September 2025 marked a notable shift in the global DDoS threat landscape, with overall attack volumes dropping sharply compared to the prior month. A total of 1,103 attacks were observed by the DigiCert UltraDDoS Protect platform, representing a 70.32% decrease from August. While seasonal slowdowns in DDoS activity have been observed in past years, the September decline appears tied to a cooling period following the resurgence of malicious actor campaigns in July and August. This ebb and flow illustrate the cyclical nature of DDoS activity, where operational tempo and infrastructure availability fluctuate over time rather than following a uniform trend line.
The distribution of attack vectors also revealed important developments. The majority of observed attacks fell into the “Total Traffic” category, where overall volumes exceeded organizational thresholds and triggered defensive measures. UDP-based floods continued to play a central role due to their efficiency and amplification potential, while TCP RST floods rose in prominence as attackers increasingly sought to exploit resource limitations on stateful devices. The emergence of L2TP amplification attacks further highlights malicious actors’ adaptability in blending volumetric saturation with protocol-specific techniques. Collectively, these trends show that adversaries are not only sustaining high levels of disruptive traffic but also diversifying their methods to stress multiple layers of defense simultaneously.
One of the most striking industry-level findings was the Education sector’s position as the top targeted vertical, accounting for 29.32% of observed DDoS activity. This is the first time Education has ranked first, continuing a steady climb after holding third place in July and August. The start of the academic year likely contributed to this trend, as universities and schools became heavily dependent on digital platforms for enrollment, learning management, and administrative operations. Decentralized IT environments, uneven security maturity across institutions, and reliance on public-facing services such as portals and databases make the sector particularly susceptible to disruption. The concentration of attacks against Education underscores the growing strategic value malicious actors see in targeting services with high visibility and immediate operational impact.
Taken together, September’s activity highlights both volatility and evolution in the DDoS threat landscape. While overall attack volumes fell, adversaries demonstrated resilience by shifting focus to new industries and employing diversified attack vectors. The rise of Education as the most targeted sector reinforces the need for organizations in every vertical to continually evaluate their readiness against disruptions that can quickly shift in scale, scope, and focus. Maintaining adaptive defenses and anticipating where adversaries may move next remains critical to sustaining operational resilience.
Stats at a Glance
- Total Number of Attacks: 1,103
- Total number of hours of downtime avoided: ~ 599.21
- Number of Mega Attacks (100+ Gbps): 0
- Largest DDoS Attack (Gbps): 81.38 Gbps
- Largest DDoS Attack (million packets-per-second): 13.90 Mpps
- Longest DDoS Attack: 1.96 Days
- Average DDoS Attack (Gbps): 1.88 Gbps
- Median DDoS Attacks (Gbps): 0.67 Gbps
- Average DDoS Attack (packets-per-second): 299.58 Kpps
- Median DDoS Attack (packets –per second): 95.68 Kpps
- Average Duration: 32.60 Minutes
- Median Duration: 7.98 Minutes
- Unique vs Carpet Bombing: 91.02% Unique / 8.98% Carpet Bombing
- Top Three Industry Targeted: Education (29.32%), IT/Technical Services (23.77%), Software/Web Services (10.34%)
