DDoS attacks hit record peaks as bots & automation escalate
DigiCert has published its first RADAR Threat Intelligence Brief highlighting a sharp rise in distributed denial-of-service (DDoS) attacks and significant shifts in the global cyber threat landscape.
Record-breaking DDoS attacks
According to the Q3 2025 RADAR Threat Intelligence Brief, DigiCert's security telemetry recorded an "internet tsunami" level of DDoS attacks, with two significant incidents reaching peaks of 2.4 terabits per second (Tbps) and 3.7 Tbps. These are among the largest attacks recorded to date and reflect a fundamental transformation in how cyber assaults are waged.
The company's UltraDDoS Protect network mitigated several multi-terabit attacks during the quarter, helping to prevent an estimated 3,000 hours of potential website downtime for its customers. This surge in activity marks a clear trend toward both unprecedented scale and increasingly sophisticated tactics by malicious actors.
Shifting attack origins
DigiCert's data also shows that incoming attack traffic is being driven in part by shifting geopolitical realities. Regions where digital infrastructure development outpaces regulatory controls are increasingly the origin point for large-scale attacks. Vietnam, Russia, Colombia, and China are cited among the top five sources for malicious traffic, adding new complexities to efforts to track, attribute and manage cross-border cybersecurity issues.
Targeting education
Higher education institutions experienced a notable increase in DDoS attack frequency. The RADAR brief identifies September as a particularly active month for attacks on universities and academic networks. This spike coincided with the beginning of academic terms and increased campus connectivity, which made these institutions a more attractive target compared to sectors like financial services and IT/software services during the same period.
Rise in automation
Automation is also a key theme from the report. Malicious web activity involving bots escalated sharply, rising from 51% of recorded attacks in July to 73% by September. September saw 32 million separate bot violations, illustrating how contemporary cyber threats are driven increasingly by automated tools capable of operating at large scales and high velocity.
In addition, a spike in DNS errors-classified as FormErr-was observed, increasing by 22,000% mid-quarter. This jump reflects the interconnected nature of internet infrastructure, where relatively minor misconfigurations can cascade across wider networks, amplifying risk for stakeholders globally.
"Attackers are not just choosing between precision and scale anymore, they're mastering both," said Michael Smith, AppSec CTO at DigiCert. "Our data shows that targeted precision attacks dominated two of the three months, while large-scale carpet-bombing campaigns surged in August, accounting for 65% of all incidents. As threats grow more complex, organisations need visibility that spans infrastructure, applications and identity to stay resilient."
According to Smith, critical infrastructure and geopolitically significant regions were among the primary targets for these attacks. He noted the geographic distribution of high-impact events observed during the quarter:
"We also saw that the United States bore the brunt of these attacks, accounting for 58% of global DDoS activity, with the United Kingdom (11%) and Saudi Arabia (11%) also heavily targeted. Adversaries are focusing their firepower on critical infrastructure and geopolitically significant regions, those where disruption has the greatest ripple effect."
Ongoing threat intelligence
The RADAR Threat Intelligence Brief will be issued quarterly, distilling key trends observed by DigiCert's suite of network monitoring platforms, including UltraDNS, UltraDDoS Protect, and UltraWAF. The report aims to provide organisations with actionable intelligence to anticipate cyber risks, align defences, and respond to attacks with greater confidence.
