2025 DDoS, bad bots, and BGP incidents statistics and overview

13 January 2026


Executive summary

  • In 2025, DDoS attacks most frequently targeted the FinTech (26.6%), E-commerce (21.3%), Information and communication technology (13.4%), and Media (11.6%) segments. Together, these four segments accounted for nearly 75% of all recorded attacks.
  • At the microsegment level, the most frequently targeted sectors in 2025 were Payment systems (11.7%), Food retail (11.3%), Media, TV, radio, and bloggers (10.0%), Banks (7.7%), and Digital education (6.7%).
  • In December, we recorded two of the most intensive L3-L4 DDoS attacks of 2025. Both incidents targeted the Betting shops microsegment, with peak traffic rates reaching 3.06 Tbps and 3.51 Tbps — roughly three times higher than the 2024 record (1.14 Tbps).
  • The longest DDoS attack of 2025 lasted 119.2 hours, or nearly five days. For comparison, the 2024 record stood at 19 days (463.9 hours).
  • In 2025, we detected the largest DDoS botnet ever observed. Over the course of the year, it expanded from 1.33 million to 5.76 million infected devices, primarily located in Brazil, Vietnam, the United States, India, and Argentina.
  • The largest sources of L7 DDoS attacks in 2025 were Russia (16.82%), Brazil (15.92%), and the United States (11.99%). Compared to 2024, the most notable growth was observed in Brazil, Vietnam, and Argentina.
  • In our view, the emergence of DDoS botnets of this scale and the growing share of developing countries among sources of L7 DDoS attacks are driven by the rapid increase in vulnerable devices connected to high-speed Internet, as well as the active use of AI-based tools by attackers.
  • In 2025, the number of blocked bad bot requests increased by 30% year over year, averaging 2.2 billion requests per month.
  • The average “bot index” over the last nine months of 2025 was 2.1%.
  • The largest bad bot attack of 2025 lasted for approximately one month, during which more than 3.3 billion bot requests were blocked.
  • In 2025, the number of unique ASes responsible for route leaks remained at the same level as the year before. At the same time, the number of ASes involved in BGP hijacks decreased by 17% compared to 2024.
  • The number of global route leaks in 2025 was 37% lower than in 2024, while the number of global BGP hijacks remained exactly the same as in the previous year.


Prevalent DDoS attack vectors in 2025

Starting in Q2 2025, we revised our DDoS analysis methodology. Prior to this change, we analyzed network- and transport-layer attacks (L3-L4 DDoS) separately from application-layer attacks (L7 DDoS). We have since moved to a unified approach based on incidents, each of which may include multiple attacks via different vectors.

As before, we filter out L3-L4 DDoS attacks with an intensity below 1 Gbps, treating them as background noise. For L7 DDoS attacks, we also apply threshold criteria: at least 100 blocked IP addresses and a traffic rate of no less than 1,000 requests per second. Multiple attack waves are grouped into a single incident if the time gap between them does not exceed one hour.

Due to this methodological change, we analyze the distribution of DDoS attack vectors only for the last nine months of 2025. During this period, the majority of incidents were HTTP-based, that is, application-layer attacks, which accounted for 59.6% of all attacks we recorded. UDP flood ranked second (20.3%), followed by IP flood (10.2%).

The shares of TCP flood and SYN flood in Q2–Q4 2025 were negligible (1.1% and 0.8%, respectively). As for ICMP flood, we recorded only a single attack over the past nine months.

Under the revised analysis methodology, multi-vector attacks accounted for 8.0% of all DDoS incidents over the last nine months of 2025. In roughly half of these cases (3.6% of all incidents), a single incident combined both L3-L4 DDoS and L7 DDoS attacks.
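The incident-based methodology described above (noise thresholds, one-hour grouping of waves, multi-vector and mixed-layer incidents) can be sketched as follows. This is an added example, not Qrator's code: the record fields, the per-target grouping, the end-to-start gap measurement, and the sample data are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_L34_GBPS = 1.0            # L3-L4 attacks below 1 Gbps are background noise
MIN_L7_BLOCKED_IPS = 100      # L7: at least 100 blocked IP addresses
MIN_L7_RPS = 1000             # L7: no less than 1,000 requests per second
MAX_GAP = timedelta(hours=1)  # waves up to one hour apart share an incident
L7_VECTORS = {"HTTP"}         # every other vector is treated as L3-L4

@dataclass
class Attack:                 # hypothetical record layout, not Qrator's schema
    target: str
    vector: str
    start: datetime
    end: datetime
    peak_gbps: float = 0.0
    peak_rps: int = 0
    blocked_ips: int = 0

    @property
    def layer(self):
        return "L7" if self.vector in L7_VECTORS else "L3-L4"

@dataclass
class Incident:
    target: str
    start: datetime
    end: datetime
    attacks: list = field(default_factory=list)

    @property
    def multi_vector(self):
        return len({a.vector for a in self.attacks}) > 1

    @property
    def mixed_layer(self):    # L3-L4 and L7 combined in one incident
        return len({a.layer for a in self.attacks}) > 1

def passes_threshold(a):
    if a.layer == "L7":
        return a.blocked_ips >= MIN_L7_BLOCKED_IPS and a.peak_rps >= MIN_L7_RPS
    return a.peak_gbps >= MIN_L34_GBPS

def group_incidents(attacks):
    """Drop sub-threshold attacks, then merge waves per target (assumption)."""
    incidents, latest = [], {}
    for a in sorted(filter(passes_threshold, attacks), key=lambda x: x.start):
        inc = latest.get(a.target)
        # Assumption: the gap runs from the incident's last end to the next start.
        if inc is not None and a.start - inc.end <= MAX_GAP:
            inc.attacks.append(a)
            inc.end = max(inc.end, a.end)
        else:
            inc = latest[a.target] = Incident(a.target, a.start, a.end, [a])
            incidents.append(inc)
    return incidents

def summarize(incidents):
    return {"incidents": len(incidents),
            "multi_vector": sum(i.multi_vector for i in incidents),
            "mixed_layer": sum(i.mixed_layer for i in incidents)}

def ts(hhmm):                 # constructed timestamps, all on one sample day
    return datetime.strptime("2025-06-01 " + hhmm, "%Y-%m-%d %H:%M")

SAMPLE = [  # constructed records, not data from the report
    Attack("shop.example", "UDP flood", ts("10:00"), ts("10:05"), peak_gbps=12.0),
    Attack("shop.example", "HTTP", ts("10:50"), ts("11:10"), peak_rps=40000, blocked_ips=2500),
    Attack("shop.example", "UDP flood", ts("12:30"), ts("12:32"), peak_gbps=3.0),
    Attack("shop.example", "SYN flood", ts("12:40"), ts("12:41"), peak_gbps=0.4),
    Attack("bank.example", "HTTP", ts("09:00"), ts("09:03"), peak_rps=5000, blocked_ips=60),
    Attack("bank.example", "HTTP", ts("09:30"), ts("09:40"), peak_rps=1500, blocked_ips=100),
]

if __name__ == "__main__":
    print(summarize(group_incidents(SAMPLE)))
```

On the sample, the first two shop.example waves merge into one mixed-layer incident, the 12:30 wave starts a new one because it begins 80 minutes after the previous wave ended, and the two sub-threshold records are dropped before grouping.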

Distribution of DDoS attacks by industry in 2025

In 2025, DDoS attacks most frequently targeted organizations in the FinTech (26.6%), E-commerce (21.3%), Information and communication technology (13.4%), and Media (11.6%) segments. Together, these four industries accounted for nearly three quarters of all DDoS attacks recorded in 2025.

At a more granular level, the most frequently targeted microsegments in 2025 were Payment systems (11.7%), Food retail (11.3%), Media, TV, radio, and bloggers (10.0%), Banks (7.7%), and Digital education (6.7%). Taken together, these five microsegments accounted for nearly half of all DDoS attacks recorded in 2025.

Duration of DDoS attacks in 2025

The longest DDoS attack recorded in 2025 targeted an organization in the Media, TV, radio, and bloggers microsegment and lasted nearly five days (119.2 hours). The second-longest attack of the year targeted the Betting shops microsegment and continued for approximately four days (96.5 hours). Third place was taken by an L7 attack against Payment systems, which lasted just under three days (71.4 hours).

Compared to the previous year, DDoS attack durations decreased significantly in 2025. The average attack duration nearly halved, dropping from 4,270 to 2,268 seconds, while the median duration declined from 150 to 120 seconds.

Intensity of L3-L4 DDoS attacks in 2025

Two of the most intensive L3-L4 DDoS attacks of 2025 occurred in the first half of December and targeted the Betting shops microsegment. Their peak traffic rates reached 3.06 Tbps and 3.51 Tbps — roughly three times higher than the previous record set in 2024 (1.14 Tbps).

Earlier in the year, the leading candidate for the annual record was an attack against the Online retail microsegment, which peaked at 1.15 Tbps in late August. Another terabit-scale attack was recorded in October, targeting the Media, TV, radio, and bloggers microsegment and reaching a peak intensity of 1.03 Tbps. As a result, while in 2024 we mitigated only a single attack with a peak rate exceeding 1 Tbps, in 2025 we had to contend with four such incidents.

Interestingly, the increase in L3-L4 DDoS attack intensity was observed not only in the largest incidents, but even more prominently in routine attacks, which make up the bulk of all DDoS activity. While the average bitrate of the most common UDP flood attacks in 2025 increased by about 15% year over year, the median value rose by as much as 57%.


The five microsegments targeted by the most intensive L3-L4 DDoS attacks in 2025 were Betting shops (3.51 Tbps), Online retail (1.15 Tbps), Media, TV, radio, and bloggers (1.03 Tbps), Cryptocurrency exchanges (668 Gbps), and Game platforms (460 Gbps).

When looking at peak packet rates, the most intense L3-L4 DDoS attacks in 2025 targeted the following microsegments: Payment systems (466.0 Mpps), Online retail (325.8 Mpps), Betting shops (177.9 Mpps), Oil&Gas (93.4 Mpps), and Hosting platforms (72.0 Mpps).

The largest DDoS botnet of 2025

Throughout 2025, we tracked the activity of a massive DDoS botnet that was first detected on March 26. Its initial attack targeted an organization in the Betting shops microsegment. During mitigation of this attack, we blocked 1.33 million IP addresses, primarily located in Brazil (51.1%), as well as in Argentina (6.1%), Russia (4.6%), Iraq (3.2%), and Mexico (2.4%).

On May 16, we mitigated another attack by the same botnet, this time targeting an organization in the Government resources segment. In this incident, approximately 4.6 million IP addresses were blocked. By that point, the botnet’s geography had changed noticeably: Brazil’s share declined from 51% to 29.7%, while the proportion of devices from the United States (12.1%), Vietnam (7.9%), and India (2.9%) increased sharply. Argentina (2.8%) dropped to fifth place.

On September 1, another large-scale attack by this botnet occurred, again targeting Government resources. During its mitigation, we blocked a total of 5.76 million IP addresses.

By the time of the third incident, the geographic distribution of IP addresses used by this DDoS botnet had shifted once again. Brazil remained the largest source, but its share declined to 24.5% of all blocked IP addresses. The top five also included Vietnam (11.5%), the United States (11.2%), India (7.1%), and Argentina (2.8%).

Geographic distribution of L7 DDoS attack sources in 2025

In Q4, the geographic distribution of countries most frequently acting as sources of application-layer DDoS attacks reflected the same overall trend observed throughout 2025: a rapid increase in the share of developing countries.

Brazil ranked first for the second consecutive quarter (17.64%), followed by Vietnam in second place (14.26%). Russia (10.08%) moved down to third, while the United States (7.87%) dropped to fourth. Argentina ranked fifth (3.81%), despite not appearing in the top 20 sources of L7 DDoS attacks just a year earlier.

Q4 also saw a notable number of new entrants in the ranking, including South Africa, Pakistan, Colombia, Ecuador, Venezuela, Bangladesh, and Iraq — with the latter two even making it into the top 10.

Over the full year of 2025, Russia (16.82%) retained first place, though with only a minimal lead over Brazil (15.92%), which ranked second. We expect Brazil to reach the top position in the ranking next year. The United States placed third (11.99%), while Vietnam moved up to fourth place (8.08%).

In terms of growth, Brazil was the fastest in 2025, increasing its share from 5.79% to 15.92% and moving from third to second place. Vietnam also saw a sharp rise, with its share jumping from 1.77% to 8.08%, lifting the country from 12th to fourth place. Argentina showed similarly strong momentum: after not appearing in the top 20 in 2024, it climbed to seventh place by the end of 2025.

Overall, we expect this trend to continue into 2026, with a further increase in the share of developing countries among sources of L7 DDoS attacks and their continued rise in the rankings.

We attribute this to two key factors. First, developing countries are seeing rapid growth in the number of devices connected to high-speed Internet, often combined with low levels of cybersecurity awareness and a high prevalence of vulnerabilities.

Second, attackers are increasingly using AI-based tools to automate the discovery and compromise of vulnerable devices, significantly accelerating the creation and scaling of DDoS botnets.

Bad bot protection statistics in 2025 — Qrator.AntiBot

To avoid confusion, by “bad bots” we mean automated systems that attempt to interact with websites while masquerading as legitimate users. Unlike destructive DDoS bots, bad bots do not aim to disrupt a site’s availability. Their typical objectives include data scraping, artificial inflation of various metrics, account brute-forcing, and other forms of unwanted activity.

In 2025, the number of blocked bad bot requests increased by 30% — the same growth rate as in the previous year. On average, Qrator.AntiBot blocked around 2.2 billion bot requests per month in 2025, compared to 1.69 billion per month in 2024.

In previous years, the number of blocked bot requests was distributed relatively evenly throughout the year. In 2025, however, we observed sharp spikes in activity. The first occurred in spring, and the second in autumn–winter. This pattern was driven by two particularly long-lasting and large-scale attacks, which we describe in more detail below.

In 2025, the largest share of bot attacks targeted the Online retail segment (41.1% of all bad bot activity). Unexpectedly, the Healthcare segment (24.9%) moved into second place, overtaking Online betting (17.4%). This shift was again driven by a single extremely long-lasting attack against an organization in the Healthcare segment, which was so large in scale that it significantly affected the annual results.

Starting in Q2 2025, we began analyzing the share of bot traffic relative to the total traffic to the resources we protect — a metric we refer to as the “bot index.” In Q4, this indicator reached 2.5%, while the average for the last nine months of 2025 stood at 2.1%.

As observed in previous quarters, the bot index varies significantly across industries. The four segments most exposed to bot traffic between Q2 and Q4 2025 were Healthcare (8.95%), EdTech (5.63%), Transport&Logistics (5.24%), and Online betting (4.86%). In all other segments, the bot index remained below the overall average.

It is important to note that Qrator.AntiBot allows customers to configure which pages and domains are protected. As a result, the bot index may not account for a significant portion of bot traffic that falls outside the enabled protection scope.

In 2025, the distribution of bot activity by type was as follows: script-based bots accounted for the majority (64.55%). API bots ranked second (31.31%), followed by browser bots (4.14%). The share of browser bots declined noticeably compared to 2024, when they accounted for 5.4%.

Starting in Q2 2025, we moved to a more granular classification, splitting the previously unified category of browser bots into two subcategories:

  • Puppeteer bots — bots that emulate a real user environment while being controlled through external automation.
  • Smart bots — bots that are aware of security checks and actively attempt to bypass them.

Under this updated methodology, the analysis covers the period from Q2 to Q4 2025. During this time, puppeteer bots accounted for 3.27% of bot activity, while smart bots represented 0.23%.

Most notable bad bot attacks in 2025

As noted above, in 2025 we observed two exceptionally long-running bot attacks that were so large in scale they affected the annual results. Each attack lasted for around a month, and the total number of bot requests blocked during the mitigation of each was comparable to the average monthly volume of all bot traffic across all resources protected by us.

The first of these attacks occurred in Q2 and targeted an organization in the E-commerce segment. Over the course of mitigating this attack, Qrator.AntiBot blocked a total of 1.9 billion bot requests.

The second attack took place in Q4 2025 and targeted an organization in the Healthcare segment. During its mitigation, our solution blocked a cumulative total of 3.3 billion bot requests.

The longest and most large-scale bad bot attack of 2025

We also highlight two of the most intensive bad bot attacks observed in 2025 in terms of request rate. The first was recorded in Q2 and targeted an organization in the E-commerce segment, reaching a peak of 441 thousand requests per second.

The second occurred in Q4, targeted an organization in the Online betting segment, and peaked at 329 thousand malicious requests per second.

BGP incidents in 2025

In 2025, the number of unique autonomous systems (ASes) responsible for route leaks remained at virtually the same level as in the previous year. On average, 1,966 ASes per month were involved in route leaks, compared to 1,977 in 2024.

At the same time, the number of unique ASes involved in BGP hijacks declined significantly in 2025 compared to 2024. The average monthly figure fell from 10,412 in the previous year to 8,587 in 2025 — a decrease of approximately 17%.

Global BGP incidents in 2025

Reminder: to identify global BGP incidents, the Qrator.Radar team applies a set of threshold criteria. These include the number of affected prefixes and autonomous systems, as well as the extent to which the anomaly propagates across routing tables.

The dynamics of global BGP incidents differed from those observed for ordinary incidents. In 2025, the number of global route leaks decreased by roughly one third compared to 2024, falling from 33 to 25. At the same time, the number of global BGP hijacks in 2025 remained exactly the same as in the previous year, totaling five incidents.

Detailed findings

  • Among DDoS attack vectors in Q2–Q4 2025, HTTP attacks predominated, accounting for 59.6% of all recorded incidents, followed by UDP flood (20.3%) and IP flood (10.2%).
  • The share of multivector attacks during this period amounted to 8.0%, and in 3.6% of cases, L3-L4 DDoS and L7 DDoS were combined within the same incident.
  • ICMP flood has effectively fallen out of favor among attackers — over the past nine months, it accounted for only a handful of incidents.
  • In 2025, DDoS attacks most frequently targeted the FinTech (26.6%), E-commerce (21.3%), Information and communication technology (13.4%), and Media (11.6%) segments. Together, these four industries accounted for nearly 75% of all DDoS attacks.
  • At the microsegment level, DDoS attacks in 2025 were primarily directed at Payment systems (11.7%), Food retail (11.3%), Media, TV, radio, and bloggers (10.0%), Banks (7.7%), and Digital education (6.7%). Together, these five microsegments accounted for approximately half of all DDoS attacks in 2025.
  • Among the most intensive L3-L4 DDoS attacks recorded in 2025 were two incidents targeting the Betting shops microsegment, with peak traffic rates reaching 3.06 Tbps and 3.51 Tbps — roughly three times higher than the 2024 record (1.14 Tbps). The third-highest attack of the year targeted the Online retail microsegment and peaked at 1.15 Tbps.
  • In 2025, not only record-breaking attacks but also routine ones became significantly more intense compared to 2024: while the average bitrate of UDP flood attacks, which dominate among L3-L4 DDoS attacks, increased by 15%, the median value rose by as much as 57%.
  • The longest DDoS attacks in 2025 targeted the Media, TV, radio, and bloggers (119.2 hours), Betting shops (96.5 hours), and Payment systems (71.4 hours) microsegments.
  • The largest DDoS botnet of 2025 consisted of 5.76 million devices — tens of times larger than the largest botnet observed in 2024 (approximately 227,000 devices). The majority of these devices were located in Brazil (24.5%), Vietnam (11.5%), the United States (11.2%), India (7.1%), and Argentina (2.8%).
  • In 2025, the largest sources of L7 DDoS attacks were Russia (16.82%), Brazil (15.92%), and the United States (11.99%). Brazil’s share increased significantly over the year, making it likely that the country will take first place in this ranking next year.
  • Vietnam also demonstrated particularly strong growth, moving from 12th to 4th place over the year, while Argentina made a notable leap to 7th place in 2025 after not appearing in the top 20 in 2024. We expect the share of developing countries among sources of L7 DDoS attacks to continue increasing in 2026.
  • We attribute the growth of DDoS botnets and the increasing share of developing countries among sources of L7 DDoS attacks to a combination of two factors. First, there is a rapid increase in the number of Internet-connected devices with low levels of security. Second, attackers are increasingly using AI-based tools that automate the discovery and compromise of such devices.
  • Bad bot activity in 2025 was significantly higher (+30%) than in the previous year, with an average of 2.2 billion blocked bot requests per month.
  • The largest share of bad bot attacks targeted the Online retail segment (41.1%), followed by Healthcare (24.9%) and Online betting (17.4%).
  • On average, bot traffic accounted for 2.1% of total traffic across protected resources between Q2 and Q4 2025. The highest “bot index” was observed in Healthcare (8.95%), EdTech (5.63%), Transport&Logistics (5.24%), and Online betting (4.86%).
  • The longest and most large-scale bad bot attack in 2025 occurred in Q4. It targeted the Healthcare segment, lasted for nearly a month, and resulted in more than 3.3 billion bot requests being blocked during its mitigation.
  • In 2025, the number of unique autonomous systems involved in route leaks remained largely unchanged compared to 2024. On average, we observed 1,966 such ASes per month, versus 1,977 a year earlier. At the same time, activity related to BGP hijacks declined noticeably: the average monthly number of unique ASes involved fell from 10,412 in 2024 to 8,587 in 2025, a decrease of 17%.
  • The dynamics of global BGP incidents differed from this overall pattern. In 2025, the number of global route leaks decreased from 33 to 25 incidents, representing a 37% decline compared to 2024. Meanwhile, the number of global BGP hijacks remained unchanged, with five incidents recorded over the year—the same as in the previous year.
