Cloudflare’s 2025 Internet Review: Attacks, Outages & Traffic Trends

The internet in 2025 remained a dynamic and often precarious environment, characterized by relentless growth, escalating threats, and critical dependencies. Cloudflare’s annual Radar Year in Review provides a comprehensive analysis of global traffic patterns, the evolving nature of cyberattacks, and the fragility of the systems we rely on daily. Drawing on data from its vast network, the report identifies key trends that defined the year, offering crucial context for understanding the forces reshaping our digital world.

Traffic volumes continued their upward trajectory, but this growth was far from uniform. Significant spikes coincided with major news cycles, major software updates, and the unexpected outages of popular online platforms. A clear shift toward mobile connectivity persisted, with mobile devices accounting for over half of global web traffic for substantial portions of the year, especially during holidays and major live-streamed events. The dominance of encryption was another unmistakable trend, with HTTPS securing more than 95% of all observed requests by year’s end, rendering unencrypted HTTP traffic increasingly rare.

The scale and sophistication of cyber threats reached unprecedented levels. DDoS attacks shattered previous records in 2025, with several incidents measured in terabits per second. Attackers not only increased the sheer power of their assaults but also altered their tactics. Short, sub-minute bursts became more frequent, likely aimed at probing defenses or evading automated mitigation systems. While network-layer attacks were most common, application-layer assaults also grew, often targeting APIs and login pages with simple yet massively scaled techniques rather than complex new methods.

Automated traffic, both helpful and harmful, shaped a significant portion of internet activity. Cloudflare classified a large share of requests as bot-driven. This included legitimate bots like search engine crawlers, but also a rising tide of malicious automation dedicated to scraping content, stuffing credentials, and hoarding inventory. Distinguishing between good and bad bots grew more difficult as operators employed residential IP addresses and sophisticated browser signatures, with their tactics and infrastructure rotating more rapidly than ever before.

Widespread outages repeatedly exposed the internet’s concentrated points of failure. Incidents stemming from BGP route leaks and DNS failures caused cascading disruptions, proving that a single misconfiguration could ripple globally within minutes. Similarly, outages at major Software-as-a-Service (SaaS) platforms led to immediate, measurable drops in traffic, followed by sharp recoveries once service resumed, illustrating how user behavior shifts instantly during downtime.

Government-directed internet disruptions remained a persistent reality. Cloudflare observed dramatic traffic declines, sometimes exceeding 50%, linked to events like elections, protests, and national exams. These were not always complete blackouts; more often, they involved throttling or selective blocking. The impact of these shutdowns frequently extended beyond national borders, especially when affected countries hosted key services or transit infrastructure, causing immediate traffic shifts in neighboring regions.

The data underscores how quickly the digital landscape now reacts to security events. Spikes in malicious traffic were detected within minutes of public vulnerability disclosures, indicating that attackers monitor the same sources as defenders. This real-time threat environment demands equally rapid responses. The report also highlighted the effectiveness of modern defenses; even during the largest recorded attacks, traffic typically stabilized within seconds, demonstrating how automated protection has become essential at the network edge.

(Source: HelpNet Security)