DDoS Strategic Report Q3 2025: massive botnet attacks
The End of the Era of Cyber Innocence
The third quarter of 2025 will be remembered as the moment when the physical bandwidth limits of internet infrastructure were brutally tested. The emergence of the Aisuru botnet, capable of generating attacks exceeding 29 terabits per second, redefines network security for Polish enterprises.
ICWT, as an authorized Cloudflare partner in Poland, observes these changes from the front line. The report combines Cloudflare’s global telemetry with local context, analyzing the impact of geopolitics, NIS2 regulations, and the specifics of the Polish market.
Chapter 1: Anatomy of a Digital Leviathan – The Aisuru Botnet
Scale and Technical Parameters of the Threat
The Aisuru botnet has assembled an army of infected devices estimated at between 1 and 4 million hosts worldwide. Unlike previous generations, it leverages a broader spectrum of compromised resources, including servers and edge routers with high-capacity links.
The data indicates that attacks which just a year ago would have been considered record-breaking incidents of the year now occur on average every two hours.

Attack Mechanics: Carpet Bombing and Randomization
The 29.7 Tbps attack was not directed at a single IP address. It used the carpet bombing technique: a UDP flood spread across thousands of IP addresses within the target subnet. Aisuru bombarded an average of 15,000 target ports per second.
Traditional systems monitor traffic to specific IPs, but carpet bombing saturates the organization’s entire uplink. The attackers randomized packet attributes, making it impossible to create a simple blocking signature.
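Why per-host thresholds miss this pattern, as an added example that is not part of the report: the constructed flow records below spread modest UDP traffic over 250 hosts and randomized ports of one /24, so no single destination crosses a per-IP limit while the subnet aggregate is large enough to saturate an uplink. All flow tuples, prefixes and thresholds are illustrative assumptions.

```python
# Added example (not from the report): per-IP versus per-subnet aggregation of
# constructed UDP flow records, showing why carpet bombing slips past per-host
# thresholds. Flow tuples and thresholds are illustrative assumptions.
import ipaddress
from collections import defaultdict

# Constructed flows: (dst_ip, udp_dst_port, bytes) seen in one 1-second window.
# Traffic is thin per host but spread over all of 203.0.113.0/24 on random ports.
SAMPLE_FLOWS = [
    (f"203.0.113.{host}", port, 1200)
    for host in range(1, 251)
    for port in (53 + host, 9000 + host, 40000 + host)  # randomized ports per host
] + [("198.51.100.7", 443, 5000)]  # one ordinary flow to an unrelated host

def bytes_per_dst_ip(flows):
    """Sum bytes per destination IP: the view a classic per-host threshold uses."""
    totals = defaultdict(int)
    for dst, _port, nbytes in flows:
        totals[dst] += nbytes
    return totals

def bytes_per_subnet(flows, prefix_len=24):
    """Sum bytes per destination prefix: the view that matches uplink saturation."""
    totals = defaultdict(int)
    for dst, _port, nbytes in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[str(net)] += nbytes
    return totals

def detect_carpet_bombing(flows, per_ip_limit, subnet_limit, prefix_len=24):
    """Return prefixes whose aggregate exceeds subnet_limit while every
    individual host stays under per_ip_limit (the carpet-bombing signature)."""
    per_ip = bytes_per_dst_ip(flows)
    per_net = bytes_per_subnet(flows, prefix_len)
    flagged = []
    for net, total in per_net.items():
        if total < subnet_limit:
            continue
        network = ipaddress.ip_network(net)
        hosts = [ip for ip in per_ip if ipaddress.ip_address(ip) in network]
        if all(per_ip[h] < per_ip_limit for h in hosts):
            flagged.append(net)
    return sorted(flagged)

if __name__ == "__main__":
    # A 10 kB/s per-host limit never fires (each host gets 3.6 kB), yet the /24
    # total is 900 kB/s and is reported.
    print(detect_carpet_bombing(SAMPLE_FLOWS, per_ip_limit=10_000, subnet_limit=500_000))
```

In production the same aggregation is applied to sampled flow telemetry (NetFlow/sFlow) keyed on the organization's announced prefixes rather than on individual hosts.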
The Economics of Cybercrime: Botnet-for-Hire
Fragments of the Aisuru botnet are being offered on the black market in an as-a-service model. For a few hundred to several thousand dollars, an entity with no technical expertise can paralyze a competitor’s digital infrastructure. For Polish companies, this means a threat not only from advanced APT groups, but also from unfair competition.
Chapter 2: Geopolitics as an Attack Vector – Implications for Poland
Indonesia: The New Center of Gravity for Cyber Threats
Indonesia dominates as a source of attacks. The share of HTTP DDoS traffic originating from the country increased by 31,900% over five years and maintained the leading position in 2025.
The reason is the mass infection of unsecured IoT devices and routers, particularly MikroTik devices, which are especially popular in the region. For Polish administrators, this means the need to monitor traffic from Southeast Asia and implement geolocation-based rules.

The War for Resources and the Extractive Industry
The escalation of trade tensions between the EU and China was reflected in attack targets. The Mining, Minerals & Metals sector recorded a sharp increase in incidents, climbing 24 positions in the ranking.
This is a warning signal for Polish industrial giants. Cyberattacks are becoming a tool of economic pressure aimed at disrupting supply chains.
Poland in the Crosshairs: Regional Context
Poland remains one of the most frequently attacked countries in Europe. Attacks were observed against:
- Public sector: mObywatel and CEPiK systems
- Transport: PKP Intercity ticket sales systems
- Finance: banking sector, BLIK
Any Polish company that is part of the critical infrastructure supply chain is a potential target, even if it is not involved in politics.
Chapter 3: The Transformation of Targets – Who Are the Bots Attacking?
Artificial Intelligence Under Fire
The most dynamic growth was recorded in the generative artificial intelligence sector. In September 2025, attack traffic targeting these entities increased by 347% month over month.
- Processing queries to AI models requires enormous GPU power
- Fake query attacks generate massive operating costs
- The increase coincided with regulatory debates, suggesting activist motivations
Automotive Sector
The Automotive industry moved up 62 positions in the target ranking. This is linked to the growing level of vehicle connectivity. A DDoS attack can prevent remote vehicle unlocking, OTA updates, and the operation of navigation systems.

Chapter 4: The Evolution of Attack Vectors – Technical Analysis

The Renaissance of the Network Layer (L3/4)
Network-layer attacks accounted for 71% of all incidents, recording an 87% year-over-year increase.
- UDP Flood: The most popular vector, driven by Aisuru. The UDP protocol is ideal for generating enormous traffic volumes at minimal cost.
- Mirai still alive: Mirai variants account for nearly 2% of all network attacks, despite a decade having passed since the original Mirai botnet appeared.
HTTP DDoS: Less Frequent, but Smarter
The number of application-layer attacks fell by 41%, but their quality increased.
- Headless Browsers: As much as 20% of HTTP attacks are generated by tools simulating fully fledged browsers. They bypass JavaScript challenges, requiring behavioral analysis.
- Known Botnets: 70% of HTTP attacks originate from known botnets. Thanks to Cloudflare's global intelligence (20% of global traffic), customers are protected proactively.
Duration: The End of Human Response
89% of network attacks and 71% of HTTP attacks last less than 10 minutes. A protection model based on SOC team response is completely ineffective. The only solution is autonomous Always-On mitigation responding in under 3 seconds.
Chapter 5: The Role of the Partner in the Implementation Process – The ICWT Approach
Why Is “Boxed” Cloudflare Not Enough?
Many companies buy a Cloudflare license, enable the default settings, and consider themselves secure. The Q3 2025 report shows that with attacks >29 Tbps, the default configuration may be insufficient.
- Misconfigurations: The Aisuru botnet actively looks for gaps such as open ports left exposed on the origin server or overly permissive WAF rules.
- False Sense of Security: Without proper implementation, attackers can bypass Cloudflare by targeting the server's IP address directly.
ICWT Methodology: “Global Technology, Local Delivery”
The ICWT approach is based on:
- Understanding the client's business needs
- Environment analysis and security architecture planning
- Proper implementation minimizing downtime
- Configuration audit and hardening to catch errors
- Experience from delivering dozens of implementations
- Hybrid architecture integrating Cloudflare with on-premise systems
- DevSecOps support integrating protection into CI/CD processes
- Expertise in solutions rather than vendor logos, matching tools to actual needs
Chapter 6: The NIS2 Directive and DDoS Protection
DDoS as a Compliance Threat
The year 2025 is marked by the implementation of the NIS2 Directive. A DDoS attack paralyzing services for several hours is a serious incident requiring notification. The lack of adequate anti-DDoS safeguards may be interpreted as a failure to exercise due diligence, which may result in financial penalties of up to EUR 10 million or 2% of annual turnover.
Cloudflare as a Compliance Element
Implementing Cloudflare Enterprise supports NIS2 compliance:
- Business Continuity: SLA-guaranteed service availability even during an attack
- Supply Chain Security: Protection of APIs and B2B integrations
- Reporting and Auditability: Detailed logs and post-incident reports necessary for reporting to CSIRT
Strategic Recommendations for Polish CISOs
- Eliminating Hardware from DDoS Defense: Local devices are useless against attacks >1 Tbps. Defense should be moved to the cloud, where network capacity (449 Tbps) far exceeds the largest possible attacks.
- Implementing API Protection: Due to the increase in attacks on programming interfaces, it is essential to implement WAF and API Gateway with schema validation.
- Origin Security Audit: Hiding the real IP address of servers (Cloudflare Tunnel instead of open ports).
- Education and Testing: Regularly conducting penetration tests and DDoS simulations.
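An added example, not ICWT's or Cloudflare's code, for the origin-exposure problem raised in Chapter 5 (attackers reaching the server's IP directly) and the Origin Security Audit recommendation above: it reviews a constructed origin connection log for web hits whose source lies outside the proxy provider's ranges, and renders an nftables allowlist that rejects everything else. The prefixes and log lines are constructed placeholders; the real ranges are the ones Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
# Added example (not ICWT's or Cloudflare's code): audit an origin server's
# connection log for hits that bypassed the proxy layer, and emit an allowlist.
# PROXY_RANGES_PLACEHOLDER is CONSTRUCTED; in practice load the current list
# Cloudflare publishes at https://www.cloudflare.com/ips-v4 (and ips-v6).
import ipaddress

PROXY_RANGES_PLACEHOLDER = ["192.0.2.0/24", "198.51.100.0/25"]  # constructed, not real ranges

# Constructed origin connection records: "<timestamp> <src_ip> <dst_port>".
SAMPLE_LOG = """\
2025-09-14T10:00:01Z 192.0.2.17 443
2025-09-14T10:00:02Z 198.51.100.9 443
2025-09-14T10:00:03Z 203.0.113.55 443
2025-09-14T10:00:04Z 203.0.113.55 80
2025-09-14T10:00:05Z 192.0.2.200 443
2025-09-14T10:00:06Z 10.0.0.5 22
"""

def parse_log(text):
    """Turn the constructed log format into (timestamp, ip_address, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        records.append((ts, ipaddress.ip_address(src), int(port)))
    return records

def direct_origin_hits(records, proxy_ranges, web_ports=(80, 443)):
    """Return (ts, src, port) for web connections whose source is outside the
    proxy's ranges, i.e. clients that reached the origin IP directly."""
    nets = [ipaddress.ip_network(r) for r in proxy_ranges]
    return [(ts, str(src), port) for ts, src, port in records
            if port in web_ports and not any(src in n for n in nets)]

def nft_allowlist(proxy_ranges, web_ports=(80, 443)):
    """Render nftables rules (for an input chain) that accept web traffic only
    from the proxy ranges and drop the rest, so the origin is not reachable directly."""
    ports = ", ".join(str(p) for p in web_ports)
    lines = [f"tcp dport {{ {ports} }} ip saddr {r} accept" for r in proxy_ranges]
    lines.append(f"tcp dport {{ {ports} }} drop")
    return "\n".join(lines)

if __name__ == "__main__":
    for hit in direct_origin_hits(parse_log(SAMPLE_LOG), PROXY_RANGES_PLACEHOLDER):
        print("direct-to-origin:", hit)
    print(nft_allowlist(PROXY_RANGES_PLACEHOLDER))
```

Any non-empty result from the audit means the origin address is known to someone outside the proxy path and should be rotated (or the service moved behind Cloudflare Tunnel) rather than merely firewalled.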
Summary
The third quarter of 2025 showed that the internet has become a battlefield where terabits of data are the ammunition. The Aisuru botnet proves that the only constant is the changing scale of threats. For Polish companies, DDoS protection is no longer an option, but a prerequisite for operating in the digital market.
ICWT combines the power of Cloudflare with implementation expertise and an understanding of the local market, delivering solutions that let you sleep soundly even when a digital storm is raging outside.