Gcore sees DDoS attacks surge to 1.3 million in Q4

Gcore has published its latest Radar report on distributed denial-of-service attacks, showing a sharp rise in both the number and size of incidents in the second half of 2025.

Total attacks reached 1.3 million in the fourth quarter of 2025, up from 512,000 a year earlier. Attack volumes climbed to 12 Tbps from 2.2 Tbps, while network-layer incidents accounted for 82% of observed attacks.

The figures point to a threat environment shaped by automation, short bursts of traffic and growing use of botnet infrastructure. The shift was also reflected in attack origins, with Latin America emerging as a major source of network-layer activity.

Attack profile

According to the report, 75% of network-layer attacks lasted less than one minute. Only 2% continued for more than 10 minutes, suggesting attackers are relying on brief, intense waves to overwhelm systems before defences can fully respond.

Application-layer attacks followed a different pattern: 64% lasted more than 10 minutes, indicating a move towards longer campaigns designed to disrupt services and interfere with application workflows.

The report says attackers are increasingly using automation to run large-scale campaigns. It links that shift to a move away from opportunistic attacks towards operations intended to cause direct business disruption, including account takeover attempts, scraping and manipulation of application processes.

Target sectors

Technology remained the most attacked sector, accounting for 34% of incidents tracked by Gcore. Financial services followed with 20%, while gaming represented 19%.

These industries remain exposed because service availability is central to their operations, and outages can quickly lead to financial loss or wider disruption. The prominence of technology targets also reflects the sector's central role in the digital economy, where disruption to infrastructure can affect multiple downstream services.

Gcore identified several factors behind the growth in attack numbers and scale, including broader access to attack tools, the spread of insecure internet-connected devices, geopolitical and economic instability, and more advanced attack techniques.

Regional shift

The report found a strong concentration of network-layer attack traffic in the Americas. Mexico accounted for 31% of observed network-layer traffic, followed by Brazil with 24% and the United States with 20%.

For application-layer attacks, the United States remained the largest single source at 23%. Gcore linked the concentration of network-layer activity in the Americas to the AISURU botnet, which it said disproportionately affects networks and device ecosystems in those countries.

The findings suggest mitigation resources may need to be positioned differently. Rather than focusing only on protecting end targets, the report argues for placing defences closer to likely attack origins, particularly in regions that generate high levels of malicious traffic.

Andrey Slastenov, Head of Security at Gcore, said: "The latest Radar report is a call to action for business across industries. Attacks are becoming more frequent and more sophisticated because organising them is now cheaper and easier than ever. Businesses and organisations that previously felt unaffected are now being targeted. Effective protection strategies do exist, but understanding what is happening and being prepared has never been more important."

The data adds to wider industry concerns over the falling cost of launching disruptive cyberattacks and the growing availability of tools that lower the barrier to entry for threat actors. The combination of brief, high-volume floods and longer application-level campaigns also points to a broader range of tactics than in earlier periods.

Gcore is headquartered in Luxembourg and provides cloud, network and security services. The report covers DDoS attack trends observed in the third and fourth quarters of 2025.