AI‑driven threat coordination, resilient botnets, and weaponized IoT devices are reshaping the global DDoS landscape, according to NETSCOUT’s latest threat intelligence report.
NETSCOUT today released its second‑half 2025 DDoS Threat Intelligence Report, revealing a dramatic escalation in the scale, sophistication, and coordination of global Distributed Denial‑of‑Service (DDoS) attacks. The report recorded more than eight million attacks worldwide, with peak assaults reaching 30 terabits per second (Tbps) a benchmark that signals the arrival of hyper‑scale DDoS campaigns capable of overwhelming even well‑protected networks.
The analysis shows that DDoS threats have entered a new maturity phase, characterised not only by sheer volume but by multi‑vector complexity, coordinated botnets, and AI‑assisted exploitation. Attackers are leveraging compromised IoT devices, customer‑premises equipment, and vast botnet ecosystems to launch direct‑path attacks that increasingly impact broadband and mobile providers. Some outbound floods exceeded 1 Tbps, creating service, liability, and reputational risks for operators.
A major insight from the report is the rise of adaptive, multi‑vector strategies, with 42% of observed attacks combining two to five different vectors often shifting mid‑attack to evade mitigation systems. High-value internet services such as NTP and DNS continue to face sustained pressure, reinforcing the need for robust, globally resilient architectures.
“Adversaries are scaling faster than traditional defences can keep up. Hyper‑coordinated DDoS operations are now a business‑level risk, demanding automated, intelligent countermeasures.” — Richard Hummel, Director, Threat Intelligence, NETSCOUT
July 2025 also witnessed a surge of more than 20,000 botnet‑driven attacks in a single month, demonstrating how coordinated threat groups can rapidly overwhelm critical sectors including government, finance, and transportation. Despite international takedowns of DDoS‑for‑hire operations, hacktivist groups remain persistent and increasingly well‑organised.
The report also highlights a massive 219% rise in dark‑web references to malicious AI tools, illustrating how threat actors are using large language models to automate reconnaissance, exploit vulnerabilities, and expand botnet infrastructure. Groups such as Keymous+ reportedly boosted their attack bandwidth nearly fourfold by combining resources.
NETSCOUT’s findings are based on more than 15 years of directly observed attack telemetry, monitoring global peak traffic of over 800 Tbps across 376 industry verticals and 12,698 Autonomous System Numbers (ASNs).
The company cautioned that enterprises must now match adversarial innovation with autonomous, intelligent, and proactive DDoS defences to avoid operational disruption on unprecedented scales.