Top Source ASNs Behind DDoS Attacks — Cloudflare’s Q1 2025 DDoS Threat Report

Motion3549 Member

In 2025 Q1, the German-based Hetzner (AS24940) retained its position as the largest source of HTTP DDoS attacks. It was followed by the French-based OVH (AS16276) in second, the US-based DigitalOcean (AS14061) in third, and another German-based provider, Contabo (AS51167), in fourth.

Thanked by 2oloke jsg

Comments

  • Ganonk Member

    Thank you

  • Dyingcat Member

    I read the whole article.

    Besides tech, Cloudflare is smart enough to use 'China Taiwan' in its Chinese version, while 'Taiwan' in other languages.

  • @Dyingcat said:
    I read the whole article.

    Besides tech, Cloudflare is smart enough to use 'China Taiwan' in its Chinese version, while 'Taiwan' in other languages.

    They probably hire a professional translator who is also a technical writer.

  • jsg Member, Resident Benchmarker

    For your convenience, listed in order (worst at the top):

    • Hetzner (AS24940)
    • OVH (AS16276)
    • DigitalOcean (AS14061)
    • Contabo (AS51167)
    • ChinaNet Backbone (AS4134)
    • Tencent (AS132203)
    • Drei (AS200373)
    • Microsoft (AS8075)
    • Oracle (AS31898)
    • Google Cloud Platform (AS396982)

    Note: These are the major sources of http(s) attacks. Gladly all of them (AFAIK) are hosters and not ISPs, so simply blocking them should do the trick in many (most?) cases.

    Thanked by 1eKo
  • PineappleM Member
    edited May 18

    Too bad ASN blacklisting doesn’t work with UDP attacks since the IP can be spoofed. Definitely useful for protecting HTTP servers though.

    Since there’s a bunch of OVH people here, does anyone know how one can blacklist an ASN on OVH’s firewall?
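
Added example (not part of any post in this thread, and not OVH's firewall): one way to turn the ASN list above into a host-level nftables filter that applies to HTTP(S) over TCP only, since a UDP source address can be spoofed. The prefix-to-ASN table is constructed from documentation ranges, and the names `asn_filter`, `blocked_v4` and `blocked_v6` are hypothetical; real prefixes would come from BGP or RIR data.

```python
import ipaddress

# Constructed sample: (prefix, origin ASN). The prefixes are RFC 5737/3849
# documentation ranges, NOT the networks these ASNs really announce.
SAMPLE_ORIGINS = [
    ("192.0.2.0/25", 24940), ("192.0.2.128/25", 24940),
    ("198.51.100.0/24", 16276), ("203.0.113.0/26", 14061),
    ("2001:db8:1::/48", 24940),
]

def prefixes_for(asns, origins):
    """Return [v4, v6] lists of collapsed networks originated by `asns`."""
    nets = {4: [], 6: []}
    for prefix, asn in origins:
        if asn in asns:
            net = ipaddress.ip_network(prefix)
            nets[net.version].append(net)
    # collapse_addresses merges adjacent/overlapping prefixes (one family per call)
    return [list(ipaddress.collapse_addresses(nets[v])) for v in (4, 6)]

def is_blocked(ip, asns, origins):
    """True if `ip` falls inside any prefix originated by `asns`."""
    addr = ipaddress.ip_address(ip)
    v4, v6 = prefixes_for(asns, origins)
    return any(addr in net for net in (v4 if addr.version == 4 else v6))

def nft_ruleset(asns, origins, ports=(80, 443)):
    """Render an nftables table that drops TCP to `ports` from those prefixes."""
    dports = ", ".join(str(p) for p in ports)
    sets, rules = [], []
    families = (("ip", "ipv4_addr", "blocked_v4"), ("ip6", "ipv6_addr", "blocked_v6"))
    for (proto, typ, name), nets in zip(families, prefixes_for(asns, origins)):
        if not nets:  # no prefixes for this family: emit neither set nor rule
            continue
        elems = ", ".join(str(n) for n in nets)
        sets.append(f"  set {name} {{\n    type {typ}\n    flags interval\n"
                    f"    elements = {{ {elems} }}\n  }}")
        # TCP only: a UDP source address can be spoofed, so it proves nothing
        rules.append(f"    tcp dport {{ {dports} }} {proto} saddr @{name} drop")
    chain = ("  chain input {\n    type filter hook input priority 0; policy accept;\n"
             + "\n".join(rules) + "\n  }")
    return "table inet asn_filter {\n" + "\n".join(sets + [chain]) + "\n}\n"

if __name__ == "__main__":
    print(nft_ruleset({24940, 16276}, SAMPLE_ORIGINS))
```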

  • sillycat Member

    @jsg said: Gladly all of them (AFAIK) are hosters

    AS200373 is a proxy provider. The most abusive ASN I've ever personally seen.

    Thanked by 1jsg
  • zGato Member

    @sillycat said:

    @jsg said: Gladly all of them (AFAIK) are hosters

    AS200373 is a proxy provider. The most abusive ASN I've ever personally seen.

    More than CHINANET? :joy:

  • ilikebeans Member
    edited May 18

    @sillycat said:

    @jsg said: Gladly all of them (AFAIK) are hosters

    AS200373 is a proxy provider. The most abusive ASN I've ever personally seen.

    Hahaha, didn’t even have to search up that ASN to know what it is. 3xK, the notorious proxy provider everyone uses.

  • @sillycat said:

    @jsg said: Gladly all of them (AFAIK) are hosters

    AS200373 is a proxy provider. The most abusive ASN I've ever personally seen.

    what exactly is their business?

  • miHoYo Member

    All service providers should block that ASN for network safety.

  • sillycat Member

    @hyperblast said:

    @sillycat said:

    @jsg said: Gladly all of them (AFAIK) are hosters

    AS200373 is a proxy provider. The most abusive ASN I've ever personally seen.

    what exactly is their business?

    They're infiniteproxies.com. They're pretty much who everyone resells.

    Thanked by 1hyperblast
  • gremeyer Member

    Why is Hetzner always at the top of that list? They have a rigorous KYC process and they send you notices if they detect any kind of abuse (port scan, outgoing DDoS, open/vulnerable ports, etc.). That is, unless the IPs were spoofed.

  • PineappleM Member
    edited May 20

    @gremeyer said:
    Why is Hetzner always at the top of that list? They have a rigorous KYC process and they send you notices if they detect any kind of abuse (port scan, outgoing DDoS, open/vulnerable ports, etc.). That is, unless the IPs were spoofed.

    IPs can be spoofed on UDP, but it’d be a weird pick to use a Hetzner IP. Anyone with an upstream firewall that has no business with a Hetzner server can just drop all packets from a Hetzner IP and call it a day.

  • webcraft Member

    @gremeyer said:
    Why is Hetzner always at the top of that list? They have a rigorous KYC process and they send you notices if they detect any kind of abuse (port scan, outgoing DDoS, open/vulnerable ports, etc.). That is, unless the IPs were spoofed.

    The first few at the top of the list are significantly less expensive than the other hyperscalers, also there are many resellers (of dedis as well as VPS). Even though Hetzner or OVH strictly do KYC, in general they're quite liberal and accept if there are no super red flags.

    Thanked by 1Hetzner_OL