AI-fuelled DDoS attacks surge past eight million globally

NETSCOUT reported more than eight million distributed denial-of-service (DDoS) attacks worldwide in the second half of 2025, with the largest reaching 30 terabits per second. It attributed the surge to coordinated botnets, compromised internet-connected devices and a growing market for DDoS-for-hire services.

In its DDoS Threat Intelligence Report, NETSCOUT said it identified attacks across 203 countries and territories. The data suggests broader participation in DDoS activity as services that sell access to attack infrastructure lower barriers for less skilled actors.

NETSCOUT also noted shifts in how attacks are assembled and run, including greater use of multiple attack vectors within the same incident, increased reliance on compromised internet of things hardware and customer equipment, and stronger coordination among threat actors.

Multi-vector tactics

About 42% of DDoS attacks used two to five distinct attack vectors, according to the report. Some shifted tactics mid-incident, complicating detection and mitigation for organisations that rely on static filtering and basic thresholds.

The report highlighted direct-path attacks originating from compromised devices connected to access networks. Outbound floods exceeding 1 Tbps can be generated by infected IoT devices and customer-premises equipment, creating risk for broadband and mobile operators.

These outbound events can disrupt service providers even when they are not the direct target. Large traffic surges can congest networks, increase customer complaints and raise questions about security controls and abuse handling.

Critical services hit

Critical internet services, including network time protocol and domain name system infrastructure, remain under sustained pressure, NETSCOUT said. Attackers often target these services because they can be abused for amplification and because disruption can cascade across dependent systems.

The report also described concentrated pressure on government, finance and transportation services during coordinated events. NETSCOUT cited a surge of more than 20,000 botnet-driven attacks in July 2025 as an example of how quickly a campaign can overwhelm defences.

Takedowns of DDoS-for-hire platforms have not removed the underlying supply of compromised devices or the motivation of hacktivist groups, the report said. NETSCOUT described botnets and politically motivated collectives as resilient, with the ability to regroup or shift infrastructure.

AI in the mix

Artificial intelligence is now in routine use among cybercriminal communities, NETSCOUT said. It described large language models being used on dark web channels to support vulnerability exploitation and botnet expansion.

NETSCOUT also reported a 219% increase in mentions of malicious AI tools on underground forums. The report cited Keymous+ as an example of threat-actor partnerships and said such collaboration has increased available bandwidth by nearly fourfold.

While security teams increasingly discuss AI use by defenders, the report framed attacker adoption as a driver of efficiency, enabling faster reconnaissance, quicker iteration of attack playbooks and more scalable campaigns through shared tooling.

Measurement approach

NETSCOUT said it maps DDoS activity through passive internet vantage points and bases its reporting on directly observed attack traffic. It does not aggregate multiple alerts or geographically distributed events into composite peak values.

According to its methodology, peak metrics represent single-second maximum rates for bits-per-second and packets-per-second at defined mitigation and monitoring points. NETSCOUT said this approach keeps results comparable across reporting periods.

NETSCOUT said it protects two-thirds of routed IPv4 space and monitors tens of thousands of daily DDoS attacks by tracking multiple botnets and DDoS-for-hire services. In the second half of 2025, it said its visibility covered 376 industry verticals and 12,698 autonomous system numbers, with global peak traffic on monitored edges exceeding 800 Tbps.

Beyond volume, the report framed the challenge as changing attacker behaviour. Modern incidents often include reconnaissance and adaptive evasion as well as traffic floods, increasing the burden on defenders trying to distinguish malicious traffic from legitimate demand.

Richard Hummel, director of threat intelligence at NETSCOUT, said organisations that lag on DDoS readiness face greater exposure as attackers increase the scale and complexity of incidents.

"Threat actors identify organizations that haven't invested in the right defenses to stay ahead of sophisticated and coordinated DDoS attacks to take down critical infrastructure," Hummel said. "Traditional security defenses are no longer working, and with attackers hitting new attack size and complexity ceilings, implementing automated and proactive defenses has become a business-level risk mandate - not just a technical concern for security professionals."

NETSCOUT said DDoS-for-hire services, botnet coordination and compromised-device infrastructure will continue to shape the threat landscape as attackers refine multi-vector techniques and expand the pool of available resources.