Executive summary

• The total number of L3-L4 DDoS attacks in Q2 2025 increased significantly compared to Q2 2024 (+43%).
• The largest share of L3-L4 DDoS attacks in Q2 targeted the “FinTech” (22.6%), “E-commerce” (20.6%), and “Information and communication technology” (16.1%).
• The most intense L3-L4 DDoS attack of Q2 reached a peak bitrate of 965 Gbps — just shy of last year’s record (1,140 Gbps). The attack targeted an organization in the “Betting shops” microsegment and was likely linked to Alexander Ovechkin setting a new NHL all-time scoring record.
• The longest L3-L4 DDoS attack of Q2 lasted just over four days (96.5 hours). For comparison, the 2024 record was 19 days (463.9 hours).
• The number of L7 DDoS attacks in Q2 2025 rose dramatically compared to Q2 2024 (+74%).
• The most frequent targets of L7 DDoS attacks in Q2 2025 were the “FinTech” (43.6%), “E-commerce” (22.6%), and “Information and communication technology” (18.2%) segments.
• At the microsegment level, the largest share of L7 DDoS attacks targeted “Banks” (24.7%), “Software services” (12.9%), “Food retail” (10.9%), “Payment systems” (8.5%), and “Online retail” (6.1%).
• The longest L7 DDoS attack in Q2 2025 lasted 65.5 hours.
• In Q2, we recorded an attack that involved the largest DDoS botnet to date, comprising 4.6 million devices. This is 3.5 times larger than the previous record set in Q1 (1.3 million) and 20 times larger than the biggest botnet we detected in 2024 (227,000 devices).
• The top three countries from which L7 DDoS attacks originated in Q2 2025 remained unchanged from 2024: “Russia” (17%), the “United States” (16.6%), and “Brazil” (13.2%), with Brazil’s share continuing to grow steadily over several consecutive quarters.
• Bad bot activity in Q2 2025 increased by 31% compared to the previous quarter, with most of the traffic surge occurring in April and May.
• This growth was primarily driven by a single prolonged attack targeting the “E-commerce” segment, which began in April and lasted for over a month, ending in May. As part of the mitigation efforts, we blocked approximately 2 billion bad bot requests — equivalent to an entire month’s worth of bot traffic.
• The number of unique autonomous systems involved in route leaks and BGP hijacks in Q2 2025 remained roughly in line with the levels observed over the previous several quarters.
• After a sharp decline recorded in the previous quarter, the number of global BGP incidents rose significantly in Q2 and set a new quarterly record. We observed 14 such incidents: 10 global route leaks and 4 global BGP hijacks.

Qrator Labs' findings on DDoS attacks, BGP incidents and bot activity in the 1st quarter of 2025.

Qrator Labs presents statistics on DDoS attacks, BGP incidents and bot activity in the 3rd quarter of 2024.

Dive into Q2 DDoS and BGP Incidents Statistics and Overview.

Learn about the distinct methodologies and impacts of layer 4 and layer 7 DDoS attacks, from SYN floods and UDP floods at the transport layer to HTTP floods and Slowloris attacks at the application layer. Understand how cybercrime services like booters facilitate these attacks and explore notable case studies, including the Dyn and GitHub incidents.

In our ongoing commitment to providing a convenient tool for everyday use, we are excited to announce a complete revamp of the UI/UX design of the Qrator.Radar web application. 

Our team enjoyed working to create a more user-friendly interface, improved navigation, and better data visualization.

These updates aim to improve our users’ experience and simplify the processes of connectivity troubleshooting and network anomaly analysis.

These and other interesting features await you on our updated Qrator.Radar website. 

 Dive in and explore all the changes we've made firsthand.

CHECK OUT THE NEW LOOK

https://radar.qrator.net

In August 2023, a vulnerability in the HTTP/2 protocol, known as CVE-2023-44487 or "Rapid Reset," was discovered. This article provides an in-depth understanding of how CVE-2023-44487 works, its impact on HTTP/2, and offers 4 mitigation strategies to defend against this vulnerability.

Discover how cybercriminals use fast flux to increase the resilience and takedown immunity of their malicious infrastructure. Understand the benefits of fast flux for attackers, the challenges it presents for security professionals, and the most effective strategies for combating this threat, such as domain seizures, botnet takedowns, and international cooperation.

Explore the history of DDoS attacks from their inception in 1994 to the sophisticated threats of the present day. Discover how bandwidth, processing speeds, and protection mechanisms have evolved, fueling the arms race between attackers and defenders. Understand the forces driving the evolution of DDoS tactics, from simple bandwidth overloads to complex amplification and application-layer attacks.