Craig Lusher from our Secure team provides a comprehensive analysis of the latest Distributed Denial of Service (DDoS) statistics from the first quarter of the year and their implications for cybersecurity trends.

Executive summary

The first quarter of 2025 has revealed significant changes in the DDoS threat landscape, characterised by a substantial increase in attack frequency, the emergence of ‘carpet bombing’ techniques and growing trends targeting the iGaming sector. With attack methodologies evolving and becoming more sophisticated, this report provides critical insights for cybersecurity planning and threat mitigation.

Overview of 1Q 2025

The first quarter of 2025 has shown a noticeable increase in DDoS attack activity, with 161 attacks recorded. This represents a rise from 4Q 2024’s 138 attacks and a dramatic increase from 1Q 2024’s 58 attacks. The most active month was February, which continues to show vulnerability during winter months.

Attack intensity and scale

1Q 2025 showed the following patterns in attack intensity:

• Highest attack size: 7.1 Gbps
• Average attack size: 0.3 Gbps
• Peak MPPS (Megapackets per second): 0.64

While individual attack sizes appear smaller compared to historical peaks (2Q 2023’s 560.6 Gbps), this represents a strategic shift rather than reduced threat capability. Intelligence indicates that attackers now possess capabilities exceeding 500 Gbps but are employing more targeted and distributed approaches that can bypass traditional detection mechanisms.

Industry targeting analysis

1Q 2025 has shown a marked increase in attacks specifically targeting the online gambling and casino sector, with intelligence indicating a 400% rise in attacks against these entities since February. This industry-specific targeting represents a prominent trend that requires specialised attention and defence mechanisms.

Customer report analysis

Key statistics for 1Q 2025:

• Highest number of attacks on a single customer: 86 (down from 96 in 4Q 2024)
• Total attack duration: 88.0 hours
• Longest single attack: 54.0 hours

On 26 February, a carpet-bombing incident targeted 53 networks within a short 6-minute window (03:41-03:47 UTC). While this attack peaked at 150 Gbps with 120 Mpps, its distributed nature allows it to circumvent traditional defence systems, potentially resulting in a significant customer impact.

Quarterly comparison and trends

Comparing 1Q 2025 with recent quarters reveals several trends:

1. Attack volume escalation

• 3Q 2024: 37 attacks
• 4Q 2024: 138 attacks
• 1Q 2025: 161 attacks

This shows a clear trend of increasing attack volumes over the past three quarters, with a 372% increase from 3Q 2024 to 1Q 2025.

2. Attack methodology evolution

• 3Q 2024: Primarily single-target, high-bandwidth attacks reaching 37.0 Gbps
• 4Q 2024: Mixed methodology attacks peaking at 13.4 Gbps
• 1Q 2025: Introduction of carpet bombing and distributed attacks across multiple targets

While individual attack volume metrics appear to show decreasing intensity, this is misleading as attacks are now distributed across multiple targets simultaneously, making traditional detection mechanisms less effective.

3. Customer report patterns

The number of affected customers has increased dramatically in 1Q 2025, indicating a broader targeting strategy. Of particular note is the observed ‘spray’ technique that targets entire network Classless Inter-Domain Routing (CIDR) blocks rather than individual IPs, affecting multiple customers simultaneously.

4. Emerging threat: DDoS carpet bombing

1Q 2025 has seen the emergence of carpet bombing or spray attacks that distribute traffic across multiple hosts within targeted IP ranges. These attacks:

• Use lower traffic per host to stay below traditional detection thresholds
• Can affect multiple customers simultaneously within a targeted network range
• Often serve as reconnaissance for larger attacks, with initial probes in the 1-2 Gbps range
• May be linked to DDoS-for-hire services available on underground forums

Year-over-year analysis

Comparing 1Q 2025 to 1Q 2024 shows significant changes in the threat landscape:

• Total attacks increased by 178% (58 → 161)
• Largest attack size increased by 137% (3.0 Gbps → 7.1 Gbps)
• Emergence of sophisticated carpet-bombing techniques not observed in 1Q 2024

Data breach correlation analysis

Intelligence indicates a notable correlation between DDoS attacks and subsequent data breaches in the iGaming sector. 1Q 2025 has seen examples of multiple organisations experiencing what appears to be a new attack pattern:

1. Initial DDoS attacks serving as diversionary tactics
2. Followed by sophisticated data exfiltration operations
3. Resulting in large-scale data leaks (reaching hundreds of gigabytes)

Unlike traditional ransomware operations, these attacks show no ransom demands prior to data release, indicating a potential shift in threat actor motivations from financial gain to maximum disruption or competitive advantage.

Implications and insights

1. Attack methodology evolution

The transition to carpet-bombing techniques represents a significant evolution in DDoS tactics. These attacks distribute traffic across multiple targets within a network range, using traffic volumes per target that stay below conventional detection thresholds.

2. Industry targeting

Intelligence indicates a targeted campaign against the iGaming sector, with a 400% increase in attacks since February 2025.

3. Attack duration and reconnaissance

The average attack duration has increased dramatically to 4.3 hours, with the longest attack lasting 54 hours. Short, intense attacks (3-6 minutes) are now frequently observed as reconnaissance to test defence capabilities before launching larger campaigns.

Emerging AI-enhanced threats

Intelligence suggests a rising trend of AI technology adoption by threat actors. Self-hosted AI tools are enabling more sophisticated and unpredictable attack patterns that traditional defence mechanisms struggle to detect. These AI-enhanced attacks show several characteristics:

1. Dynamic adaptation to defence mechanisms
2. Improved ability to bypass detection thresholds
3. More convincing social engineering components in blended attacks
4. Enhanced coordination between DDoS attacks and subsequent breach attempts

Recommended defence strategies

Based on 1Q 2025 attack patterns, particularly the emergence of carpet-bombing techniques, the following defence strategies are recommended:

1. Dynamic threshold configuration

   • Implement dynamic rather than static DDoS mitigation thresholds
   • Configure systems to detect and respond to dispersed traffic patterns

2. Advanced rate limiting

   • Implement rate limiting based on source IP, Autonomous System Numbers (ASNs) and geolocation
   • Deploy systems capable of rapid adaptation as attack sources change

3. Enhanced monitoring

   • Configure Security Information and Event Management (SIEM) and Security Operations Centre (SOC) tools to correlate attack signals across multiple hosts
   • Implement real-time alerts for ‘under the radar’ patterns that aggregate into attacks

4. Automated response

   • Deploy Security Orchestration, Automation and Response (SOAR) tools with custom playbooks for rapid automated countermeasures
   • Move beyond static defence methods to adaptive response systems

Looking ahead

The increase in attack volumes and sophistication in 1Q 2025 indicates a significant evolution in the threat landscape. Organisations should prepare for:

1. Continued sophisticated carpet-bombing attacks targeting multiple hosts simultaneously
2. Increased targeting of online gambling and casino operations
3. Short ‘test’ attacks followed by larger, more sustained campaigns
4. Blended attacks where DDoS serves as a distraction for data breach attempts

The 26 February incident, which affected 53 networks within a 6-minute window, demonstrates the effectiveness of these new attack methodologies and highlights the need for enhanced detection and mitigation capabilities.

Continent 8’s DDoS mitigation solution

Our best-in-class DDoS solution continues to evolve and in recent months we have amplified our scrubbing capacity to 5+ Tbps, as well as increased our scrubbing centres geographically deployed across multiple continents. Locations include Los Angeles, Chicago, New York, Miami, London, Amsterdam, Frankfurt, Singapore, Hong Kong and Sao Paulo.

Key features of our mitigation solution:

DDoS protection should also form part of a wider, multi-layered approach to cybersecurity. A 360-degree, end-to-end protection strategy should include DDoS mitigation solution as well as WAF/WAAP protection, MDR/EDR services, SIEM and SOC resources, VAPT assessments, backup solutions, and mobile device, phishing defence and MFA services.

This is the only way to have multiple protections in place for each attack type and to ensure the greatest level of resilience.

To learn more about how Continent 8 can help protect your organisation, contact a member of the team via sales@continent8.com or our Contact Us form.

Craig Lusher from our Secure team provides a comprehensive analysis of the latest Distributed Denial of Service (DDoS) statistics from the fourth quarter of the year and their implications for cybersecurity trends.

Overview of 4Q 2024

The fourth quarter of 2024 marked a significant shift in DDoS attack patterns, with 138 recorded incidents. This represents a substantial increase from 3Q’s 37 attacks, though remaining well below historical peaks like 2Q 2023’s 1,106 attacks. October emerged as the most active month, aligning with historical patterns of increased 4Q activity.

This is a trend not just at Continent 8. In fact, 4Q also happened to see the largest DDoS attack ever recorded, with Cloudflare mitigating a 5.6 (Terabits per second) Tbps Mirai-variant botnet attack on one of their customers on October 29.

Attack intensity and scale

4Q 2024 demonstrated interesting patterns in attack intensity:

• Highest attack size: 13.4 Gbps
• Average attack size: 0.4 Gbps
• Peak Megapackets per second (MPPS): 0.5992

This quarter’s largest attack of 13.4 Gbps represents a decrease from 3Q 2024’s peak of 37.0 Gbps. For perspective, this is dramatically lower than 4Q 2023’s peak of 412.9 Gbps, indicating a significant shift in attack methodologies.

Attack duration patterns

Key statistics for 4Q 2024:

• Average attack duration: 17.6 minutes
• 75% of attacks lasted between 30-45 minutes
• Longest sustained attack: approximately 70 minutes
• Multiple attacks showed consistent duration patterns, suggesting automated tools

Customer report analysis

Key statistics for 4Q 2024:

• Highest number of attacks on a single customer: 96 (increase from 19 in 3Q)
• Total attack duration: 21.1 hours
• Longest single attack: 1.13 hours
• Average attack duration: 17.6 minutes

Quarterly comparison and trends

Comparing 4Q 2024 with recent quarters reveals several interesting trends:

1. Attack volume evolution

• 1Q 2024: 3.0 Gbps peak
• 2Q 2024: 85.5 Gbps peak
• 3Q 2024: 37.0 Gbps peak
• 4Q 2024: 13.4 Gbps peak

This shows a significant escalation in attack frequency during 4Q.

2. Attack intensity progression

• 1Q 2024: 3.0 Gbps peak
• 2Q 2024: 85.5 Gbps peak
• 3Q 2024: 37.0 Gbps peak
• 4Q 2024: 13.4 Gbps peak

While attack frequency increased, intensity continued to decrease throughout the year.

3. Customer report patterns

The decrease in affected customers coupled with the dramatic increase in attacks per customer suggests a shift toward more targeted campaigns.

Year-over-year analysis

Comparing 4Q 2024 to 4Q 2023 shows significant changes in the threat landscape:

• Total attacks decreased by 26% (187 → 138)
• Number of affected customers decreased by 63% (27 → 10)
• Largest attack size decreased by 97% (412.9 Gbps → 13.4 Gbps)

Implications and insights

1. Attack evolution

The higher volume but lower intensity of attacks suggests a fundamental shift in attacker strategies, focusing on persistent, lower-threshold campaigns rather than high-impact events.

2. Targeting patterns

The concentration of attacks on fewer customers, with more attacks per target, indicates a move toward more sophisticated, focused operations.

3. Attack duration

The shorter average attack duration (17.6 minutes) combined with increased frequency suggests a tactical shift toward ‘pulse’ style attacks rather than sustained campaigns.

Looking ahead

While individual attack intensities have decreased significantly year-over-year, the dramatic increase in frequency and focus on specific targets suggests an evolution in threat actors’ strategies. The pattern of increased 4Q activity appears to be holding true, though manifesting differently than in previous years.

Organisations should prepare for:

• Continued high-frequency, lower-intensity attacks
• More targeted attack campaigns
• Potential seasonal variations in attack patterns
• The need for detection of lower-threshold attacks

Continent 8’s DDoS mitigation solution

Our best-in-class DDoS solution continues to evolve and in recent months we have amplified our scrubbing capacity to 5+ Tbps, as well as increased our scrubbing centres geographically deployed across multiple continents. Locations include Los Angeles, Chicago, New York, Miami, London, Amsterdam, Frankfurt, Singapore, Hong Kong and Sao Paulo.

Key features of our mitigation solution:

DDoS protection should also form part of a wider, multi-layered approach to cybersecurity. A 360-degree, end-to-end protection strategy should include DDoS mitigation solution as well as WAF/WAAP protection, MDR/EDR services, SIEM and SOC resources, VAPT assessments, backup solutions, and mobile device, phishing defence and MFA services.

This is the only way to have multiple protections in place for each attack type and to ensure the greatest level of resilience.

To learn more about how Continent 8 can help protect your organisation, contact a member of the team via sales@continent8.com or our Contact Us form.

Craig Lusher from our Secure team provides a comprehensive analysis of the latest DDoS statistics from the third quarter of the year and their implications for cybersecurity trends.

Overview of 3Q 2024

The third quarter of 2024 has continued to show relatively low DDoS attack activity, with 37 attacks recorded. This represents a slight increase from 2Q’s 32 attacks but remains significantly lower than the 359 attacks recorded in 3Q 2023. The most active month was July, which aligns with historical patterns of increased summer activity.

Attack intensity and scale

3Q 2024 showed some interesting patterns in attack intensity:

• Highest attack size: 16.8 Gbps
• Average attack size: 0.8 Gbps
• Peak MPPS (Megapackets per second): 0.32

This quarter’s largest attack (16.8 Gbps) represents a significant decrease from 2Q 2024’s peak of 85.5 Gbps. For perspective, this is dramatically lower than the massive attacks seen in 2023, which peaked at 560.6 Gbps in Q2 2023, and over 1Tbps prior to that.

Customer impact analysis

Key statistics for 3Q 2024:

• Highest number of attacks on a single customer: 19 (up from 7 in 2Q)
• Total attack duration: 25.0 hours
• Longest single attack: 3.48 hours

Quarterly comparison and trends

Comparing 3Q 2024 with recent quarters reveals several interesting trends:

1. Attack volume stabilization

• 1Q 2024: 58 attacks
• 2Q 2024: 32 attacks
• 3Q 2024: 37 attacks

This shows a relative stabilisation at lower attack volumes compared to 2023’s numbers.

2. Attack intensity evolution

• 1Q 2024: 3.0 Gbps peak
• 2Q 2024: 85.5 Gbps peak
• 3Q 2024: 16.8 Gbps peak

While more intense than 1Q, 3Q’s attacks remained relatively moderate compared to historical peaks.

3. Customer impact patterns

The consistent number of affected customers over 2Q and 3Q 2024 suggests a stable threat landscape, though individual customers faced more repeated attacks in 3Q.

Year-over-year analysis

Comparing 3Q 2024 to 3Q 2023 shows a dramatic shift in the threat landscape:

• Total attacks decreased by 90% (359 → 37)
• Largest attack size decreased by 89% (149.7 Gbps → 16.8 Gbps)

Implications and insights

1. Attack evolution

The lower volume but moderate intensity of attacks suggests a shift in attacker strategies, possibly focusing on more targeted, strategic attacks rather than broad campaigns.

2. Attack duration

The average attack duration of 2 hours shows a trend toward longer, more sustained attacks compared to previous quarters, potentially indicating more sophisticated attack strategies.

Looking ahead

While attack volumes remain relatively low compared to 2023 and previous, the increase in attacks per individual customer and attack duration suggests continued evolution in threat actors’ strategies. Organisations should maintain robust DDoS protection despite the lower overall attack volumes, as the pattern of attacks suggests more targeted and potentially more sophisticated approaches.

The historical pattern of increased activity during major sporting events and holiday periods suggests potential for increased activity in the upcoming quarters, particularly with various significant events on the horizon.

This analysis demonstrates the importance of maintaining comprehensive DDoS protection and the value of Continent 8’s multi-layered security approach, even during periods of relatively low attack volume.

Continent 8’s DDoS mitigation solution

Our best-in-class DDoS solution continues to evolve and in recent months we have amplified our scrubbing capacity to 5+ Tbps, as well as increased our scrubbing centres geographically deployed across multiple continents. Locations include Los Angeles, Chicago, New York, Miami, London, Amsterdam, Frankfurt, Singapore, Hong Kong and Sao Paulo.

Key features of our mitigation solution:

DDoS protection should also form part of a wider, multi-layered approach to cybersecurity. A 360-degree, end-to-end protection strategy should include DDoS mitigation solution as well as WAF/WAAP protection, MDR/EDR services, SIEM and SOC resources, VAPT assessments, backup solutions, and mobile device and phishing defence services.

This is the only way to have multiple protections in place for each attack type and to ensure the greatest level of resilience.

To learn more about how Continent 8 can help protect your organisation, contact a member of the team via sales@continent8.com or our Contact Us form.

A Distributed Denial-of-Service (DDoS) attack, whether large or small, can cause significant downtime and financial loss.

But what exactly is a DDoS attack?

In this blog, Craig Lusher, Product Principal of Secure Solutions at Continent 8 Technologies, will explore what a DDoS attack is, the different types of DDoS attacks, and the best practices for mitigating DDoS attacks.

What is a DDoS attack?

A DDoS attack is like an unexpected traffic jam on an otherwise free-flowing highway. The attacks attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming it with a flood of Internet traffic.

DDoS attacks leverage multiple compromised computer systems as sources of attack traffic, including computers and Internet of Things (IoT) devices. They involve networks of Internet-connected devices infected with malware, controlled remotely by attackers and forming a botnet.

The process begins with the attacker creating the botnet by infecting multiple devices. Next, they send remote commands to the botnet, which then sends numerous requests to the target’s IP address. This flood of requests overwhelms the server or network, resulting in a denial-of-service for legitimate traffic.

Several high-profile DDoS attacks have made headlines in recent months, showcasing the damage these attacks can inflict, regardless of industry.

• On August 9 and 10, DDoS attacks hit Final Fantasy 14 (FFXIV) online role-playing gaming data centres for two straight days. The DDoS attacks caused log-in delays and large-scale disconnections, preventing players from logging into the critically acclaimed massively multiplayer online role-playing game (MMORPG).
• On August 8, a DDoS attack targeted the Kursk Region’s local services, as per the Ministry of Digital Development, Communications and Mass Media of the Russian Federation. The perpetrators aimed to potentially disrupt social services, damage the online infrastructure and/or obtain access to user data, but all attacks were successfully thwarted.
• On July 30, a DDoS attack resulted in an eight-hour Azure outage. The Azure outage had global reach, impacting a subset of customers attempting to connect to a range of Azure, Microsoft 365 and Microsoft Purview services.

Types of DDoS attacks

DDoS attacks come in various forms. DDoS attacks can be categorised into three main types based on which part of the network connection they target.

Volumetric attacks

A volumetric attack aims to overwhelm the bandwidth between the target and the Internet with massive amounts of data. The attack often uses amplification techniques to ensure it consumes all available bandwidth.

A good example is Domain Name System (DNS) amplification. This method is done through a small query to an open DNS server with a spoofed IP address, resulting in a large response being sent to the victim, ultimately overwhelming their bandwidth.

Protocol attacks

A protocol attack exploits weaknesses in network protocols, particularly layers 3 and 4 of the protocol stack. It disrupts service by consuming server resources or network equipment resources like firewalls and load balancers.

SYN flood is a popular method. It overwhelms the target by sending many TCP SYN packets with spoofed IP addresses, exhausting resources by never completing the TCP handshake.

Application layer attacks

The application layer attack targets the application itself, often appearing as legitimate traffic. It exhausts the target’s resources and creates a denial-of-service. The attack preys on the application layer (Layer 7 of the OSI model) where web pages are generated and delivered in response to HTTP requests.

HTTP flood method, for example, generates multiple HTTP requests to flood the server. These requests overwhelm the server and cause a denial-of-service. These can range from simple attacks with one URL and similar IP addresses to complex attacks using many IP addresses and random URLs.

Mitigation methods – A defence-in-depth, multi-layered approach

The main challenge in mitigating a DDoS attack is distinguishing between legitimate traffic and attack traffic. For example, a legitimate surge from a product release differs from an attack surge from known attackers.

These attacks are also multi-vector. This means they use multiple pathways to overwhelm targets, making it harder to distinguish between attack and normal traffic. A layered approach, such as combining DNS amplification (targeting layers 3/4) with an HTTP flood (layer 7), requires varied strategies for mitigation.

Due to these complexities, protecting a site from DDoS attacks requires a multi-layered approach. In the event of unforeseen circumstances, having a clear plan in place for responding to DDoS attacks can minimise downtime and damage.

Finding a service specialising in DDoS solutions can be a great help, but there are layers to the mitigation process.

• It begins with securing all devices and keeping them updated to prevent their compromise and inclusion in a botnet. Regular updates and patches are particularly crucial for mitigating application layer attacks.
• In DDoS mitigation, more redundancy means more reliability. Scaling network redundancy enhances reliability by distributing resources across multiple data centres, which helps balance the load during an attack. Increasing network bandwidth can also aid in handling volumetric attacks.
• Having on-demand capacity to increase the resources to the affected asset. This can be achieved by either expanding vertically, by adding larger throughput connectivity or laterally by adding additional connectivity or by using Content Delivery Networks (CDNs) which absorb excess traffic by taking the load off the origin servers.
• Implementing rate or connection limiting using Web Application Firewalls (WAFs). Rate and connection limiting controls the number of requests and connections a server accepts in a given timeframe.
• Effective traffic monitoring combined with behavioral analytics is essential for identifying and responding to unusual patterns. In this case, traffic analysis tools improve efficiency.
• Deploying WAFs and using advanced Intrusion Protection Systems (IPS) to act as a reverse proxy can help filter out malicious traffic. WAFs are also key to mitigating protocol attacks.

At Continent 8, we advocate for a ‘defence-in-depth’ strategy, where multiple layers of security controls are implemented throughout the organisation’s IT environment. This ensures that if one layer is breached, additional layers are in place to prevent or mitigate the attack.

Continent 8’s defence-in-depth, multi-layered approach includes:

1. Coarse filtering: Ad-Hoc upstream traffic filtering and DDoS scrubbing
2. Medium filtering: Managed access control lists at the network edge
3. Medium/fine filtering: Layer 3 and 4 DDoS scrubbing
4. Fine filtering: Layer 7 Web Application and API Protection (WAAP) rate limiting and filtering
5. Polish: Traffic delivery with Endpoint Detection and Response/Managed Detection and Response (EDR/MDR) solutions and managed updates and hardening
6. Log event monitoring and threat protection: Security Operations Centre (MSOC) and Security Incident and Event Management (SIEM) threat detection and response

Continent 8 for complete DDoS protection

Continent 8 offers the most comprehensive cybersecurity solutions equipped to meet today’s emerging DDoS threats.

• DDoS solution: Our DDoS service offers a global network with 5 Tbps> of DDoS scrubbing and network capability. This ensures businesses are protected from volumetric layer 3/4 attacks.
• EDR and MDR solution: Our EDR and MDR services ensure comprehensive protection for endpoints against advanced threats such as ransomware, malware and phishing attempts. These solutions monitor endpoint activity in real-time, detect anomalies and respond to threats promptly.
• Firewall solution: Our Firewall service includes customisable IDS/IPS capabilities. When combined with our SOC service, IDS/IPS events are enriched with specific threat intelligence and ingested into our SIEM platform. Our SOC analysts can then deliver powerful insights into a customer’s current threat state and perimeter activities, providing detection, prevention and responses to known and emerging threats.
• SOC and SIEM solution: Our SOC and SIEM services deliver continuous 24x7x365 monitoring, advanced threat detection to identify anomalies and potential risks, integrated threat intelligence to stay ahead of evolving and high-impact threats and a cutting-edge SIEM architecture for high-performance analytics and efficient incident management.
• WAAP solution: Our WAAP service defends web applications and APIs from threats like OWASP Top 10 vulnerabilities such as SQL injection, cross-site scripting, as well as credential stuffing, site scraping, malicious bots and other vulnerabilities and exploits. This cloud-based solution is scalable and flexible, allowing businesses to adapt their security measures as needed.

Cybersecurity solutions for a safer tomorrow

Continent 8 provides comprehensive, multi-layered threat prevention, detection and response solutions to secure your organisation’s digital assets in the face of evolving cyber threats. For more information on how Continent 8 can support your cybersecurity initiatives, email sales@continent8.com or fill out our Contact Us page.