Reports

2025
DDoS Trends Report

Predictions Based on MazeBolt Research into DDoS Attacks

DOWNLOAD THE PDF

Executive Summary

Why does the risk of Distributed Denial-of-Service (DDoS) attacks continue to rise?

DDoS attacks surged almost a third (30%) in the first half of 2024 compared to the same period in the previous year. Moreover, DDoS attacks on critical infrastructure increased by 55% in the last four years.

Hacktivist groups motivated by political and ideological agendas are driving the current growth in DDoS attacks. Moreover, today’s DDoS attacks may utilize advanced botnets to implement sophisticated attack methods that ensure that they are harder to detect and neutralize.

As the DDoS risk increases, awareness of why DDoS attacks persist is a key challenge. Security leaders need to promote an understanding that the main reason DDoS attacks still succeed is due to the existence of unidentified DDoS vulnerabilities. Therefore, the only way to mitigate the risk of attack is through a process of continuous testing, vulnerability identification, timely remediation, and validation.

This type of ongoing, proactive approach is crucial to maintaining DDoS resilience and supporting the business continuity of online services.

This report provides insight into MazeBolt’s DDoS predictions for 2025, based on our own research and reports in the media during 2024.

DDoS Attack Trends for 2025

Based on MazeBolt’s internal and market research, we can expect to see the following DDoS attack trends continuing throughout 2025:

Threat to Democratic Elections

Politically motivated hackers can be expected to continue targeting countries undergoing election cycles. The attacks are likely to be both in the months leading up to elections as well as after the polls have opened. These types of attacks may be successful in causing downtime of electoral websites and infrastructure, and they can undermine the public confidence in election results.

Greater Enforcement of Compliance Requirements

Companies will continue to invest in adapting their cybersecurity processes to meet the more stringent regulations that came into effect recently, avoid stiff fines.

In-Depth Reporting

Companies will need to provide in-depth, timely DDoS resilience and attack reports, to meet the regulations, and this will create a greater need for the ongoing visibility and 

Companies will need to provide in-depth, timely DDoS resilience and attack reports, to meet the regulations, and this will create a greater need for the ongoing visibility and attack prevention capabilities provided by continuous DDoS vulnerability testing.

attack prevention capabilities provided by continuous DDoS vulnerability testing.

Industries at Greater Risk

Companies in the industries of banking and financial services, insurance, healthcare, and transportation are expected to continue being targeted more than other industries throughout 2025.

DDoS-for-Hire Services

DDoS-for-Hire gives less technically proficient threat actors an easy way into the hacking industry, by making it easier to launch DDoS attacks. The increase in DDoS-for-Hire tools is particularly notable in Asia and is connected to the rising risk of DDoS attacks across multiple sectors. DDoS-for-Hire gives users the ability to carry out an unwarranted performance, on a network.

2024 DDoS Attack Analysis

A closer look at recently reported DDoS attacks shows that new DDoS attack techniques and emerging vulnerabilities are creating significant challenges for organizations that are trying to protect their digital services. Here are the most significant attack trends that emerged based on the data from recent DDoS attacks.

The Threat to Democratic Elections

2024 was a landmark year in electoral politics, with 50 countries plus the European Union – representing a total of over 2 billion voters – holding elections. Politically motivated DDoS attacks took place in countries in the months leading up to elections as well as after the polls opened.

In some cases, the DDoS attacks were successful in disrupting critical election infrastructure, causing downtime, and undermining the confidence of the public in the reliability of election results. DDoS attacks peaked around critical dates, indicating a coordinated effort to disrupt electoral processes.

Funding for the work of the threat actors, including both criminal groups and hacktivists, allegedly was provided by nation-states.

Examples of DDoS attacks during election cycles include:

US

What is a DDoS Attack? Elon Musk Claims Cyberattack Delayed Trump Interview

France

First Round of French Election: Party Attacks and a Modest Traffic Dip

Venezuela

Venezuela’s Election as seen in Cyberspace

More Stringent Compliance Regulations

With the DORA and NIS2 Directive regulations in the EU, and new SEC regulations in the US, 2024 has seen a significant shift in the stringency of DDoS testing. One of the key aspects of the regulations involves more in-depth, transparent, and timely reporting requirements – and continuous DDoS testing is essential to complying with these requirements.

Enterprises doing business in Europe and the US must enhance their cybersecurity processes to meet the new regulations and avoid hefty fines. The DORA regulations, for example, are based on the following five pillars:

High-Profile Arrests of Perpetrators of DDoS Attacks

Law enforcement officials are also making the headlines – with a number of instnaces in which the authorities have taken steps to detain groups responsible for high-profile DDoS attacks. In some cases, the arrest led to a new rash of DDoS attacks in response. For example, after the arrest of Telegram’s CEO Pavel Durov, several hacking groups launched a #FreeDurov DDoS campaign against online services in France. Here are some of the stories covered in the media:

US

Two Sudanese Nationals Indicted for Alleged Role in Anonymous Sudan Cyberattacks on Hospitals, Government Facilities, andother Critical Infrastructure in Los Angeles and Around the world

France

Telegram’s CEO & Founder Durov Under Arrest: Cybercriminals React

UK

17-Year-Old Linked to Scattered Spider Cybercrime Syndicate Arrested in UK

Spain

Spanish Police Arrest Three Suspects Linked to Pro-Moscow NoName057(16) Hackers

Japan

International Investigation of DDoS Leads to Oita Man’s Arrest

Cambodia

Anti-government Hackers Arrested After Attacks on Cambodian Official Websites

A Shift in DDoS Public Awareness?

DDoS attacks on big name brands such as Disney+ in France, KFC in Italy, and Starbucks in the US were discussed in online forums and on social media. While these attacks were not confirmed publicly as DDoS attacks, the headlines associating them with DDoS are indicative of an increase in public awareness of DDoS dangers.

Top DDoS Targets: Breakdown by Industry

The following industries were the worst hit by DDoS attacks:

Finance

Disrupted online services and availability,
causing financial
and reputational damages

Healthcare

Targeted the patient management systems and telemedicine platforms used by healthcare providers

Government

Often coincided with political events; aimed to erode public trust and disrupt administrative functions

Transportation

Disrupt airlines and railway booking systems; exposed or blocked access to sensitive data; and impacted supply chains

While many organizations try to hide cyber breaches, the information that did become public made it clear that the most frequently attacked organizations provide financial services.

These include banks, payment processors, and other financial organizations. After financial services, the industries most targeted include healthcare, government organizations, and transportation.

The Most Prevalent Types of DDoS Attacks

The impact of a DDoS attack depends on several factors, including the scale of an attack, the nature of the attack, and the ability of the target system to handle the attack. While the frequency of DDoS attacks continues to rise, the attacks are also evolving in complexity and scale. For example, sophisticated DDoS attack methods are being implemented by advanced botnets such as the botnet malware family Gorilla.

In recent months, a marked increase has been seen specifically in the following types of DDoS attacks:

A Growing Threat: DDoS-for-Hire Services

Typically, DDoS attacks were carried out by highly skilled hackers with access to large networks of compromised devices, often referred to as botnets. With the rise of the commercialization of cybercrime, a new and concerning trend has emerged: DDoS as a Service (DDoSaaS). This trend significantly lowers the barrier to entry for launching powerful DDoS attacks. It is a model that allows individuals with limited technical skills to utilize botnet infrastructure and launch attacks against targets of their choice.

Greater Accessibility

DDoSaaS platforms are available on the dark web – as well as through “legitimate” channels on the open internet, where they are marketed as “stress testing” services. (By masquerading as legitimate services, they can be sold on the open internet). “Legitimate” channels include Telegram Channels, DDoS-for-Hire Forums and API-based DDoS Platforms.

These services provide simple, web-based dashboards and interfaces, allowing users to easily configure and launch attacks without requiring in-depth technical knowledge.

Users can usually select from various DDoS attack types, including volumetric floods, protocol attacks, and application layer attacks.

Greater Affordability

Services are typically offered through tiered subscription plans, with prices ranging from as low as $10 (on sale!) to $500 per month. Pricing often depends on factors like attack duration, volume, frequency, and the number of concurrent targets.

Most platforms accept easy-to-use payment methods such as cryptocurrency payments – particularly Bitcoin, for anonymity. Some services even accept PayPal and other payment methods.

More Effective

DDoSaaS providers maintain networks of compromised devices (frequently called botnets) to carry out attacks. These botnets can sometimes generate very high traffic volumes.

Many of these services utilize reflection and amplification methods to increase attack power and effectiveness.

Most platforms offer features to hide users’ identities, like not tracking IP addresses and encouraging VPN/Tor network usage.

Providers Operate Like Legitimate Businesses

Many DDoSaaS providers offer customer support, tiered service packages, and performance guarantees. Some even offer Service Level Agreements (SLAs) and refunds if an attack doesn’t achieve the desired outcome.

Beyond DDoS, some platforms offer other malicious tools like IP trackers or credential stuffing services.

DDoSaaS is Contributing to a Notable Surge in DDoS Attacks

The proliferation of DDoSaaS has democratized cyberattacks, making them accessible to anyone with malicious intent and a modest budget. As a result, organizations must be more vigilant than ever, adopting proactive cybersecurity measures. Businesses can reduce the risk of downtime, protect their reputation, and ensure the continuity of their operations by:

•  Understanding the mechanics of DDoSaaS  
• Implementing robust defenses
•  Continuously testing for DDoS vulnerabilities

DDoSaaS is not just a passing fad. It’s a growing business that has solidified its place in the cybercrime ecosystem. The best defense is to be proactive, continuously test for vulnerabilities, and adapt to the changing threat landscape.

Drill-Down: Top Attacks

The tables below provide insight into DDoS attacks published in the media during the third quarter of 2024. See also MazeBolt’s attack reports for Q1 and Q2.

July

August

September

Key Takeaways

Even with the best DDoS protections in place, the MazeBolt research team has found out, on average, 37% of an organization’s DDoS attack surface still remains vulnerable to DDoS attacks. This is because, over time, changes in IT systems and online services lead to security policy drift that results in DDoS vulnerabilities and misconfigurations, which leave organizations unprotected.

Shifts in the DDoS attack landscape that were particularly noteworthy this year included:

• The growing number of attacks disrupting elections
• New and more stringent compliance regulations that went into effect (NIS2, DORA)
• Greater public awareness of DDoS – in response to both the headlines around high-profile arrests of perpetrators of DDoS attacks, and several alleged DDoS attacks on big name brands
• Increased adoption of the business model known as DDoS-for-Hire services

 Protecting organizations from damaging DDoS attacks – and thereby strengthening the business continuity of online services – requires: 

Continuous
DDoS Testing

Sharpening of Operational Resilience

Transparency
and Reporting

Regulatory
Compliance

About MazeBolt

MazeBolt RADAR™ is a patented DDoS Vulnerability Management solution. Using thousands of non-disruptive DDoS simulations and without affecting online services, it can identify and enable the remediation of vulnerabilities in deployed DDoS defenses. RADAR™ enables organizations and governments to maintain the uninterrupted business continuity of online services. Using RADAR’s patented vulnerability simulation technology, enterprises have unparalleled visibility into their DDoS protection solutions so they can be confident that damaging DDoS attacks can be prevented – before they happen.

Read more at: https://www.mazebolt.com

Research and Analysis

Access Full Guide

Frost & Sullivan Report

Organizations in many industries are reporting a 300% increase in damaging DDoS attacks this year. As the risk of DDoS attacks continues to surge, organizations are realizing the need to incorporate DDoS Vulnerability Management capabilities to supplement their current DDoS solutions. In parallel, industry compliance requirements create an urgent need for in-depth DDoS vulnerability testing and reporting.

Frost & Sullivan’s report, “Ongoing Vulnerability Testing for DDoS Protection,” explores the main reasons organizations are vulnerable to damaging DDoS attacks and how you can mitigate the risk through continuous, automated DDoS testing and vulnerability identification.

In this report, you will learn:

• Why DDoS attacks are increasing
• The business impact of DDoS attacks
• Why current DDoS mitigation approaches are unreliable
• The importance of ongoing maintenance of security policies
• How proactive, continuous DDoS testing mitigates the risk

Access Full Report

CIOReview

Access Full Guide

Maintaining Business Continuity

Business continuity represents one of the highest organizational priorities in the digital economy. When online services are driving the business around the clock, companies must ensure their architectures are resilient against attacks, including distributed denial of service (DDoS) attacks, which represent the most significant cyber threat to business continuity.

This interview with Matthew Andriani looks at how the industry needs to make a shift in DDoS protection deployments by moving away from a ‘deploy and trust’ approach to a proactive vulnerability identification and remediation philosophy.

What you will learn

• How to augment your existing DDoS defense solutions
• How MazeBolt is taking a different approach from traditional manual DDoS testing solutions
• Strengthening the walls of Cybersecurity and protecting business reputation
• How to ensure that all vulnerabilities are identified and eliminated before an attack