
Not "if", but "when". DDoS attacks are a certainty for most businesses with an online presence, and they can completely block critical infrastructure. In 2024, organizations increasingly felt the impact of these "online storms". According to the recent "Corero Network Security 2025 Threat Intelligence" report, Corero's monitored clients were targeted last year by an average of 11 DDoS attacks per day (most under 1 Gbps). That is a 5% increase compared to the previous year, and the trend is not only continuing but intensifying in 2025. For reference, the M247 Global anti-DDoS solution is based on Corero technology.
In the first quarter of this year, Cloudflare blocked 20.5 million DDoS attacks, representing an explosive growth of 358% compared to the same period in 2024, according to the "Cloudflare DDoS Threat Report for Q1 2025". Among these, nearly 700 were hyper-volumetric DDoS attacks, over 1 Tbps or 1 Bpps – that is approximately 8 per day. The 2025 DDoS attack numbers speak for themselves: attacks are becoming more frequent, more aggressive, and more sophisticated – from massive floods that can bring down entire networks to discreet attacks that are hard to detect but no less dangerous.
DDoS attacks 2025
The Corero report shows an important shift in attackers' strategy: since 2024, they have opted for small-scale but frequent and well-coordinated attacks, which represent over 82% of total recorded incidents. These under-1Gbps DDoS attacks are designed to test defense systems, consume resources, and reduce the vigilance of security teams. At the same time, the frequency of medium-sized attacks (1-5 Gbps) has decreased, reaching only 12.4% of the total (compared to 19.4% in 2019).
Meanwhile, large-scale attacks over 10 Gbps have increased to 2.9%, which is also the highest level recorded since 2018. What are the causes of this evolution? The growth of botnet capabilities and the level of DDoS attack automation, especially through the exploitation of vulnerable equipment, such as MikroTik routers and IoT devices infected with variants of Mirai malware. The frequency of application-layer (Layer 7) attacks is also increasing. These attacks have low traffic volume and are harder to detect due to encryption. They target APIs, authentication portals, shopping carts and other critical resources.
Current trends therefore indicate a polarization: attacks are either very discreet, under 1 Gbps, or huge waves of traffic meant to block infrastructure. Even advanced cybersecurity platforms may need 10-30 seconds, or even more, to analyze traffic and begin mitigation. Corero specialists have accordingly observed another trend: the increased frequency of multi-vector attacks, in which attackers change the protocol every 30–60 seconds to avoid rapid detection and force defense systems into a continuous reactive posture, weakening proactive actions.
On top of this, most organizations already face difficulties coordinating security teams, according to a survey conducted by Merrill Research and commissioned by Corero. 68% encounter challenges in justifying DDoS protection investments to management, even when they have modern security tools.
Anatomy of DDoS attacks in the first quarter of 2025
The "Cloudflare DDoS Threat Report for Q1 2025" confirms the trends signaled by Corero, such as the increased sophistication of DDoS attacks and the preference for multi-vector and small-scale attacks. For example, among the 20.5 million DDoS attacks blocked by Cloudflare in the first quarter of 2025, one-third directly targeted Cloudflare's infrastructure, as part of a multi-vector campaign carried out over 18 days. 16.8 million were network-layer DDoS attacks, up 397% from the previous quarter.
In addition, although the number of hyper-volumetric attacks has increased, most attacks are small-scale: 99% of Layer 3/4 attacks were under 1 Gbps and 1 Mpps, and 94% of HTTP attacks had a volume of up to 1 million requests per second (rps). Moreover, their duration was less than 10 minutes – insufficient time for an efficient manual reaction.
The frequent DDoS attack vectors identified by Cloudflare in Q1 2025 were SYN flood, DNS flood, attacks generated by the Mirai botnet, known botnets (HTTP), attacks with suspicious HTTP attributes, botnets that mimic browsers and cache busting attacks. In addition, attacks of the following types are also increasing:
- CLDAP (Connectionless Lightweight Directory Access Protocol) reflection/amplification: Attackers send small queries to CLDAP servers with a spoofed source IP address (that of the attacked organization), generating responses in large volumes of data, which overwhelm the organization's infrastructure.
- ESP (Encapsulating Security Payload) reflection/amplification: Attacks that abuse the ESP protocol from IPsec to amplify DDoS traffic through misconfigured/vulnerable systems.
DDoS protection: Risk mitigation recommendations from M247 & Corero
DDoS attacks under 1 Gbps are harder to detect, but easier to launch and can more efficiently degrade the overall quality of services. These can affect application functionality, can overload firewalls, or can trigger unnecessary scaling in cloud environments. Most of the time, they announce much larger DDoS attacks.
On the other hand, the increased frequency of attacks with traffic over 10 Gbps shows that attackers are compromising more and more devices – routers, IoT equipment, surveillance cameras – and incorporating them into botnets. In addition, they use already compromised resources more efficiently.
At the same time, multi-vector DDoS campaigns are becoming increasingly sophisticated: attackers can quickly change attack vectors (for example, alternating SYN floods, DNS amplification or attacks that mimic HTTP traffic), or can launch short and intense waves of microburst traffic to avoid detection.
We recommend 8 DDoS protection measures you can take right now:
- Automate detection, response, and mitigation processes and improve detection so you can identify both short-duration anomalies and those under the 1Gbps threshold
- Optimize edge infrastructure to be able to absorb/deflect attacks with high frequency and low volume, without consuming valuable internal resources
- Adjust alert thresholds to include low-volume incidents as well
- Understand your organization's capacity limits. What the internet service provider can absorb and what the internal infrastructure can actually support are different things
- Test attack response efficiency by simulating large-scale volumetric and multi-vector incidents
- Use telemetry to identify rapid changes (every 30-60 seconds) in protocol type, packet size, or port targeting
- Label and flag anomalies in real-time
- Create SOC playbooks adapted according to attacker behavior
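The telemetry and low-volume threshold recommendations above can be combined in one detection pass. The following is an added example, not code from M247, Corero or Cloudflare: it assumes flow telemetry already summarized as (timestamp, vector label, bits per second) records, and the function names, the 50 Mbps baseline, the 3x alert factor and the sample data are all hypothetical.

```python
from collections import defaultdict

WINDOW = 10                      # seconds per telemetry bucket (assumption)
ROTATE_MIN, ROTATE_MAX = 30, 60  # rotation interval named in the text
BASELINE_BPS = 50e6              # assumed normal load toward the protected prefix
LOW_VOLUME_FACTOR = 3            # alert at 3x baseline, well under 1 Gbps

def bucketize(records):
    """Sum bits/s per vector label in each WINDOW-second bucket."""
    buckets = defaultdict(lambda: defaultdict(float))
    for ts, vector, bps in records:
        buckets[ts - ts % WINDOW][vector] += bps
    return dict(sorted(buckets.items()))

def dominant_shifts(buckets):
    """Return (ts, old, new) each time the highest-volume vector changes."""
    shifts, prev = [], None
    for ts, per_vector in buckets.items():
        top = max(per_vector, key=per_vector.get)
        if prev is not None and top != prev:
            shifts.append((ts, prev, top))
        prev = top
    return shifts

def analyze(records, min_rotations=2):
    """Flag vector rotation and sub-1 Gbps windows above the baseline."""
    buckets = bucketize(records)
    shifts = dominant_shifts(buckets)
    gaps = [b[0] - a[0] for a, b in zip(shifts, shifts[1:])]
    rotating = sum(ROTATE_MIN <= g <= ROTATE_MAX for g in gaps) >= min_rotations
    low_volume = [ts for ts, v in buckets.items()
                  if BASELINE_BPS * LOW_VOLUME_FACTOR <= sum(v.values()) < 1e9]
    return {"shifts": shifts, "rotating": rotating, "low_volume_alerts": low_volume}

def sample_rotating():
    """Constructed data: 40 Mbps of HTTPS plus three 300 Mbps vectors, 40 s each."""
    recs = [(t, "https", 40e6) for t in range(0, 160, 10)]
    for start, vec in ((20, "syn_flood"), (60, "dns_flood"), (100, "cldap_reflection")):
        recs += [(t, vec, 300e6) for t in range(start, start + 40, 10)]
    return recs

if __name__ == "__main__":
    result = analyze(sample_rotating())
    for ts, old, new in result["shifts"]:
        print(f"t={ts:>3}s dominant vector {old} -> {new}")
    print("rotation suspected:", result["rotating"])
    print("low-volume alert buckets:", result["low_volume_alerts"])
```

A single sustained vector produces only a start and an end shift, so it raises the low-volume alert without being flagged as rotation.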
How M247 can help
M247, through its technological partnership with Corero, offers an enterprise-grade DDoS protection solution, with a network capacity exceeding 1 Tbps. The solution provides personalized, continuous protection, with real-time detection and response to a wide range of DDoS attack vectors, including UDP flood, SYN flood, ICMP flood, and application layer attacks, thus preventing critical service interruptions and associated financial risks.
In addition, we offer intelligent traffic filtering to allow only legitimate connections, as well as real-time attack monitoring and scalability to handle attacks up to 100 Gbps. With 24/7 support and compliance with international standards such as GDPR and ISO 27001, M247 continuously protects businesses in sectors such as e-commerce, financial institutions, gaming, media, healthcare, and telecommunications, guaranteeing operational continuity and brand reputation, even in the face of the most sophisticated DDoS threats.