The case of mysterious BGP session resets caused by a malformed OTC attribute

We recently ran into an unusual issue: BGP sessions were resetting with no obvious explanation shortly after routers received new routes. To understand what was happening, we collected and analyzed the BGP UPDATE messages that consistently triggered the errors.

It quickly became clear that all problematic routes had one thing in common: they carried a malformed OTC attribute. The real root cause, however, was not just the presence of a bad attribute, but the way different routers reacted to it. Before looking at that behavior, it helps to recap what OTC is and how it is supposed to work.

Executive summary

• On average, global resilience continued to improve, but at a modest pace — from 25.7% in 2023 to 24.79% in 2024 (lower is better).
• In 2024, Brazil ranked first in both the IPv4 resilience ranking (0.98%) and the IPv6 resilience ranking (2.15%).
• The Netherlands and Germany took second and third place in both rankings in 2024, with results of 2.54%/3.4% and 2.54%/3.6% respectively.
• The adoption of IPv6 continues to slow down. Partial IPv6 connectivity also remains an issue — some Tier-1 operators still do not peer with each other.
• The current resilience ranking of national Internet segments is available here.

Recent years have seen distributed denial-of-service (DDoS) attacks grow larger and happen more often than ever before. In just the first three months of 2025, the number of DDoS attacks worldwide increased by 110% compared to the same period the year before.

One late-March incident involved a botnet of 1.33 million compromised devices, almost six times larger than the biggest botnet observed the year prior. That botnet blitzed an online betting platform, and over half of the attacking devices originated from a single country (Brazil). In the following quarter, its size grew to 4.6 million devices, and by the next quarter, it reached 5.76 million.

Executive summary

• The largest number of DDoS attacks in Q3 2025 targeted the FinTech (26.1%), E-commerce (22.0%), Media (15.8%), and Information and communication technology (14.5%) segments. Together, these four accounted for nearly 80% of all recorded attacks.
• Among microsegments, the most frequently targeted in Q3 were Media, TV, radio, and bloggers (14.1%), Payment systems (13.9%), Food retail (13.0%), Digital education (7.2%), and Hosting platforms (6.6%).
• The most intensive L3-L4 DDoS attack of Q3 targeted an organization in the Online retail microsegment, reaching a peak bitrate of 1.15 Tbps — slightly higher than the 2024 record of 1.14 Tbps.
• The longest DDoS attack in Q3 lasted more than nine days (225.9 hours). For comparison, the 2024 record was 19 days (463.9 hours).
• In Q3, we recorded another attack launched by a multi-million-device DDoS botnet that we have been tracking for the past six months. This time, the attack involved 5.76 million infected devices, primarily from Brazil, Vietnam, the United States, India, and Argentina.
• In Q3, Brazil became the largest source of L7 DDoS attacks (19%), surpassing Russia (18.4%) and the United States (10.3%).
• We attribute the emergence of such large-scale DDoS botnets and the growing share of developing countries among L7 DDoS sources to the rapid increase in the number of vulnerable devices connected to high-speed Internet and the active use of AI-powered tools by attackers.
• After a sharp increase in bad bot activity in Q2 2025 — mainly driven by a single, exceptionally long-lasting attack — the figures dropped significantly quarter over quarter in Q3 (-37%).
• At the same time, the bot index declined noticeably: the share of bot traffic in the total traffic to protected resources decreased from 2.34% to 1.36%.
• In Q3 2025, the number of unique ASes responsible for route leaks remained almost unchanged compared to previous periods. However, the number of ASes involved in BGP hijacks was lower than usual due to a noticeable decline in July.
• After a significant increase in Q2 2025, the number of global BGP incidents dropped sharply. In Q3, we recorded only five such incidents — four global route leaks and one global BGP hijack.

On September 1, 2025, Qrator.AntiDDoS detected and mitigated another large-scale attack carried out by the largest L7 DDoS botnet observed to date. The target was an organization in the government sector. In total, 5.76 million IP addresses were blocked during the incident.

DDoS attacks are still one of the most dangerous types of cyber threats, and they are getting bigger and more complicated. In 2024, there were more than 15 million DDoS attacks reported around the world. Our most recent study estimates application-layer DDoS attacks are up 74% compared to last year. But many businesses still don't know how to keep themselves safe from these kinds of threats. In this article, we'll talk about seven of the most common myths about protecting against DDoS attacks

Executive summary

• The total number of L3-L4 DDoS attacks in Q2 2025 increased significantly compared to Q2 2024 (+43%).
• The largest share of L3-L4 DDoS attacks in Q2 targeted the “FinTech” (22.6%), “E-commerce” (20.6%), and “Information and communication technology” (16.1%).
• The most intense L3-L4 DDoS attack of Q2 reached a peak bitrate of 965 Gbps — just shy of last year’s record (1,140 Gbps). The attack targeted an organization in the “Betting shops” microsegment and was likely linked to Alexander Ovechkin setting a new NHL all-time scoring record.
• The longest L3-L4 DDoS attack of Q2 lasted just over four days (96.5 hours). For comparison, the 2024 record was 19 days (463.9 hours).
• The number of L7 DDoS attacks in Q2 2025 rose dramatically compared to Q2 2024 (+74%).
• The most frequent targets of L7 DDoS attacks in Q2 2025 were the “FinTech” (43.6%), “E-commerce” (22.6%), and “Information and communication technology” (18.2%) segments.
• At the microsegment level, the largest share of L7 DDoS attacks targeted “Banks” (24.7%), “Software services” (12.9%), “Food retail” (10.9%), “Payment systems” (8.5%), and “Online retail” (6.1%).
• The longest L7 DDoS attack in Q2 2025 lasted 65.5 hours.
• In Q2, we recorded an attack that involved the largest DDoS botnet to date, comprising 4.6 million devices. This is 3.5 times larger than the previous record set in Q1 (1.3 million) and 20 times larger than the biggest botnet we detected in 2024 (227,000 devices).
• The top three countries from which L7 DDoS attacks originated in Q2 2025 remained unchanged from 2024: “Russia” (17%), the “United States” (16.6%), and “Brazil” (13.2%), with Brazil’s share continuing to grow steadily over several consecutive quarters.
• Bad bot activity in Q2 2025 increased by 31% compared to the previous quarter, with most of the traffic surge occurring in April and May.
• This growth was primarily driven by a single prolonged attack targeting the “E-commerce” segment, which began in April and lasted for over a month, ending in May. As part of the mitigation efforts, we blocked approximately 2 billion bad bot requests — equivalent to an entire month’s worth of bot traffic.
• The number of unique autonomous systems involved in route leaks and BGP hijacks in Q2 2025 remained roughly in line with the levels observed over the previous several quarters.
• After a sharp decline recorded in the previous quarter, the number of global BGP incidents rose significantly in Q2 and set a new quarterly record. We observed 14 such incidents: 10 global route leaks and 4 global BGP hijacks.

Qrator Labs' findings on DDoS attacks, BGP incidents and bot activity in the 1st quarter of 2025.

Qrator Labs presents statistics on DDoS attacks, BGP incidents and bot activity in the 3rd quarter of 2024.

Dive into Q2 DDoS and BGP Incidents Statistics and Overview.