Cloudflare Blocks 7.3 Tbps DDoS Attack

In May 2025, Cloudflare, a leading internet security company, successfully mitigated a record-breaking Distributed Denial-of-Service (DDoS) attack that peaked at 7.3 terabits per second (Tbps). This unprecedented assault targeted a hosting provider utilizing Cloudflare’s Magic Transit service, highlighting the escalating scale and sophistication of cyber threats.

The Scale of the Attack

The DDoS attack, which lasted just 45 seconds, inundated the targeted system with a staggering 37.4 terabytes of data. To put this into perspective, this volume is equivalent to streaming over 9,350 full-length HD movies or downloading approximately 9.35 million songs in under a minute. The sheer magnitude of the attack underscores the potential for disruption that such cyber assaults can cause to online services and infrastructure.

Attack Vectors and Techniques

The attackers employed multiple vectors to amplify the assault’s impact. The majority of the traffic—99.996%—consisted of User Datagram Protocol (UDP) floods. UDP is a connectionless protocol that allows for rapid data transmission, making it a preferred method for DDoS attacks due to its efficiency in overwhelming target systems.


Alongside the UDP floods, the attack included other vectors: QOTD (Quote of the Day) reflection, Echo reflection, Network Time Protocol (NTP) amplification, Mirai botnet UDP floods, Portmap floods, and RIPv1 amplification. The reflection and amplification vectors abuse legacy UDP protocols and services that answer unauthenticated requests, so responses can be redirected at the target and, for amplification, are larger than the requests that triggered them.

Global Distribution of Attack Sources

The attack originated from a vast network of compromised devices, with traffic emanating from over 122,145 unique IP addresses across 161 countries. Notably, nearly half of the attack traffic originated from Brazil and Vietnam, each accounting for approximately 25% of the total volume. Other significant sources included Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.

Cloudflare’s Mitigation Response

Cloudflare’s global anycast network, comprising 477 data centers in 293 locations worldwide, played a pivotal role in mitigating the attack. Upon detection, Cloudflare’s automated DDoS protection mechanisms were instantly triggered, dispersing the malicious traffic across its extensive network infrastructure. This decentralized approach ensured that the attack was absorbed and neutralized without impacting legitimate user traffic.

The mitigation process involved several key components:

  • Real-Time Fingerprinting: Cloudflare’s systems analyzed incoming traffic to identify patterns indicative of the DDoS attack. This real-time analysis enabled the rapid generation of mitigation rules tailored to the specific attack vectors employed.

  • Automated Rule Deployment: Once attack patterns were identified, Cloudflare’s systems autonomously deployed mitigation rules across its network. This automated response ensured a swift and efficient defense against the assault.

  • Intra-Data Center Intelligence Sharing: Servers within Cloudflare’s data centers shared threat intelligence in real-time, refining detection accuracy and enhancing the overall effectiveness of the mitigation efforts.
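
The fingerprint-then-rule loop described in the list above can be sketched as follows; this is an added example, not Cloudflare's algorithm or code. The packet fields, the `min_share` and `ratio` thresholds, and all sample traffic (including the 468-byte reflected NTP payload) are assumptions constructed for illustration.

```python
from collections import Counter
from itertools import combinations

FIELDS = ("proto", "sport", "dport", "length")  # header fields sampled per packet

def count_by(packets, keys):
    """Count packets per value-tuple of the selected header fields."""
    return Counter(tuple(p[k] for k in keys) for p in packets)

def derive_rules(baseline, window, min_share=0.2, ratio=10.0):
    """Find field/value sets that dominate `window` yet are rare in `baseline`.

    Field subsets are tried most-specific first, and a broader candidate is
    skipped when an accepted rule already contains it, so each rule is the
    narrowest match and collateral damage to legitimate traffic stays low.
    """
    rules = []
    for size in range(len(FIELDS), 0, -1):
        for keys in combinations(FIELDS, size):
            base, cur = count_by(baseline, keys), count_by(window, keys)
            for values, hits in cur.items():
                share = hits / len(window)
                base_share = base[values] / len(baseline)
                if share < min_share or share < ratio * max(base_share, 1e-6):
                    continue
                rule = dict(zip(keys, values))
                if not any(rule.items() <= r.items() for r in rules):
                    rules.append(rule)
    return rules

def matches(packet, rules):
    """True if the packet satisfies every field of at least one rule."""
    return any(all(packet[k] == v for k, v in r.items()) for r in rules)

def pkt(proto, sport, dport, length):
    return {"proto": proto, "sport": sport, "dport": dport, "length": length}

def legit(n):
    """Constructed legitimate mix: HTTPS, DNS replies, normal 48-byte NTP."""
    return ([pkt("tcp", 40000 + i, 443, 60) for i in range(n // 2)]
            + [pkt("udp", 53, 50000 + i, 120) for i in range(n * 3 // 10)]
            + [pkt("udp", 123, 123, 48) for _ in range(n // 5)])

BASELINE = legit(100)
# Constructed attack window: NTP and QOTD reflection arrive from a fixed
# source port (123, 17) with spread destination ports, plus legitimate traffic.
WINDOW = ([pkt("udp", 123, 1024 + i, 468) for i in range(600)]
          + [pkt("udp", 17, 1024 + i, 100) for i in range(300)]
          + legit(100))
RULES = derive_rules(BASELINE, WINDOW)
```

Because each rule keeps the payload length alongside the source port, ordinary 48-byte NTP replies in the same window are not matched.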

Implications for Cybersecurity

This record-breaking DDoS attack serves as a stark reminder of the evolving nature of cyber threats. The scale and sophistication of the assault highlight the necessity for organizations to implement robust, automated defense mechanisms capable of responding to high-capacity attacks without human intervention.

Cloudflare’s successful mitigation underscores the effectiveness of distributed, algorithmic defenses against hyper-scale threats. As cybercriminals continue to develop more advanced attack strategies, the reliance on automated systems becomes increasingly critical to maintaining the security and availability of online services.


3 Comments

  1. The global distribution of attack sources across 161 countries highlights the challenges in attributing and preventing these large-scale DDoS attacks. What international collaborations or policies could be implemented to better address the issue of compromised devices being used for malicious purposes?

    • That’s a great point! Addressing compromised devices through international cooperation is key. Perhaps standardized security protocols for IoT devices, combined with global information sharing on botnet activities, could be a starting point for building resilience against these attacks.

      Editor: StorageTech.News


  2. The speed of Cloudflare’s automated response is impressive. How can organizations with less extensive infrastructure leverage similar real-time fingerprinting and automated rule deployment to protect against these evolving threats?
