Cloudflare Mitigates Record 7.3 Tbps DDoS Attack: Largest Ever Recorded
In May 2025, Cloudflare successfully mitigated the largest distributed denial-of-service (DDoS) attack ever recorded, which peaked at an unprecedented 7.3 terabits per second. The target was a major hosting provider protected by Magic Transit, Cloudflare’s cloud-based traffic filtering service.
DDoS attacks, though conceptually simple, are devastating in execution: a barrage of network requests overwhelms a system’s resources, aiming to destabilize or disable it entirely. In this instance, the scale was extraordinary—within just 45 seconds, attackers generated 37.4 terabytes of data, equivalent to approximately 7,500 hours of HD video streaming or 12.5 million JPEG images.
According to Cloudflare, the malicious traffic originated from 122,145 unique IP addresses spanning 161 countries. The most significant activity was traced to Brazil, Vietnam, Taiwan, China, Indonesia, and Ukraine—nodes that together formed a globally synchronized botnet.
Most notably, the traffic was highly dispersed, with malicious packets targeting tens of thousands of ports simultaneously. On average, the system received 21,925 network requests per second, with peak bursts reaching 34,517. This distribution strategy overloaded not only the target server but also filtering mechanisms, making it substantially harder to identify and block the threat.
Despite the immense scale, Cloudflare’s automated defenses neutralized the attack entirely without human intervention. The success was largely due to its Anycast architecture, which redistributed the load across 477 data centers in 293 locations worldwide. Real-time traffic analysis and inter-datacenter intelligence sharing allowed the network to generate threat signatures on the fly and deploy filtering rules instantly.
The bulk of the malicious traffic—99.996%—consisted of UDP packets. Additional techniques used to complicate detection and circumvent filters included:
- QOTD (Quote of the Day) reflection
- Echo responses
- NTP amplification
- Mirai botnet floods
- Portmap abuse
- Exploitation of the RIPv1 protocol
Although each of these contributed only a small portion to the overall stream, their collective purpose was to obscure diagnostics, bypass defenses, and probe for vulnerabilities.
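As an added example (not code from Cloudflare or from this article), the sketch below tags UDP flow records arriving at a protected address by the well-known source ports of the reflection services listed above, and counts distinct destination ports per target to surface the many-ports pattern described earlier. The flow tuple layout, the threshold, the function names and the sample records are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Well-known UDP ports of the reflection services named in the list above.
# Reflected replies reach the victim with the service port as SOURCE port.
REFLECTOR_PORTS = {7: "echo", 17: "qotd", 111: "portmap", 123: "ntp", 520: "rip"}

# Assumed threshold: distinct destination ports on one target per window
# that we flag as a port-spread pattern. Tune it against your own baseline.
PORT_SPREAD_THRESHOLD = 5


def classify(flow):
    """Label one record: (proto, src_ip, src_port, dst_ip, dst_port, bytes)."""
    proto, _src, sport, _dst, _dport, _nbytes = flow
    if proto != "udp":
        return "non_udp"
    # Direct floods (e.g. from Mirai-type bots) use arbitrary source ports,
    # so they cannot be told apart by port and fall into "udp_other".
    return REFLECTOR_PORTS.get(sport, "udp_other")


def summarize(flows):
    """Return (byte share in % per vector, targets hit on many ports)."""
    bytes_by_vector = Counter()
    dports, sources = defaultdict(set), defaultdict(set)
    for flow in flows:
        _proto, src, _sport, dst, dport, nbytes = flow
        bytes_by_vector[classify(flow)] += nbytes
        dports[dst].add(dport)
        sources[dst].add(src)
    total = sum(bytes_by_vector.values()) or 1
    share = {v: round(100 * b / total, 2) for v, b in bytes_by_vector.items()}
    spread = {dst: {"dst_ports": len(p), "sources": len(sources[dst])}
              for dst, p in dports.items() if len(p) >= PORT_SPREAD_THRESHOLD}
    return share, spread


# Constructed sample window; all addresses are RFC 5737 documentation ranges.
SAMPLE = [
    ("udp", "198.51.100.10", 40001, "203.0.113.5", 1001, 6000),
    ("udp", "198.51.100.11", 40002, "203.0.113.5", 1002, 2000),
    ("udp", "198.51.100.12", 123, "203.0.113.5", 1003, 1000),
    ("udp", "198.51.100.13", 17, "203.0.113.5", 1004, 500),
    ("udp", "198.51.100.14", 520, "203.0.113.5", 1005, 300),
    ("udp", "198.51.100.15", 111, "203.0.113.5", 1006, 100),
    ("udp", "198.51.100.16", 7, "203.0.113.5", 1007, 50),
    ("tcp", "192.0.2.20", 51000, "203.0.113.9", 443, 50),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A large "udp_other" share next to small reflector shares matches the mix the article describes, where the named vectors are only a minor part of the stream.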
Cloudflare emphasized that relevant Indicators of Compromise (IoCs) were gathered during the attack and immediately added to the publicly available DDoS Botnet Threat Feed. This resource, offered freely to organizations across numerous countries and regions, allows proactive blocking of suspicious IPs before an attack occurs.
As of publication, over 600 companies had already subscribed to the platform. Cloudflare strongly encourages additional infrastructure providers and digital service entities to join and employ proactive filtering measures.
Though the incident lasted less than a minute, its sheer scale and sophisticated execution signaled a new echelon of digital threat. DDoS attacks have evolved beyond crude network floods into multilayered, technically intricate operations—demanding not manual responses, but global, network-level countermeasures.