DDoS in May

Fastly’s exclusive monthly DDoS weather report for May 2025 finds nearly two new attacks launched every minute of May

Fastly’s instant global network has stopped trillions of attempted DDoS attacks at layers 3 and 4. However, sophisticated new layer 7 attacks are harder to detect and potentially far more dangerous. This significant threat to any internet-facing app or API’s performance and availability puts users and organizations at risk. Fastly uses telemetry from our 427 Terabits per second* global edge network servicing 1.8 trillion requests per day** and Fastly DDoS Protection to inform a unique set of insights into the global application DDoS “weather”— the only monthly report of its kind. Leverage anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.

The influence of product enhancements in reports

Fastly has been combating massive DDoS attacks for over a decade, utilizing our platform and other solutions to mitigate these threats. However, we launched Fastly DDoS Protection in October 2024 to provide adaptive and automatic mitigation to our customers. Since then, we’ve continued working hard to make it the best solution for application DDoS on the market. While we’ve discussed at length the power of the solution’s adaptive Attribute Unmasking engine in combating attacks, we’ve been working diligently to enhance its foundation and continue to make strides in improving detection.

Our enhancements further reduced detection time while broadening the solution's visibility into DDoS attacks (particularly briefer, smaller attacks). We continue to improve core detection and mitigation capabilities, and they likely play a role in why we saw such a consistent uptick in the volume of attacks in April and May. We expect to see the influence of enhancements like these in our reports as we continuously refine the product to make it even better for customers like you. With that disclaimer out of the way, let’s jump into the results!

Key Findings

1. Fastly DDoS Protection observed nearly two attacks every minute in May on average

2. The highest percentage of May attacks were launched on Thursdays and Fridays between 14:00 and 20:00 UTC 

3. When a country is used as part of an automatically generated rule, the United States is the most common (41%)

DDoS Traffic Trends

Application DDoS attacks in May were generally distributed throughout the month, with only one major peak on May 6^th, 2025, where the day’s cumulative attacks were 1.8x larger than the month’s average. While the attacks on May 6th centered around Media & Entertainment organizations, representing 93% of the day’s overall volume, the attacks don’t appear to be part of a coordinated campaign, as the companies attacked aren’t in similar lines of business within the industry.

The volume of DDoS attacks has increased each month of 2025 up until May, where the month-over-month volume of attacks was less than 1% smaller than that of April. We’ll continue to monitor this trend in the coming months. More to come here!

The largest attack Fastly DDoS Protection detected in May lasted over an hour, with more than 1 million requests per second (RPS). While not as large as the 250 million RPS attack we outlined in a previous blog, it provides a glimpse into the sustained attack capabilities that attackers possess.

Attack Trends

Events came as part of our latest update to Fastly DDoS Protection. With it comes two key features: events and event details. Imagine that each event is an individual attack, and the event details allow customers to dive deeper into how it was mitigated. In May, Fastly DDoS Protection observed 77,459 cumulative DDoS attacks, which we categorize as events. If we were to evenly distribute them, we’d have seen almost two events every minute of May!

In previous editions of the report, we created a heat map illustrating the distribution of attack volume by the hour and day of the week. This month, we opted to recreate that heat map but instead look at it through the lens of events by the hour and day of the week.

When observing attacks through the lens of events, we find that while attacks occur at all hours of the day throughout the week, the highest count of attacks occurs on Thursday and Friday between 14:00 and 20:00 UTC. This is particularly interesting given that this time period is during business hours for most of the Western world. Pairing this with the insight that the majority of attacks we were able to automatically create rules for targeted the United States, we arrive at an interesting conclusion. While typically we’ve observed that attacks come during off hours for the Western world, or the weekend, May’s attacks hit those organizations while they likely had SOC members with eyes-on-glass in the region. Without additional information from each customer, it's hard to know exactly why May departed from the established trend, but some possible explanations could be:

1. Ransom attempts: While every attack observed in this report could be mitigated with Fastly DDoS Protection in blocking mode, not every customer has made the switch, and overt attacks like these may have been made to gain the attention of SOC analysts in an attempt to assert dominance.

2. Response to geopolitical change: between political decisions made in the United States, Europe, and parts of APAC, attackers may have launched attacks at Fastly Media & Entertainment customers in response to posts and news they found triggering.

We’ve always considered attack volume versus attack count in these reports, but will now use Events to represent attack count as an even more accurate measure of the number of attacks Fastly customers are observing. Fortunately for previous readers, the data is very similar to what we’ve observed in previous months across both industry and company sizes. 

When observing attacks by the industries they target, Media & Entertainment continues to be the primary target of attackers. Similar to our hypothesis for why May’s attacks largely occurred during business hours in the Western World, there may have been an increase in motivation for hacktivists and motivated attackers alike to launch attacks against organizations that displayed content contrary to their views. While we typically see Media & Entertainment has a lower share of attack counts, its share of over half of all Events implies that attacks on this industry were comparatively smaller than those in April, for example, but more frequent.

Looking at attacks by company size reveals that the vast majority (66%) of May’s attack volume targets organizations of Enterprise size. For those new to these reports, here’s how we break down company size:

• Enterprise: Greater than $1 billion

• Commercial: Between $100 million and $1 billion

• Small and Medium Businesses (SMB): Less than $100 million

In contrast, the number of events is largely tied to SMB organizations. While the distribution of Enterprise attack volume rose significantly compared to previous months, this trend aligns with the observation that Enterprise organizations receive more volume, but SMB organizations receive more individual attacks. 

Mitigation Trends

As part of the event details, Fastly DDoS Protection displays every rule associated with an event. From these rules, we can observe trends in the attributes of an attack, helping teams inform their security policies.

It took 3.2 rules on average to mitigate an event in May. As we alluded to earlier, 67% of rules included the attacker’s country as part of the automatically-generated rule. The top 5 countries included in the rule were:

1. United States (41%)

2. Germany (9%)

3. Netherlands (5%)

4. Indonesia (5%)

5. Singapore (5%)

In April’s report, we noted that while it’s likely a portion of attacks are launched from American cyberattackers, spinning up serverless instances is incredibly accessible and straightforward. With little effort, attackers can leverage their autonomous system (AS) of choice and make their attacks originate from almost anywhere in the world, regardless of their actual location. This is one explanation for why the United States is frequently featured in rules. That or… the United States is just full of attackers – time will tell. 

Another attribute used as part of Fastly DDoS Protection rules is IP address. In some instances, an attack can be narrowed to a single IP, and this occurred 35% of the time in May.

Compare this to what we found in April (31%), and we see only a slight uptick in the distribution. From this insight, we can infer that the application DDoS landscape is shifting relatively slowly in terms of its attack methods. Stopping attacks at an individual organization’s level is complex and likely requires some form of automated intervention. However, from Fastly’s vantage point, we can see that there are common recurring themes in the majority of attacks each month. While the volume has increased throughout the year, the attacks themselves have largely remained the same from a macro perspective. This may be because attackers find success with the current approach. 

Although customers with access to tooling like Fastly DDoS Protection need not worry about attacks like these, the slow rate of change may imply that a high percentage of organizations around the globe either don’t have access to this level of protection or what they have is insufficient, otherwise what would be the point of launching the attacks at all.

Actionable Guidance

So, what should you take away from all of this information?

It’s essential to note that this report represents only one month of data and should be used in conjunction with first-party insights from your observability tools and longer-term research to create a comprehensive view. However, from this data alone, there are a few key learnings you can integrate into your existing security efforts:

1. Attack volume was slightly smaller in May than in April, but was still vastly higher than any other month in Q1. Although caching content can alleviate some of the load on origin servers, organizations should consider implementing dedicated DDoS solutions that can adapt to the varying patterns of legitimate and attack traffic.

2. Security practitioners and organizational leaders should understand the threat landscape, assess the specific risks relevant to their industry, and implement defensive strategies accordingly. For example, a company focused on facilitating pet adoption is likely a less attractive target compared to a media organization, which may face threats ranging from hacktivists to nation-state actors.

3. Attack volume was relatively steady throughout the week, but it peaked on Thursday and Friday between 14:00 and 20:00 (UTC), highlighting the importance of a 24/7/365 Security Operations Center (SOC) for organizations operating in EMEA or APAC.

Automatically mitigate disruptive and distributed attacks

As always, we’d be remiss not to remind you that solutions like Fastly DDoS Protection automatically stop the attacks detailed in this report with the insights you need to quickly validate efficacy. Fastly DDoS Protection is rated 4.7/5 stars by your peers on Gartner Peer Insights and leverages our network’s massive bandwidth and adaptive techniques to ensure your websites remain fast and available, all without any required configuration. Start leveraging our adaptive technology today and get up to 500,000 requests for free, or contact our team to learn more.

* As of 2025-03-31

** As of 2023-07-31