Cloudflare Radar 2025: record-breaking DDoS, the explosion of AI bots, and the post-quantum era

Sebastian Cyber Security Consultant

Cloudflare processes an average of 81 million HTTP requests per second across more than 330 data centers in 125 countries. This scale provides unique insight into the state of the global internet - and every year Cloudflare shares these observations in its Radar Year in Review report.

This year's edition covers data from January 1 to December 2, 2025 and reveals trends that directly affect the security of Polish companies. As a Cloudflare partner in Poland, ICWT analyzes the key findings from the perspective of the local market.

Key figures from the Cloudflare Radar 2025 report

  • Global internet traffic increased by 19% year over year (vs 17% in 2024)
  • The record DDoS attack reached 31.4 Tbps (for comparison - 5.6 Tbps in 2024)
  • AI bots account for 4.2% of all HTML traffic
  • The share of post-quantum cryptography jumped from 29% to 52%
  • A total of 174 major internet outages were documented worldwide
  • 6.2% of global traffic required security mitigation

The internet under growing threat pressure

Data from Cloudflare Radar 2025 clearly shows that the pace of threat growth is outstripping the growth of the internet itself. Below are three areas that should raise a red flag in every Polish SOC.

Record DDoS attacks - a new scale of threat

The year 2025 brought an unprecedented escalation of volumetric attacks. Attacks exceeding 1 Tbps (so-called hyper-volumetric) appeared regularly from July onward, when more than 500 such incidents were recorded in a single month.

The escalation unfolded rapidly:

  • Late August - the first attack exceeding 10 Tbps
  • September - a series of attacks above 20 Tbps
  • October - a record of 29.7 Tbps and 14 Bpps (packets per second)
  • Early November - a new record: 31.4 Tbps

Escalation of DDoS attacks in 2025 — record 31.4 Tbps
Source: Cloudflare Radar Year in Review 2025 — radar.cloudflare.com/year-in-review/2025

Globally, 6.2% of all internet traffic required mitigation, with the share exceeding 10% in 14 countries. In Equatorial Guinea, as much as 40% of traffic was blocked or subject to verification.

For Polish organizations covered by the NIS2 Directive, this is an alarming signal - a DDoS attack that paralyzes services is a reportable incident, and the lack of adequate safeguards may result in penalties of up to EUR 10 million or 2% of annual turnover. Increasingly, local solutions also do not have sufficient scale to stop such attacks.

The explosion of AI bots - invisible traffic changing the rules of the game

One of the most groundbreaking trends of 2025 is the explosion of traffic generated by crawlers associated with artificial intelligence. AI bots accounted for an average of 4.2% of all HTML traffic (range 2.4–6.4% over the year), while Googlebot alone accounted for an additional 4.5%.

AI bot and crawler activity in 2025
Source: Cloudflare Radar Year in Review 2025 — radar.cloudflare.com/year-in-review/2025

Activity of individual AI crawlers in 2025:

  • GPTBot (OpenAI) - peak activity in June, declining to the baseline level in November
  • ClaudeBot (Anthropic) - traffic doubled in H1, declined in H2
  • PerplexityBot - 3.5x growth by the end of the year
  • ChatGPT-User - 16-fold growth, clear weekly pattern (work/school)
  • Crawling for user actions (chatbot responses, agentic browsing) increased 15-fold

Particularly telling is the crawl-to-refer ratio, meaning how many times a bot visits a page vs. how much traffic it sends back:

  • Anthropic: from 25,000:1 to 100,000:1 crawls per referral
  • OpenAI: up to 3,700:1
  • Perplexity: 100:1 to 700:1
  • Google: 3:1 to 30:1

AI companies are consuming content at scale while giving back almost nothing in the form of referral traffic. For publishers and companies with valuable content, including Polish ones, these are real business losses.
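The crawl-to-refer ratio can be estimated for your own site from web server access logs. The following is an added example, not code from the report or from Cloudflare. It assumes Combined Log Format, counts only successful GET requests, and uses an assumed mapping of Referer hostnames to platforms; the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Crawler tokens named in the article. The User-Agent is self-declared and spoofable.
CRAWLERS = {"GPTBot": "OpenAI", "ClaudeBot": "Anthropic", "PerplexityBot": "Perplexity"}
# ASSUMPTION: Referer hosts that mark a visitor arriving from each platform.
REFERRERS = {"chatgpt.com": "OpenAI", "claude.ai": "Anthropic", "www.perplexity.ai": "Perplexity"}

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) \S+ [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def crawl_to_refer(lines):
    """Return {operator: (crawls, referrals, crawls_per_referral or None)}."""
    crawls, referrals = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue  # skip malformed lines and requests that returned no page
        operator = next((op for tok, op in CRAWLERS.items() if tok in m["ua"]), None)
        if operator:
            crawls[operator] += 1
            continue
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if host in REFERRERS:
            referrals[REFERRERS[host]] += 1
    return {op: (crawls[op], referrals[op],
                 crawls[op] / referrals[op] if referrals[op] else None)
            for op in sorted(set(crawls) | set(referrals))}

def _line(path, status, referer, ua):  # builds one constructed log line
    return (f'192.0.2.10 - - [01/Dec/2025:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "{referer}" "{ua}"')

SAMPLE_LOG = [  # constructed sample data, not real traffic
    _line("/a", 200, "-", "Mozilla/5.0 (compatible; GPTBot/1.2)"),
    _line("/b", 200, "-", "Mozilla/5.0 (compatible; GPTBot/1.2)"),
    _line("/x", 404, "-", "Mozilla/5.0 (compatible; GPTBot/1.2)"),
    _line("/a", 200, "-", "Mozilla/5.0 (compatible; ClaudeBot/1.0)"),
    _line("/a", 200, "https://chatgpt.com/", "Mozilla/5.0 (X11; Linux x86_64)"),
    "truncated line",
]

if __name__ == "__main__":
    for op, (c, r, ratio) in crawl_to_refer(SAMPLE_LOG).items():
        print(f"{op}: {c} crawls, {r} referrals, ratio {ratio}")
```

A ratio of `None` means the operator crawled the site but no referral was seen in the sampled window.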

Public cloud as a launch platform for attacks

The United States accounts for 40% of global bot traffic (up 5 percentage points year over year). Major cloud platforms are the preferred source of malicious traffic:

  • AWS: 14.4% of bot traffic (two ASNs combined)
  • Google Cloud: 9.7%
  • Microsoft Azure: 5.5%

All three platforms increased their share compared to 2024. Attackers are increasingly renting cloud resources to generate malicious traffic - cheap, scalable, and difficult to block without behavioral analysis.

Origin of bot traffic by country in 2025
Source: Cloudflare Radar Year in Review 2025 — radar.cloudflare.com/year-in-review/2025

The most frequently attacked sector in 2025 was not banking or e-commerce, but organizations in the "People and Society" category - religious institutions, non-profit organizations, libraries. At its peak (July), this sector accounted for 23.2% of mitigated traffic globally.

How Cloudflare responds to these threats

The data from the Radar report is not just statistics - behind every number is a specific protection technology. Cloudflare operates one of the largest edge networks in the world and is actively developing tools that neutralize the threats described.

Global edge network as an autonomous shield

Cloudflare's network - 330+ cities, 125+ countries - is not a CDN in the traditional sense. Every point of presence (PoP) autonomously mitigates attacks in under 3 seconds, without forwarding traffic to a central scrubbing center. In Poland, there are currently several Cloudflare datacenters, located in Warsaw and Wrocław.

In July 2025, when a single DDoS campaign triggered a global spike in mitigated traffic, Cloudflare's network absorbed the attack without impacting the performance of protected websites. This is a fundamental difference compared to local anti-DDoS appliances, which are simply useless in attacks >1 Tbps - the link gets saturated before the hardware has time to respond.

Post-quantum cryptography - the future that is already working

One of the most optimistic trends of the year is the adoption of post-quantum cryptography:

  • The global share increased from 29% (January) to 52% (December 2025)
  • 28 countries doubled their share of post-quantum traffic
  • Puerto Rico: jump from 20% to 49%; Kuwait: from 13% to 37%

Post-quantum cryptography adoption — growth from 29% to 52%
Source: Cloudflare Radar Year in Review 2025 — radar.cloudflare.com/year-in-review/2025

A key catalyst was the release of iOS 26 in September with automatic quantum-resistant key exchange - iOS's share of post-quantum traffic jumped from below 2% to 25% within a few weeks.

Cloudflare was one of the first providers to implement post-quantum TLS, enabling customers to protect themselves against future quantum computer attacks without configuration changes. For Polish companies, this is ready-made protection for years to come - it is enough to be behind Cloudflare.

RPKI - a quiet revolution in routing security

BGP routing security based on RPKI (Resource Public Key Infrastructure) is often overlooked, but it is a critical element of protection. Without RPKI, an attacker can hijack traffic by redirecting it through malicious networks.

  • The share of correctly validated IPv4 routes increased from 50% to 53.9%
  • Validated IPv6 routes: 60.1% (+4.7 pp)
  • Over 5 years (2020–2025), the number of RPKI-protected routes increased 3-fold

Cloudflare validates RPKI on its edge routers and rejects unauthorized route announcements, protecting customer traffic from BGP hijacking.
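The decision a validating router makes for each announcement is route origin validation as specified in RFC 6811. The following is an added example, not code from the report and not Cloudflare's implementation. It assumes the ROAs have already been cryptographically verified, and uses constructed ROAs built from documentation prefixes and documentation ASNs.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, authorized origin ASN).
# Prefixes are documentation ranges; ASNs 64496-64511 are reserved for documentation.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]

def validate_origin(prefix, origin_asn, roas=ROAS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # A match needs the authorized origin AND a length within maxLength.
        # An AS0 ROA never matches, so it can only make routes invalid.
        if roa_asn != 0 and roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: unauthorized announcement.
    return "invalid" if covered else "not-found"

def filter_announcements(announcements, roas=ROAS):
    """Drop 'invalid' routes; 'valid' and 'not-found' routes are kept."""
    return [(p, a) for p, a in announcements if validate_origin(p, a, roas) != "invalid"]

SAMPLE_ANNOUNCEMENTS = [  # constructed (prefix, origin ASN) pairs
    ("192.0.2.0/24", 64496),      # authorized origin
    ("192.0.2.0/24", 64511),      # wrong origin AS
    ("192.0.2.128/25", 64496),    # more specific than maxLength allows
    ("2001:db8:1::/48", 64496),   # within maxLength 48
    ("203.0.113.0/24", 64500),    # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        print(prefix, f"AS{asn}", validate_origin(prefix, asn))
```

The `maxLength` check is what stops a more-specific announcement from being accepted even when it carries the legitimate origin ASN.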

Email security - more than 5% of messages are threats

Cloudflare Area 1 Email Security classifies more than 5% of analyzed email messages as malicious. The dominant techniques are:

  • Phishing links - the most common vector
  • Sender impersonation (identity deception)
  • Imitation of well-known brands (brand impersonation)

The top-level domains .christmas and .lol proved particularly dangerous - almost all traffic from these domains is spam or malware. This is an important clue for administrators configuring filters.

The Internet is growing faster than ever

Global Internet traffic increased by 19%, accelerating from last year's 17%. Growth accelerated from August onward, driven by, among other things, Starlink's expansion (2.3x traffic, services in 20+ new countries) and increasing digitalization.

Growth in global Internet traffic in 2025 — Cloudflare Radar chart
Source: Cloudflare Radar Year in Review 2025 — radar.cloudflare.com/year-in-review/2025

  • Botswana - record growth 298% above baseline
  • Starlink: Benin 51x growth, East Timor 19x, Botswana 16x
  • Googlebot generates 28% of all verified bot traffic; OpenAI's GPTBot is second with ~7.5%

Mobile dominates, HTTP/3 is growing slowly

  • Mobile traffic: 43% of global traffic (vs 41% in 2024), 117 countries with mobile dominance
  • HTTP/3: 21% of traffic globally - slow but steady growth; 15 countries exceeded 33% (leader: Georgia at 38%)
  • IPv6: 29% globally (+1 pp.); leader: India at 67%. Belize surprised with a jump from 4.3% to 24%
  • iOS: 35% of mobile traffic (up 2 pp.); Android: 65%. Monaco with a 70% iOS share - the highest in the world

174 major outages - the internet is not reliable

Internet outages and disruptions in 2025
Source: Cloudflare Radar Year in Review 2025 - radar.cloudflare.com/year-in-review/2025

In 2025, Cloudflare documented 174 major internet outages. Nearly half were the result of deliberate government shutdowns - Iraq, Syria, Sudan (exams), Tanzania (protests), Afghanistan (the Taliban's decision to cut off fiber-optic links).

Infrastructure-related causes were mainly damage to subsea and terrestrial cables (USA, South Africa, Pakistan, Haiti, Hong Kong) as well as fires affecting telecommunications infrastructure (Cairo). Jamaica lost connectivity for more than a week after Hurricane Melissa.

Lesson for Polish companies: disaster recovery planning must include connectivity loss scenarios, not just server failures.

Web technologies and API automation

The report reveals significant changes in the technology ecosystem:

  • WordPress: down to 47% among the top 5,000 domains (the downward trend continues)
  • Go and Python dominated automated API clients (20% and 17%), overtaking Node.js
  • Google: 89.5% share of the global search engine market; in Russia, Yandex is still at 65%
  • Chrome: 66% globally; Safari dominates on iOS (79%), Yandex Browser competes with Chrome in Russia

ICWT recommendations for Polish organizations

Based on Cloudflare Radar 2025 data, as a Cloudflare partner in Poland, we present six priority recommendations:

  1. Always-On DDoS protection - with 89% of attacks lasting less than 10 minutes, manual response is ineffective. Autonomous mitigation at the edge is needed, reacting in seconds, not minutes.
  2. Managing AI bot traffic - configuring robots.txt, implementing Cloudflare Bot Management and rate-limiting policies for AI crawlers is now a necessity, not an option. Uncontrolled crawling generates costs and steals content.
  3. Adoption of post-quantum cryptography - Cloudflare offers post-quantum TLS by default. It is worth ensuring that internal systems and client applications support the new algorithms before quantum computers become a real threat.
  4. RPKI validation at the operator level - verification that the connectivity provider correctly validates BGP routes. Cloudflare rejects unauthorized announcements - but only if the traffic reaches the Cloudflare network.
  5. Multi-layer email protection - implementation of DMARC, SPF, DKIM, and filtering solutions (Cloudflare Area 1). With 5%+ malicious messages, it is a matter of time, not probability.
  6. NIS2 compliance - anti-DDoS security documentation, incident reporting procedures, and a business continuity plan as a formal element of regulatory compliance.

Methodology and full report

The Cloudflare Radar Year in Review 2025 report is based on data from the global Cloudflare network for the period from January 1 to December 2, 2025. The baseline for calculating growth is the average daily traffic volume from the week of January 12–18, 2025.

The full interactive version of the report, with filtering available across 200+ countries and regions, is available on the Cloudflare Radar Year in Review 2025 site (radar.cloudflare.com/year-in-review/2025).

The original post on the Cloudflare blog with commentary from the author (David Belson) is available as The 2025 Cloudflare Radar Year in Review.

ICWT - Your Cloudflare partner in Poland

The data from the Cloudflare Radar 2025 report confirms that effective protection requires not only technology, but also proper implementation. Default configuration is not enough - with attacks exceeding 31 Tbps, every detail of the security architecture matters.

As an authorized Cloudflare partner in Poland, ICWT combines global technology with local experience. We have a dedicated team of engineers and experience delivering the largest implementations in Poland. Contact us to discuss the security of your infrastructure.
