Analysing Continent 8 Technologies' DDoS attack data for 1Q 2025

Craig Lusher from our Secure team provides a comprehensive analysis of the latest Distributed Denial of Service (DDoS) statistics from the first quarter of the year and their implications for cybersecurity trends.

Executive summary

The first quarter of 2025 has revealed significant changes in the DDoS threat landscape, characterised by a substantial increase in attack frequency, the emergence of ‘carpet bombing’ techniques and growing trends targeting the iGaming sector. With attack methodologies evolving and becoming more sophisticated, this report provides critical insights for cybersecurity planning and threat mitigation.

Overview of 1Q 2025

The first quarter of 2025 has shown a noticeable increase in DDoS attack activity, with 161 attacks recorded. This represents a rise from 4Q 2024’s 138 attacks and a dramatic increase from 1Q 2024’s 58 attacks. The most active month was February, continuing the pattern of heightened vulnerability during the winter months.

Attack intensity and scale

1Q 2025 showed the following patterns in attack intensity:

  • Highest attack size: 7.1 Gbps
  • Average attack size: 0.3 Gbps
  • Peak MPPS (Megapackets per second): 0.64

While individual attack sizes appear smaller compared to historical peaks (2Q 2023’s 560.6 Gbps), this represents a strategic shift rather than reduced threat capability. Intelligence indicates that attackers now possess capabilities exceeding 500 Gbps but are employing more targeted and distributed approaches that can bypass traditional detection mechanisms.

Industry targeting analysis

1Q 2025 has shown a marked increase in attacks specifically targeting the online gambling and casino sector, with intelligence indicating a 400% rise in attacks against these entities since February. This industry-specific targeting represents a prominent trend that requires specialised attention and defence mechanisms.

Customer report analysis

Key statistics for 1Q 2025:

  • Highest number of attacks on a single customer: 86 (down from 96 in 4Q 2024)
  • Total attack duration: 88.0 hours
  • Longest single attack: 54.0 hours

On 26 February, a carpet-bombing incident targeted 53 networks within a short 6-minute window (03:41-03:47 UTC). While this attack peaked at 150 Gbps with 120 Mpps, its distributed nature allows it to circumvent traditional defence systems, potentially resulting in a significant customer impact.

Quarterly comparison and trends

Comparing 1Q 2025 with recent quarters reveals several trends:

  1. Attack volume escalation

  • 3Q 2024: 37 attacks
  • 4Q 2024: 138 attacks
  • 1Q 2025: 161 attacks

This shows a clear trend of increasing attack volumes over the past three quarters, with a 372% increase from 3Q 2024 to 1Q 2025.

  2. Attack methodology evolution

  • 3Q 2024: Primarily single-target, high-bandwidth attacks reaching 37.0 Gbps
  • 4Q 2024: Mixed methodology attacks peaking at 13.4 Gbps
  • 1Q 2025: Introduction of carpet bombing and distributed attacks across multiple targets

While individual attack volume metrics appear to show decreasing intensity, this is misleading as attacks are now distributed across multiple targets simultaneously, making traditional detection mechanisms less effective.

  3. Customer report patterns

The number of affected customers has increased dramatically in 1Q 2025, indicating a broader targeting strategy. Of particular note is the observed ‘spray’ technique that targets entire network Classless Inter-Domain Routing (CIDR) blocks rather than individual IPs, affecting multiple customers simultaneously.

  4. Emerging threat: DDoS carpet bombing

1Q 2025 has seen the emergence of carpet bombing or spray attacks that distribute traffic across multiple hosts within targeted IP ranges. These attacks:

  • Use lower traffic per host to stay below traditional detection thresholds
  • Can affect multiple customers simultaneously within a targeted network range
  • Often serve as reconnaissance for larger attacks, with initial probes in the 1-2 Gbps range
  • May be linked to DDoS-for-hire services available on underground forums

Year-over-year analysis

Comparing 1Q 2025 to 1Q 2024 shows significant changes in the threat landscape:

  • Total attacks increased by 178% (58 → 161)
  • Largest attack size increased by 137% (3.0 Gbps → 7.1 Gbps)
  • Emergence of sophisticated carpet-bombing techniques not observed in 1Q 2024

Data breach correlation analysis

Intelligence indicates a notable correlation between DDoS attacks and subsequent data breaches in the iGaming sector. 1Q 2025 has seen examples of multiple organisations experiencing what appears to be a new attack pattern:

  1. Initial DDoS attacks serving as diversionary tactics
  2. Followed by sophisticated data exfiltration operations
  3. Resulting in large-scale data leaks (reaching hundreds of gigabytes)

Unlike traditional ransomware operations, these attacks show no ransom demands prior to data release, indicating a potential shift in threat actor motivations from financial gain to maximum disruption or competitive advantage.

Implications and insights

  1. Attack methodology evolution

The transition to carpet-bombing techniques represents a significant evolution in DDoS tactics. These attacks distribute traffic across multiple targets within a network range, using traffic volumes per target that stay below conventional detection thresholds.

  2. Industry targeting

Intelligence indicates a targeted campaign against the iGaming sector, with a 400% increase in attacks since February 2025.

  3. Attack duration and reconnaissance

The average attack duration has increased dramatically to 4.3 hours, with the longest attack lasting 54 hours. Short, intense attacks (3-6 minutes) are now frequently observed as reconnaissance to test defence capabilities before launching larger campaigns.

Emerging AI-enhanced threats

Intelligence suggests a rising trend of AI technology adoption by threat actors. Self-hosted AI tools are enabling more sophisticated and unpredictable attack patterns that traditional defence mechanisms struggle to detect. These AI-enhanced attacks show several characteristics:

  1. Dynamic adaptation to defence mechanisms
  2. Improved ability to bypass detection thresholds
  3. More convincing social engineering components in blended attacks
  4. Enhanced coordination between DDoS attacks and subsequent breach attempts

Recommended defence strategies

Based on 1Q 2025 attack patterns, particularly the emergence of carpet-bombing techniques, the following defence strategies are recommended:

  1. Dynamic threshold configuration

    • Implement dynamic rather than static DDoS mitigation thresholds
    • Configure systems to detect and respond to dispersed traffic patterns
  2. Advanced rate limiting

    • Implement rate limiting based on source IP, Autonomous System Numbers (ASNs) and geolocation
    • Deploy systems capable of rapid adaptation as attack sources change
  3. Enhanced monitoring

    • Configure Security Information and Event Management (SIEM) and Security Operations Centre (SOC) tools to correlate attack signals across multiple hosts
    • Implement real-time alerts for ‘under the radar’ patterns that aggregate into attacks
  4. Automated response

    • Deploy Security Orchestration, Automation and Response (SOAR) tools with custom playbooks for rapid automated countermeasures
    • Move beyond static defence methods to adaptive response systems
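
The cross-host correlation recommended above can be sketched as follows. This is an added example, not Continent 8's code: it sums per-host traffic by covering prefix and compares the total with that prefix's own baseline, so a spray that stays under the per-host threshold is still flagged. The function names, thresholds, /24 aggregation and sample rates are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

def build_sample():
    """Constructed one-minute sample: destination IP -> inbound Mbps.
    Addresses come from documentation ranges, not real networks."""
    rates = {f"203.0.113.{i}": 40.0 for i in range(1, 101)}  # spray: 100 hosts x 40 Mbps
    rates["198.51.100.10"] = 900.0  # single-target flood
    rates["198.51.100.11"] = 5.0    # ordinary traffic
    return rates

def per_host_alerts(rates, host_threshold_mbps=500.0):
    """Static per-host check: fires only when one destination exceeds the threshold."""
    return sorted(ip for ip, mbps in rates.items() if mbps >= host_threshold_mbps)

def carpet_bombing_alerts(rates, baseline_mbps, prefix_len=24, factor=5.0,
                          floor_mbps=1000.0, min_hosts=20,
                          host_threshold_mbps=500.0):
    """Flag prefixes whose aggregate traffic is abnormal although no host is.

    A prefix is reported when its total is at least max(factor x baseline,
    floor), at least min_hosts destinations receive traffic, and the busiest
    host is still below the per-host threshold.
    """
    totals, hosts = defaultdict(float), defaultdict(set)
    for ip, mbps in rates.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        totals[net] += mbps
        hosts[net].add(ip)
    alerts = []
    for net, total in totals.items():
        # Dynamic threshold: scaled from this prefix's baseline, with a floor
        threshold = max(factor * baseline_mbps.get(str(net), 0.0), floor_mbps)
        peak_host = max(rates[ip] for ip in hosts[net])
        if (total >= threshold and len(hosts[net]) >= min_hosts
                and peak_host < host_threshold_mbps):
            alerts.append({"prefix": str(net), "total_mbps": total,
                           "hosts": len(hosts[net]), "peak_host_mbps": peak_host})
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    baseline = {"203.0.113.0/24": 300.0, "198.51.100.0/24": 200.0}  # assumed baselines
    print("per-host:", per_host_alerts(sample))
    print("per-prefix:", carpet_bombing_alerts(sample, baseline))
```

On the constructed sample the per-host check reports only the single-target flood, while the prefix-level check reports the sprayed /24.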

Looking ahead

The increase in attack volumes and sophistication in 1Q 2025 indicates a significant evolution in the threat landscape. Organisations should prepare for:

  1. Continued sophisticated carpet-bombing attacks targeting multiple hosts simultaneously
  2. Increased targeting of online gambling and casino operations
  3. Short ‘test’ attacks followed by larger, more sustained campaigns
  4. Blended attacks where DDoS serves as a distraction for data breach attempts

The 26 February incident, which affected 53 networks within a 6-minute window, demonstrates the effectiveness of these new attack methodologies and highlights the need for enhanced detection and mitigation capabilities.

Continent 8’s DDoS mitigation solution

Our best-in-class DDoS solution continues to evolve, and in recent months we have amplified our scrubbing capacity to 5+ Tbps and increased the number of scrubbing centres deployed across multiple continents. Locations include Los Angeles, Chicago, New York, Miami, London, Amsterdam, Frankfurt, Singapore, Hong Kong and Sao Paulo.

Key features of our mitigation solution:

DDoS protection should also form part of a wider, multi-layered approach to cybersecurity. A 360-degree, end-to-end protection strategy should include a DDoS mitigation solution as well as WAF/WAAP protection, MDR/EDR services, SIEM and SOC resources, VAPT assessments, backup solutions, and mobile device, phishing defence and MFA services.

This is the only way to have multiple protections in place for each attack type and to ensure the greatest level of resilience.

To learn more about how Continent 8 can help protect your organisation, contact a member of the team via sales@continent8.com or our Contact Us form.
