Botnets and Familiar Foes Drive DDoS Attack Activity
March 2025 DDoS Attack Activity Review

Executive Summary
Attackers didn’t need new exploits to drive more than 27,000 botnet-driven distributed denial-of-service (DDoS) attacks in March 2025. Instead, they weaponized years-old vulnerabilities to launch smarter, longer-lasting campaigns hitting service providers with an average of one attack every two minutes. The tactics we observed reflect the ongoing evolution of botnet-driven threats and the continued pressure on backbone infrastructure.
NETSCOUT observed sustained bot-driven DDoS activity targeting the service provider space throughout March 2025. On average, there were around 880 confirmed DDoS attack events per day, peaking on March 10 with more than 1,600 incidents. These attacks were fueled by large, distributed botnets built by exploiting primarily known vulnerabilities in web servers, routers, and Internet of Things (IoT) devices.
NETSCOUT’s ASERT team tracks tens of thousands of unique bots participating in attacks each month. Although the daily volume dipped slightly from February’s levels, attackers made up for it with more-complex vector combinations, broader port targeting, and longer-lasting attack durations. Botnet-driven DDoS attack events continued to grow in persistence, with average durations increasing compared with previous months.
The hacktivist group NoName057(16) continued to dominate in both claimed operations and actual attack activity, often using multiple methods such as TCP ACK, TCP SYN floods, and even HTTP/2 POSTs against primarily government websites across Spain, Taiwan, and Ukraine. This points to a continuation of persistent, politically motivated campaigns.
Key Findings
- Attack frequency: March averaged 880 DDoS attacks per day, with a sharp spike on March 10 reaching 1,600 attacks.
- Longer attack durations: The average DDoS event lasted about 18 minutes and 24 seconds, slightly longer than in previous months, showing a trend toward more persistent targeting. This is significantly longer than the global average for DDoS attacks, which is somewhere between 5 and 15 minutes.
- Dominant threat actor: NoName057(16) was behind more than 475 claimed attacks in March, 337 percent more than the next most active group. But NoName057(16)’s operational footprint was far more expansive. We observed more than 26,000 attack configurations linked to the group’s infrastructure, representing variations in vector combinations, targets, and timing. In total, more than 500 IP addresses and more than 575 domains were targeted, indicating a substantial volume of unclaimed activity and sustained command-and-control operations throughout the month.
- Port targeting patterns: The most common TCP port combo was 80 and 443, used in more than 850 attacks. For UDP, 443 and 80 were also dominant, reflecting a focus on encrypted and web-facing services.
- Top attack vectors: TCP SYN floods were the most frequently observed vector, appearing in more than 5,500 attacks, about 20 percent of the more than 27,000 confirmed DDoS events in March. Multivector attacks were common, including combinations such as TCP SYN + DNS Flooding and TCP ACK + TCP SYN.
- Frequent source combinations: Single-country bots from Mongolia (~3,000 attacks) dominated, but the most frequent multinational botnet combo was Germany + United States (more than 600 attacks).
Detailed Analysis
Attack Frequency and Trends
Much of March’s botnet-driven DDoS activity targeting the service provider space aligns with previous trends in which backbone infrastructure and transit networks face persistent pressure. These events are captured via provider-side telemetry, which serves as the basis for this analysis.
March’s botnet-driven DDoS activity stayed consistent for most of the month, with daily volumes just below 1,000 attacks. March 10 saw more than 1,600 confirmed attacks, about 70 percent above average but still within the month’s normal range of fluctuation.
This spike in DDoS attack events occurred during the week of March 9–15, which lined up with high-profile attacks on X (formerly Twitter), Wikipedia, and World of Warcraft Classic. The group Dark Storm Team claimed responsibility for the attack on X, citing geopolitical tensions as their motivation. These high-visibility incidents coincided with, and likely contributed to, a rise in total DDoS activity that kept defenders on heightened alert through mid-month.
Threat Actor Activity
NoName057(16) remained the most active and visible threat actor in March. Of the more than 1,000 attacks claimed by all groups, NoName057(16) alone accounted for more than 475. More importantly, there was a strong overlap between that group’s claims and observable attack traffic. Although some groups tend to exaggerate their activity, claiming credit when websites go offline for unrelated reasons, NoName057(16)’s announcements often align with observable attack patterns, such as:
- HTTP/2 POST floods
- TCP ACK and TCP SYN floods
- Sustained multiminute engagements
NoName057(16)’s targets included government websites, transportation and logistics, and financial services.
Although the group’s bot activity is globally distributed, a significant portion of observed attack traffic either originates from or is transmitted through a small number of content delivery networks (CDNs) and cloud hosting providers. These networks are used to host bots directly or serve as relays via proxies and virtual machines. This approach provides attackers with reliable bandwidth and complicates mitigation, because malicious traffic often blends with legitimate flows from trusted infrastructure.
Other groups such as Keymous+, Dark Storm Team, and Red Wolf Cyber were also active, although their operational footprint was far smaller. While these actors occasionally make headlines or claim credit for outages, their observed attack volume and consistency remained limited throughout March.
Port and Protocol Targeting
Botnets in March targeted familiar ground, but often in more strategic combinations. The most common port pairs were:
- TCP: Among all observed botnet-driven DDoS attacks, port 443 was the most frequently targeted individually. The most common port combination was 80 and 443, appearing in more than 800 unique attacks. This continues the trend of sustained pressure on public-facing web infrastructure.
- UDP: 443, 80, and 53 were frequently targeted individually, indicating ongoing abuse of encrypted traffic and DNS services. The most notable port combination was 500 and 4500, ports typically used for VPN services.
VPN infrastructure saw continued probing in March. Although VPN-related ports didn’t top the charts, their appearance in targeted combos shows attackers are still actively interested in disrupting remote-access services.
Single-vector attacks still dominated in raw volume, with TCP SYN floods at the top of the list (~5,500 attacks). But attackers increasingly leaned into multivector combinations, including:
- TCP SYN + DNS Flooding
- TCP ACK + TCP SYN
This suggests more attackers are trying to blend techniques to overwhelm both bandwidth and stateful infrastructure at the same time. These combinations show that DDoS bots aren’t limited to a single vector; they can rapidly switch tactics, which poses a serious challenge for defenders without adaptive mitigation.
Source analysis showed that although many attacks used globally distributed infrastructure, single-country events were also very common. Mongolia led with more than 2,900 attacks, primarily traced to localized IoT and router infections. These source IPs were confirmed to be genuine (not spoofed) based on their consistent activity over multiple days, combined with supporting evidence from passive monitoring tools and honeypots, including observed connection attempts. Taken together, this points to real, reachable devices being used in the attacks, rather than fake or short-lived sources.
The most frequent multicountry combination was Germany and the United States, involved together in more than 600 attacks. This pairing likely reflects attacker interest in leveraging reliable infrastructure—such as cloud-hosted resources or enterprise devices—alongside continued abuse of under-secured networks in other regions.
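The port-pair, vector-combination, source-country and duration statistics above are all aggregates over per-event telemetry. The following is an added example (not NETSCOUT's or ASERT's code) of how a defender can derive the same statistics from their own attack-event records; it assumes a simplified event record with vectors, (protocol, port) pairs, source countries and start/end times, and the sample events are constructed to mirror the patterns the report describes.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AttackEvent:  # one confirmed DDoS attack event from provider-side telemetry (simplified)
    vectors: frozenset        # e.g. {"TCP SYN", "DNS Flooding"}
    dst_ports: frozenset      # (proto, port) tuples, e.g. ("TCP", 443)
    src_countries: frozenset  # ISO country codes of the attacking bots
    start: datetime
    end: datetime

def _port_pairs(e):
    """Yield (proto, 'p1 + p2 ...') for each protocol hit on two or more ports in one event."""
    by_proto = {}
    for proto, port in e.dst_ports:
        by_proto.setdefault(proto, set()).add(port)
    return [(p, " + ".join(str(x) for x in sorted(ps))) for p, ps in by_proto.items() if len(ps) >= 2]

def summarize(events):
    """Top vector combos, top port pairs, single- vs multi-country sources, multivector share, mean duration."""
    n = len(events)
    vectors = Counter(" + ".join(sorted(e.vectors)) for e in events)
    ports = Counter(pair for e in events for pair in _port_pairs(e))
    single = Counter(next(iter(e.src_countries)) for e in events if len(e.src_countries) == 1)
    multi = Counter(" + ".join(sorted(e.src_countries)) for e in events if len(e.src_countries) > 1)
    return {
        "events": n,
        "multivector_share": sum(len(e.vectors) > 1 for e in events) / n if n else 0.0,
        "avg_duration_s": sum((e.end - e.start).total_seconds() for e in events) / n if n else 0.0,
        "top_vectors": vectors.most_common(3),
        "top_port_pairs": ports.most_common(3),
        "top_single_country": single.most_common(1),
        "top_multi_country": multi.most_common(1),
    }

def _ev(vectors, ports, countries, hour, minutes):
    start = datetime(2025, 3, 10, hour)
    return AttackEvent(frozenset(vectors), frozenset(ports), frozenset(countries),
                       start, start + timedelta(minutes=minutes))

# Constructed sample events (not NETSCOUT telemetry) mirroring the patterns the report describes.
SAMPLE_EVENTS = [
    _ev({"TCP SYN"}, {("TCP", 80), ("TCP", 443)}, {"MN"}, 9, 18),
    _ev({"TCP SYN"}, {("TCP", 443)}, {"MN"}, 10, 12),
    _ev({"TCP SYN", "DNS Flooding"}, {("TCP", 80), ("TCP", 443), ("UDP", 53)}, {"DE", "US"}, 11, 25),
    _ev({"TCP ACK", "TCP SYN"}, {("TCP", 80), ("TCP", 443)}, {"DE", "US"}, 12, 20),
    _ev({"UDP Flooding"}, {("UDP", 500), ("UDP", 4500)}, {"MN"}, 13, 15),
]
```

Running `summarize(SAMPLE_EVENTS)` over the constructed events reports TCP 80 + 443 as the top port pair, Mongolia as the top single-country source and Germany + United States as the top multi-country pairing, the same shape of result the report presents for March.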
Vulnerabilities and Bot Infrastructure
DDoS-capable bots aren’t usually built on custom hardware and infrastructure. They’re built by exploiting known weaknesses in infrastructure, especially in routers, web servers, and IoT devices. In March, attackers leaned on a familiar mix of exploits:
- CVE-2017-17215: Tied to Mirai and its variants, still actively used to target Huawei routers.
- CVE-2017-16894, CVE-2019-17050, and CVE-2021-41714: Often seen in bot clusters focused on service-provider infrastructure.
- CVE-2021-27162 and family: These showed up across thousands of events, pointing to broader exploitation campaigns.
These exploits aren’t cutting edge. They’re old, public, and well-documented. That’s part of the problem: Attackers don’t need new tools when so many hosts are still unpatched or poorly secured.
We also saw patterns in bot behavior that matched common scanning and brute-force activity:
- Web and SMB crawlers
- Telnet and SSH login attempts
- TLS/SSL and ping scanners
Attackers actively search, test, and compromise devices at scale. Many of these bots showed up in attacks multiple days in a row, which matches the longer average durations we saw.
Recommendations
Service providers are still squarely in the crosshairs, and March made that even more obvious. To stay ahead of these bot-driven DDoS threats, we recommend the following:
- Real-time visibility into botnet behavior and attack patterns. Tools such as NETSCOUT Arbor Sightline can help surface early signs of trouble.
- Proactive mitigation with automated systems such as Arbor Threat Mitigation System (TMS) or Arbor Edge Defense (AED). These can stop both volumetric floods and more-complex, multivector attacks.
- Intelligence-driven defense. Feeds such as NETSCOUT’s ATLAS Intelligence Feed (AIF) provide context: what’s trending, who’s being targeted, and how actors are evolving.
It’s not just about stopping traffic; it’s about understanding where that traffic is coming from, why it’s happening, and what it could become. March’s activity shows that DDoS attacks are still growing in sophistication and intent.