Cloudflare thwarted the largest distributed denial-of-service (DDoS) attack ever recorded, a colossal 7.3 terabits per second (Tbps) torrent of malicious data aimed at one of its customers.
The event, which took place in mid-May, was 12 percent larger than Cloudflare’s previous recorded peak and surpassed another recent attack by a full 1 Tbps. The firm had only recently published its DDoS threat report for the first quarter of 2025, which had highlighted previous attacks reaching 6.5 Tbps.
The target of this immense cyberattack was a hosting provider that utilises Cloudflare’s Magic Transit service to protect its IP network. This aligns with a trend observed by the company where hosting providers and other critical internet infrastructure are increasingly finding themselves in the crosshairs of DDoS campaigns.
To put the sheer volume of the attack into perspective, the 7.3 Tbps assault delivered 37.4 terabytes of data in just 45 seconds. While 37.4 terabytes might not seem staggering on its own, delivering it in under a minute is the equivalent of flooding a network with the data of over 9,350 full-length high-definition films.
According to Cloudflare, the DDoS was not a simple flood but a complex, multi-vector assault. The majority of the traffic, almost 100 percent, was identified as a UDP flood, a common method that attempts to saturate a target’s internet link with more packets than it can process. However, a smaller fraction of the attack consisted of more sophisticated reflection and amplification techniques—including QOTD, Echo, and NTP reflection attacks, alongside floods from the notorious Mirai botnet.
These reflection attacks abuse legitimate but often obsolete internet protocols. For instance, an Echo DDoS attack exploits a diagnostic tool on UDP/TCP port 7 that replies with the same data it receives. Attackers spoof the victim’s IP address, causing numerous devices to reflect data back and amplify the assault. Similarly, the QOTD attack abuses the “Quote of the Day” protocol on UDP port 17. Experts advise that since these protocols are outdated, disabling them should have no negative impact on modern systems.
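To act on that advice, the following Python example (added here for illustration; it is not code from Cloudflare or from the original article) audits a Linux host for sockets still serving Echo on port 7 or QOTD on port 17. It assumes IPv4 socket tables in the `/proc/net/udp` and `/proc/net/tcp` layout on a little-endian machine; the function names and the sample tables are constructed for this example.

```python
import ipaddress
import struct

# Legacy services the article names as reflection vectors.
LEGACY_PORTS = {7: "echo", 17: "qotd"}
# /proc/net states: TCP LISTEN is 0A; a bound, unconnected UDP socket shows 07.
SERVING_STATE = {"tcp": "0A", "udp": "07"}

# Constructed sample tables in /proc/net layout (not real host data).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0007 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:0011 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1003
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0011 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2001
   1: 0A00000A:0007 0A00000B:C350 01 00000000:00000000 00:00000000 00000000     0        0 2002
"""

def decode_addr(field):
    """Turn '0100007F:0011' into (IPv4Address('127.0.0.1'), 17)."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the address as a native 32-bit word (byte-reversed on little-endian).
    ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def find_legacy_listeners(table, proto):
    """Return findings for sockets serving echo/qotd in one /proc/net table."""
    findings = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != SERVING_STATE[proto]:
            continue                              # not a listening/bound socket
        ip, port = decode_addr(cols[1])
        if port in LEGACY_PORTS:
            # A loopback-only bind is not reachable from other hosts.
            exposure = "local-only" if ip.is_loopback else "network-reachable"
            findings.append((proto, LEGACY_PORTS[port], str(ip), port, exposure))
    return findings

def audit(udp_table=SAMPLE_UDP, tcp_table=SAMPLE_TCP):
    """Combine UDP and TCP findings; defaults use the constructed samples."""
    return find_legacy_listeners(udp_table, "udp") + find_legacy_listeners(tcp_table, "tcp")

if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```

On a live Linux host, pass the contents of `/proc/net/udp` and `/proc/net/tcp` to `audit()` in place of the samples; any `network-reachable` finding is a service to disable.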
Cloudflare notes the digital fingerprints of the DDoS attack point to a vast and distributed network of compromised devices. The malicious traffic originated from over 122,145 unique IP addresses, spread across more than 5,400 autonomous systems in 161 countries. Almost half of the attack traffic came from just two countries: Brazil and Vietnam. A further third was sourced from a combination of Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the US, and Saudi Arabia.
Analysis of the networks involved revealed that Telefonica Brazil was the single largest source, accounting for 10.5 percent of the attack traffic. It was followed closely by Viettel Group from Vietnam, which contributed 9.8 percent.
Cloudflare uses a global anycast network to mitigate DDoS attacks, which means that when an IP address under its protection is attacked, the malicious traffic is routed to the nearest of Cloudflare’s 477 data centres. This distributes the load across the globe, effectively using the distributed nature of the attack against itself.
When packets enter a Cloudflare data centre, a sample is analysed in real time by a system named ‘dosd’ (denial of service daemon). This engine identifies suspicious patterns in the data.
Once a threat pattern is confirmed, the system generates a fingerprint to surgically match the malicious traffic while avoiding any impact on legitimate users. A mitigation rule is then compiled and deployed to drop any packets that match the attack pattern. This entire process happens autonomously, and when the attack subsides, the mitigation rule is automatically removed.
Each server in Cloudflare’s network communicates threat intelligence with its peers, both within its own data centre and globally. This “gossiping” about attacks ensures that real-time intelligence is shared, enhancing the mitigation efficacy and resilience of the entire network.
Cloudflare’s successful defence against this 7.3 Tbps DDoS demonstrates the critical importance of automated, distributed security architectures in an era of escalating cyber threats.