Cloudflare 2026 Threat Report: 230 Billion Daily Blocked Threats and the Rise of Credential Attacks
Cloudflare has published its inaugural annual threat report revealing the company blocks over 230 billion threats daily across 20% of global web traffic. DDoS attacks doubled year-over-year to 47.1 million incidents, with the largest reaching a record 31.4 Tbps, while bots now account for 94% of all login attempts.
Cloudflare has published its inaugural annual threat report, drawing on data from a network that handles over 20% of global web traffic. The numbers paint a stark picture of the current threat landscape: the company blocks more than 230 billion threats daily, DDoS attacks doubled year-over-year to 47.1 million incidents, and the largest single attack reached a record-breaking 31.4 terabits per second.
DDoS at Scale
The doubling of DDoS attacks in 2025 was driven by both volumetric and application-layer campaigns. Network-layer attacks tripled year-over-year, with the 31.4 Tbps UDP flood — attributed to the Aisuru botnet — dwarfing the previous record by roughly six times. The attack targeted a hosting provider and lasted approximately eight minutes, during which the botnet mobilized an estimated 200,000 compromised devices across 30 countries.
Application-layer DDoS attacks showed increasing sophistication, with attackers using residential proxy networks to disguise traffic as legitimate user requests. Cloudflare notes that traditional rate limiting is becoming less effective against these attacks because each source IP sends a low volume of requests, staying below per-IP thresholds while the aggregate traffic overwhelms the target.
The Credential Crisis
Perhaps the most alarming finding is that bots account for 94% of all login attempts observed across Cloudflare's network. Of the remaining 6% — login attempts from actual humans — 46% use credentials that have appeared in known breach databases. The implication is that nearly half of legitimate users are logging in with compromised passwords, creating a massive attack surface for credential stuffing campaigns.
The LummaC2 infostealer has emerged as a primary tool for credential harvesting, specifically targeting browser session tokens that bypass multi-factor authentication entirely. Once an attacker has a valid session token, they can impersonate the user without needing their password or MFA device.
Nation-State Activity
The report documents continued pre-positioning by the Salt Typhoon and Linen Typhoon groups in North American telecommunications infrastructure, as well as North Korean operatives using AI-generated deepfake profiles to obtain employment at Western technology companies. Cloudflare recommends that organizations implement phishing-resistant MFA (FIDO2 security keys), monitor for anomalous session token usage, and deploy bot management solutions at their authentication endpoints.
Related Articles
HashiCorp Patches Consul Arbitrary File Read Vulnerability in Kubernetes Auth
HashiCorp has released emergency patches for Consul to address CVE-2026-2808, a medium-severity vulnerability allowing arbitrary file reads when Kubernetes authentication is enabled. The fix also adds HTTP server timeouts to prevent Slowloris denial-of-service attacks against Consul agent endpoints.
Let's Encrypt Now Issues Six-Day Certificates and IP Address Certificates via Certbot
Let's Encrypt and the EFF have announced support for six-day (160-hour) certificates and IP address certificates through Certbot 5.3 and 5.4. The ultra-short-lived certificates reduce the impact window of compromised keys by design, while IP address certificates enable HTTPS for services identified by address rather than hostname.
OpenSSL 4.0 Alpha Arrives with Encrypted Client Hello and Post-Quantum Cryptography
The OpenSSL project has released version 4.0.0-alpha1, introducing Encrypted Client Hello (ECH) per RFC 9849 to hide TLS SNI from network observers, alongside new post-quantum cryptographic algorithms. The release also removes the deprecated ENGINE interface and drops SSLv3 support entirely.