DDoS in December 2025

Principal Product Manager

Senior Product Marketing Manager, Security

Staff Software Engineer, Edge Protocols

The latest monthly DDoS weather report details the DDoS attack that almost stole Christmas – Fastly’s largest of 2025
Fastly’s instant global network has stopped trillions of attempted DDoS attacks at layers 3 and 4. However, sophisticated new layer 7 attacks are harder to detect and potentially far more dangerous. This significant threat to any internet-facing app or API’s performance and availability puts users and organizations at risk. Fastly uses telemetry from our 497 Terabits per second* global edge network servicing 1.8 trillion requests per day** and Fastly DDoS Protection to inform a unique set of insights into the global application DDoS “weather” – the only monthly report of its kind. Leverage anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.
Key Findings:
2025’s largest volume attack: December 25 was the largest day of attack volume for all of 2025, and volume is primarily attributable to a single attack
Larger attack size than previous months: While the attack count was similar to November, volume was much higher, indicating larger attacks on average
Sophisticated attacks combine multiple DDoS vectors: The massive attack on December 25 leveraged multiple types of DDoS (both network and application level) in a failed attempt to cause performance impacts
December attack trends
In light of four consecutive months of declining DDoS attack volume, we headed into December unsure if the trend would continue - we found quite the opposite. December saw the largest day of attack volume by a wide margin.
Comparing December to all other months of 2025, we see that it not only deviates from the trend but is by far the largest month of attack volume – 37% larger than the next-highest month, June.
While attack volume was significantly higher in December, individual attack count remained relatively flat month over month.
Given that November had one of the lowest attack volumes in 2025 and December had the highest, the similarity in attack counts suggests larger attacks on average. Analysis of the data revealed that the higher average attack size is heavily skewed by a single attack on December 25, the day with the highest attack volume this year. Here’s how that attack manifested.
The Grinch Attack: 2025's largest DDoS attack
Cybersecurity has no days off.
While many enjoyed time with loved ones throughout the holiday season, cybersecurity teams (often operating short-staffed) around the globe remained at the ready to mitigate attacks. And for good reason: on the evening of Christmas Day in the United States, one Enterprise High Technology customer felt the full force of a massive botnet executing the largest DDoS attack Fastly saw in all of 2025.
As many on the West Coast of the United States sat to eat their Christmas dinner, a botnet of massive scale began a sophisticated DDoS attack, combining network and application floods from all over the world in an attempt to overwhelm a customer at a time when attackers assumed their target might be unprepared.
At Fastly, we’ll be calling this attempt to ‘steal Christmas’ from the target’s cybersecurity team the “Grinch Attack.”

As we dive into the attack details to offer insight into the power and capability these botnets have at their disposal, it’s important to level-set on the different types of DDoS attacks they can launch. Most attacks come in one of three forms:
Packets per second attacks (PPS) – these are often designed to overwhelm CPU and state tables, putting pressure on packet-processing capacity, often occurring at Layers 3/4
Terabits per second attacks (TBPS) – these focus on bandwidth exhaustion at Layers 3/4, saturating pipes irrespective of packet count
Requests per second attacks (RPS) – these apply application-level (Layer 7) pressure by flooding applications and APIs with fully formed requests
Often, we’ll find that an attack focuses on a single one of these three methods, but as the attack's sophistication grows, attackers combine multiple methods to overwhelm both hardware resources and human personnel combating the attack. In the case of the Grinch attack, bad actors simultaneously combined a high-level RPS attack with a low-level PPS attack to cause more damage.
The Grinch’s Application DDoS attack phase
On Christmas evening, attackers targeted multiple applications and APIs of a major High Technology Enterprise at an unprecedented scale. Within one minute, the Grinch scaled to over 10 million requests per second, then hit a sustained max RPS of over 100 million for three minutes shortly after. For context, in previous months' reports, we’ve detailed massive 1 million and 15 million RPS attacks that broke records, but this attack not only reached a scale 7 to 8 times larger, it also continued for ~48 more hours.
The chart below uses a logarithmic scale; equal vertical steps represent traffic changing by orders of magnitude, not fixed request counts. This format allows us to see both normal traffic and extreme spikes represented in the same graph. The chart shows not only the massive scale the attack reached early on, but the sustained attack that continued for multiple days thereafter.
All in all, this phase of the Grinch consisted of over 220 billion requests, many times larger than any other attack this month.
Diving a level deeper, we explored the types of rules that Fastly DDoS Protection automatically generated to mitigate the attack. Mitigating attacks of this sophistication without impacting legitimate traffic is complex, but the solution’s Adaptive Threat Engine crafted over one thousand rules to separate attacks from legitimate traffic. Examining them holistically, a few patterns emerge.
75% of the rules were able to isolate the attack to a single country. The Grinch’s attack traffic primarily came from the United States (25%), Brazil (22%), and Mexico (21%).
Anecdotally, many of the primary countries leveraged in the attack are those referenced in XLab’s analysis of the Kimwolf botnet that has recently come into the spotlight. This leads our team to believe that, given the massive scale and geographic similarities, this botnet may be the one that launched the Grinch. If you haven’t heard of this botnet before, check out Brian Krebs’ recent write-up here.
While the country code helped isolate portions of the attack, this rule attribute is always used in combination with others to safely separate attacks from legitimate traffic. In the case of the Grinch, it took over 4 attributes on average in each rule to isolate attack traffic from everything else. Combinations of attributes like specific IPs (28% of rules), ASNs (57% of rules), and general browser/header fingerprints (99% of rules) allowed Fastly DDoS Protection to safely isolate the Grinch’s attack traffic automatically for the duration of the ~48+ hours it occurred.
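The following added example (not Fastly's code and not the Adaptive Threat Engine's logic) shows on constructed data why a country match alone is unsafe and how combining attributes isolates a flood. The field names, the baseline-versus-spike comparison, and the `min_share` threshold are assumptions made for illustration.

```python
from collections import Counter
from itertools import combinations

FIELDS = ("country", "asn", "ip", "fingerprint")

def req(country, asn, ip, fingerprint):
    return dict(zip(FIELDS, (country, asn, ip, fingerprint)))

# Constructed data: private-use ASNs, documentation IP ranges, made-up fingerprints.
BASELINE = (  # window before the spike, treated as legitimate traffic
    [req("US", 64512, "192.0.2.10", "fp-browser-a")] * 40
    + [req("BR", 64513, "198.51.100.7", "fp-browser-a")] * 30
    + [req("BR", 64514, "198.51.100.9", "fp-browser-b")] * 20
    + [req("MX", 64515, "203.0.113.5", "fp-browser-b")] * 10
)
# Spike window: the same legitimate users plus a flood from 100 addresses
# that share one ASN and copy a common browser fingerprint.
FLOOD = [req("BR", 64514, f"198.51.100.{i}", "fp-browser-a") for i in range(100, 200)] * 5
SPIKE = BASELINE + FLOOD

def matches(rule, request):
    return all(request[k] == v for k, v in rule.items())

def evaluate(rule, baseline, spike):
    """Return (spike requests matched, baseline requests matched)."""
    return (sum(matches(rule, r) for r in spike),
            sum(matches(rule, r) for r in baseline))

def narrowest_safe_rule(baseline, spike, min_share=0.9):
    """Fewest attributes that cover min_share of the excess traffic while
    matching nothing seen in the baseline. Assumes equal-length windows."""
    excess = len(spike) - len(baseline)
    for size in range(1, len(FIELDS) + 1):
        best = None
        for fields in combinations(FIELDS, size):
            seen = Counter(tuple(r[f] for f in fields) for r in spike)
            known = {tuple(r[f] for f in fields) for r in baseline}
            for values, hits in seen.items():
                if values in known or hits < min_share * excess:
                    continue
                if best is None or hits > best[1]:
                    best = (dict(zip(fields, values)), hits)
        if best:
            return best
    return None

if __name__ == "__main__":
    print("country only:", evaluate({"country": "BR"}, BASELINE, SPIKE))
    print("narrowest safe rule:", narrowest_safe_rule(BASELINE, SPIKE))
```

In this sample no single attribute is safe: the country, the ASN, and the fingerprint each also match legitimate baseline traffic, and per-IP rules each cover only a sliver of the flood.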
The Grinch’s Network DDoS attack phase
As the Grinch’s application DDoS attack began to stabilize (still at an incredibly high ~1 million RPS) and show slow decline a few hours into the attack (likely as attackers saw limited success), they quickly added a new variable to the mix: a network DDoS attack. This phase, primarily attributable to attacks sourced from South America, lasted for nearly half an hour and attempted to flood services with nearly 70 million PPS. Interestingly, looking at the L7 attack with this insight, we see that just after the network DDoS attack kicked off, the L7 attack began to slow and soon after significantly dropped in RPS.
While we can’t say for certain what caused it, this may indicate the attackers hitting capacity and resource constraints, as there’s only so much power available to the botnet at any given time if infected devices aren’t available for use. This isn’t by any means a definitive finding, as there are dozens of explanations – the attack hit its resource ceiling, attackers hit other organizations that aren’t Fastly customers, and endless other answers – but viewing the two phases of the attack together offers thought-provoking takeaways, to say the least.
Actionable guidance
So, what should you take away from all of this information? How can you Grinch-proof your organization?
Attackers are savvy and aim to disrupt operations when perceived defenses are low. Targeting a US-focused organization on Christmas was intentional and reinforces the need for automated solutions or a Managed Security provider that can mitigate attacks despite likely lower headcount over the holidays.
The Grinch happening after multiple consecutive months of low attack volume exemplifies why organizations need a solution that operates always-on or on-demand to mitigate attacks when they inevitably occur. This provides budget flexibility without sacrificing security.
The size, scale, and complexity of massive attacks necessitate an automatic solution that can safely separate attack traffic from normal. Fastly DDoS Protection created over a thousand rules over the course of the Grinch attack, and that’s not something humans can replicate at the same scale, speed, and efficacy.
Automatically mitigate disruptive and distributed attacks
While massive attacks make headlines, we’ve seen a sustained volume of DDoS attacks targeting organizations in all industries. The unpredictable nature of these attacks highlights why organizations should seek a solution that automatically mitigates the distributed, multi-vector attacks detailed in this report. Let our adaptive technology absorb the next spike so you don't have to. Contact our team or start your free trial today.
* As of 2025-03-31
** As of 2023-07-31