During the second quarter of 2025, network security monitoring systems recorded a spike in extremely large-scale distributed denial-of-service (DDoS) attacks, called “hyper-volumetric DDoS”, with peaks of up to 7.3 terabits per second (Tbps) and 4.8 billion packets per second (Bpps) within 45 seconds, the highest ever recorded.

While the overall number of DDoS attacks fell sharply to 7.3 million in the second quarter of 2025, compared to 20.5 million in the first quarter, “hyper-volumetric DDoS” attacks increased dramatically.

[Image. Photo: The Hacker News]

Overview of the second quarter of 2025

| Index | Data for the first quarter of 2025 | Data for the second quarter of 2025 | Notes |
| --- | --- | --- | --- |
| Total DDoS attacks | 20.5 million | 7.3 million | Dropped dramatically, owing to the 18-day campaign in the first quarter |
| Hyper-volumetric DDoS | Unknown | 6,500 cases (71 cases per day on average) | Most impactful |
| Network-layer DDoS attacks (L3/4) | ~16.8 million | 3.2 million | 81% down from first quarter |
| HTTP DDoS attacks (L7) | ~3.8 million | 4.1 million | 9% increase |
| Ransom DDoS demands | - | Increase by 68% | Worrying trend |
| Attacks exceeding 100 million packets per second | - | Increase by 592% | Extreme blockage |
| Attacks over 1 Tbps (L3/4) | - | Up 1,150% | Five out of every 10,000 cases reach this threshold. |
| HTTP DDoS exceeding 1 million requests per second | - | 6% of the total | That’s a lot higher than last year. |

Increasingly sophisticated offensive tactics

DDoS attacks are no longer merely “floods” that push large amounts of traffic to jam the system. Instead, attackers are combining:

  • Huge attacks that put direct pressure on bandwidth, servers and security systems.
  • Small, quiet probes aimed at identifying vulnerabilities, configuration weaknesses, or weakly defended areas.

This approach helps to sidestep traditional defense systems, which typically focus on detecting obvious or high-volume anomalous behavior.

What is worrying is that many attacks are now cleverly designed to “hide” in valid traffic, making detection ever more difficult. This means that a system may be under attack without anyone noticing until the service begins to slow down or is interrupted.

Common attack techniques (Layer 3/4):

  1. DNS Flood: sends a large number of DNS queries to jam the domain resolution system
  2. TCP SYN Flood: exploits TCP’s three-way handshake to deplete server resources
  3. UDP Flood: sends unsolicited traffic to random ports, causing disruption and consuming bandwidth

Main targets

Most attacked sectors:

  1. Telecommunications services and carriers
  2. Internet and IT infrastructure
  3. Online gaming
  4. Gambling and Betting

Countries most attacked (based on Cloudflare customers’ billing country):

  1. China
  2. Brazil
  3. Germany
  4. India
  5. South Korea
  6. Turkey
  7. Hong Kong
  8. Vietnam
  9. Russia
  10. Azerbaijan

Vietnam is now among the top 10 most attacked countries, reflecting a rising level of cybersecurity risk. This is not surprising: over the years, regulators such as the Ministry of Information and Communications have repeatedly warned that IoT devices in the country are not properly secured, for example by leaving the default password unchanged, failing to update software (firmware), or opening network ports without protective configuration. These weaknesses make it easy for devices to be hijacked and then enrolled in botnets that carry out large-scale DDoS attacks.

In addition, Vietnam’s digital infrastructure is developing strongly, especially in areas such as e-commerce, digital finance (fintech), online education and healthcare. These industries depend heavily on constant, stable network access, which makes them attractive targets for ransom attacks.

The reported DDoS attacks were traced to traffic sources in countries such as:

  • Emergence
  • Singapore
  • Hong Kong
  • Argentina
  • Ukraine

Threat from DemonBot botnet and insecure IoT devices

One of the most serious risks now comes from botnets, especially a variant called DemonBot. This malware targets devices running Linux, most commonly low-security IoT devices such as security cameras, routers and video recorders.

DemonBot compromises devices through three main weaknesses:

  • Network ports left open without protection
  • Weak or default SSH passwords
  • Old firmware that has not been updated

Once hijacked, these devices can be mobilized to generate massive attack traffic, targeting services such as online games, storage platforms, or enterprise systems. This is how many large-scale DDoS attacks are organized without the attacker needing infrastructure of their own.

Recommendations for users and businesses

To minimize the risk of exploitation, basic precautions should be taken immediately:

For individuals and households:

  • Update the firmware of network and IoT devices regularly
  • Replace the default password with a unique, strong one
  • Disable or restrict remote access through unnecessary network ports
  • Use smart DNS firewalls and filters in combination

For enterprises:

  • Perform periodic security assessments of the entire system
  • Consider implementing a dedicated DDoS protection service, especially for online platforms that require 24-hour availability
  • Monitor network traffic for early detection of irregularities
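
The three network-layer techniques listed earlier (DNS flood, TCP SYN flood, UDP flood) each leave a distinct per-second signature that traffic monitoring can key on. The sketch below is an added example, not code from the Cloudflare report or the original article; the record layout, the thresholds and the 192.0.2.x addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

# Assumed per-second alert thresholds for a small site; tune to your own baseline.
SYN_PPS, SYN_ACK_RATIO = 200, 10.0   # SYNs/s and SYN-to-ACK ratio
DNS_QPS = 300                        # UDP/53 packets/s to one resolver
UDP_PPS, UDP_PORTS = 300, 100        # UDP packets/s spread over many ports

def classify(packets):
    """packets: iterable of (ts, proto, dst_ip, dst_port, tcp_flags).
    Returns a sorted list of (second, dst_ip, label) alerts."""
    win = defaultdict(lambda: {"syn": 0, "ack": 0, "dns": 0, "udp": 0, "ports": set()})
    for ts, proto, dst, port, flags in packets:
        w = win[(int(ts), dst)]          # one-second window per destination
        if proto == "tcp":
            if flags == "S":
                w["syn"] += 1            # handshake step 1 (SYN only)
            elif "A" in flags and "S" not in flags:
                w["ack"] += 1            # handshake step 3 or established traffic
        elif proto == "udp":
            if port == 53:
                w["dns"] += 1
            else:
                w["udp"] += 1
                w["ports"].add(port)
    alerts = []
    for (sec, dst), w in win.items():
        # Many SYNs that are never completed by an ACK: half-open connections.
        if w["syn"] >= SYN_PPS and w["syn"] / max(w["ack"], 1) >= SYN_ACK_RATIO:
            alerts.append((sec, dst, "tcp-syn-flood"))
        if w["dns"] >= DNS_QPS:
            alerts.append((sec, dst, "dns-flood"))
        # High UDP rate scattered across many ports rather than one service.
        if w["udp"] >= UDP_PPS and len(w["ports"]) >= UDP_PORTS:
            alerts.append((sec, dst, "udp-flood"))
    return sorted(alerts)

def sample_traffic():
    """Constructed sample using documentation addresses, not captured data."""
    pkts = []
    for i in range(50):   # second 0: normal web traffic, handshakes complete
        pkts += [(i / 100, "tcp", "192.0.2.10", 443, "S"),
                 (i / 100, "tcp", "192.0.2.10", 443, "A")]
    pkts += [(1 + i / 1000, "tcp", "192.0.2.10", 443, "S") for i in range(500)]
    pkts += [(2 + i / 1000, "udp", "192.0.2.53", 53, "") for i in range(400)]
    pkts += [(3 + i / 1000, "udp", "192.0.2.10", 20000 + i, "") for i in range(400)]
    return pkts

if __name__ == "__main__":
    for alert in classify(sample_traffic()):
        print(alert)
```

Fixed thresholds like these catch only the flood cases; the low-volume probing that hides in valid traffic needs comparison against a learned baseline of normal behavior.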

While the number of DDoS attacks in the second quarter of 2025 tended to decrease compared to the previous quarter, the level of danger increased significantly. Larger, more sophisticated attacks are often accompanied by evasion tactics and ransom demands.

In that context, with Vietnam already among the most targeted countries, users and businesses cannot be complacent. Enhancing security, proactively preventing attacks and building response capacity early are key to reducing damage and protecting digital systems in the long term.

According to Cloudflare reports