — the number of blocked requests jumped by 28%.
The majority of bad bot attacks this quarter targeted the following segments: “Online retail” (40.7% of all bot activity), “Online betting” (13%), “Real estate” (8.2%), “Pharma” (4.8%), “Logistics” (3.3%), and “Finance” (0.6%). Together, these six segments accounted for over two-thirds of all bad bot attacks we recorded.
Bad bot types were distributed as follows: the majority were script-based bots (53.5%), followed by API bots (39.8%) and browser bots (6.7%).
Most notable bad bot attacks
The largest bad bot attack of the quarter was recorded on March 21 and targeted the “Online betting” segment. During mitigation, 14,333,475 bot requests were blocked. The attack maintained an average rate of 166 rps, peaking at 594 rps.
The fastest bot attack of the quarter occurred on March 9 and targeted the “Online retail” segment. It peaked at 56,500 rps in the second minute of the attack. Lasting around five minutes, the attack resulted in 12,585,661 blocked requests, with an average rate of 41,952 rps.
During the attack, traffic was directed to an online store’s homepage and popular sections of its product catalog. It combined an L7 DDoS attack using primitive bots with more advanced bot activity designed to mimic real users’ web browsers.
In total, over 8,000 IP addresses were blocked for generating malicious traffic. The top five source countries for this mixed attack were the United States (14%), Indonesia (11%), Russia (7%), Singapore (6%), and Germany (5%).
In March, another notable bad bot attack targeted the application of a major airline. From March 13 to 19, more than 2,500 bots simulated the behavior of real users, requesting flight search results and ticket prices for popular destinations. The traffic originated from both residential IP addresses and proxies located in Russia, the U.S., Singapore, Germany, and Canada. The intensity was relatively low, peaking at 60 rps.
What made this attack unusual was its vector: the malicious traffic was directed not to the main application host, but to a domain used for serving static content such as images, videos, and scripts. The attackers likely assumed that requests routed through a content delivery network (CDN) would be treated as trusted and bypass security checks. However, the anomaly was quickly detected, and the malicious activity was blocked.
The number of unique autonomous systems (ASes) responsible for BGP route leaks in Q1 was roughly the same as a year earlier (–1.6%). Meanwhile, the number of ASes responsible for BGP hijacks in Q1 2025 dropped significantly compared to Q1 2024 (–17.6%).
This decline is most likely due to the continued large-scale adoption of the RPKI ROA security mechanism, which effectively helps prevent BGP hijacks. In contrast, protection mechanisms against route leaks are still far from widespread implementation and therefore have little impact on the number of such incidents.
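The contrast drawn above, shown as an added example (not Qrator's code): route origin validation in the style of RFC 6811 compares only the origin AS and prefix length of an announcement against published ROAs, so a hijack fails validation while a leaked route, whose origin is unchanged, still passes. The ROAs, prefixes, AS numbers and announcements are constructed documentation values.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str       # prefix the address holder signed
    max_length: int   # longest more-specific the holder allows
    asn: int          # AS authorized to originate the prefix

# Constructed sample ROAs (documentation prefixes and AS numbers).
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64501),
]

def validate_origin(prefix: str, as_path: list, roas=ROAS) -> str:
    """Classify an announcement as valid / invalid / not-found (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the origin AS is the last AS in the path
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA is relevant only if its prefix covers the announced one.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered, but no ROA matched both origin and length: reject the route.
    return "invalid" if covered else "not-found"

def sample_results() -> dict:
    """Run the constructed announcements through origin validation."""
    announcements = {
        "legitimate":           ("192.0.2.0/24", [64510, 64500]),
        "hijack_wrong_origin":  ("192.0.2.0/24", [64510, 64511]),
        # Forged origin, but longer than the ROA's max_length.
        "hijack_more_specific": ("192.0.2.0/25", [64510, 64500]),
        "no_roa_published":     ("203.0.113.0/24", [64510, 64502]),
        # Leak: path goes through ASes that should not carry it,
        # yet the origin is genuine, so origin validation passes.
        "route_leak":           ("192.0.2.0/24", [64509, 64510, 64508, 64500]),
        "ipv6_too_specific":    ("2001:db8:1:1::/64", [64501]),
    }
    return {name: validate_origin(p, path)
            for name, (p, path) in announcements.items()}

if __name__ == "__main__":
    for name, state in sample_results().items():
        print(f"{name:22} {state}")
```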
Global BGP incidents
Note: The Qrator.Radar team identifies global BGP incidents using a set of threshold criteria. These include the number of affected prefixes and autonomous systems, as well as the extent of the anomaly’s propagation across routing tables.
Regarding global BGP incidents, after a rather active 2024, the first quarter of 2025 was unexpectedly quiet. We recorded only three global incidents — all of them BGP route leaks, with not a single BGP hijack.
For comparison, the average in 2024 was 3.6 global incidents per month. In Q1 of that year alone, we detected 12 global BGP route leaks and 1 case of global BGP hijacking.

Detailed findings
- The total number of DDoS attacks in Q1 2025 increased by 110% compared to Q1 2024.
- In absolute terms, the number of multivector attacks also increased (+20%), but their share dropped significantly — accounting for just 11.1% of all L3-L4 DDoS attacks.
- UDP flood attacks were the most common, making up 56.5% of all cases. Notably, we did not record a single ICMP flood attack throughout the entire quarter.
- L3-L4 DDoS attacks most often targeted the “IT&Telecom” (26.8%), “Fintech” (22.3%), and “E-commerce” (21.5%) segments.
- At the microsegment level, the primary targets were “Software services” (22.8%), “Online retail” (10.8%), and “Banks” (9.4%).
- The most intense L3-L4 attack was recorded in the “Betting shops” microsegment, with a peak bitrate of just 232 Gbps — 80% lower than the 1,140 Gbps record set last year.
- At the same time, there’s no indication of an overall decline in attack intensity. For example, median bitrate and packet rate for the most common UDP flood attacks increased by 190% and 75%, respectively.
- The largest DDoS botnet we detected in Q1 2025 consisted of 1.33 million devices (compared to around 227,000 for the biggest botnet of 2024). We attribute this rapid growth in botnet size to the increasing number of outdated and vulnerable devices in developing countries.
- The longest L3-L4 DDoS attack of the quarter lasted just 9.6 hours. For comparison, the 2024 record was set by an attack that ran for almost 19 days.
- In Q1 2025, the majority of L7 DDoS attacks targeted the “Fintech” (54%), “E-commerce” (14.4%), and “IT&Telecom” (8.1%) macrosegments.
- At the microsegment level, the most frequent targets were “Banks” (31.6%), “Payment systems” (12.2%), and “Online retail” (7.1%).
- The longest L7 attack recorded in the quarter lasted roughly 30 hours.
- The top sources of L7 DDoS attacks in Q1 2025 were the same as last year: Russia (28.2%), the United States (14.4%), and Brazil (6.1%).
- Bad bot activity in the first quarter remained roughly in line with last year’s average levels. However, this was largely due to the relative quiet of the winter months — in March, the number of bot attacks rose sharply, jumping 28% compared to February.
- The largest bad bot attack of the quarter (a total of 14,333,475 blocked bot requests) occurred on March 21 and targeted the “Online betting” segment.
- The fastest bad bot attack was recorded on March 9 and targeted the “Online retail” segment. At its peak, it reached a speed of 56,500 rps.
- In March, we also blocked an attempted bad bot attack via a CDN: over the course of seven days, around 2,500 bots targeted the application of a major airline, sending requests through a domain used to serve static content.
- The majority of bad bot attacks in Q1 2025 targeted the “Online retail” segment (40.7%), followed by “Online betting” (13%), “Real estate” (8.2%), “Pharma” (4.8%), “Logistics” (3.3%), and “Finance” (0.6%).
- The number of ASes responsible for BGP hijacks dropped by 17.6% year-over-year — we attribute this to the adoption of RPKI ROA, a mechanism designed to prevent such incidents.
- Meanwhile, the number of ASes involved in route leaks remained almost unchanged compared to Q1 2024 (–1.6%).
- The number of global BGP incidents dropped sharply in the first quarter: we observed only 3 route leaks and not a single BGP hijack. For comparison, in the first quarter of last year, we recorded 12 global route leaks and 1 BGP hijack, with an average of 3.6 global incidents per month throughout 2024.