SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers

DDoS attacks hit new peak with over 250 billion requests in major June surge

Thu, 24th Jul 2025

Fastly's latest DDoS Weather Report for June 2025 has detailed a surge in sophisticated attacks, including a coordinated event targeting a major high technology provider with over 250 billion malicious requests.

The company's findings are based on telemetry from its global edge network, which handles up to 427 Terabits per second of traffic and 1.8 trillion requests each day. Fastly's systems detected trillions of attempted distributed denial-of-service (DDoS) attacks at network layers 3 and 4, but new trends point to more elusive and dangerous application-layer (layer 7) attacks.

According to the June report, the scale and duration of attacks hit new highs, with Fastly observing nearly two attacks per minute on average throughout the month. The month's figures were heavily skewed by two days of unprecedented activity on 6 and 7 June, which saw attack volumes twenty times greater than any other day in 2025.

Major incident details

On these two days, attackers focused their efforts on a single large enterprise customer in the high technology sector. Fastly reports that "over the course of just two days, bad actors launched two separate attacks reaching a cumulative 250+ billion requests." The initial attack started at 10 pm local time and lasted for over four hours, peaking at 1.6 million requests per second. The attack originated from numerous countries, including Germany, China, the United States, India, and especially the Netherlands.

Fastly's systems identified and contained the attack within seconds, using identifiers such as hostname and TLS details to differentiate malicious from legitimate traffic. The first wave concluded at around 2:15 am, but less than thirty minutes later, a second barrage began and persisted for 19 more hours, peaking even higher at 1.7 million requests per second.

Describing the attack pattern, the report states, "Bringing data from both attacks together reveals that while the majority of the traffic came from the Netherlands, the United States, Germany, and Indonesia, each of the rules automatically created to mitigate the attack featured one additional country (France, China, or the United Kingdom). This appears to be a concerted effort by the attacker to hide their tracks."

Despite the massive scale, Fastly confirmed that "the customer experienced no downtime or latency impacts and our proprietary Attribute Unmasking technology still honed in on their attack characteristics."

Broader trends

Overall, Fastly counted 77,451 individual DDoS "events" in June, which is just eight fewer than the previous month. The company notes that "if we were to evenly distribute events in June, we'd have seen almost two attacks every minute."

The report also highlights that while enterprises accounted for the largest volume of attack traffic due to the major incident, the majority of attack "events" targeted small and medium businesses, particularly those in the media and entertainment sector. Fastly's analysis suggests this industry remains a frequent target, "possibly because this industry is the most likely to gain the unwanted attention of attackers who disagree with content published on their sites."

Mitigation strategies

Fastly reviewed how its DDoS Protection rules were triggered, noting consistent patterns in the use of IP address and geolocation across recent months – with geolocation included in 67% of rules in May. The June report shifted focus to the use of JA4 signatures, a type of TLS client fingerprint. "While it isn't uncommon for JA4s to be shared amongst completely legitimate requests, when combined with other parameters, they create an effective lens through which we can identify an attacker," the report explained.

Notably, one JA4 signature featured in 17% of all rules for June. Analysis found this was linked to a botnet with significant distribution and a focus on customers in European news agencies and hyper-regional platforms. Based on its activity, Fastly referred to the likely perpetrator as the "Byline Banshee," explaining that "their attacks have been quite noisy, just as the wailing spirit the name comes from. We'll keep an eye on whether the Byline Banshee makes a resurgence in future months!"
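The point about combining JA4 with other parameters can be shown with a small comparison, added here as an illustration and not taken from Fastly's report or product. It assumes a constructed log, placeholder JA4 strings, made-up hostnames and a simple count threshold in place of a real rate window, and measures how many legitimate requests each kind of rule would block.

```python
from collections import Counter

# Constructed JA4 values in the a_b_c layout; placeholders, not real fingerprints.
SHARED_JA4 = "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"  # attack tool AND ordinary clients
OTHER_JA4 = "t13d1715h2_cccccccccccc_dddddddddddd"

def build_sample_log():
    """Constructed edge log: a flood on one host plus two groups of real users."""
    log = []
    for i in range(400):  # flood spread evenly over four countries
        log.append({"ja4": SHARED_JA4, "host": "news.example",
                    "country": ["NL", "US", "DE", "ID"][i % 4], "attack": True})
    for _ in range(30):   # legitimate clients with the same JA4, different host
        log.append({"ja4": SHARED_JA4, "host": "shop.example",
                    "country": "NL", "attack": False})
    for _ in range(20):   # legitimate readers of the attacked host, other JA4
        log.append({"ja4": OTHER_JA4, "host": "news.example",
                    "country": "US", "attack": False})
    return log

def evaluate(log, keys, threshold):
    """Block every value combination of `keys` seen more than `threshold` times.

    Returns (attack requests blocked, legitimate requests blocked)."""
    combo = lambda rec: tuple(rec[k] for k in keys)
    counts = Counter(combo(rec) for rec in log)
    rules = {c for c, n in counts.items() if n > threshold}
    blocked = [rec for rec in log if combo(rec) in rules]
    hit = sum(rec["attack"] for rec in blocked)
    return hit, len(blocked) - hit

if __name__ == "__main__":
    log = build_sample_log()
    for keys in (("ja4",), ("country",), ("ja4", "host")):
        hit, collateral = evaluate(log, keys, threshold=100)
        print(f"{'+'.join(keys):10} attack blocked={hit:3} legit blocked={collateral}")
```

On this sample the JA4-only rule stops the flood but also blocks the 30 legitimate clients that share the fingerprint, the country-only rule misses half the flood and blocks 50 legitimate requests, and the JA4 plus hostname rule blocks all 400 attack requests with no collateral.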

Actionable guidance

"It's important to note that this report only represents one month of data and should be used with first-party insights from your observability tools and longer-term research to create a comprehensive view. However, from this data alone, there are a few key learnings you can integrate into your existing security efforts:

Ensure your defence is robust enough to handle application DDoS attacks at the scale of 1 billion+ RPS. While in the past we've seen attacks of this size target the largest Enterprise customers on our platform, June's attack on an organisation of Commercial size makes it clear that just because those organisations make less revenue, they're no less likely to receive the unwanted attention of attackers.

Consider leveraging signatures like JA4 to identify attackers (or leveraging products like Fastly DDoS Protection that automatically incorporate them in rules). While not a novel concept, this provides yet another lens to look at attacks through and accurately separate the traffic without impacting legitimate users.

Be mindful of how you're leveraging geo-based decisioning if you're still manually creating rules or rate limits (or shift to automatic rule creation). As seen in the Byline Banshee's attacks this month, the vast majority of traffic came from countries that don't fit the nation-state definition. Automatically mitigate disruptive and distributed attacks."
