Full Report
Cloudflare on Thursday said it autonomously blocked the largest distributed denial-of-service (DDoS) attack ever recorded, which hit a peak of 7.3 terabits per second (Tbps). The attack, which was detected in mid-May 2025, targeted an unnamed hosting provider. "Hosting providers and critical Internet infrastructure have increasingly become targets of DDoS attacks," Cloudflare's Omer
Analysis Summary
# Incident Report: Record-Breaking 7.3 Tbps Volumetric DDoS Attack
## Executive Summary
In mid-May 2025, an unnamed hosting provider was targeted by the largest distributed denial-of-service (DDoS) attack ever recorded, peaking at an unprecedented 7.3 Terabits per second (Tbps). This hyper-volumetric, multi-vector attack delivered 37.4 terabytes of data over a mere 45 seconds. The incident was automatically mitigated by Cloudflare, preventing operational failure for the victim, which is categorized as a critical infrastructure provider (hosting).
## Incident Details
- **Discovery Date:** Mid-May 2025
- **Incident Date:** Mid-May 2025 (Lasted approximately 45 seconds)
- **Affected Organization:** Unnamed Hosting Provider
- **Sector:** Hosting / Critical Internet Infrastructure
- **Geography:** Not explicitly stated for the target, but attack sources spanned 161 countries.
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-May 2025
- **Vector:** Multi-vector DDoS attack utilizing a botnet.
- **Details:** The attack targeted a single IP address owned by the hosting provider, hitting an average of 21,925 destination ports per second, peaking at 34,517 destination ports per second.
### Lateral Movement
*(Not applicable for volumetric DDoS attacks targeting external infrastructure.)*
### Data Exfiltration/Impact
- **Impact:** The attack delivered 37.4 Terabytes of traffic in 45 seconds, aiming to cause a complete service outage (Denial of Service).
### Detection & Response
- **How it was discovered:** The attack was detected automatically by Cloudflare's DDoS mitigation systems.
- **Response actions taken:** Cloudflare autonomously blocked the attack flood.
## Attack Methodology
- **Initial Access:** Volumetric amplification and reflection attacks.
- **Persistence:** Not applicable (DDoS attacks are typically short, high-volume events).
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Leveraging high-volume, dispersed sources to overwhelm defenses.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable.
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Service disruption via overwhelming network capacity (Denial of Service).
**Primary Attack Vectors:** Combination of UDP flood (accounting for 99.996% of traffic), QOTD reflection, echo reflection, NTP reflection, Mirai UDP flood, portmap flood, and RIPv1 amplification attack.
## Impact Assessment
- **Financial:** Not disclosed; had the attack succeeded, the cost of the resulting downtime would likely have been significant.
- **Data Breach:** None suggested; the attack was focused on availability (DDoS).
- **Operational:** The hosting provider was protected by Cloudflare and likely experienced minimal operational impact.
- **Reputational:** Threat actor's reputation for large-scale attacks is reinforced; Cloudflare's reputation for defense is enhanced.
## Indicators of Compromise
*(Note: For DDoS, Indicators focus on traffic patterns rather than traditional malware IOCs.)*
- **Network indicators:** Traffic volume peaking at 7.3 Tbps against a single destination IP address.
- **File indicators:** N/A
- **Behavioral indicators:** Traffic arriving simultaneously from 122,145 source IP addresses; an extreme spread of destination ports on the single target address (peak >34,000 ports per second).
**Key Source ASNs identified:**
- Telefonica Brazil (AS27699) - 10.5%
- Viettel Group (AS7552) - 9.8%
- China Unicom (AS4837) - 3.9%
- Chunghwa Telecom (AS3462) - 2.9%
- China Telecom (AS4134) - 2.8%
## Response Actions
- **Containment measures:** Autonomous mitigation by Cloudflare's scrubbing centers, absorbing and filtering the multi-vector flood.
- **Eradication steps:** (Not applicable, as the attack source was external botnets).
- **Recovery actions:** Service continuation for the hosting provider.
## Lessons Learned
- Volumetric DDoS attacks continue to increase in scale, setting new records (7.3 Tbps is the new benchmark).
- Hosting providers and critical infrastructure must employ powerful, automated edge protection to survive hyper-volumetric attacks.
- Attacks remain multi-vector, though **UDP Flood** remains the most dominant component.
- Attacks are highly distributed, involving over 122,000 source IPs across 161 countries.
## Recommendations
- Internet service providers and hosting companies must continuously review and ensure their capacity and DDoS mitigation policies can handle attacks exceeding 8 Tbps.
- Investigate their own security posture for Mirai-variant or RapperBot infected devices within their own network infrastructure, as these botnets are known actors in large-scale attacks.
- Implement highly granular BGP/port filtering as a first line of defense against known amplification services before traffic reaches application layers.
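As an added example (not code from the report or from Cloudflare), the following Python flow analyser shows how the behavioral indicators listed above and the port-filtering recommendation could be operationalised on flow records: it labels UDP flows by the reflecting service port (echo 7, QOTD 17, portmap 111, NTP 123, RIPv1 520, all IANA-assigned ports), computes the per-second distinct-destination-port rate the report cites, and flags seconds that exceed a chosen threshold. The flow records, field layout and threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Well-known UDP service ports behind the reflection/amplification vectors named
# in the report. Reflected traffic reaches the victim with the service port as
# its *source* port, which is what makes each vector recognisable in flow data.
REFLECTION_PORTS = {7: "echo", 17: "QOTD", 111: "portmap", 123: "NTP", 520: "RIPv1"}

# Constructed sample flow records (not real capture data):
# (second, src_ip, src_port, dst_port, proto, bytes) towards one victim address.
SAMPLE_FLOWS = [
    (0, "203.0.113.10", 123, 40001, "udp", 4680),
    (0, "203.0.113.11", 17, 40002, "udp", 1200),
    (0, "198.51.100.5", 44444, 40003, "udp", 900),
    (0, "198.51.100.6", 7, 40004, "udp", 800),
    (0, "192.0.2.9", 44555, 443, "tcp", 600),
    (1, "203.0.113.12", 111, 40005, "udp", 5000),
    (1, "203.0.113.13", 520, 40006, "udp", 700),
    (1, "198.51.100.7", 44446, 40007, "udp", 900),
    (1, "198.51.100.7", 44447, 40008, "udp", 900),
]


def classify(src_port, proto):
    """Name the vector a flow belongs to: reflecting service, plain UDP flood, or other."""
    if proto != "udp":
        return proto
    return REFLECTION_PORTS.get(src_port, "udp-flood")


def per_second_stats(flows):
    """Per second: distinct destination ports, distinct sources, bytes, UDP share, vector mix."""
    buckets = defaultdict(lambda: {"dst_ports": set(), "src_ips": set(),
                                   "bytes": 0, "udp_bytes": 0, "vectors": Counter()})
    for sec, src_ip, src_port, dst_port, proto, nbytes in flows:
        b = buckets[sec]
        b["dst_ports"].add(dst_port)
        b["src_ips"].add(src_ip)
        b["bytes"] += nbytes
        if proto == "udp":
            b["udp_bytes"] += nbytes
        b["vectors"][classify(src_port, proto)] += nbytes
    return {sec: {"dst_ports": len(b["dst_ports"]), "src_ips": len(b["src_ips"]),
                  "bytes": b["bytes"], "udp_share": b["udp_bytes"] / b["bytes"],
                  "vectors": dict(b["vectors"])} for sec, b in buckets.items()}


def flag_port_spray(stats, max_ports_per_sec):
    """Seconds whose distinct-destination-port rate exceeds the threshold (port-spray signal)."""
    return sorted(sec for sec, s in stats.items() if s["dst_ports"] > max_ports_per_sec)
```

On real flow exports the threshold would be set from baseline traffic, and the vector mix per second tells you which reflecting services to filter at the edge first.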