Record-Breaking 7.3 Tbps DDoS Attack Blasting 37.4 Terabytes in Just 45 Seconds
The largest distributed denial-of-service (DDoS) attack ever documented was successfully stopped by Cloudflare in mid-May 2025, with attackers unleashing a devastating 7.3 terabits per second (Tbps) attack that delivered 37.4 terabytes of malicious traffic in just 45 seconds.
Summary
1. Cloudflare blocked a record 7.3 Tbps DDoS attack in mid-May 2025, delivering 37.4 TB of malicious traffic in 45 seconds.
2. Targeting a hosting provider using Cloudflare's Magic Transit, the attack surpassed the previous record by 12%.
3. It used sophisticated multi-vector techniques, mainly UDP floods (99.996%), with additional amplification attacks.
4. Zero-touch architecture with anycast routing and gossip protocol quickly contained the attack, showcasing unparalleled scalability.
This unprecedented cyberattack targeted a hosting provider customer using Cloudflare’s Magic Transit service and represents a 12% increase over the previous record, demonstrating the escalating scale and sophistication of modern DDoS campaigns.
Multi-vector DDoS Attack
The massive attack employed a multi-vector approach, with 99.996% of the attack traffic consisting of UDP floods targeting an average of 21,925 destination ports on a single IP address, peaking at 34,517 ports per second.
The remaining 0.004% utilized sophisticated reflection and amplification techniques, including Quote of the Day (QOTD) protocol exploitation on UDP port 17, Echo protocol attacks on UDP/TCP port 7, and Network Time Protocol (NTP) amplification using the monlist command.
Additional attack vectors included Mirai botnet UDP floods, Portmap service exploitation on UDP port 111, and Routing Information Protocol version 1 (RIPv1) attacks on UDP port 520.
The attack demonstrated a remarkable geographical distribution, originating from 122,145 unique source IP addresses spanning 5,433 Autonomous Systems (AS) across 161 countries.
Brazil and Vietnam emerged as the primary attack sources, each contributing approximately 25% of the total traffic volume, while Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia collectively accounted for another third of the malicious traffic.
Telefonica Brazil (AS27699) led the participating networks with 10.5% of attack traffic, followed closely by Viettel Group (AS7552), contributing 9.8%.
Autonomous Detection and Mitigation Technology
According to the report, Cloudflare’s defense systems sample packets inside the Linux kernel using eXpress Data Path (XDP) and extended Berkeley Packet Filter (eBPF) programs, and analyze the sampled traffic patterns in real time.
The company’s proprietary heuristic engine, dubbed “dosd” (denial of service daemon), automatically generated multiple fingerprint permutations to identify attack patterns while minimizing impact on legitimate traffic.
The attack was detected and mitigated across 477 data centers in 293 global locations using anycast routing, which distributed the attack traffic across Cloudflare’s network infrastructure.
Each data center maintained localized threat intelligence caches updated through a gossip protocol, ensuring sub-second propagation of emerging attack signatures across the entire network.
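The detection pipeline described above, sampling, heuristic fingerprinting and signature sharing, can be illustrated in miniature. The Python below is an added example written for this page; it is not Cloudflare's dosd or any code from the report. It parses constructed sampled packet headers, separates traffic that was absent from a pre-attack baseline, labels it by the vectors the article names (reflector source ports 17, 7, 123, 111 and 520, everything else as a plain UDP flood), measures how many distinct destination ports per second are sprayed at the target, and then enumerates header-attribute combinations to pick mitigation fingerprints that cover the most attack packets while matching nothing in the baseline. The record format, the RFC 5737 addresses, the field set and the "lower port is the service port" heuristic are all assumptions made for the example.

```python
"""Added example (not Cloudflare's code): classify DDoS vectors in sampled packet
headers and derive mitigation fingerprints that cover attack traffic without
matching a pre-attack baseline. Record format and all traffic are constructed."""
from collections import Counter, defaultdict
from itertools import combinations

# Reflection/amplification services named in the article, keyed by (source port, protocol).
REFLECTORS = {
    (17, "udp"): "QOTD reflection",
    (7, "udp"): "Echo reflection",
    (7, "tcp"): "Echo reflection",
    (123, "udp"): "NTP monlist amplification",
    (111, "udp"): "Portmap reflection",
    (520, "udp"): "RIPv1 reflection",
}
FIELDS = ("proto", "src_port", "dst_ip", "dst_port", "length")  # assumed fingerprint fields
TARGET = "198.51.100.9"  # constructed victim address (RFC 5737 documentation range)

# Constructed samples, one packet per line: ts proto src_ip:src_port dst_ip:dst_port length
BASELINE = """
0.1 tcp 192.0.2.10:51000 198.51.100.9:443 60
0.3 tcp 192.0.2.11:51002 198.51.100.9:443 1460
0.5 udp 192.0.2.53:53 198.51.100.9:33000 120
0.8 udp 192.0.2.12:443 198.51.100.9:44000 1200
"""
ATTACK_WINDOW = """
10.0 udp 203.0.113.5:40001 198.51.100.9:5123 1400
10.1 udp 203.0.113.6:40877 198.51.100.9:22911 1400
10.2 tcp 192.0.2.10:51004 198.51.100.9:443 60
10.3 udp 203.0.113.7:1025 198.51.100.9:61000 1400
10.4 udp 203.0.113.20:123 198.51.100.9:30001 482
10.5 udp 203.0.113.8:55555 198.51.100.9:9 1400
10.6 udp 203.0.113.9:2048 198.51.100.9:47312 1400
10.9 udp 192.0.2.12:443 198.51.100.9:44001 1200
11.0 udp 203.0.113.10:40002 198.51.100.9:8080 1400
11.2 udp 203.0.113.21:123 198.51.100.9:30002 482
11.5 udp 203.0.113.11:3333 198.51.100.9:1194 1400
11.7 udp 203.0.113.12:4444 198.51.100.9:53 1400
"""

def parse(text):
    """Parse the constructed record format into dicts with typed fields."""
    pkts = []
    for line in text.strip().splitlines():
        ts, proto, src, dst, length = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        pkts.append({"ts": float(ts), "proto": proto, "src_ip": src_ip,
                     "src_port": int(src_port), "dst_ip": dst_ip,
                     "dst_port": int(dst_port), "length": int(length)})
    return pkts

def vector(pkt):
    """Label a packet by the vector it resembles: known reflector source port, else UDP flood."""
    return REFLECTORS.get((pkt["src_port"], pkt["proto"]),
                          "UDP flood" if pkt["proto"] == "udp" else "other")

def profile_key(pkt):
    # Crude stand-in for a learned traffic profile (assumption): the lower port is the service.
    return (pkt["proto"], min(pkt["src_port"], pkt["dst_port"]), pkt["dst_ip"], pkt["length"])

def excess_traffic(window, baseline):
    """Packets whose profile was never seen before the attack started."""
    seen = {profile_key(p) for p in baseline}
    return [p for p in window if profile_key(p) not in seen]

def vector_shares(pkts):
    """Fraction of packets per vector, like the 99.996% / 0.004% split in the article."""
    counts = Counter(vector(p) for p in pkts)
    return {k: v / len(pkts) for k, v in counts.items()}

def peak_port_spray(pkts, target):
    """Max distinct destination ports per one-second bucket aimed at one target IP."""
    buckets = defaultdict(set)
    for p in pkts:
        if p["dst_ip"] == target:
            buckets[int(p["ts"])].add(p["dst_port"])
    return max((len(s) for s in buckets.values()), default=0)

def matches(fp, pkt):
    return all(pkt[f] == v for f, v in fp.items())

def candidate_counts(pkts, max_fields):
    """Count how many packets each attribute combination (a candidate fingerprint) matches."""
    counts = Counter()
    for p in pkts:
        for r in range(1, max_fields + 1):
            for combo in combinations(FIELDS, r):
                counts[tuple((f, p[f]) for f in combo)] += 1
    return counts

def mitigation_rules(window, baseline, max_fields=3, min_coverage=2):
    """Greedily pick fingerprints: highest coverage of the window, zero baseline hits,
    more specific (more fields) on ties; remove matched packets and repeat."""
    base = candidate_counts(baseline, max_fields)
    remaining, rules = list(window), []
    while remaining:
        win = candidate_counts(remaining, max_fields)
        clean = [(cov, len(fp), fp) for fp, cov in win.items() if base[fp] == 0]
        if not clean:
            break
        cov, _, fp = max(clean, key=lambda c: (c[0], c[1]))
        if cov < min_coverage:
            break  # what is left looks like ordinary traffic; stop before causing collateral
        rule = dict(fp)
        rules.append((rule, cov))
        remaining = [p for p in remaining if not matches(rule, p)]
    return rules

if __name__ == "__main__":
    base, win = parse(BASELINE), parse(ATTACK_WINDOW)
    attack = excess_traffic(win, base)
    print("vector shares:", vector_shares(attack))
    print("peak distinct dst ports/s:", peak_port_spray(attack, TARGET))
    for rule, cov in mitigation_rules(win, base):
        print(f"drop {rule}  (covers {cov} sampled packets)")
```

On the constructed window the first rule covers the port-spraying UDP flood (udp to the target with a fixed 1400-byte length), the second covers the NTP reflection (udp from source port 123), and the two legitimate flows are left untouched because every combination that would match them also matches the baseline. A production engine does this over kernel-sampled packets at line rate and ships the winning rules to peers, but the ranking idea, maximum coverage with zero baseline hits and specificity on ties, is the part worth understanding.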
This integrated autonomous framework achieved zero-touch mitigation for the 7.3 Tbps attack, fully containing the incident within its 45-second duration without triggering incident response protocols.
The entire mitigation process occurred autonomously without human intervention, alerts, or service incidents, showcasing the effectiveness of modern cloud-based DDoS protection systems in defending against increasingly sophisticated cyber threats.