DDoS in June

Fastly’s exclusive monthly DDoS weather report for June 2025 finds 250 billion request attack targeting a major High Technology provider

Fastly’s instant global network has stopped trillions of attempted DDoS attacks at layers 3 and 4. However, sophisticated new layer 7 attacks are harder to detect and potentially far more dangerous. This significant threat to any internet-facing app or API’s performance and availability puts users and organizations at risk. Fastly uses telemetry from our 427 Terabits per second* global edge network servicing 1.8 trillion requests per day** and Fastly DDoS Protection to inform a unique set of insights into the global application DDoS “weather”— the only monthly report of its kind. Leverage anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.

Key Findings

1. A 250+ billion request attack was the largest application DDoS attack we’ve observed so far this year.

2. Fastly DDoS Protection detected nearly two attacks every minute in June on average.

3. A single JA4 signature was detected in 17% of associated rules

Traffic Trends

Every day in June, Fastly DDoS Protection observed billions of DDoS attacks on customer services. June’s cumulative application DDoS attacks were dominated by two days at the beginning of the month. On June 6^th and 7^th, the attack volume was so large that it drastically skews how the rest of the month’s volume appears in the chart. In fact, the traffic spike’s peak on June 6th is 20 times larger than any other day outside the 2-day spike.

The spike is so large that it moved the month’s average volume above the majority of the month’s daily cumulative volume! Comparing daily attack volume against all of 2025 and we see just how big these attacks really were. No other day in 2025 comes close. The difference in scale is so vast that whole days in January don’t even appear on the graph!

Given the massive difference in volume on June 6^th and 7^th, we set out to understand just what happened – was it a coordinated attack on multiple customers, a particular industry, or something in between? As we came to find out, the truth was far more concerning.

The BIG spike

Fastly DDoS Protection has observed some massive attacks this year, most recently in our May report, an attack that lasted over an hour, with more than 1 million requests per second (RPS). However, on June 6^th and 7^th, the majority of the days’ attack volume was attributed to two coordinated attacks on a single large (enterprise) customer operating in the High Technology space. Over the course of just two days, bad actors launched two separate attacks reaching a cumulative 250+ billion requests. Below, we’ll outline the attack details and defining features, giving you a glimpse into the power and sustained scale bad actors have at their disposal.

At 10 pm local time (based on the customer’s HQ location), a major High Technology provider observed the beginnings of an over 4-hour barrage against one of their highest visibility services. The first of two prolonged attacks was launched from a variety of countries, including Germany, China, the United States, India, and predominantly the Netherlands. Peaking at 1.6 million RPS, the attack was detected within seconds by Fastly DDoS Protection, which leveraged multiple attributes, including the hostname and TLS details, to separate the distributed attack from the legitimate traffic it aimed to blend with. At 2:15 am local time, the first attack finally came to a close. Unfortunately, the story doesn’t end here.

Half an hour later, the attack resumed for an astounding 19 more hours. Likely perpetrated by the same bad actor, given the near identical attack fingerprints and source countries, this attack peaked at 1.7 million RPS.

Bringing data from both attacks together reveals that while the majority of the traffic came from the Netherlands, the United States, Germany, and Indonesia, each of the rules automatically created to mitigate the attack featured one additional country (France, China, or the United Kingdom). This appears to be a concerted effort by the attacker to hide their tracks.

Unfortunately for them, it didn’t work. The customer experienced no downtime or latency impacts and our proprietary Attribute Unmasking technology still honed in on their attack characteristics – sorry, not sorry.

In total, these attacks lasted for a total of almost 24 hours. The scale and duration are a reminder to all companies of the importance of an automated DDoS mitigation solution. While we’ve observed that nearly half of all attacks last under a minute, examples like this reinforce why it isn’t practical to have teams manually drafting static rules to fight an attack. Even though the attack pivoted over its duration, Fastly DDoS Protection was able to adjust in tandem to follow the attack without impacting legitimate traffic.

Attack Trends

Events were included as part of a recent update to Fastly DDoS Protection, and with it came two key features: events and event details. Imagine that each event is an individual attack, and the event details allow customers to dive deeper into how it was mitigated. Essentially, Events provide a more accurate way for us to measure an individual attack. In June, Fastly DDoS Protection observed 77,451 cumulative DDoS attacks, which we categorize as events. Surprisingly, this is only eight fewer attacks than what we saw in May’s report. While this could just be coincidental, it could also be reflective of the number of attackers in the world. Perhaps each month, they launch a similar number of cumulative attacks, just on different organizations. We’ll continue to monitor this trend in future editions. It’s worth noting that if we were to evenly distribute events in June, we’d have seen almost two attacks every minute!

Each month, we investigate DDoS attacks through the lens of who was attacked. Given the volume of the June 6 and 7 attacks, you’ll see their influence on each of the volume charts below.

Attack volume by industry is clearly skewed by the High Technology company outlined in the previous section, but pairing this with the Event count by industry, we see that Media & Entertainment was the primary target for the most attacks. This is consistent with what we’ve seen in previous reports, possibly because this industry is the most likely to gain the unwanted attention of attackers who disagree with content published on their sites.

Companies come in all sizes and provide another lens for us to observe attacks through. For those new to these reports, we break down company size by annual revenue:

• Enterprise: Greater than $1 billion

• Commercial: Between $100 million and $1 billion

• Small and Medium Businesses (SMB): Less than $100 million

While the Enterprise company targeted in June’s BIG attack skews the volume chart, Small and Medium businesses hold the majority of the Event count. Given the industry by Event distribution, it’s likely these are also SMBs within the Media & Entertainment, High Technology, and Commerce space. Their prevalence is both a reflection of Fastly’s customer base and the fact that there are way more SMBs doing less than $100 million per year than larger businesses bringing in more revenue. Only so many dollars (and other currencies, of course) to go around on this Earth.

Mitigation Trends

In the last two reports, we examined what percentage of rules include country and/or IP and found that the results were incredibly similar.

1. IP address was included in 31% and 35% of rules in April and May, respectively.

2. Geolocation was included in 66% and 67% of rules in April and May, respectively.

Given how consistent these percentages appear to be month over month, we’ll opt to speak to them with less frequency in future editions. With that in mind, this month we examined how signatures like JA4s are used as part of a rule to help identify an attacker when combined with other parameters like geolocation, IP, customer under attack, and more. For those unfamiliar, a JA4 is a TLS Client Fingerprint that comprises information like the protocol, TLS version, SNI, number of Cipher Suites, and more, seen in a TLS Client Hello packet. While it isn’t uncommon for JA4s to be shared amongst completely legitimate requests, when combined with other parameters, they create an effective lens through which we can identify an attacker. This is partially because signatures like JA4 are significantly harder to spoof than attributes like IP address or User Agent.

In June, signatures like JA4 were used to help identify a significant portion of attacks. While the vast majority of the JA4s were only used as part of a single rule, we identified one that was involved in 17% of all rules.

Examining it further, we find that when this signature is leveraged as part of a rule that includes geolocation, it is typically associated with traffic from Europe (39%) or the United States (13%). This signature also appears to leverage a botnet with a high variety of IPs at their disposal, as the vast majority of the rules tied to it aren’t able to pinpoint the attack to a single IP. This is indicative of a highly distributed attack, and likely someone/a group who has strong expertise in the world of DDoS attacks.

The customers this signature targets are also very telling. 53 unique customers are associated with attacks from this signature, and a significant portion of them operate in news agencies and platforms that support them. Additionally, some of the customers attacked are focused on hyper-regional news within Europe. Given that they don’t see widespread global traffic due to their local focus, this may imply that this bad actor is located somewhere within the European Union.

Given this bad actor’s prevalence in Europe, with a particular focus on news agencies and SaaS platforms that are akin, we’re opting to call them the Byline Banshee. A nod to Irish folklore (a country that we saw a portion of geolocated traffic from this attacker originating), their attacks have been quite noisy, just as the wailing spirit the name comes from. We’ll keep an eye on whether the Byline Banshee makes a resurgence in future months!

Actionable Guidance

So, what should you take away from all of this information?

It’s important to note that this report only represents one month of data and should be used with first-party insights from your observability tools and longer-term research to create a comprehensive view. However, from this data alone, there are a few key learnings you can integrate into your existing security efforts:

1. Ensure your defense is robust enough to handle application DDoS attacks at the scale of 1 billion+ RPS. While in the past we’ve seen attacks of this size target the largest Enterprise customers on our platform, June’s attack on an organization of Commercial size makes it clear that just because those organizations make less revenue, they’re no less likely to receive the unwanted attention of attackers.

2. Consider leveraging signatures like JA4 to identify attackers (or leveraging products like Fastly DDoS Protection that automatically incorporate them in rules). While not a novel concept, this provides yet another lens to look at attacks through and accurately separate the traffic without impacting legitimate users.

3. Be mindful of how you’re leveraging geo-based decisioning if you’re still manually creating rules or rate limits (or shift to automatic rule creation). As seen in the Byline Banshee’s attacks this month, the vast majority of traffic came from countries that don’t fit the nation-state definition.

Automatically mitigate disruptive and distributed attacks

As always, we’d be remiss not to remind you that solutions like Fastly DDoS Protection automatically stop the attacks detailed in this report with the insights you need to quickly validate efficacy. Fastly DDoS Protection leverages our network’s massive bandwidth and adaptive techniques to ensure your websites remain fast and available, all without any required configuration. Start leveraging our adaptive technology today and get up to 500,000 requests for free, or contact our team to learn more.