Massive attack capacity: Demonstration attacks peaked at 30Tbps and 4 gigapackets per second, primarily launched by Internet of Things (IoT) botnets such as Aisuru and TurboMirai variants.
AI integration: The use of AI, including dark-web large language models (LLMs), moved from emerging trend to operational reality, making sophisticated attacks accessible to a wider range of threat actors.
Persistent threat actors: Despite international law enforcement efforts, hacktivist groups and commodity botnets maintained high pressure. For example, NoName057(16) claimed more than 200 attacks in July alone, showing resilience even after infrastructure seizures.
Critical infrastructure under pressure: DNS root servers and Network Time Protocol (NTP) services faced relentless attacks, with more than 45,000 NTP-related alerts. Well-architected systems proved resilient, but the persistence of threats was clear.
Targeted sectors and regions: Government, finance, telecom, transportation, and hospitality were the most targeted sectors. Regionally, EMEA led with 3.3 million attacks, followed by APAC, North America, and Latin America.

The latter half of 2025 was not just an evolutionary step, but a fundamental shift in who can launch sophisticated DDoS attacks, how quickly they adapt, and the scale of impact they can achieve.

Key findings

1. Global scale and attack volume
More than 8 million DDoS attacks were recorded across 203 countries and territories, highlighting the persistent and growing operational risk for digitally connected organizations worldwide.
The attack count remained stable compared to the first half of the year, but the nature and sophistication of attacks changed dramatically.

2. Rise of IoT botnets and outbound risk
Massive direct-path attacks in 2025 demonstrated that compromised customer-premises equipment (CPE) can generate outbound floods exceeding 1Tbps, creating significant liability and service-availability risks for broadband providers.
The TurboMirai class of IoT botnets, including Aisuru and Eleven11 (RapperBot), emerged as a major force, capable of launching attacks up to 30Tbps and 4Gpps. Eleven11 alone was linked to more than 3,600 DDoS events between 2021 and mid-2025.

3. AI-enhanced DDoS-for-hire services
DDoS-for-hire platforms are now integrating dark-web LLMs and conversational AI, lowering the technical barrier for launching complex, multivector attacks.
Even unskilled threat actors can now orchestrate sophisticated campaigns using natural-language prompts, increasing risk for all industries.

4. Threat actor collaboration and scale
July 2025 saw a surge of more than 20,000 botnet-driven attacks, with coordinated threat activity overwhelming defenses and disrupting essential services in government, finance, and transportation.
Groups such as Keymous+ demonstrated how partnerships between threat actors can amplify attack power, with collaborative events reaching up to 44Gbps.

5. Critical infrastructure under sustained pressure
High-value services such as DNS root servers and NTP faced continuous attack pressure. At least 38 significant DNS root events were recorded, including a 21Gbps flood against the A root server.
More than 45,000 NTP-related attack alerts were generated, underscoring the need for resilient, globally distributed architectures and robust mitigation strategies.

6. Geographic and sectoral targeting
The most targeted sectors were government agencies, financial services, telecommunications, transportation, and hospitality.
Regionally, EMEA led with 3.3 million attacks, followed by APAC (1.9 million), North America (1.27 million), and Latin America (1.01 million).

7. Multivector and carpet-bombing attacks
More than half of all attacks were multivector, with 42 percent using two to five vectors. Carpet-bombing attacks increased, averaging between 750 and 830 per day in the latter half of 2025.
Attackers frequently blended methods such as DNS amplification, SSDP, SNMP, mDNS, memcached, CLDAP, and mixed TCP floods to maximize disruption.

8. Defensive successes and ongoing challenges
Well-architected systems, especially those using anycast-based defenses, demonstrated resilience and maintained high availability despite continuous attack pressure.
However, the persistence of vulnerable devices and the rapid adaptation of threat actors mean that organizations must remain vigilant and proactive in their defense strategies.

Conclusion

The DDoS threat landscape in late 2025 was defined by sustained global attack volume, increasingly capable IoT botnets, sophisticated threat-actor campaigns, and a decisive move toward AI-enhanced DDoS-for-hire operations. Although the largest attacks remain rare, they continue to shape defensive strategies. The average attack is now short, intense, and multisector, targeting a wide range of industries and geographies.

Organizations must recognize that the democratization of attack tools, especially with AI integration, has lowered the barrier to entry for cybercriminals. Defending against these threats requires not just robust infrastructure, but also adaptive, intelligence-driven strategies that can keep pace with the evolving tactics of adversaries.

To learn more, read NETSCOUT’s 2H 2025 DDoS Threat Intelligence Report.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4155927/how-botnet-driven-ddos-attacks-evolved-in-2h-2025.html

