The most important distributed denial-of-service (DDoS) assault ever documented was efficiently stopped by Cloudflare in mid-Might 2025, with attackers unleashing a devastating 7.3 terabits per second (Tbps) assault that delivered 37.4 terabytes of malicious visitors in simply 45 seconds.
Abstract
1. Cloudflare blocked a document 7.3 Tbps DDoS assault in mid-Might 2025, delivering 37.4 TB of malicious visitors in 45 seconds.
2. Concentrating on a internet hosting supplier utilizing Cloudflare’s Magic Transit, the assault surpassed the earlier document by 12%.
3. It used subtle multi-vector strategies, primarily UDP floods (99.996%), with extra amplification assaults.
4. Zero-touch structure with anycast routing and gossip protocol shortly contained the assault, showcasing unparalleled scalability.
This unprecedented cyberattack focused a internet hosting supplier buyer utilizing Cloudflare’s Magic Transit service and represents a 12% enhance over the earlier document, demonstrating the escalating scale and class of recent DDoS campaigns.
Multi-vector DDoS Assault
The large assault employed a multi-vector method, with 99.996% of the assault visitors consisting of UDP floods focusing on a mean of 21,925 vacation spot ports on a single IP deal with, peaking at 34,517 ports per second.
The remaining 0.004% utilized subtle reflection and amplification strategies, together with Quote of the Day (QOTD) protocol exploitation on UDP port 17, Echo protocol assaults on UDP/TCP port 7, and Community Time Protocol (NTP) amplification utilizing the monlist command.
Further assault vectors included Mirai botnet UDP floods, Portmap service exploitation on UDP port 111, and Routing Data Protocol model 1 (RIPv1) assaults on UDP port 520.
The assault demonstrated a outstanding geographical distribution, originating from 122,145 distinctive supply IP addresses spanning 5,433 Autonomous Programs (AS) throughout 161 international locations.
Brazil and Vietnam emerged as the first assault sources, every contributing roughly 25% of the whole visitors quantity, whereas Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the US, and Saudi Arabia collectively accounted for one more third of the malicious visitors.
Telefonica Brazil (AS27699) led the collaborating networks with 10.5% of assault visitors, adopted carefully by Viettel Group (AS7552), contributing 9.8%.
Autonomous Detection and Mitigation Expertise
Cloudflare’s protection programs leverage superior packet sampling expertise utilizing eXpress Knowledge Path (XDP) and prolonged Berkeley Packet Filter (eBPF) applications inside the Linux kernel to investigate visitors patterns in real-time, in line with the report.
The corporate’s proprietary heuristic engine, dubbed “dosd” (denial of service daemon), mechanically generated a number of fingerprint permutations to establish assault patterns whereas minimizing impression on reliable visitors.
The assault was detected and mitigated throughout 477 information facilities in 293 world areas utilizing anycast routing, which distributed the assault visitors throughout Cloudflare’s community infrastructure.
Every information heart maintained localized risk intelligence caches up to date by a gossip protocol, guaranteeing sub-second propagation of rising assault signatures throughout your complete community.
This built-in autonomous framework achieved zero-touch mitigation for the 7.3 Tbps assault, totally containing the incident inside its 45-second period with out triggering incident response protocols.
Your complete mitigation course of occurred autonomously with out human intervention, alerts, or service incidents, showcasing the effectiveness of recent cloud-based DDoS safety programs in defending towards more and more subtle cyber threats.
Are you from SOC/DFIR Groups! – Work together with malware within the sandbox and discover associated IOCs. – Request 14-day free trial
