DDoS in January
Fastly’s exclusive monthly DDoS weather report for January 2025 shows an uptick in a surprising industry.
Fastly’s unique instant global network has stopped trillions of attempted DDoS attacks at layers 3 and 4, but sophisticated new layer 7 attacks are harder to detect and potentially far more dangerous. This significant threat to any internet-facing app or API’s performance and availability puts users and organizations at risk. Fastly used telemetry from our 377 Terabits per second network servicing 1.8 trillion requests per day and Fastly DDoS Protection to inform a unique set of insights into the global application DDoS “weather,” the only monthly report of its kind. Leverage anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.
Key Findings
Fastly observed a 14.5% month-over-month increase in the volume of application DDoS attacks, with an upward trend in volume forming throughout the month.
Throughout the month, the highest volume of DDoS traffic consistently occurred between 2:00 - 11:00 PM UTC, Sunday through Thursday.
The highest volume of DDoS traffic was detected from our PoPs located in the United States, Germany, Singapore, France, and Japan.
DDoS Traffic Trends
In January, Fastly DDoS Protection detected tens of billions of requests linked to application DDoS attacks. While attack volume was lower at the beginning of the month, it increased notably as the month progressed (Image 1).
Fastly’s global network consists of physical servers, connected to the internet at high-density internet exchange points in nearly 100 strategic locations around the world, otherwise known as points of presence (PoPs). In January, DDoS attack traffic was detected at multiple PoPs worldwide (Image 2), with the highest volumes observed at our PoPs in:
US
Germany
Singapore
France
Japan
Fastly's global footprint of PoPs and varied customer base provide us a comprehensive view of global traffic and attack trends. The presence of always-on DDoS mitigation in our PoPs enables automatic DDoS mitigation for our customers, compared to limited and localized attack mitigation in scrubbing solutions.
In December, most attacks occurred during the workweek, with only 12% happening over the weekend. However, January’s attacks bounced around the days of the week. While Saturday remained the day with the lowest volume of attacks observed, Sundays in January saw the highest volume of attacks (Image 3).
This month, we took the attack volume by day chart and built it out a bit further. By overlaying the time of day the attacks came in, we produced a heatmap of what times were the most popular for attackers (Image 4).
The results highlight the consistent nature of attacks throughout the day and week. Although minor spikes were observed at 12:00 and 1:00 PM on Sunday and 2:00 AM on Monday (UTC), no clear pattern emerges from this data. This reinforces the fact that DDoS attacks can occur at any time, requiring defenders to remain vigilant around the clock.
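To build the same day-by-hour view from first-party data, the following added example (not Fastly's code) buckets request counts already flagged as attack traffic into a weekday-by-hour grid in UTC and reports the weekend share and busiest cells. The record format, the sample values and the function names are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample: (ISO 8601 timestamp with local offset, flagged request count).
SAMPLE = [
    ("2025-01-05T07:10:00-05:00", 900),  # Sunday 12:10 UTC
    ("2025-01-05T13:30:00+00:00", 700),  # Sunday 13:30 UTC
    ("2025-01-06T11:05:00+09:00", 800),  # Monday 02:05 UTC
    ("2025-01-08T23:45:00+01:00", 300),  # Wednesday 22:45 UTC
    ("2025-01-11T01:00:00+08:00", 100),  # Saturday locally, Friday 17:00 UTC
    ("2025-01-11T15:20:00+00:00", 50),   # Saturday 15:20 UTC
]


def heatmap(records):
    """Return a 7x24 grid (rows Mon..Sun, columns hour 0..23) in UTC."""
    grid = [[0] * 24 for _ in range(7)]
    for ts, count in records:
        t = datetime.fromisoformat(ts)
        if t.tzinfo is None:
            # A naive timestamp cannot be placed on a UTC grid reliably.
            raise ValueError(f"timestamp without UTC offset: {ts}")
        t = t.astimezone(timezone.utc)
        grid[t.weekday()][t.hour] += count
    return grid


def weekend_share(grid):
    """Fraction of all flagged requests that landed on Saturday or Sunday (UTC)."""
    total = sum(map(sum, grid))
    return (sum(grid[5]) + sum(grid[6])) / total if total else 0.0


def top_cells(grid, n=3):
    """The n busiest (count, day, hour) cells, highest count first."""
    cells = [(grid[d][h], DAYS[d], h)
             for d in range(7) for h in range(24) if grid[d][h]]
    return sorted(cells, reverse=True)[:n]


if __name__ == "__main__":
    g = heatmap(SAMPLE)
    print(f"weekend share: {weekend_share(g):.1%}")
    for count, day, hour in top_cells(g):
        print(f"{day} {hour:02d}:00 UTC  {count}")
```

Normalizing to UTC before bucketing matters when logs come from several regions: the fifth sample record is a Saturday locally but counts toward Friday on the UTC grid.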
Comparing trends against December 2024
The new year started slightly more aggressively than in December. Comparing overall volume between December 2024 and January 2025, we found a 14.5% increase. In December, most attacks came at the beginning of the month, but in January, the majority occurred in the latter half (Image 5).
Last month, we half-jokingly noted attackers took the holidays off. However, looking at the graph above, this theory seems even more plausible. If we build a single joint line chart starting in December and working through January, there’s a clear lull in attack volume heading into the main portion of the holiday season. That valley doesn’t end until well after the new year kicked off (Image 6).
Perhaps they came back with a vengeance after finding coal in their stockings.
Organizational Trends
Looking at the volume of DDoS in January through the lens of who it targeted, Media & Entertainment organizations were by far the largest target, receiving over half the month’s volume (Image 7).
But how big were these organizations? We correlated the volume of application DDoS attacks organizations saw in January to their annual revenue estimates (Image 8). To ease viewing, we broke the revenue bands into four groups:
Enterprise: Greater than $1 billion
Commercial: Between $100 million and $1 billion
Small and Medium Businesses (SMB): Less than $100 million
Undisclosed: Those we were unable to pull a reliable annual revenue for. These are likely somewhere in the SMB or Commercial brackets, given they aren’t public or have limited information disclosed.
It doesn’t come as a surprise that Enterprise saw the largest portion of attacks. Even attackers likely accept that impacting the Media & Entertainment or High Technology giants would take significantly larger attacks than impacting their SMB counterparts. However, compare this to last month, where we saw a much higher volume attributed to commercial-size organizations (Image 9).
While it may just be a coincidence, this distribution is something we’ll continue to monitor as we head into March.
Actionable Guidance
So, what should you take away from all of this information?
It’s important to note that this data only represents one month’s data and should be used with first-party insights from your observability tools and longer-term research to create a comprehensive view. However, from this data alone, there are a few key learnings you can integrate into your existing security efforts:
To withstand the growing frequency of DDoS attacks, organizations must ensure their infrastructure and security tools can scale effectively to handle unpredictable attack volumes. Proactively identifying vulnerable assets and implementing defensive measures in advance is crucial for maintaining resilience.
As with other attacks, DDoS attacks happen around the clock and on all days of the week. Global enterprises must have their Security Operations Centers (SOCs) strategically situated around the world with a follow-the-sun model for round-the-clock coverage.
While massive volume DDoS attacks are relatively rare, we consistently observe a relentless stream of smaller attacks, highlighting the need for an always-on DDoS protection solution.
Automatically mitigate disruptive and distributed attacks
Of course, we’d be remiss not to remind you that solutions like Fastly DDoS Protection automatically stop the attacks detailed in this report. Every detected attack request mentioned in this report could’ve been blocked. Fastly DDoS Protection leverages our network’s massive bandwidth and adaptive techniques to ensure your websites remain fast and available, all without any required configuration. Contact us to learn more.