Early 2025 DDoS Attacks Signal a Dangerous Trend in Cybersecurity

As we enter 2025, the threat landscape continues to evolve, with Distributed Denial of Service (DDoS) attacks growing in both scale and sophistication. So far this year, we’ve already seen several major DDoS attacks over 5 million Requests Per Second (RPS), signaling a concerning trend for organizations worldwide.

These attacks are larger than anything we’ve seen before and are arriving at an increasing pace, which makes attackers’ priorities for 2025 and beyond clear. It’s no longer a question of if organizations will face these kinds of disruptions, but when.

The implications for businesses are significant, with these sophisticated DDoS attacks threatening to overwhelm unprepared organizations. This growth further emphasizes the importance of heightened vigilance and proactive measures to safeguard against an ongoing wave of high-intensity cyber disruptions.

Attack #1: A French Home Supply Store

The first major attack, which happened on January 9, targeted a French home supply store. The attack peaked at almost 6 million requests per second (RPS) over a duration of just over 2 hours and leveraged a combination of the HTTP/2 Rapid Reset technique and traditional DDoS methods, amplifying its impact by increasing the number of simultaneous requests from each client. The malicious traffic was distributed across several geolocations, adding a layer of complexity to geo-based filtering strategies. Because the target is a retail website that hosts extensive product information and images, the attackers aimed to overload the origin servers—not only with raw traffic, but also with a high volume of requests to retrieve various product details and images. This tactic was designed to exhaust server resources, slow down response times, and disrupt the shopping experience for legitimate users, ultimately affecting the retailer’s operations and customer trust.

What makes this attack even more alarming is the scale of the botnet behind it. A total of 32,381 unique IP addresses were identified as part of the attack, making it clear that this wasn’t a small-scale effort. The use of such a large number of compromised devices suggests a well-coordinated and highly distributed botnet, designed to inflict maximum damage by flooding the target with a relentless stream of malicious requests. This serves as a stark reminder of the increasing sophistication and reach of modern DDoS campaigns, which are no longer limited to small botnets or brief attacks.

In cases like this, the size of the botnet amplifies the scale of the attack, overwhelming the target’s defenses and causing prolonged downtime, financial losses, and reputational damage. Additionally, these attacks can be a test of resilience, with threat actors testing the strength of an organization’s infrastructure before launching even larger attacks.

Defending against such massive botnets requires a multi-layered approach. This includes leveraging advanced DDoS mitigation services that can adjust to large traffic spikes, using Web Application Firewalls (WAFs) to filter malicious requests, and prioritizing legitimate users. It’s also essential for organizations to have an incident response plan in place to quickly identify, mitigate, and recover from these types of attacks, while continuously monitoring network traffic for early signs of unusual behavior.

Attack #2: An Indonesian Government Agency

The second attack, which took place just one day after the first, targeted a major government institution in Indonesia. This attack escalated quickly, with nearly 10 million requests per second (RPS) bombarding the organization’s infrastructure. Unlike the first attack, which lasted just over two hours, this one was prolonged, enduring for just under 14 hours.

We observed that the attackers employed a reconnaissance phase to test the mitigation with a brief spike, followed by a larger one, and finally the actual attack that peaked at 10 million RPS. This staged approach allowed them to probe the defenses before launching the full-scale assault. The attack leveraged the HTTP/2 Rapid Reset vector, which amplifies the number of simultaneous requests a single client can send, significantly increasing the impact without the need for a vast number of IPs.

The malicious traffic primarily originated from Indonesia but was highly geo-distributed, further complicating mitigation efforts. Most clients attempted to evade detection by masquerading as legitimate Chrome clients; however, the Imperva Client Classification service successfully identified and blocked these deceptive attempts, showcasing the importance of advanced threat detection mechanisms in countering modern DDoS tactics.

Unlike the first attack, this one had a relatively small number of IPs involved—only 5,343 unique addresses. This indicates that the attackers relied on a more concentrated, yet highly efficient, botnet. While the number of IPs was lower compared to the first attack, the sheer scale of the RPS demonstrates the growing sophistication of DDoS strategies. These attacks are no longer limited by the size of the botnet, but rather by how effectively the attackers can harness a smaller pool of compromised devices to generate extreme volumes of traffic, a fact only helped by the HTTP/2 Rapid Reset technique used by attackers to maximize traffic capabilities. The extended duration of this assault further emphasizes the increasing capacity of adversaries to sustain prolonged disruptions and overwhelm even robust defenses.

When a DDoS attack lasts for many hours, the motive behind the attack is often to sustain disruption over a longer period of time, potentially exhausting the target’s resources and causing extended downtime. The sustained duration of the attack can cause significant strain on a company’s network, leading to slowdowns, loss of service, and negative customer experiences. The attacker’s goal is typically to wear down defenses, forcing the target into a state of continuous mitigation or recovery. To defend against this type of attack, organizations need to focus on resilience strategies that account for prolonged periods of high traffic. This includes using rate-limiting to manage incoming requests, deploying traffic analysis tools to identify and block malicious patterns, and working with DDoS protection services that specialize in mitigating long-duration attacks. Additionally, setting up alert systems and ensuring proper bandwidth scaling can help prevent the attack from overwhelming the network infrastructure.

Attack #3: A United States Beverage Company

The most recent—and by far the largest—attack took place on January 25, targeting a major US beverage company. This attack was particularly notable, reaching an astonishing 13.5 million requests per second (RPS) in an incredibly short window of just 8 minutes.

What makes this attack especially noteworthy is the sheer intensity of the RPS within such a brief period. The attack was launched from 7,640 unique IP addresses, which, while considerable, emphasizes the efficiency with which attackers were able to generate massive amounts of traffic in a very short timeframe. This represents a new level of DDoS sophistication, where the focus is not just on the volume of requests but on how quickly they can be unleashed to maximize disruption. The combination of rapid-fire requests and large-scale botnet participation is a strong indicator of the evolving tactics behind these increasingly devastating DDoS campaigns.

Attacks that reach massive RPS levels in a short amount of time are typically designed to cause rapid and overwhelming disruption. These high-intensity attacks are often executed by more sophisticated botnets, leveraging numerous compromised devices to generate extreme traffic volumes in a short burst. The goal is to flood the target’s infrastructure with such an intense load that it results in immediate downtime, service interruptions, or even complete system failure. These fast-moving attacks are particularly dangerous because their speed makes them harder to detect and mitigate before they cause significant damage. In many cases, attackers use this approach to bypass traditional defense mechanisms that rely on detecting longer-term patterns of malicious activity, leaving organizations scrambling to respond. Defending against these quick bursts of massive RPS requires proactive measures such as using advanced DDoS protection services capable of handling rapid surges in traffic and employing real-time traffic monitoring to quickly identify suspicious behavior. Additionally, ensuring that the infrastructure is equipped with sufficient redundancy and capacity to absorb sudden traffic spikes can help reduce the impact of such attacks.
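As an added illustration of the monitoring described here and of the staged probe-then-escalate sequence described for attack #2 (this is example code, not part of the original post and not Imperva’s tooling), the following Python detector flags request-rate surges against a trailing-median baseline and checks whether short, rising probes precede a longer final surge. The per-second request counts, the 20-second window and the 5x spike factor are all constructed assumptions.

```python
from statistics import median

# Constructed per-second request counts (RPS) for one site; not data from the post.
# A steady ~1,000 RPS baseline, a brief probe, a larger probe, then the sustained
# attack, mirroring the staged pattern described for attack #2.
SAMPLE_RPS = ([1000] * 30 + [8000] * 3 + [1000] * 20 + [40000] * 4
              + [1000] * 20 + [200000] * 15 + [1000] * 10)


def detect_surges(rps, window=20, factor=5.0):
    """Return (start, end_exclusive, peak) for each run of seconds whose RPS
    exceeds `factor` times the trailing median of recent non-surge seconds.
    Surge seconds are kept out of the baseline so a long attack cannot drag
    the baseline up and hide its own tail."""
    surges, baseline_hist = [], []
    start, peak = None, 0
    for t, r in enumerate(rps):
        baseline = median(baseline_hist[-window:]) if baseline_hist else r
        if r > factor * baseline:
            if start is None:
                start, peak = t, r
            peak = max(peak, r)
        else:
            if start is not None:
                surges.append((start, t, peak))
                start = None
            baseline_hist.append(r)
    if start is not None:
        surges.append((start, len(rps), peak))
    return surges


def looks_staged(surges, max_probe_secs=5):
    """True when two or more short surges with rising peaks precede a longer
    final surge: the probe-then-escalate sequence seen in attack #2."""
    if len(surges) < 3:
        return False
    *probes, final = surges
    peaks = [p for _, _, p in surges]
    probes_short = all(e - s <= max_probe_secs for s, e, _ in probes)
    final_long = final[1] - final[0] > max_probe_secs
    rising = all(a < b for a, b in zip(peaks, peaks[1:]))
    return probes_short and final_long and rising


if __name__ == "__main__":
    found = detect_surges(SAMPLE_RPS)
    for s, e, p in found:
        print(f"surge {s}s-{e}s, peak {p:,} RPS")
    print("staged probing pattern:", looks_staged(found))
```

In production the same logic would run on a per-second counter from the edge or load balancer, with the window and factor tuned to the site’s own diurnal baseline.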

Why This Is Important

Each of these attacks is significant on its own, but the discovery of IP overlap between all of them makes them even more concerning, as it points to a consolidated, well-equipped actor. On average, 20% of the IPs—1,670 in total—were common amongst all three attacks. Over half of these IPs had a high risk score, which shows that they’re involved in frequent, severe attacks. Although we can’t attribute this activity to an actor or botnet yet, it’s notable that these IPs are persistent and are involved in many DDoS attacks on a daily basis, targeting sites across many industries and countries.
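As an added worked example of the overlap analysis above (not part of the original post and not Imperva’s code), the Python below parses constructed attack logs, finds the IPs common to every attack, computes the average share of each attack’s IP pool they represent, and filters them by a risk score. The CSV layout, the documentation-range IPs, the risk scores and the 70-point high-risk threshold are all assumptions; applying `average_share` to the post’s own counts (32,381, 5,343 and 7,640 IPs with 1,670 shared) gives about 19%, consistent with the 20% figure quoted.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample (documentation IP ranges, invented risk scores); not the post's data.
LOG_LINES = """\
attack_id,source_ip,risk_score
A1,203.0.113.10,92
A1,203.0.113.11,40
A1,203.0.113.12,15
A1,203.0.113.13,77
A1,203.0.113.14,5
A2,203.0.113.10,92
A2,203.0.113.11,40
A2,198.51.100.7,60
A3,203.0.113.10,92
A3,203.0.113.11,40
A3,203.0.113.13,77
A3,198.51.100.8,10
"""


def parse_logs(text):
    """Return ({attack_id: set of IPs}, {ip: highest risk score seen})."""
    attacks, risk = defaultdict(set), {}
    for line in text.splitlines()[1:]:  # skip the header row
        attack_id, ip, score = line.split(",")
        attacks[attack_id].add(ip)
        risk[ip] = max(risk.get(ip, 0), int(score))
    return dict(attacks), risk


def shared_ips(attacks):
    """IPs that took part in every attack."""
    return set.intersection(*attacks.values())


def average_share(sizes, common_count):
    """Mean fraction of each attack's IP pool made up of the common IPs."""
    return mean(common_count / n for n in sizes)


def overlap_report(text, high_risk=70):
    attacks, risk = parse_logs(text)
    common = shared_ips(attacks)
    return {
        "common": sorted(common),
        "avg_share": average_share([len(s) for s in attacks.values()], len(common)),
        "high_risk_common": sorted(ip for ip in common if risk[ip] >= high_risk),
    }
```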

These attacks are a stark reminder that DDoS threats are becoming more frequent and severe. While traditional mitigation tactics like rate-limiting, IP blocking, and over-provisioning bandwidth can help protect against smaller-scale attacks, these massive assaults require more advanced protection. Solutions that rely on adaptive protection, traffic analysis, and threat intelligence are becoming essential for mitigating these large-scale attacks in real time.

These incidents also highlight the importance of businesses adopting a layered security approach. Relying on a single security solution may not be sufficient in the face of today’s evolving DDoS landscape. Organizations must stay ahead of attackers by deploying multi-faceted defense strategies that include bot mitigation, application firewalls, and real-time monitoring.

Preparing for Future DDoS Threats

As DDoS attacks continue to grow in size and complexity, it’s critical that businesses take proactive steps to defend their networks and applications. Here are some key strategies to consider:

  • Deploy DDoS Protection Tools: Consider investing in DDoS mitigation services that use AI and machine learning to detect and mitigate large-scale attacks in real time.
    • Imperva DDoS Protection leverages machine learning and AI algorithms to adapt and detect more accurately when DDoS attacks occur, and also adjusts the security policies using AI/ML algorithms.
  • Monitor and Analyze Traffic: Use traffic analytics to identify anomalies and potential threats early on. This will allow your security teams to take swift action before an attack escalates.
    • Imperva Attack Analytics applies machine learning and domain expertise across the application security stack to reveal patterns in the noise, and prioritize investigations.
  • Create an Incident Response Plan: Develop a comprehensive plan for responding to DDoS attacks, ensuring that your team knows how to act swiftly and effectively during an assault.

Conclusion

As the frequency and scale of DDoS attacks continue to increase, organizations need to stay vigilant and invest in robust defenses to protect against the evolving threat. The attacks we’ve witnessed so far in 2025 are just the beginning, and we can expect more high-volume assaults in the coming months. By staying prepared and leveraging the latest technologies in DDoS mitigation, businesses can better protect their critical services and maintain the trust of their customers.

Stay tuned to our blog for more insights, and read our weekly Threat Intelligence Report to stay on top of the latest trends in cybersecurity.