DDoS and Application Security Threat
Network Layer (L3/L4) DDoS Attacks
Attack Trends: Surge in Mega-Scale Attacks, Annual Peak Exceeding 4 Tbps
From 2023 to 2025, large-scale traffic attacks exhibited a clear upward trend. The number of mega-scale attacks exceeding 300 Gbps grew more than 7-fold over the three-year period, and the annual peak traffic volume surged from 1.2 Tbps to 4.1 Tbps, an increase of 242%. Attackers are not only consuming defense resources through high-frequency small-scale attacks, but are also continuously enhancing the destructive power of individual attacks. The threat of large-scale traffic attacks continues to intensify.
High Attack Periods: Year-End Attack Intensity Hits Record Highs
Monthly peak attack data shows that November reached the annual high of 4.12 Tbps, with a significant increase in attack intensity toward year-end. Staged peaks also appeared in May and September, closely aligning with mid-year critical business periods. Attackers intensify their efforts during business settlement periods and commercial peak periods. Enterprises should pre-allocate protection resources ahead of critical business periods such as e-commerce promotions and fiscal year-end settlements to shorten emergency response times.
Divergence in Attack Strategies: High-Frequency Attrition and High-Intensity Breaches Coexist
Attack traffic peaks and attack frequency exhibit a clear inverse relationship. In March and April, the number of attacks exceeded 7,000, but peak volumes were only approximately 1.4–1.7 Tbps; in November, the peak reached a record high of 4.12 Tbps, while the attack count was lower than in March and April. This indicates that attackers employ differentiated strategies across different periods: on one hand, they use high-frequency sustained attacks to exhaust defense resources; on the other hand, they concentrate ultra-high-intensity attacks during specific periods to breach defensive lines.
Attack Types: UDP Flood Dominates; SYN Flood Gains Share in Mega-Scale Attacks
UDP Flood dominates across all attack scales, accounting for over 73% of attacks below 100 Gbps. SYN Flood accounts for 43% of mega-scale attacks exceeding 300 Gbps, demonstrating its significant role in high-intensity attacks. Attackers flexibly adjust their strategies based on attack scale, and enterprises need to establish differentiated protection mechanisms for different attack types.
Geographic Distribution of Attack Sources: Attack Origins Are Highly Globalized
The United States leads with 20.4%, followed closely by China (18.9%) and Russia (18.4%). Together, these three account for 57.7%, forming the core sources of global attack traffic. The broad geographic distribution of attack sources indicates that attack infrastructure has become globally distributed. Enterprises need to adopt a global perspective when deploying DDoS protection and implement precise traffic scrubbing strategies tailored to regional characteristics.
Industry Distribution: Gaming Industry Becomes the Primary Attack Target
The gaming industry ranks first with 78,000 attacks, accounting for over 23% of total attacks across all industries. Internet information technology services follow closely behind, with websites ranking third. Together, these three account for more than 54%. Due to its high demand for real-time performance and sensitivity to user experience, the gaming industry has become the preferred target for attacker extortion and competitive disruption. Notably, the big data and artificial intelligence industry is gradually becoming a new target for attackers.
HTTP/S Attacks
Shift in Attack Patterns: Small-Scale Probing Decreases; Mega-Scale Attacks Erupt Intensively
In 2025, HTTP/S DDoS attack strategies underwent a significant shift. The number of small-scale attacks below 100,000 QPS decreased substantially compared to 2024, while mega-scale attacks exceeding 300,000 QPS surged by 600%, with the annual peak soaring to 4.5 million QPS. Attackers are abandoning high-frequency, low-intensity probing in favor of a "medium-to-high intensity concentrated breakthrough" strategy, placing higher demands on the real-time response capabilities of application-layer protection.
