Cyber attackers closed out 2025 by pushing internet infrastructure to new limits, according to DigiCert’s newly released Q4 2025 RADAR report, which analyzes trillions of network events across DNS, DDoS, and web application traffic.
The quarterly findings point to a clear shift in attacker behavior: larger attacks, longer durations, and sustained pressure campaigns aimed at foundational services during peak year-end demand.
DigiCert is the world’s leading provider of digital trust, enabling individuals and businesses to engage online with the confidence that their footprint in the digital world is secure. DigiCert® ONE, the platform for digital trust, provides organizations with centralized visibility and control over a broad range of public and private trust needs, securing websites, enterprise access and communication, software, identity, content, and devices. DigiCert pairs its award-winning software with its industry-leading standards, support, and operations, and is the digital trust provider of choice for leading companies around the world.
DNS demand spikes and so do attacks
Global DNS traffic reached record levels in December as online activity surged across finance, travel, e-commerce, and consumer devices. DigiCert reports that authoritative DNS query volume climbed to 4.75 trillion queries in December, up from 4.3 trillion in October, reflecting roughly 10% growth over the quarter.
At the same time, DNS became a more active attack surface.
DDoS attacks targeting DigiCert’s UltraDNS platform jumped sharply to 176 events in December, up from just 14 attacks in October and 18 in November. The report notes elevated NXDOMAIN rates, which can signal automated scanning, enumeration, or DNS-focused attack activity.
The combination of rising legitimate demand and background abuse amplified pressure on DNS infrastructure, underscoring its dual role as both a core service and an attractive attack vector.
Mega DDoS attacks grow larger and last longer
DDoS activity escalated dramatically by year-end. December alone saw 2,200 DDoS attacks, a 106% increase over November.
The scale of attacks also expanded:
- Mega DDoS attacks (100+ Gbps) climbed to 23 events, up more than 150% from November
- The largest observed attack peaked at 2.02 Tbps, entering true terabit territory
- Attack persistence increased, with the longest DDoS campaign lasting 8.1 days
Rather than short bursts of disruption, DigiCert says attackers increasingly favored sustained pressure campaigns, designed to exhaust mitigation capacity and operational teams over multiple days.
Industry targeting remained consistent, with IT and technical services, communications service providers, and financial services among the most impacted sectors—areas where outages can create cascading downstream effects.
Application attacks persist beneath the surface
At the application layer, DigiCert’s UltraWAF telemetry showed a more nuanced picture. While overall malicious web traffic declined compared with earlier Q4 peaks, automation-driven attacks remained persistent.
In December, UltraWAF processed 1.88 billion web requests, up 3.13% from November. Cookie-based manipulation emerged as the dominant attack technique, alongside sustained bot activity probing protected applications.
According to DigiCert, this reflects a shift away from broad, noisy attacks toward more concentrated, technique-driven exploitation, particularly in transaction-heavy industries such as travel, hospitality, and financial services.
“Attackers are pushing limits”
DigiCert summarizes the quarter as a turning point rather than an anomaly.
“Q4 closed with attackers pushing limits: scaling attacks higher, running them longer, and maintaining persistent reconnaissance across applications and infrastructure,” the report notes, describing a move from episodic disruption to coordinated, multi-layer pressure campaigns.
The emergence of mega botnets such as Aisuru and Kimwolf, each reportedly comprising millions of devices, has enabled attackers to generate terabit-scale traffic and sustain attacks over extended periods.
Why it matters
The Q4 2025 RADAR report reinforces a growing reality for security and infrastructure leaders: resilience is no longer about surviving peak traffic alone, but about maintaining operations under prolonged, adaptive attack conditions.
As attackers coordinate across DNS, network, and application layers, DigiCert warns that siloed defenses leave organizations exposed. The report urges enterprises and service providers to treat multi-day, terabit-scale attacks as a baseline threat model, not a worst-case scenario.