
DDoS in April

Liam Mayron

Principal Product Manager

David King

Senior Product Marketing Manager, Security


Fastly’s exclusive monthly DDoS weather report for April 2025 finds a significant rate of attack traffic originating in the United States

Fastly’s instant global network has stopped trillions of attempted DDoS attacks at layers 3 and 4. However, sophisticated new layer 7 attacks are harder to detect and potentially far more dangerous. This significant threat to any internet-facing app or API’s performance and availability puts users and organizations at risk. Fastly uses telemetry from our 427 Terabits per second global edge network servicing 1.8 trillion requests per day and Fastly DDoS Protection to inform a unique set of insights into the global application DDoS “weather”, the only monthly report of its kind. Leverage anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.

The influence of product enhancements in reports

Fastly DDoS Protection launched in October 2024, and we’ve been working hard to make this the best solution for application DDoS on the market. While we’ve discussed at length how powerful the solution’s adaptive Attribute Unmasking engine is in fighting attacks, we’ve been working hard to enhance its foundation and continue to make strides in enhancing detection. 

Our enhancements further reduced detection time while broadening the solution's visibility into DDoS attacks (particularly briefer, smaller attacks). We continue to improve core detection and mitigation capabilities, and they likely play a role in why we saw such a consistent uptick in the volume of attacks in April. We expect to see the influence of enhancements like these in our reports as we continuously refine the product to make it even better for customers like you. With that disclaimer out of the way, let’s jump into the results!

Key Findings

  1. A single IP was associated with mitigation rules for 456 unique customers

  2. 71% of automatically generated rules isolate traffic to the United States

  3. April attack volume was 5% more than January, February, and March combined

DDoS Traffic Trends

Where in previous months we saw clear spikes in attack volume on individual days, attacks in April did not adhere to this trend. Much of the month sits close to the average attack volume per day line, implying that there were few outlier spikes skewing the average (Image 1).

While spikes were less drastic, the overall volume of requests identified as part of a DDoS attack was far higher in April than in any month since we started reporting (Image 2).  The increase in volume from March to April represents an 87% increase month over month, and April alone had 5% more DDoS attack volume than all of Q1 combined!

Observing attacks through the lens of what industry was attacked highlights how drastically the data shifts when observing attack volume vs. attack count overall (Image 3).

While Commerce received the most attacks, Media & Entertainment received the vast majority of attack volume. 

Examining the attacks on Media & Entertainment further, the bulk of them targeted Enterprise-level M&E organizations. This further validates an implicit reality observed in previous reports: attackers understand who they’re attacking and launch bigger attacks against bigger organizations.

DDoS Attack Insights

On April 8th, we released a major update to Fastly DDoS Protection. With it come two key features: events and event details. Think of each event as an individual attack; the event details let customers dive deeper into how it was mitigated. As part of the event details, we can now dive into every rule our adaptive Attribute Unmasking technique creates to fight attacks. This month, we’ll dive into the attributes used in rules and how they’re trending across our global customer base.

Fastly DDoS Protection’s rules are automatically crafted and can contain 10+ attributes to accurately separate attacks from the legitimate traffic they aim to blend with. One common attribute used in combination with others is the attacking IP’s geolocation. In April, 66% of attack rules were able to isolate a portion of the attack to a single country (Image 4).

When we examine what country appears most in rules, the United States far surpasses all others (71%), followed by Germany (11%), China (8%), France (5%), and Indonesia (5%) to round out the top 5 (Image 5).

While it’s likely that a portion of attacks are launched by American cyberattackers, it’s worth noting that spinning up serverless instances is incredibly accessible and straightforward. With little effort, attackers can leverage their autonomous system (AS) of choice and make their attacks originate from almost anywhere in the world, regardless of their actual location.

Another common attribute used in a rule is a single IP. About 31% of April’s rules were able to isolate the attack to a single IP as part of the larger rule (Image 6). This is particularly interesting given that volumetric attacks are often described as Distributed Denial of Service, yet this data implies a significant portion of attacks aren’t all that distributed.

Diving a bit deeper, we find that when an IP is used as part of a rule, that IP only targets a single Fastly customer 52% of the time (Image 7). While the share of remaining attack IPs drops off quickly as the number of unique customers they target grows, we looked more closely at the IPs that attacked the most customers to see just how widespread their attacks were.

This month, we uncovered that a single IP was associated with DDoS attacks on over 400 unique customers. Examining this IP further, we find that the IP belongs to a major global SaaS organization. With that context, we expected the IP would be tied to scraping at a volume that’s malicious across all those customer accounts, but a deeper analysis of metrics coming from our Next-Gen WAF implies something far worse. The IP was tied to multiple CMDEXE and Directory Traversal attacks and Backdoor attempts, at less volumetric levels but no less malicious. This data implies that the DDoS attacks on hundreds of customers were likely not the result of a business decision to scrape data as fast as possible, but instead that a company machine or IP address was compromised. With this information, we reported attack details to the organization and offered to support their investigation as needed.

This is just the beginning of the type of data explorations the Attack Insights update unlocks for these reports. Stay tuned in future editions for deep dives on other attributes and more unique insights only Fastly can provide.

Actionable Guidance

So, what should you take away from all of this information?

It’s important to note that this report only represents one month of data and should be used with first-party insights from your observability tools and longer-term research to create a comprehensive view. However, from this data alone, there are a few key learnings you can integrate into your existing security efforts:

  1. Consider implementing dedicated DDoS solutions that can adapt to the varying patterns of legitimate and attack traffic. Attack volume increased every month in 2025, with a massive uptick in April, and while caching content can alleviate some of the load on origin servers, a dedicated solution is likely optimal.

  2. Be mindful of how you’re leveraging geo-based decisioning if you’re still manually creating rules or rate limits (or shift to automatic rule creation). The bulk of DDoS rules that leveraged geolocation in April isolated traffic from US-based IPs, meaning that blanket block or allow lists can have unexpected consequences.

  3. Ensure you have inclusive views of your AppSec tooling and posture – no data silos allowed. It is only because we had access to DDoS, Bot Management, and Next-Gen WAF metrics that we were able to identify that it wasn’t an instance of a scraper gone rogue, but a larger campaign via a compromised machine/IP.
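
The cross-tool check behind the third recommendation, and behind the single-IP analysis above, can be sketched as a join of DDoS and WAF data on source IP. This is an added example, not Fastly's code or export format: the record fields, customer IDs, signal tags, and verdict labels are all assumptions, and the IPs are constructed from documentation ranges.

```python
from collections import defaultdict

# Constructed sample records (documentation-range IPs, made-up customer IDs).
# Field names are assumptions, not a Fastly export format.
DDOS_EVENTS = [  # one row per mitigation rule that pinned a single source IP
    {"ip": "192.0.2.10", "customer": "cust-a"},
    {"ip": "192.0.2.10", "customer": "cust-b"},
    {"ip": "192.0.2.10", "customer": "cust-c"},
    {"ip": "198.51.100.7", "customer": "cust-a"},
    {"ip": "203.0.113.5", "customer": "cust-d"},
    {"ip": "203.0.113.5", "customer": "cust-e"},
]
WAF_SIGNALS = [  # one row per WAF detection; "signal" values are constructed tags
    {"ip": "192.0.2.10", "customer": "cust-b", "signal": "CMDEXE"},
    {"ip": "192.0.2.10", "customer": "cust-f", "signal": "TRAVERSAL"},
    {"ip": "192.0.2.10", "customer": "cust-c", "signal": "BACKDOOR"},
    {"ip": "198.51.100.7", "customer": "cust-a", "signal": "TRAVERSAL"},
    {"ip": "203.0.113.9", "customer": "cust-d", "signal": "CMDEXE"},
]
EXPLOIT_SIGNALS = {"CMDEXE", "TRAVERSAL", "BACKDOOR"}


def correlate(ddos_events, waf_signals, min_customers=2):
    """Join DDoS and WAF data by source IP and classify each DDoS source."""
    ddos_customers = defaultdict(set)
    for ev in ddos_events:
        ddos_customers[ev["ip"]].add(ev["customer"])
    exploit_hits = defaultdict(set)
    for sig in waf_signals:
        if sig["signal"] in EXPLOIT_SIGNALS:
            exploit_hits[sig["ip"]].add(sig["signal"])

    report = []
    for ip, customers in ddos_customers.items():
        signals = exploit_hits.get(ip, set())
        widespread = len(customers) >= min_customers
        if widespread and signals:
            verdict = "likely-compromised-host"   # volumetric plus exploit attempts
        elif widespread:
            verdict = "multi-customer-volumetric"  # e.g. an aggressive scraper
        else:
            verdict = "single-customer"
        report.append({"ip": ip, "ddos_customers": len(customers),
                       "exploit_signals": sorted(signals), "verdict": verdict})
    return sorted(report, key=lambda r: (-r["ddos_customers"], r["ip"]))


if __name__ == "__main__":
    print(*correlate(DDOS_EVENTS, WAF_SIGNALS), sep="\n")
```

With DDoS data alone, the first and third sources look the same apart from customer count; only the WAF join separates a high-volume client from a host that is also attempting exploitation.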

Automatically mitigate disruptive and distributed attacks

As always, we’d be remiss not to remind you that solutions like Fastly DDoS Protection automatically stop the attacks detailed in this report with the insights you need to quickly validate efficacy. Fastly DDoS Protection leverages our network’s massive bandwidth and adaptive techniques to ensure your websites remain fast and available, all without any required configuration. Start leveraging our adaptive technology today and get up to 500,000 requests for free, or contact our team to learn more.