Back to blog

Follow and Subscribe

DDoS in November

David King

Senior Product Marketing Manager, Security

Liam Mayron

Principal Product Manager

SecurityIndustry insights
DDoS Weather Report: Attackers Largely Missing from Black Friday 2025

Fastly’s instant global network has stopped trillions of attempted DDoS attacks at layers 3 and 4. However, sophisticated new layer 7 attacks are harder to detect and potentially far more dangerous. This significant threat to any internet-facing app or API’s performance and availability puts users and organizations at risk. Fastly uses telemetry from our 498 Terabits per second* global edge network servicing 1.8 trillion requests per day** and Fastly DDoS Protection to inform a unique set of insights into the global application DDoS “weather”— the only monthly report of its kind. Leverage anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.

Key Findings:

  • November is the latest consecutive month of lower DDoS attack volume despite an increase in overall attacks

  • DDoS attack volume on Commerce customers didn’t significantly deviate from the rest of the month during Cyber 5, despite likely heightened awareness, preparation, and eyes on glass from security teams. Attacks on this industry were spread throughout the month.

  • While attack volume on Commerce companies during Cyber5 was comparatively low, what attacks were observed primarily targeted well-known enterprise-sized companies on the Sunday of Cyber 5

November traffic trends

Security teams spent months preparing for peak traffic; however, November marked the fourth consecutive month of decreased DDoS attack volume.  Comparing attack volume to the rest of what we’ve seen this year, even the spikes in traffic are relatively small in comparison to what was observed as recently as June and August (Image 1). 

Shifting the data into this view of cumulative monthly attack volume shows just how stark this dropoff has been (Image 2). 

 While we can say confidently that there’s been less attack volume than in previous quarters, a small portion of the dropoff is reflective of the efficacy improvements we’ve made to our solution. In October, we released and later publicly announced our Adaptive Threat Engine update, which brought increased accuracy and approximately 72% faster mitigation to Fastly DDoS Protection. The result is that there are even fewer false positives, and we’re catching more short-lived bursty attacks. Taking a look at the last 6 months, we can clearly see the impact that the update has made (Image 3).

Comparing this surge in events (individual attacks) to the decreased volume implies that attackers may have shifted their focus from performance and availability impacts to those that directly hit the bottom line via operational costs. Considering that each time a request gets sent to origin, it hits the operational budget via downstream infrastructure vendors and egress to origin costs, attacks like these can add up over time.

Cyber 5 Deep Dive

The Cyber 5 represents what have been historically seen as the five most important American shopping days spanning Thanksgiving through Cyber Monday. Given their importance to revenue, these are often some of the most stressful days of the year for security teams as they ensure that nothing gets in the way of customers and completing their purchases. Looking at this period across the primary industries attacked, it’s clear that Commerce organizations weren’t under as much DDoS threat as other organizations on Fastly’s network (Image 4).

Interestingly, commerce attacks peaked on November 30th, a day not traditionally associated with Black Friday or Cyber Monday. This raises the question: why then? Did attackers think that the organizations would be too prepared on the two biggest shopping days and adjust accordingly? While we can’t look at previous data to see if there’s a trend here, we’ll monitor it next year to see if it is consistent. 

While Cyber 5 attack volume was comparatively low, it’s important to remember that this data still reflects billions of DDoS attack requests over the five-day period (Images 5 and 6). For those new to these reports, we break down company size by annual revenue:

  1. Enterprise: Greater than $1 billion

  2. Commercial: Between $100 million and $1 billion

  3. Small and Medium Businesses (SMB): Less than $100 million

Expanding our view to all of November, our findings found that the influx of traffic Commerce organizations can expect is actually spread throughout the month instead of primarily the Cyber 5 (. While you can read the other blog to learn more about general traffic patterns, this shift means that security teams must maintain heightened awareness for far longer than they may have initially planned for.  False positives are a common concern of automated solutions during busy traffic periods, as an influx of traffic could, at a glance, be mistaken for an attack. However, as we look at the flagged traffic across all of November, we can see that clearly wasn’t the case for Fastly customers (Image 7). 

In a month of lower overall volume, Commerce DDoS attacks accounted for only a small portion, though they undoubtedly saw unpredictable spikes in legitimate traffic as consumers filled their carts after the latest sale. This is indicative of the adaptive and accurate nature of the proprietary Adaptive Threat Engine on which our solution is built. 

Actionable guidance

So, what should you take away from all of this information?

  1. The days you’re most prepared to battle bad actors won’t always be the days you see combat. We run tabletop exercises and drills so performance and availability stay rock-solid during peak moments like Black Friday and Cyber Monday—but attackers don’t always show up when expected. Vigilance has to be constant.

  2. Attacks aren’t always designed to take you offline. Our efficacy enhancements show just how many attacks are out there, not impacting availability oftentimes – as seen by the decline in monthly attack volume since August – but slowly inflating operational costs.

  3. While traffic was on the rise for Commerce customers throughout November, as seen in our recap blog, Fastly DDoS Protection didn’t see any significant spikes in attack traffic, an indication of the accuracy despite fluctuating traffic volumes that other solutions may incorrectly detect as an attack.

Automatically mitigate disruptive and distributed attacks

 Despite heightened awareness and additional eyes on glass during Cyber 5, DDoS attacks (and general increased volume) were spread throughout November. This reality reinforces the need for automation, and Fastly DDoS Protection is designed for this reality. The solution automatically mitigates the distributed, multi-vector attacks detailed in this report. Let our adaptive technology absorb the next spike so you don't have to. Contact our team or start your free trial today.


* As of 2025-03-31

** As of 2023-07-31

© Fastly 2025