TelcoNews UK - Telecommunications news for ICT decision-makers

DigiCert sees record UltraDNS DDoS surge in December 2025

Fri, 6th Feb 2026

DigiCert reported a sharp rise in distributed denial-of-service attacks targeting its UltraDNS service in the final quarter of 2025, with incidents hitting a record level in December.

DigiCert's Q4 2025 RADAR Threat Intelligence Brief shows DDoS events against UltraDNS rose from 14 in October and 18 in November to 176 in December. Over the same period, the overall number of DDoS attacks observed increased from 1,067 in November to 2,200 in December, a 106% month-on-month jump.

The data points to a shift away from short disruptions and towards campaigns that apply pressure over longer periods. DigiCert recorded a longest attack duration of 8.1 days. The largest observed attack peaked at 2.02 Tbps, suggesting terabit-scale attacks are becoming more common in active campaigns.

Botnet growth

Two large botnets, Aisuru and Kimwolf, were identified as major drivers of the quarter's DDoS activity. DigiCert said each had access to millions of devices, providing a larger pool of endpoints to generate attack traffic.

The report also highlights the geographic origin of malicious traffic. It found 71% originated from Great Britain, though it does not specify what share was tied to UltraDNS-targeting incidents versus other hostile activity across DigiCert's network telemetry.

UltraDNS sits within DigiCert's security portfolio alongside UltraDDoS Protect and UltraWAF. DigiCert said the RADAR analysis draws on trillions of network events across its global security platform to track patterns in internet traffic and attack activity.

Sustained demand

Beyond attack traffic, the report describes elevated internet demand that stayed high for longer stretches. DigiCert's DNS usage data suggests what used to be brief periods of heavy demand shifted into sustained loads lasting weeks rather than days. During busy seasons, it found no clear off-peak period.

The briefing also noted higher-than-normal signals in DNS traffic, including NXDOMAIN requests (failed lookups) and higher query volumes linked to automation tools. It attributed this mix to persistent scanning, repeated bad requests caused by misconfigurations, and automated probing by bots and tools.

These patterns matter for organisations running online services because DNS is a critical routing layer for internet traffic. Higher baseline load, combined with prolonged hostile traffic, can narrow the margin for error in capacity planning and incident response.

Application probing

The report also described web application threats that remained highly automated during the quarter but more targeted in execution. It observed repeated testing of how applications respond to different requests, rather than single high-profile attempts to disrupt services. Cookie manipulation was cited as one technique used for ongoing probing.

This approach can be harder to detect when it blends into legitimate traffic and routine automation. It also raises the importance of continuous monitoring and controlling configuration drift, since repeated testing can expose weaknesses that emerge over time.

In DigiCert's view, the quarter showed sustained demand and sustained attack pressure converging across multiple layers of internet infrastructure, including DNS, networks and applications.

Michael Smith, AppSec CTO at DigiCert, said the changes are reshaping assumptions about resilience during peak periods.

"What Q4 reinforces is that resilience is no longer about absorbing isolated spikes in traffic and attacks," Smith said. "With the ever-increasing scale of internet bandwidth and the creation of the Aisuru and Kimwolf botnets, organizations must be prepared to operate under prolonged demand and sustained attack pressure across DNS, network, and application layers simultaneously."

DigiCert said it publishes the RADAR briefing quarterly to distil trends from its global network data and provide threat intelligence for security and operations teams planning for future demand and attack conditions.