DDoS in July

Fastly’s exclusive monthly DDoS weather report for July 2025 finds enterprises suffering from infrequent but massive attacks in all tracked industries

Fastly’s instant global network has stopped trillions of attempted DDoS attacks at layers 3 and 4. However, sophisticated new layer 7 attacks are harder to detect and potentially far more dangerous. This significant threat to any internet-facing app or API’s performance and availability puts users and organizations at risk. Fastly uses telemetry from our 462 Terabits per second* global edge network servicing 1.8 trillion requests per day** and Fastly DDoS Protection to inform a unique set of insights into the global application DDoS “weather”— the only monthly report of its kind. Leverage anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.

Key Findings:

• SMB organizations receive the highest median attack volume

• July’s attack volume was just 51% of June’s (the largest month this year)

• 1 billion+ requests DDoS attacks on enterprises make up just 0.7% of attacks, but 63% of the total volume in July

July’s DDoS Traffic Trends

Summer is in full swing, and it seems bad actors may have also taken vacations in July #afk. Attack volume in the middle of July slowed before ramping up as the month drew to a close.

Admittedly, though, Image 1 is somewhat deceiving. In the grand scheme of DDoS volume in 2025, July was pretty low – especially in light of June’s massive attacks.

As mentioned above, traffic in July was just 51% of June’s observed DDoS traffic volume, and the entire month’s worth of attacks could be encompassed by the major spike seen on June 6 and 7. Since the start of the year, we’ve seen a trend of increasing DDoS volume; however, July is the first month to deviate, falling well below the trend line.

Attack Trends

Each month, we look at attacks through the lens of who was attacked. We found that while overall attack volume was down, the organizations attacked remained largely the same. Similar to previous months, the Media & Entertainment industry received the bulk of both attack volume and attack frequency, followed by Commerce, High Technology, and other industries, including organizations in healthcare, financial services, education, the public sector, and more.

Another lens through which we observe attacks is company size. For those new to these reports, we break down company size by annual revenue as follows:

• Enterprise: Greater than $1 billion

• Commercial: Between $100 million and $1 billion

• Small and Medium Businesses (SMB): Less than $100 million

Similarly to what we find with the industries targeted, the size of organizations under attack closely mirrors what we’ve seen in even the largest of months. This brings us to an unexpected conclusion: while overall volume may change, under this lens, the organizations attacked remain largely the same, no matter the volume. This may be coincidental, a bias created by Fastly’s customer base, or a reality that the organizations getting attacked don’t change while the volume may. We’ll continue to monitor this trend and report back in future editions!

Enterprise Attack Trends

In light of the lower overall attack traffic volume, this month we took an opportunity to dive into attack trends focused on enterprise organizations. While every month since we started this report, they’ve received the largest attack volume, we set out to understand whether they’re receiving larger attacks than all other segments or if it’s just a few attacks that skew volume so heavily. 

To avoid averages that can be skewed with such large volume counts, we’ve intentionally opted for using the median for the following analysis. Looking at July’s data, the results are somewhat disorienting – SMBs had the highest median attack volume, followed by Enterprise and Commercial organizations last.

So what’s happening? We roughly broke down attacks into three categories to understand the enterprise attack landscape:

• Less than 100k – these are attacks that were likely used to probe for vulnerabilities or as a short-lived distraction from another attack being launched. While they can still be damaging, these are less likely to impact performance.

• 100k-1 billion – the motive of these attacks is less clear, often being used to distract, inflate cloud/operational costs, or attempt to inflict performance degradation.

• 1 billion+: These are launched with the clear goal of impacting performance and availability.

With this segmentation and earlier assumptions in mind, we can imply that the vast majority of attacks are designed to either distract or inflate cloud costs as opposed to actually attempting to cause performance impacts. 

While 1 billion+ request attacks only make up 0.7% of total attacks, they account for 63% of total volume observed in July. Looking at what types of companies make up that 0.7%, we find that the majority of the organizations are Media & Entertainment, which makes sense given that they have the highest attack volume for any industry in July. However, there is representation from each of the industries we track against.

While this information shouldn’t be used to gauge whether your enterprise organization needs protection at all, as the old idiom goes – play silly games, win silly prizes, this analysis provides a glimpse into the largest of application DDoS attacks in the world and who they target.

Actionable Guidance

So, what should you take away from all of this information?

It’s important to note that this report only represents one month of data and should be used with first-party insights from your observability tools and longer-term research to create a comprehensive view. However, from this data alone, there are a few key learnings you can integrate into your existing security efforts:

1. Not all attacks are designed to impact performance. Organizations should be mindful of smaller ones that are no less damaging and can impact their cloud costs or distract from targeted payloads. Automated and adaptive solutions are recommended here as they can react to these relatively smaller attacks with accuracy and speed that manual interventions can’t.

2. Be mindful of how your organization leverages insights from a short period of time, and don’t overindex on the headlines. We build these reports to show higher fidelity trends over time and wouldn’t want to give the impression that a single month of high or low volume is indicative of what’s coming your way.

3. Organizations of all sizes should be equally wary of application DDoS attacks. Regardless of an organization’s size, both attack frequency and median attack size are similar. However, enterprise organizations should be prepared to mitigate much larger attacks infrequently, on the scale of 1 billion+ requests.

Automatically mitigate disruptive and distributed attacks

As always, we’d be remiss not to remind you that solutions like Fastly DDoS Protection automatically stop the attacks detailed in this report with the insights you need to quickly validate efficacy. Fastly DDoS Protection leverages our network’s massive bandwidth and adaptive techniques to ensure your websites remain fast and available, all without any required configuration. Start leveraging our adaptive technology today and get up to 500,000 requests for free, or contact our team to learn more.

* As of 2025-03-31

** As of 2023-07-31