DDoS in August

Fastly’s exclusive monthly DDoS weather report for August 2025 finds that hyperscale clouds are the source network in 70% of associated attacks

Fastly’s instant global network has stopped trillions of attempted DDoS attacks at layers 3 and 4. However, sophisticated new layer 7 attacks are harder to detect and potentially far more dangerous. This significant threat to any internet-facing app or API’s performance and availability puts users and organizations at risk. Fastly uses telemetry from our 462 Terabits per second* global edge network servicing 1.8 trillion requests per day** and Fastly DDoS Protection to inform a unique set of insights into the global application DDoS “weather”— the only monthly report of its kind. Leverage anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.

Key Findings:

• August 1 was the third-largest day of attack volume since the beginning of 2025

• Median attack volume is highest in Media & Entertainment (M&E), then the Public Sector, and Education

• Attacks isolated to an ASN are most associated with hyperscale clouds 70% of the time

August Traffic Trends

As summer (for those of us in the northern hemisphere) draws to a close, August kicked off with a spike in attack traffic and was followed by subsequent days of consistently much lower volume (Image 1).

Examining the month’s average volume against total daily volume, it’s apparent how much influence a single outlier like the 1^st can have over the rest of the month. All in all, August was a return closer to the established trendline of average attack volume per month (Image 2).

While not above the trend as seen in April, May, and June, we are heading into the holiday season, which historically experiences higher traffic volumes. We’ll continue to monitor how this data changes in the coming months and share updates in future editions.

Comparing August against every day so far this year, August 1st clearly stands out as the third largest spike in attack traffic observed (Image 3).

While just 42% the volume of this year’s largest attack, August 1 still observed tens of billions of requests over the 24-hour period (UTC). Similar to what we’ve seen in the other largest attacks of the year, the spike is primarily attributable to attacks on a single customer. However, while June’s spike targeted an enterprise in High Technology, this one targeted an enterprise in Media & Entertainment.

Attack trends

August received nearly 73,000 attacks, which breaks down to about 1.7 every minute of every day. This is on par or slightly higher than what we’ve seen in previous months, given there are 31 days in August, whereas others have just 30 or fewer. Every month, we examine attacks through the lens of who was attacked, and this month, we’ll kick things off with a look into the size of companies attacked in August. For those new to these reports, we break down company size by annual revenue:

• Enterprise: Greater than $1 billion

• Commercial: Between $100 million and $1 billion

• Small and Medium Businesses (SMB): Less than $100 million

Typically, we use total volume to provide an unfettered view into who was attacked; however, even a single massive attack drastically skews how the data is presented. For [REDACTED] & giggles, check out how total volume looks against company size in August (Image 4).

In contrast, median attack volume tells a completely different story (Image 5).

The massive attacks are completely negated in this view, showing that Commercial organizations actually receive the largest median attack volume. This dynamic serves as a reminder to take headlines you read with a grain of salt; while it would be easy to say that 91% of attack volume hit enterprises in August, and it’d be factually correct, the reality is nuanced (and often omitted).

In most editions, we also chart total volume against the industries they target, but for this month, we’re exploring a new view of the median volume per industry. In doing so, we remove much of the natural bias of our customer base and find that many of the industries we often see dominating the chart, like Commerce and High Technology, actually have a smaller median attack size than industries like the Public Sector and Education that take the second and third places for highest median volume (Image 6).

We’ll continue to monitor this data to see if it’s a consistent trend or just an abnormality for the month. A consistent trend here could suggest either sophisticated, targeted campaigns or the work of persistent, less-skilled actors. Regardless, we’ll keep you posted. Media & Entertainment leading the median volume is the least shocking, as they’re typically the most significant proportion of total volume in these reports, likely due to the controversial or timely content that attackers want to discourage or impact the coverage of.

Mitigation trends

Transitioning to the types of attributes found in rules Fastly DDoS Protection automatically generates to protect our customers, this month, we took a look at IPs and ASNs. For those less familiar, an IP or Internet Protocol Address is a unique identifier for a device like your home router, and an ASN or Autonomous System Number is a unique identifier for a whole network. You can imagine these as a single phone number versus your telecom provider, which owns and manages a whole block of phone numbers. Both of these can be used to separate an attack from legitimate traffic, and this month, we took a look at what happens when they’re included as part of a rule. 

IPs used in August rules

A single IP was found in 42% of rules in August. As we dive into this section, it’s worth noting that a single attack often requires multiple rules to fully mitigate it. While a rule may leverage a single IP, there are numerous instances where other rules bring in either additional IPs or must separate the attack traffic in another manner. Essentially, this isn’t to say that 42% of the time an attack is coming entirely from a single IP, just that enough of it was to cut part of the attack away.

Taking a deeper look at the IPs, we find that many of them are involved in just one or a few attacks and were never seen again (Image 7).

While we aim to dive deeper into what’s happening here, whether the vast majority of these are attacks from a local network (which may indicate botnet activity) or coming from cloud or hyperscalers (which may indicate the ease of spinning up serverless environments anywhere in the globe), this data does point to the distributed nature of many DDoS attacks in August. It also adds credence to the whack-a-mole game that many security teams face, where they stop one IP from attacking just for another to come right after.

Flipping the distributed dataset and looking at the IP associated with the most DDoS attacks, we find that the worst offending IP in August was involved in 184 unique attacks on 59 customers, primarily in the Media & Entertainment and High Technology industries. Taking a look outside the borders of Fastly, this same IP is associated with 17 abuse reports (on sites like AbuseIPDB), which span not just DDoS but also OWASP-style attacks. Interestingly, the third-party abuse reports only started in August, and we also couldn’t find it in any associated rules in July, which may point to the short-lived nature of IPs used in widespread attacks.

ASNs used in rules

Sometimes an attack can’t be attributed to a single IP but instead to a swath of them from a single network. In August, 66% of rules include a single ASN as part of their many attributes. Similarly to what we found with IPs, a single ASN isn’t commonly found in more than 10 rules, with the vast majority of rules having a unique ASN in August. However, looking at the top 10 ASNs used in rules, we do uncover a pattern: hyperscale cloud providers are the ASN in 71% of associated attacks.

Similar to what we found with IPs being short-lived, this finding may provide an additional point of correlation, as hyperscale clouds often have a lower barrier to entry for spinning up a serverless environment than more traditional hosting/VPS or even Content platforms.

Actionable guidance

So, what should you take away from all of this information?

1. Organizations operating in the media and entertainment space continue to receive the highest proportion of total and median attack volume. If your organization operates in the space, we urge you to consider adopting application DDoS protection if you haven’t already.

2. If your manual mitigation criteria heavily incorporates IPs, consider whether this effort could be replaced by automated solutions or rules incorporating ASN with additional attributes to increase accuracy. Given how many unique IPs are used in attacks, this should only be used in rules for the most egregious of offenders. 

3. Enterprises should ensure their infrastructure or tooling can absorb (ideally mitigate) attacks in the realm of tens of billions of requests over short periods. Each of the largest attacks this year was able to scale to millions of requests per second, far beyond what some can manage without performance impacts.

Automatically mitigate disruptive and distributed attacks

As shown in August, a single massive attack can target any industry, from Media & Entertainment to High Technology, while smaller, persistent attacks plague commercial businesses daily. Fastly DDoS Protection is designed for this reality, automatically mitigating the distributed, multi-vector attacks detailed in this report. Let our adaptive technology absorb the next spike so you don't have to. Contact our team or start your free trial today.

* As of 2025-03-31

** As of 2023-07-31