Top 10 DDoS Attacks
A Distributed Denial of Service attack occurs when attackers overwhelm a targeted server or network with a high volume of traffic generated from numerous distributed systems. The goal is simple: exhaust the target’s resources so legitimate users cannot access services. In some cases, attackers focus on saturating bandwidth. In others, they target specific applications or network components to interrupt communication between users and digital platforms.
Because attack traffic is launched from geographically dispersed devices across multiple networks, mitigation becomes technically challenging. Organizations that rely heavily on online systems, including e-commerce platforms, financial institutions, SaaS providers, and transportation services, can experience immediate operational disruption when availability is affected. Even short interruptions may result in financial losses, service delays, and reputational impact.
Recent industry data illustrates how sharply the threat landscape has intensified. According to StormWall’s 2025 DDoS statistics report, the total number of DDoS attacks worldwide increased by 198 percent in 2025 compared to 2024, reflecting a dramatic rise in attack frequency within a single year.

Industries with the highest year-over-year growth in DDoS attacks. (Source: StormWall’s 2025 DDoS statistics report)
In this article, we examine some of the most significant DDoS attacks and explore how their scale, techniques, and impact have evolved over time.
The Deutsche Bahn DDoS Attack, 2026
In February 2026, Germany’s national railway operator, Deutsche Bahn, was targeted by a large-scale Distributed Denial-of-Service (DDoS) attack that disrupted its digital booking and passenger information systems. The attack began on February 17 and continued into February 18, affecting the company’s websites and its DB Navigator mobile application.

According to Deutsche Bahn, the attack occurred in waves and reached substantial scale. Customers experienced difficulties accessing online ticket purchases and real-time travel information. While train operations continued, the temporary disruption of digital services created widespread inconvenience for passengers who rely on online platforms for journey planning.
By February 18, the company reported that countermeasures had minimized the impact and that services were returning to normal. No group claimed responsibility, and Deutsche Bahn did not attribute the attack to any specific actor.
The 29.7 Tbps Aisuru DDoS Attack, 2025
In the third quarter of 2025, Cloudflare disclosed what it described as one of the most powerful Distributed Denial-of-Service attacks ever recorded. The attack, attributed to the Aisuru botnet, reached a staggering 29.7 terabits per second (Tbps), marking a significant escalation in hyper-volumetric DDoS activity. Unlike earlier record-breaking incidents that relied primarily on amplification techniques, this event reflected the maturation of massive, globally distributed botnet infrastructure capable of overwhelming targets through sustained, high-intensity traffic floods.
Aisuru, an ultrasophisticated botnet estimated to consist of between one and four million infected hosts worldwide, had already been active throughout 2025. However, during Q3, its activity intensified dramatically. Cloudflare reported that hyper-volumetric attacks exceeding 1 Tbps and 1 billion packets per second (Bpps) became routine, with such attacks averaging 14 per day. The 29.7 Tbps peak stood out as a defining moment in this surge.
The record-breaking event was characterized as a UDP carpet-bombing attack. Rather than focusing traffic on a limited set of ports or endpoints, the botnet bombarded an average of 15,000 destination ports per second. Packet attributes were randomized in an apparent effort to evade signature-based defenses and overwhelm mitigation systems through distribution and entropy. In addition to the bandwidth peak, Aisuru also launched attacks reaching 14.1 billion packets per second, underscoring the scale and packet-processing pressure such campaigns generate.

Mitigated DDoS attacks. (Source: Cloudflare’s Q3 2025 DDoS threat report)
Cloudflare stated that its autonomous mitigation systems detected and neutralized the attack without human intervention. This detail is particularly significant, as the majority of Q3 2025 attacks ended in under ten minutes, leaving no realistic window for manual response. The company also reported mitigating 1,304 hyper-volumetric Aisuru attacks during the quarter alone, reflecting a 54% quarter-over-quarter increase in such activity.
Beyond the technical metrics, the broader implications of Aisuru’s operations were notable. The botnet targeted telecommunications providers, financial services, gaming platforms, and hosting companies. According to public reporting, the volume of traffic routed through U.S. Internet Service Providers during some campaigns caused collateral disruption, even when those ISPs were not the intended targets. Portions of Aisuru’s infrastructure were reportedly offered as botnet-for-hire services, lowering the barrier to launching nation-scale disruption.
The 29.7 Tbps Aisuru attack represented more than a new numerical record. It illustrated how DDoS operations in 2025 evolved into automated, hyper-volumetric campaigns capable of targeting backbone infrastructure and critical services with little warning. The incident reinforced a clear reality: defensive capacity must now operate at Internet scale, and mitigation must be fully autonomous to match the speed and magnitude of modern botnet activity.
The 7.3 Tbps DDoS Attack Against a Hosting Provider, 2025
In mid-May 2025, Cloudflare disclosed that it had blocked what was at the time the largest Distributed Denial-of-Service attack ever recorded, peaking at 7.3 terabits per second (Tbps). The attack targeted a hosting provider using Cloudflare’s Magic Transit service and marked a new milestone in hyper-volumetric DDoS activity.
The assault lasted approximately 45 seconds but delivered an extraordinary 37.4 terabytes of data during that short window. The campaign was characterized as a multivector attack, with roughly 99.996% of the traffic identified as UDP floods. The attack also included smaller components such as reflection and amplification techniques leveraging services like NTP, QOTD, Portmap, and RIPv1.
The attack employed a carpet-bombing strategy, targeting an average of nearly 22,000 destination ports of a single IP address, with peaks exceeding 34,000 ports per second. Traffic originated from more than 122,000 source IP addresses across over 5,400 autonomous systems spanning 161 countries, reflecting the globally distributed nature of modern botnets.
Cloudflare reported that the attack was detected and mitigated autonomously across its global anycast network without human intervention. By distributing traffic across hundreds of data centers, the mitigation systems absorbed and filtered the flood in real time.
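The port-spread pattern described for this attack and for the 29.7 Tbps Aisuru attack (UDP from many sources, spread evenly over thousands of destination ports of one IP within a second) can be checked for in flow records. The sketch below is an added example, not code from Cloudflare or the original article; the `Flow` record layout, the thresholds (scaled down for the sample) and the sample records are assumptions.

```python
import math
import random
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float       # epoch seconds
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"


def normalized_entropy(counts):
    """Shannon entropy of a Counter, scaled to [0, 1] (1 = perfectly even spread)."""
    total = sum(counts.values())
    if len(counts) < 2:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))


def detect_carpet_bombing(flows, min_ports=500, min_sources=50, min_entropy=0.9):
    """Flag (dst_ip, second) windows where UDP traffic from many sources is
    spread evenly over many destination ports. Thresholds are assumptions."""
    ports, sources = defaultdict(Counter), defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        key = (f.dst_ip, int(f.ts))
        ports[key][f.dst_port] += 1
        sources[key].add(f.src_ip)
    alerts = []
    for (dst_ip, second), port_counts in sorted(ports.items()):
        entropy = normalized_entropy(port_counts)
        n_src = len(sources[(dst_ip, second)])
        if len(port_counts) >= min_ports and n_src >= min_sources and entropy >= min_entropy:
            alerts.append({"dst_ip": dst_ip, "second": second,
                           "distinct_ports": len(port_counts),
                           "distinct_sources": n_src,
                           "port_entropy": round(entropy, 3)})
    return alerts


def build_sample(seed=7):
    """Constructed flow records (documentation IP ranges), not real traffic."""
    rng = random.Random(seed)
    flows = []
    # Busy DNS resolver: many clients, a single destination port.
    for _ in range(3000):
        flows.append(Flow(100 + rng.random(), f"198.51.100.{rng.randrange(1, 255)}",
                          "192.0.2.53", 53, "udp"))
    # Media relay: 600 ports in use, but only 10 peers.
    for port in range(40000, 40600):
        flows.append(Flow(100.5, f"198.51.100.{port % 10 + 1}", "192.0.2.20", port, "udp"))
    # Carpet-bombing pattern: many sources, randomized ports, one target IP, one second.
    for _ in range(20000):
        flows.append(Flow(200 + rng.random(), f"203.0.113.{rng.randrange(1, 255)}",
                          "192.0.2.10", rng.randrange(1, 65536), "udp"))
    return flows


if __name__ == "__main__":
    for alert in detect_carpet_bombing(build_sample()):
        print(alert)
```

Only the third group is flagged: the resolver fails the port-count test and the relay fails the source-count test, which is why the check combines port spread, entropy and source diversity rather than relying on any single signal.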
The DDoS Attack on Google’s Customer, 2022
According to Google’s blog: Starting from June 1, a customer utilizing Google Cloud Armor encountered a sequence of HTTPS-based DDoS attacks, reaching their peak at an astonishing 46 million requests per second. This occurrence marks the most substantial Layer 7 DDoS attack on record, surpassing the previously reported record by at least 76%. To put the scale of this attack into perspective, it is akin to receiving the total daily requests directed at Wikipedia within 10 seconds.

The incident reportedly commenced at around 9:45 a.m. PT, initiating with 10,000 requests per second, then rapidly surging to 100,000 RPS within eight minutes, followed by an additional escalation to a staggering 46 million RPS within just two more minutes, reaching its zenith at 10:18 a.m. PT. The entire DDoS assault persisted for a duration of 69 minutes.
Google highlighted, “The attack leveraged encrypted requests (HTTPS), which would have taken added computing resources to generate.” The characteristics of the geographical distribution and the types of vulnerable services exploited in this attack closely resembled the Mēris family of attacks. Another interesting point is that in September 2021, the Mēris botnet was linked to a DDoS attack on the Russian internet giant Yandex, reaching a peak of 21.8 million RPS.
The GitHub DDoS Attack of 2018
On February 28, 2018, GitHub encountered a formidable DDoS attack, measuring a staggering 1.35 terabits per second and enduring for approximately 20 minutes. According to GitHub’s assessment, the traffic originated from “over a thousand distinct autonomous systems spanning tens of thousands of unique endpoints.” Despite GitHub’s proactive preparations for a DDoS attack, their defensive measures were overwhelmed. They were completely unaware that an assault of such magnitude would be launched.

Hackers identified a chance to exploit the Memcached caching system by directly transmitting 1.3 Tbps of data to GitHub’s servers. Notably, this approach diverged from the conventional employment of a zombie bot network. The utilization of memcached servers enabled the hackers to magnify their assault by a staggering factor of 50,000. Luckily, the attack persisted for only 20 minutes thanks to GitHub’s robust DDoS defense protocols. Within 10 minutes of the attack’s commencement, an alert was triggered, prompting the protection service to swiftly halt the DDoS assault before it could escalate beyond control.
Mirai Botnet Attacks of 2016
In September 2016, during its peak, the Mirai botnet orchestrated substantial Distributed Denial of Service attacks, temporarily incapacitating prominent services and websites, including OVH, Dyn, and Krebs on Security. These attacks reached unprecedented levels, surpassing 1 Tbps as reported by OVH, marking them as the most extensive on public record up to that date.
The remarkable aspect of these attacks was in their execution through unassuming Internet-of-Things (IoT) gadgets such as household routers, air quality monitors, and personal surveillance cameras. Mirai’s pinnacle saw the compromise of more than 600,000 susceptible IoT devices.
- Brian Krebs, a cybersecurity expert, encountered a staggering event in September 2016, when his blog fell victim to a DDoS attack surpassing 620 Gbps. This attack by Mirai Botnet established a new record at the time for its immense scale. Despite Krebs having documented 269 DDoS attacks since July 2012, this attack was nearly three times more substantial than any previous occurrence experienced by his website or the entire internet.
- Mirai also targeted OVH, a prominent hosting provider in Europe. According to their official statistics, OVH is responsible for hosting around 18 million applications catering to over a million clients, with notable entities like Wikileaks being among their most renowned and debated clients. Based on OVH’s telemetry data, the attack reached its maximum intensity at 1TBps and was executed by harnessing a network of 145,000 Internet of Things (IoT) devices.
On September 30, 2017, the individual nicknamed Anna-senpai, suspected of being the creator of Mirai, made the Mirai source code public by sharing it on a notorious hacking forum. Alongside this release, Anna-senpai wrote a forum post declaring their withdrawal from their activities. This event triggered a surge in imitative hackers who launched their own Mirai botnets. From this point on, the Mirai attacks ceased to be attributed to a solitary actor or infrastructure, instead becoming associated with numerous groups.

- As for the most famous attack of Mirai Botnet, on October 21, 2016, Dyn, a prominent provider of Domain Name System (DNS), encountered an onslaught of traffic reaching a staggering one terabit per second, setting a fresh benchmark for DDoS attacks. Some indications suggest that this DDoS assault might have surged to a rate of 1.5 terabits per second. The deluge of traffic resulted in the incapacitation of Dyn’s services, causing a range of renowned websites such as GitHub, HBO, Twitter, Reddit, PayPal, Netflix, and Airbnb to become inaccessible. Dyn’s Chief Strategy Officer Kyle York affirmed, “We identified tens of millions of distinct IP addresses linked to the Mirai botnet that played a role in the attack.”
The Spamhaus Attack, 2013
Another instance of the largest-ever attack during that period occurred in 2013, targeting Spamhaus, an entity dedicated to countering spam emails and associated spam-related actions. Playing a pivotal role in filtering up to 80% of all spam, Spamhaus naturally drew attention from individuals keen on ensuring that spam emails reach their intended destinations. According to Cloudflare’s data, during this attack, an immense flow of traffic, surging at a staggering 300 Gbps, was directed toward Spamhaus. Once the assault was initiated, the consequences were swiftly felt.
Under the united banner of ‘STOPhaus,’ the assemblage comprised a diverse cohort of hackers who convened on March 17, 2013, to orchestrate what would rapidly evolve into an assault generating an overwhelming 300+ gigabits per second of traffic against spamhaus[.]org. The group perceived this anti-spam organization as an imminent threat to their spam-related endeavors.
The ‘STOPhaus’ collective realized that Spamhaus had fortified itself with Cloudflare’s protection. After this point, the attackers shifted their focus from Spamhaus to Cloudflare, but the company managed to mitigate the threat.

However, the attack, channeling a torrent of around 300 billion bits of data per second, was of such magnitude that it briefly incapacitated Cloudflare, a company that specializes in fortifying organizations against such attacks, causing a momentary service interruption. Cloudflare named it “The Attack that Almost Broke the Internet.”
The Six Banks DDoS Attack, 2012
The Six Banks DDoS Attack of 2012 involved powerful, coordinated attacks on major U.S. banks. These attacks aimed to disrupt online services, revealing digital vulnerabilities and the potential impact of such cyber assaults. A group named “Izz ad-Din al-Qassam Cyber Fighters” declared plans to launch DDoS attacks on key U.S. banks in protest. The attacks were supposedly retaliation for an anti-Islam video. Targets included Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank, PNC Bank, and Capital One.
Employing diverse tactics, the attackers used botnets and sophisticated application-layer attacks to flood targeted banks’ websites. The attacks were executed through a multitude of compromised servers drawn from a botnet known as Brobot, with each assault producing a staggering flow of over 60 gigabits of DDoS attack traffic per second. The Six Banks DDoS Attack significantly disrupted the targeted financial institutions. Prolonged traffic onslaughts led to online banking service interruptions and slower responses, underscoring large institutions’ vulnerability to cyber threats.
Banks responded by bolstering cybersecurity and collaborating with law enforcement and cybersecurity firms to investigate. Though the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility, the group’s identity and motives remained contentious.
The Estonia DDoS Attacks, 2007
During April 2007, the decision of the Estonian government to relocate the Bronze Soldier statue, a Soviet war memorial, from a prominent site in Tallinn to a military cemetery stirred profound discontent among the ethnic Russian population within Estonia, leading to demonstrations and civil unrest. Consequently, this controversy evolved into a cyber confrontation marked by organized DDoS attacks directed at key targets like Estonian government websites, financial institutions, media platforms, and crucial online services.
The DDoS attack against Estonia distinguished itself through its extensive scope and intricate execution. Perpetrators harnessed botnets, complex networks of compromised computers manipulated by malicious operators, to inundate designated websites and servers with overwhelming data traffic. The primary objective of this inundation was to disrupt the operational availability of online services, rendering these platforms inaccessible to legitimate users.

The repercussions of this assault reverberated significantly across Estonia’s digital framework and societal fabric. Government websites, financial institutions, media outlets, and other vital services confronted disruptions, causing financial setbacks and impeding the daily lives of Estonians. The gravity of the situation escalated to the extent that experts from NATO and the European Union were enlisted to assist in lessening the consequences of the attack and reinforcing Estonia’s cyber defenses.
Thus, this attack stands as a pivotal event in the history of cyber warfare. It underscored the vulnerability of modern societies to cyber-attacks and emphasized the importance of proactive cybersecurity measures. Furthermore, the incident also raised awareness about the need for international collaboration in addressing cyber threats and paved the way for discussions on defining norms and rules for cyberspace.
The Mafiaboy DDoS Attacks, 2000
During the formative stages of the internet’s security protocols, a young Canadian hacker going by the online alias “Mafiaboy” executed a massive Distributed Denial-of-Service (DDoS) assault in 2000, disrupting numerous high-profile websites. In this era, the term “DDoS attack” had not gained widespread recognition, and the Mafiaboy incident attracted considerable attention to this developing threat.
Mafiaboy, whose actual identity is Michael Calce, was a 15-year-old high school student from Montreal, Canada. Equipped with fundamental hacking know-how and driven to showcase his prowess, he initiated an assault on some of the internet’s most prominent platforms. In February 2000, Mafiaboy meticulously orchestrated DDoS attacks targeting major websites, including household names like Yahoo!, Amazon, eBay, CNN, and Dell. Employing a compromised computer network, colloquially termed a “botnet,” he inundated these websites with an overwhelming deluge of traffic. This inundation of traffic effectively flooded the servers, rendering the websites inaccessible to legitimate users.
![Figure 2. CNN’s website at that time. (blackhatethicalhacking[.]com)](https://socradar.io/wp-content/uploads/2023/08/cnn-website-unavailable.jpg.webp)
The repercussions of the Mafiaboy attack reverberated widely, affecting the targeted websites and the larger internet community. The websites in the crosshairs experienced extended downtime, incurring financial losses and tarnishing their reputations. The attack also underscored the vulnerabilities ingrained in the internet’s foundational structure and the latent potential for malicious actors to exploit these weaknesses. Ultimately, Mafiaboy faced legal ramifications for his actions and was brought to justice. In September 2001, he admitted guilt to 55 charges tied to the attack.
Nonetheless, the Mafiaboy incident reverberated as a clarion call for the Internet community, triggering debates about cybersecurity’s paramount importance and the pressing necessity for enhanced safeguards against DDoS attacks. It was an unequivocal demonstration of the considerable havoc an individual fueled by determination could wreak upon the digital landscape. This episode galvanized businesses and organizations to allocate resources toward bolstering their security measures, recognizing the imperative of proactive defense mechanisms.
Conclusion
The rapid escalation of Distributed Denial of Service attacks, both in terms of their scale and complexity, underscores the urgent need for enterprises to bolster their defenses against these growing threats. To effectively safeguard against DDoS attacks, it is imperative to grasp their operational mechanisms and analyze the prevailing tactics. You can use the SOCRadar Labs-DOS Resiliency tab for free to measure your strength in this situation. The DoS Resilience Service allows you to check your domain’s or subnet’s resilience against DoS attacks such as Slowloris. After determining your strengths and weaknesses with DOS Resiliency, you can use the SOCRadar Attack Surface Management module, whatever action you need to take. Our solution for managing the external attack surface offers security teams immediate insight into all internet-exposed technological resources currently in use, along with assets linked to IP, DNS, domain, and cryptographic infrastructure, facilitated by sophisticated algorithms for comprehensive internet-wide monitoring.

For more information on DDoS attacks and mitigation methods, check out our other blog post.


