Back to blog

Follow and Subscribe

DDoS in September

Liam Mayron

Principal Product Manager

David King

Senior Product Marketing Manager, Security

Alexander Bergman

Director, TLS Eng & Edge Protocols

SecurityIndustry insights

Fastly’s exclusive monthly DDoS weather report for September 2025 details a prolonged 15 million RPS attack lasting over an hour

Fastly’s instant global network has stopped trillions of attempted DDoS attacks at layers 3 and 4. However, sophisticated new layer 7 attacks are harder to detect and potentially far more dangerous. This significant threat to any internet-facing app or API’s performance and availability puts users and organizations at risk. Fastly uses telemetry from our 462 Terabits per second* global edge network servicing 1.8 trillion requests per day** and Fastly DDoS Protection to inform a unique set of insights into the global application DDoS “weather”— the only monthly report of its kind. Leverage anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.

Key Findings:

  • 71% of September’s largest day of attack volume is attributable to an attack on a single customer

  • September’s attack volume fell significantly below the trendline, representing just 61% of the volume seen in August

  • Media & Entertainment observed the largest median attack volume, followed by Education and High Technology industries

September traffic trends

September has come and gone, and while students in the northern hemisphere headed back to school, attackers appeared preoccupied. September was a slower month for attacks, falling well below the trendline and representing just 61% of the attack volume observed in August.

September closed out the third quarter of the fiscal year, and when comparing Q3 against previous quarters this year, we find that September was part of a larger trend where Q3 observed less attack volume than Q2. While Q3 was more than twice the attack volume observed in Q1, that percent change is primarily driven by the extremely low volume of January.

This leads to an interesting conclusion: lower attack volume coincides with months when schools are out of session. While nothing definitive can be said, if this trend holds true, organizations can expect to see a higher volume of attacks in Q4 while schools are in session. 

Breaking out the attack volume by day this year reveals just how low September was in comparison to previous months.

Detailing September’s biggest attack

Looking at daily traffic volume over the course of September, it’s clear that one day (September 22nd) stands out for the highest volume of attack traffic.

Given that September was a slower month for attacks, we took the opportunity to investigate this spike in traffic and identify any broad themes that may have contributed to it. As we discovered, the vast majority of the traffic is attributable to a single attack on an Enterprise operating in the media and entertainment space.

While in the past we’ve detailed the largest attacks by total volume, the requests per second (RPS) of an attack are of equal if not greater importance. Think of it like a sustained flood vs. a flash flood. Both are detrimental in their own way, but one is far harder to react to before damage is done. Consider the largest application DDoS attack this year (by volume) observed in June. The attack lasted over two days, produced 250+ billion attack requests, and peaked at 1.7 million RPS. Although the rate was incredibly high and sustained mainly over the period, the largest attack in September lasted less than an hour, peaking at over 15 million RPS. This month, Alexander Bergman, who leads the engineering efforts for Fastly DDoS Protection, joins the blog to detail just how attacks like this manifest.

Early on September 22nd, attackers began targeting production systems for an enterprise operating in the Media & Entertainment space. Within just a minute, the attack scaled to 13.3 million RPS before hitting its peak of 15.5 million RPS just 6 minutes later.

What makes this attack notable is the sustained throughput of real requests. When vendors discuss the largest DDoS attacks, they often refer to those that ping a server (DNS, amplification, etc.) but never complete the request. This attack had enough real requests to fill a Super Bowl many times every second, and that process is computationally costly. While we’ve previously observed larger throughput attacks with over 250 million RPS, typically lasting less than five minutes, this particular attack lasted for an hour. Examining the attack further, the attack originated from a single ASN (cloud provider), which is common, but the throughput from each client was higher than usual, indicating a more sophisticated daemon. It shared certain attributes with common browsers, which made detection harder, but other Fastly proprietary fingerprints uniquely identified the attacker.

From an engineering perspective, it’s important to note that Fastly DDoS Protection prioritizes your legitimate traffic, minimizing any mitigation overlap that would impact it. From all of the analysis we’ve done, we’re proud to share that Fastly DDoS was 100% accurate in its mitigations and caught 98% of the attack traffic. While more could have been mitigated theoretically, doing so could impact legitimate traffic, which isn’t an acceptable tradeoff given the low return-to-impact ratio. We hope that examining how attacks like this manifest offers teams a glimpse into the power at the disposal of motivated attackers, enabling you to prepare your defenses accordingly.

Attack trends

Given how much attack volume is attributable to the single attack on September 22nd, the industry and company size charts are heavily skewed this month. Media & Entertainment dominate the total attack volume by industry chart, and Enterprise organizations account for over half of the total volume for the month.

While the total volume was skewed by the largest attack of the month, the median attack size also shows that Media & Entertainment received by far the largest attack size, followed by the Education and High Technology industries.

This insight reveals that although the largest attack skewed the total volume data for industry & company size, these segments would have had the largest share of attack traffic regardless, which is consistent with the trends observed in previous reports.

Actionable guidance

So, what should you take away from all of this information?

  1. The trend that Enterprises operating in the Media & Entertainment space are the target of the most DDoS attacks continued in September, a reminder to organizations in the space of the importance of proper tooling to mitigate any impact.

  2. If our observation that attack volume increases during the school year holds true, organizations should ensure they have proper staffing and alerting in place for October and November, should the volume and frequency of attacks continue to rise.

  3. The largest September attack peaked at 15.5 RPS and only lasted about an hour. Organizations should consider whether their current runbook would’ve mitigated the impacts of the attack quickly enough, or consider an automatic DDoS protection solution to ensure that if a similar attack targets them, customers won’t be impacted.

Automatically mitigate disruptive and distributed attacks

While September was relatively slower than previous months, each day observed billions of requests flagged as part of an application DDoS attack. Attacks are a constant, and Fastly DDoS Protection is designed for this reality, automatically mitigating the distributed, multi-vector attacks detailed in this report. Let our adaptive technology absorb the next spike so you don't have to. Contact our team or start your free trial today.

* As of 2025-03-31

** As of 2023-07-31

Fastly
© Fastly 2025