DDoS in February

Arun Kumar

Senior Security Researcher, Fastly

David King

Security, Senior Product Marketing Manager

Fastly Security Research Team

Fastly Security Research Team, Fastly

Fastly’s exclusive monthly DDoS weather report for February 2025 shows a 2.85x month-over-month increase in the volume of attacks.

Fastly’s unique instant global network has stopped trillions of attempted DDoS attacks at layers 3 and 4. However, sophisticated new layer 7 attacks are harder to detect and potentially far more dangerous. This significant threat to any internet-facing app or API’s performance and availability puts users and organizations at risk. Fastly used telemetry from our 410 Terabits per second[1] network servicing 1.8 trillion requests per day[2] and Fastly DDoS Protection to inform a unique set of insights into the global application DDoS “weather”, the only monthly report of its kind. Leverage anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.

The influence of product enhancements in reports

Fastly DDoS Protection launched in October 2024, and we’ve been working hard to make this the best solution for application DDoS on the market. While we’ve discussed at length how powerful the solution’s adaptive Attribute Unmasking engine is in fighting attacks, we’ve also been strengthening its foundation and made some major enhancements to detection in February.

The enhancements further reduced the time from detection to mitigation while broadening the solution's visibility into DDoS attacks (particularly briefer, smaller attacks). We continue to improve core detection and mitigation capabilities, and they likely play a role in why we saw such a severe uptick in the volume of attacks in February. We expect to see the influence of enhancements like these in our reports as we continuously refine the product to make it even better for customers like you. With that disclaimer out of the way, let’s jump into the results!

Key Findings

  1. Fastly observed a 285% month-over-month surge in application DDoS attacks, reflecting the ongoing trend of increasing attack volume each month

  2. The United Kingdom entered the top 5 countries that observed attack requests since we began analyzing the attack patterns by region

  3. Attackers’ allocation of resources for attacks appears to align with the target company’s size, as well as its perceived capacity and resilience

Traffic Trends

Every month Fastly observes tens of billions of application DDoS attacks targeting our customers, but in February, we observed 2.85 times the volume of DDoS requests compared to January.

The trend of increasing volume has been consistent since December 2024 when we launched our first “DDoS in” report. December to January saw a 14.5% increase, and now January to February saw a 285% increase in volume (Image 1).

Fastly’s unique instant global network consists of physical servers, connected to the internet at high-density internet exchange points in points of presence (PoPs) located in 97 strategic locations around the world[3]. In February, DDoS attack traffic was detected at multiple PoPs worldwide (Image 2), with the highest volumes observed at our PoPs in:

  1. United States

  2. Germany

  3. Singapore

  4. United Kingdom

  5. France

Of particular interest in this list is the United Kingdom, which ranked fourth. While the country ranks second by internet usage statistics in Europe, only behind Germany, its rise into the top 5 implies that a much larger set of attacks was observed in the United Kingdom this month. So who did the attackers target?

Many of the targeted organizations in the United Kingdom’s observed attack requests had a level of commonality between them. The organizations operated in High-Technology or Media & Entertainment industries and engaged in privacy, anti-censorship, or press freedom. This is an implicit reality worth making explicit; the more likely your organization’s offerings are to upset those launching attacks, the more likely you are to get their focus, and this rang true in February.

While typically we observe a lull in attacks over the weekend, attacks in February were distributed relatively evenly across the week (Image 3). Friday and Saturday had the highest volume of requests and were 39% above average attack volume.

Typically when building these reports, we use the volume of attack requests as the common form of measurement throughout, but what if we were to look at the count of attacks instead? Here’s how the data shifts. The following company sizes are broken into 3 categories:

  • Enterprise: Greater than $1 billion

  • Commercial: Between $100 million and $1 billion

  • Small and Medium Businesses (SMB): Less than $100 million

When observing the attack count, we find that SMB organizations received almost half of all attacks (43.3%), with Commercial organizations receiving nearly 36% and Enterprises receiving 20.9% (Image 4).

When instead observing the attack request volume by organization size, we find that while the percentage for SMBs only slightly increases, the proportion that Enterprises saw changes drastically (Image 5).

What we can glean from this insight is that when attackers decide to hit the biggest organizations in the world, they come prepared. They likely understand that it will take a larger attack to have any chance of success and thus launched bigger attacks against organizations of this size in February. To ease your comparison, we’ve combined the two pie charts above into a single view (Image 6).

Organizations operating in High Technology had the highest attack count, followed by Commerce and then Media & Entertainment (Image 7). This comes in stark contrast to January when the percentage of customers in commerce who were attacked was less than 11.5%. The distribution highlights the month-to-month volatility in attackers' choice of targets.

This month we also investigated how the data changes when we combine company size and industry. Of particular interest is how certain company sizes are under increased duress depending on their industry. Commercial-size organizations are the clear target in Commerce, SMBs in High Technology, and distribution is relatively even in Media & Entertainment and the other industries attacked.

Actionable Guidance

So, what should you take away from all of this information?

It’s important to note that this data only represents one month’s data and should be used with first-party insights from your observability tools and longer-term research to create a comprehensive view. However, from this data alone, there are a few key learnings you can integrate into your existing security efforts:

  • Attack volume has increased for three straight months and took a drastic leap from January to February. Although caching content can alleviate some of the load on origin servers, organizations should consider implementing dedicated DDoS solutions that can adapt to the varying patterns of legitimate and attack traffic.

  • Security practitioners and organizational leaders should understand the threat landscape, assess the specific risks relevant to their industry, and implement defensive strategies accordingly. For example, a company focused on facilitating pet adoption is likely a less attractive target compared to a media organization, which may face threats ranging from hacktivists to nation-state actors.

  • Attack volume was relatively steady throughout the days of the week but did peak on Friday and Saturday (UTC), highlighting the importance of a 24/7/365 SOC that can fight attacks even if they happen over the weekend.

Automatically mitigate disruptive and distributed attacks

As always, we’d be remiss not to remind you that solutions like Fastly DDoS Protection automatically stop the attacks detailed in this report. Fastly DDoS Protection leverages our network’s massive bandwidth and adaptive techniques to ensure your websites remain fast and available, all without any required configuration. Contact us to learn more.

[1] As of December 31, 2024

[2] As of July 31, 2023

[3] As of December 31, 2024