European Cyber Report

The dynamic threat situation continues to escalate — the danger is increasing.

The threat posed by Distributed Denial-of-Service (DDoS) attacks intensified dramatically in the first half of 2025. The Link11 network recorded 225% more attacks than in the same period last year. Not only was there a massive increase in quantity, but also a qualitative development in the methods used to carry out the attacks. Looking at the last few months, the trend seems clear: the danger continues to grow unchecked.

143%

The rise of large-scale “ISP killer attacks” that threaten the infrastructure of providers or data centers.

438TB

The cumulative attack volume rose massively from an initial 110 TB.

225%

DDoS attacks registered in the Link11 network compared to the previous year.

Attacks are on the rise

The increase in DDoS attacks is the result of several factors, but is continuing to rise particularly due to global tensions. Two trends are driving the figures upward: more large attacks with higher peak values and an increase in many smaller attacks.

New type of attack emerges

A new form of Layer 7 attack has emerged in the form of so-called Yo-yo DDoS attacks. Yo-yo DDoS attacks target the auto-scaling functions of cloud infrastructures. Instead of permanently overloading systems, they generate alternating load peaks and quiet periods, causing instability and high costs.

Turbo attacks are decreasing

While we measured an increase in turbo attacks in the Link11 network in 2024, long, persistent attacks are playing an increasingly important role. The longest documented attack in the first half of 2025 lasted 12,388 minutes, or around eight days and 14 hours.

ISPs in the crosshairs

A worrying trend has been on the rise recently: more than twice as many attacks compared to last year were severe enough to paralyze backbone connections. Potential damage is more widespread and significantly more costly for providers and their customers.

Focus on ML and AI

Attackers use Artificial Intelligence and Machine Learning to detect and exploit vulnerabilities more quickly. At the same time, the number of unprotected IoT and smart home devices is growing, serving as an easily exploitable reservoir for automated botnets.

Attacks are shifting

The WAAP analysis shows sectoral shifts from H1 2024 to H1 2025: led by finance, the public sector, and retail & e-commerce, followed by defense, telecommunications, and healthcare. Attacks on defense, retail & e-commerce, and logistics & transportation increased particularly sharply.

Countries of DDoS traffic (not attackers’ origin)

Origin of DDoS traffic: Global distribution of the attack infrastructure 2025

We no longer see just brute force in the form of bandwidth, but also in highly precise Layer 7 attacks. The use of 20,000 deceptively ge nuine requests per minute can be more dangerous than 200 million packets per second if they go unnoticed in legitimate traffic.

Jag Bains

VP Solution Engineer Link11

The attackers cleverly disguise themselves using VPNs, CDNs, and geo-IP obfuscation. This suddenly makes it look as if the requests are coming from the neighborhood, while the system is simultaneously being bombarded from Vietnam, Russia, or the US.

Sean Power

Solution Engineer Link11

The dimensions are truly frightening. In the first half of 2025, 438 terabytes of DDoS traffic were moved. That‘s more than seven years of uninterrupted Netflix streaming in 4K. Numbers like these illustrate the threat better than any statistics.

Jens-Philipp Jung

CEO Link11