October 2025 experienced a notable escalation in distributed denial-of-service (DDoS) activity, with a 14.69% increase in total observed attacks compared to September. While the majority of attacks continued to fall within the 0–5 Gbps range, the distribution of attack sizes shifted meaningfully. High-capacity “mega” attacks exceeding 100 Gbps increased by 500%, and several higher packet-rate tiers saw substantial growth. This suggests that malicious actors have regained or expanded access to higher-bandwidth botnet infrastructure capable of executing more impactful network saturation events. Smaller and more frequent lower-volume attacks also increased, indicating ongoing automated probing and persistent service disruption attempts across a broad set of organizations.
One of the most significant developments was the rise in carpet-bombing DDoS attacks, which accounted for 20.71% of all observed activity and increased by 164.65% month-over-month. Unlike targeted host-level floods, carpet-bombing affects entire network address blocks, creating operational challenges by distributing attack load across multiple assets. This technique is often used to bypass threshold-based detection and to stress upstream or carrier-level defenses. A particularly concentrated campaign on October 30th resulted in 301 individual attacks—largely directed at a single software and web services provider—yet services remained stable throughout mitigation. Attack vectors further demonstrated tactical diversity. “Total Traffic” floods represented the largest share of observed vectors at 42.78%, while UDP floods, DNS amplification, and IP fragmentation techniques remained prominent tools for volumetric disruption. Meanwhile, multiple TCP-based vectors continued to target stateful infrastructure components such as load balancers and firewalls.
From a geographic perspective, Czechia emerged as the third most targeted country. This aligns with ongoing politically motivated campaigns linked to the country’s vocal support for Ukraine and participation in EU and NATO policy discussions. Pro-Russian hacktivist groups have repeatedly targeted government, media, and critical service providers in Czechia, reflecting broader geopolitical tensions influencing DDoS activity in the region.
Overall, the October threat landscape shows a more adaptive DDoS ecosystem. Adversaries alternated between high-bandwidth floods, protocol-level disruption, and carpet-bombing techniques, indicating flexible and diverse botnet resources. These patterns suggest DDoS is being used for both direct service disruption and broader strategic pressure-testing of organizational resilience.
Stats at a Glance
- Total Number of Attacks: 1,265 (a 14.69% increase compared to September 2025)
- Total number of hours of downtime avoided: ~ 492.19
- Number of Mega Attacks (100+ Gbps): 5 (a 500% increase compared to September 2025)
- Largest DDoS Attack (Gbps): 476.17 Gbps (a 485.12% increase compared to September 2025)
- Largest DDoS Attack (million packets-per-second): 40.49 Mpps (a 191.29% increase compared to September 2025)
- Longest DDoS Attack: 1.23 Days
- Average DDoS Attack (Gbps): 2.49 Gbps (a 32.45% increase compared to September 2025)
- Median DDoS Attacks (Gbps): 0.67 Gbps
- Average DDoS Attack (packets-per-second): 281.61 Kpps
- Median DDoS Attack (packets –per second): 82.78 Kpps
- Average Duration: 23.35 Minutes
- Median Duration: 7.93 Minutes
- Unique vs Carpet Bombing: 79.29% Unique / 20.71% Carpet Bombing
- Top Three Industry Targeted: IT/Technical Services (56.15 %), Communication Service Providers (20.61%), Financial Services (12.18%)
