A new report from Cloudflare reveals that Indonesia has become the world’s largest source of hacking activity for four consecutive quarters, surpassing Russia and Ukraine. This finding appears in the Q3 DDoS Threat Report, released on December 3. The report highlights that seven of the ten biggest origins of DDoS attacks are located in Asia, with Indonesia maintaining the top spot.

“Indonesia is the biggest origin of DDoS attacks and has ranked first globally for an entire year since Q3 2024,” Cloudflare stated in its report, quoted Wednesday (Dec 10).

Before this period, Indonesia had already been among the main contributors to global DDoS attacks. In Q2 2024, it placed second, rising sharply from near the bottom in earlier quarters. This reflects a substantial increase in DDoS activity originating from Indonesia.

Over the past five years since Q3 2021, HTTP-based DDoS attack requests from Indonesia rose by 31.9 percent.

Here are the top source countries for DDoS attacks and their ranking changes:

1. Indonesia (no change)

2. Thailand (+8)

3. Bangladesh (+14)

4. Ecuador (+3)

5. Russia (+1)

6. Vietnam (+2)

7. India (+32)

8. Hong Kong (−5)

9. Singapore (−7)

10. Ukraine (−5)

Cloudflare also highlighted that the third quarter of 2025 was dominated by the Aisuru botnet, believed to control 1–4 million infected hosts globally. Aisuru launched hyper-volumetric attacks frequently exceeding 1 Tbps and 1 Bpps.

The number of these attacks surged 54 percent quarter-over-quarter, averaging 14 hyper-volumetric strikes per day. The largest attack peaked at 29.7 Tbps and 14.1 Bpps. Telecommunications firms, gaming companies, hosting providers, and financial services were among its main targets.

These attacks caused “major internet disruptions in the United States,” according to Krebs on Security, primarily due to the massive influx of botnet traffic overwhelming Internet Service Providers.

While many DDoS attacks were relatively small, attacks exceeding 100 Mpps grew 189 percent QoQ, and those above 1 Tbps jumped 227 percent. On the HTTP layer, four out of every 100 attacks surpassed one million requests per second.

Most attacks—about 71% of HTTP and 89% of network-layer attacks—ended within 10 minutes. This duration is too short for humans or on-demand services to respond. Even brief attacks can cause significant outages, and restoring systems takes much longer.

Engineering teams must then undertake complex, step-by-step procedures to recover critical infrastructure, validate data consistency across distributed systems, and safely bring services back online.

CNNIndonesia.com contacted National Cyber and Crypto Agency spokesperson Ariandi Putra and Kominfo Digital Space Oversight Director General Alexander Sabar for comment, but neither has responded.

Understanding DDoS attacks

A DDoS attack works by overwhelming a target server with fake traffic, preventing real users from accessing it. One challenge in identifying these attacks is that their symptoms often resemble everyday connectivity issues.

Typical signs include slow upload or download speeds, inaccessible websites, unstable internet connections, unusual media/content, or abnormal spikes in spam. DDoS attacks can last from hours to months, with widely varying intensity.

The main types include volumetric attacks, protocol-based attacks, and application-layer attacks.