
DDoS damage: Geopolitical events triggered unprecedented DDoS attacks, AI

Distributed Denial-of-Service (DDoS) attacks are no longer just a nuisance of the digital underground; they have evolved into precision weapons of geopolitical influence. Geopolitical events in particular, such as the India-Pakistan conflict and the Iran-Israel skirmish, have triggered unprecedented DDoS attacks.

New Netscout research confirmed that Distributed Denial-of-Service (DDoS) attacks continue to dominate the digital battlefield, destabilizing critical infrastructure. The firm said it monitored over 8 million DDoS attacks globally in the first half of 2025, including more than 3.2 million in EMEA. DDoS attacks have evolved into precision-guided weapons of geopolitical influence capable of destabilizing critical infrastructure.

Geopolitical events in particular triggered unprecedented DDoS attacks. The India-Pakistan conflict saw hacktivist groups target the Indian government and financial sectors in May, while the Iran-Israel conflict generated more than 15,000 attacks against Iran and 279 against Israel in June.

“As hacktivist groups leverage more automation, shared infrastructure, and evolving tactics, organizations must recognize that traditional defenses are no longer sufficient,” stated Richard Hummel, director, threat intelligence, NETSCOUT. “The integration of AI assistants and the use of large language models (LLMs), such as WormGPT and FraudGPT, escalates that concern. And, while the recent takedown of NoName057(16) was successful in temporarily reducing the group’s DDoS botnet activities, preventing a future return to the top DDoS hacktivist threat is not guaranteed. Organizations need intelligence-driven, proven DDoS defenses that can deal with the sophisticated attacks we see today.”

NETSCOUT observed more than 50 attacks greater than a terabit-per-second (Tbps) and multiple gigapacket-per-second (Gpps) attacks in the first half of 2025, including a 3.12 Tbps attack in the Netherlands and a 1.5 Gpps attack in the United States.

Hacktivist groups like NoName057(16) orchestrated hundreds of coordinated strikes each month, targeting the communications, transportation, energy, and defense sectors. DDoS-for-hire services have democratized attack tools, enabling novice actors to execute sophisticated attack campaigns. AI-enhanced automation, multi-vector attacks, and carpet bombing techniques challenge traditional defenses. Botnets compromised tens of thousands of IoT devices, servers, and routers, delivering sustained attacks and causing significant disruption. While each of these elements is dangerous on its own, in aggregate, they have formed the perfect storm, creating unprecedented cyber risk for organizations and service provider networks around the world.

Botnet-driven attacks gained sophistication with more than 880 bot-driven DDoS attacks occurring daily in March, peaking at 1,600 incidents, with attack durations increasing to an average of 18 minutes. Leveraging DDoS-for-hire infrastructure, DieNet orchestrated over 60 attacks since March, while Keymous+ launched 73 attacks across 28 industry sectors in 23 countries. Claiming more than 475 attacks in March alone, 337% more than the next most active group, the hacktivist group targeted government websites in Spain, Taiwan, and Ukraine.

Dramatic 43% Increase in Application-Layer & Volumetric Attacks

Last year, Netscout’s 2024 DDoS Threat Intelligence Report cited a dramatic 43% increase in the number of application-layer attacks and a 30% increase in volumetric attacks, especially in Europe and the Middle East. The escalation of attacks involves a range of threat actors, including hacktivists targeting critical infrastructure in the banking and financial services, government, and utilities sectors.

“Hacktivist activities continue to plague global organizations with more sophisticated and coordinated DDoS attacks against multiple targets simultaneously,” stated Richard Hummel, director, threat intelligence, NETSCOUT. “As adversaries use more resilient, take-down-resistant networks, detection and mitigation are more challenging. This report gives network operations teams insights to fine-tune their strategies to stay ahead of these evolving threats.”

The most targeted sectors in India include wired telecommunications carriers; other telecommunications; wireless telecommunications carriers (except satellite); data processing, hosting, and related services; paint and coating manufacturing; web search portals and all other information services; computer storage device manufacturing; direct mail advertising; and computer systems design services.

4,000% Increase in SSDP Amplification Attacks

Last year, Cloudflare observed a 4,000% increase in SSDP amplification attacks. An SSDP (Simple Service Discovery Protocol) attack is a type of reflection and amplification DDoS attack that exploits the UPnP (Universal Plug and Play) protocol.
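A defender-side check for the reflection pattern described above, as an added example that is not from the article, Cloudflare, or Netscout. It assumes SSDP's standard UDP port 1900, a hypothetical flow-record layout, and constructed sample records using documentation IP ranges; it flags hosts that receive SSDP replies from several sources without having sent a discovery request themselves.

```python
from collections import defaultdict

SSDP_PORT = 1900  # standard UDP port for SSDP / UPnP discovery

# Constructed flow records (documentation IP ranges); the layout is an assumption:
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", 50000, "239.255.255.250", 1900, "udp", 130),  # real M-SEARCH
    (0.2, "10.0.0.9", 1900, "10.0.0.5", 50000, "udp", 320),         # solicited reply
    (1.0, "198.51.100.7", 1900, "203.0.113.10", 80, "udp", 3100),   # unsolicited
    (1.0, "198.51.100.8", 1900, "203.0.113.10", 80, "udp", 2900),
    (1.1, "198.51.100.9", 1900, "203.0.113.10", 80, "udp", 3000),
    (1.1, "192.0.2.44", 1900, "203.0.113.10", 80, "udp", 3050),
    (2.0, "192.0.2.45", 1900, "10.0.0.6", 40000, "udp", 300),       # single stray
    (2.5, "198.51.100.7", 443, "203.0.113.10", 51000, "tcp", 1500), # unrelated TCP
]


def find_ssdp_reflection(flows, min_sources=3, window=10.0):
    """Return {victim_ip: (distinct_reflectors, total_bytes)}.

    A victim is a host receiving UDP traffic sourced from port 1900 that it
    did not solicit with its own discovery request in the last `window` seconds.
    """
    requests = {}                           # (ip, port) -> time of last SSDP request
    hits = defaultdict(lambda: [set(), 0])  # victim -> [reflector set, byte count]
    for ts, src, sport, dst, dport, proto, size in sorted(flows):
        if proto != "udp":
            continue
        if dport == SSDP_PORT:              # outbound discovery (or 1900->1900 NOTIFY)
            requests[(src, sport)] = ts
            continue
        if sport == SSDP_PORT:
            asked = requests.get((dst, dport))
            if asked is not None and ts - asked <= window:
                continue                    # reply to a request this host really sent
            hits[dst][0].add(src)
            hits[dst][1] += size
    return {victim: (len(srcs), total)
            for victim, (srcs, total) in hits.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    for victim, (n, total) in find_ssdp_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {n} reflectors, {total} bytes of unsolicited SSDP replies")
```

The `min_sources` and `window` thresholds are illustrative and need tuning against a network's normal UPnP discovery traffic.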

It was found that when launching HTTP DDoS attacks, threat actors aim to blend in to avoid detection. During Q3, 80% of HTTP DDoS attack traffic impersonated the Google Chrome browser, making it the most common user agent observed in attacks. Specifically, Chrome versions 118, 119, 120, and 121 were most frequently used. In second place, 9% of HTTP DDoS attack traffic had no user agent specified.

The majority (89%) of HTTP DDoS attack traffic used the GET method, in line with GET being the most commonly used HTTP method. Also, although 80% of DDoS attack requests were made over HTTP/2 and 19% over HTTP/1.1, their share was smaller when normalized by the total traffic volume for each version.

The increasing deployment of powerful botnets, driven by geopolitical tensions and global events, has broadened the range of organizations at risk—many of which were not traditionally considered prime targets for DDoS attacks. Unfortunately, many organizations continue to deploy DDoS protections only after an attack has already caused considerable damage.

Navanwita Bora Sachdev

Navanwita is the editor of The Tech Panda and also frequently publishes stories in news outlets such as The Indian Express, Entrepreneur India, and The Business Standard.
