Cloudflare thwarts record 7.3 Tbps DDoS attack with automation
Cloudflare has confirmed it recently mitigated what it describes as the largest distributed denial-of-service (DDoS) attack ever publicly disclosed, clocking in at 7.3 terabits per second (Tbps), surpassing previous known records.
The attack, which occurred in mid-May 2025, targeted a hosting provider customer utilising Cloudflare's Magic Transit service for network defence. According to Cloudflare data, this incident follows closely on the heels of attacks recorded at 6.5 Tbps and 4.8 billion packets per second, illustrating that DDoS attacks are continuing to increase in both scale and complexity.
Cloudflare stated that the 7.3 Tbps attack was 12% larger than its previous record and 1 Tbps greater than another recent attack reported by security journalist Brian Krebs.
Attack analysis
The 7.3 Tbps DDoS attack delivered a total of 37.4 terabytes of data within a 45-second window. During the attack, the targeted IP address was bombarded across an average of 21,925 destination ports, reaching a peak of 34,517 destination ports per second. The distribution of source ports mirrored this targeting method.
The attack employed several vectors but was dominated by UDP floods, constituting 99.996% of total traffic. The residual traffic, amounting to 1.3 GB, involved QOTD reflection, Echo reflection, NTP reflection, Mirai UDP floods, Portmap flood, and RIPv1 amplification techniques. Each vector was identified and catalogued, with Cloudflare detailing how organisations could protect both themselves and the broader Internet from such forms of abuse.
Cloudflare explained that the UDP DDoS component worked by sending large volumes of UDP packets to random or specific destination ports, either to saturate the Internet link or overwhelm network appliances. Other vectors, such as the QOTD (Quote of the Day), Echo, NTP, Portmap, and RIPv1, exploited vulnerabilities in legacy protocols and services to reflect and amplify attack traffic onto target systems.
Global scale
The attack was notable for its global reach. Traffic originated from more than 122,145 source IP addresses across 5,433 autonomous systems in 161 countries. Nearly half of the attack traffic came from Brazil and Vietnam, accounting for around twenty-five percent each. The remainder was largely attributable to sources in Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.
At an autonomous system level, Telefonica Brazil (AS27699) contributed 10.5% of attack traffic, with Viettel Group (AS7552), China Unicom (AS4837), Chunghwa Telecom (AS3462), and China Telecom (AS4134) among the other major sources. The attack saw an average of 26,855 unique source IP addresses per second, peaking at 45,097.
Technical response
Cloudflare utilised the global anycast architecture to divert and dissipate the massive influx of traffic. As packets arrived at Cloudflare's network edge, they were routed to the closest data centre. This incident was managed across 477 data centres in 293 locations worldwide, with some regions operating multiple facilities due to traffic volume.
Detection and mitigation were handled by Cloudflare's automated systems, which operate independently in each data centre. The Cloudflare global network runs every service in every data centre. This includes our DDoS detection and mitigation systems. This means that attacks can be detected and mitigated fully autonomously, regardless of where they originate from.
Upon arrival, data packets were intelligently distributed to available servers where they were sampled for analysis. Cloudflare employed the denial of service daemon (dosd), a heuristic engine that reviews packet headers and anomalies for malicious patterns. The system then generated multiple permutations of digital fingerprints specific to the attack, seeking patterns that maximised blocking efficacy while minimising impact on legitimate traffic.
Within data centres, real-time intelligence was shared by servers multicasting fingerprint information, refining mitigation on both a local and global scale. When a fingerprint surpassed predefined thresholds, mitigation rules were compiled and deployed as extended Berkeley Packet Filter (eBPF) programs to block the offending traffic. Once the attack ceased, associated rules were removed automatically.
Botnet feed and future mitigation
Cloudflare also maintains a free DDoS Botnet Threat Feed to help Internet service providers and hosting companies identify malicious traffic originating within their own infrastructure. The company said that over 600 organisations have subscribed to this service, allowing them to receive up-to-date lists of offending IP addresses engaged in DDoS attacks.
Recommendations from Cloudflare emphasise tailored defences to address the unique characteristics of each network or application, with care taken to ensure that mitigation steps do not inadvertently disrupt legitimate traffic, particularly for services that depend on UDP or legacy protocols.
Cloudflare's team highlighted that these successful defences occurred entirely without human intervention, alerting, or incident escalation, underscoring the shift towards fully autonomous, distributed mitigation strategies in response to modern DDoS threats.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Techday NZ
4 days ago
- Techday NZ
Cloudflare launches Containers beta for flexible edge computing
Cloudflare has announced the public beta release of its Containers product, enabling developers to execute code in a secure, isolated environment as part of its connectivity cloud services. The company said Containers are now accessible to all users on paid plans, providing a platform where applications such as media processing, backend services, and command-line interface tools can run at the edge of the network or in batch workloads. The integration with Cloudflare Workers means developers maintain a simple workflow using familiar tools. Cloudflare Containers are designed to extend the existing Workers platform by allowing more compute-intensive and flexible tasks. Developers can deploy globally without needing to manage configuration across multiple regions. They also have the option to choose between using Workers for lightweight requests or Containers for tasks that require greater resources and full Linux compatibility. The company highlighted the ability to run commonly used developer tools and libraries that were not previously available in the Workers environment. The workflow for deploying applications remains straightforward. Developers define a Container in a few lines of code and deploy it using existing tools. Cloudflare handles the routing, provisioning, and scaling, deploying containers in optimal locations across its global network for reduced latency and rapid start times. This is designed to enable use cases such as code sandboxing, where each user or AI-generated session requires a securely isolated environment, a scenario already adopted by some users including Coder. Configuration is managed via the Container class and a configuration file. Each unique session triggers a new container instance, and Cloudflare automatically selects the best available location to minimise response times for end-users. Initial startup times for containers are typically just a few seconds, according to the company. During development, wrangler dev allows for live iteration on container code, with containers being rebuilt and restarted directly from the terminal. For production deployment, developers use wrangler deploy, which pushes the container image to Cloudflare's infrastructure, handling all artefact management and integration processes automatically so developers can focus solely on their code. Observability and resource tracking are built into the Containers platform. Developers can monitor container status and resource usage through the Cloudflare dashboard, with built-in metrics and access to real-time logs. Logs are retained for seven days and can be exported to external sinks if needed. Application range Cloudflare pointed to a range of new applications enabled by Containers, such as deploying video processing libraries like FFmpeg, running backend services in any language, setting up routine batch jobs, or hosting a static frontend with a containerised backend. Integration with other Cloudflare Developer Platform services—including Durable Objects for state management, Workflows, Queues, Agents, and object storage via R2—expands potential application architectures. "We're excited about all the new types of applications that are now possible to build on Workers. We've heard many of you tell us over the years that you would love to run your entire application on Cloudflare, if only you could deploy this one piece that needs to run in a container." "Today, you can run libraries that you couldn't run in Workers before. For instance, try this Worker that uses FFmpeg to convert video to a GIF. Or you can run a container as part of a cron job. Or deploy a static frontend with a containerized backend. Or even run a Cloudflare Agent that uses a Container to run Claude Code on your behalf. The integration with the rest of the Developer Platform makes Containers even more powerful: use Durable Objects for state management, Workflows, Queues, and Agents to compose complex behaviors, R2 to store Container data or media, and more." Pricing details The Containers platform is available in three instance sizes at launch—dev, basic, and standard—ranging from 256 MiB to 4 GiB of memory and fractional vCPU allocation. Cloudflare charges based on actual resource usage in 10-millisecond increments. Memory is billed at USD $0.0000025 per GiB-second with a 25 GiB-hour monthly allowance, CPU at USD $0.000020 per vCPU-second with 375 vCPU-minutes included, and disk usage at USD $0.00000007 per GB-second with 200 GB-hour included. Network egress rates vary between USD $0.025 per GB for North America and Europe, up to USD $0.050 per GB for Australia, New Zealand, Taiwan, and Korea, with included data transfer varying by region. Charges begin when a container is active and end when it automatically sleeps after a timeout, aiming to ensure efficient scaling down for unpredictable workloads. The company plans to expand available instance sizes and increase concurrent limits over time to support more demanding use cases. Roadmap Cloudflare outlined upcoming features for Containers, including higher memory and CPU limits, global autoscaling, latency-aware routing, enhanced communication channels between Workers and Containers, and deeper integrations with the broader developer platform. Plans are underway to introduce support for additional APIs and easier data storage access. "With today's release, we've only just begun to scratch the surface of what Containers will do on Workers. This is the first step of many towards our vision of a simple, global, and highly programmable Container platform." "We're already thinking about what's next, and wanted to give you a preview: Higher limits and larger instances... global autoscaling and latency-aware routing... more ways for your Worker to communicate with your container... further integrations with the Developer Platform — We will continue to integrate with the developer platform with first-party APIs for our various services. We want it to be dead simple to mount R2 buckets, reach Hyperdrive, access KV, and more. And we are just getting started. Stay tuned for more updates this summer and over the course of the entire year."
Techday NZ
20-06-2025
- Techday NZ
Cloudflare thwarts record 7.3 Tbps DDoS attack with automation
Cloudflare has confirmed it recently mitigated what it describes as the largest distributed denial-of-service (DDoS) attack ever publicly disclosed, clocking in at 7.3 terabits per second (Tbps), surpassing previous known records. The attack, which occurred in mid-May 2025, targeted a hosting provider customer utilising Cloudflare's Magic Transit service for network defence. According to Cloudflare data, this incident follows closely on the heels of attacks recorded at 6.5 Tbps and 4.8 billion packets per second, illustrating that DDoS attacks are continuing to increase in both scale and complexity. Cloudflare stated that the 7.3 Tbps attack was 12% larger than its previous record and 1 Tbps greater than another recent attack reported by security journalist Brian Krebs. Attack analysis The 7.3 Tbps DDoS attack delivered a total of 37.4 terabytes of data within a 45-second window. During the attack, the targeted IP address was bombarded across an average of 21,925 destination ports, reaching a peak of 34,517 destination ports per second. The distribution of source ports mirrored this targeting method. The attack employed several vectors but was dominated by UDP floods, constituting 99.996% of total traffic. The residual traffic, amounting to 1.3 GB, involved QOTD reflection, Echo reflection, NTP reflection, Mirai UDP floods, Portmap flood, and RIPv1 amplification techniques. Each vector was identified and catalogued, with Cloudflare detailing how organisations could protect both themselves and the broader Internet from such forms of abuse. Cloudflare explained that the UDP DDoS component worked by sending large volumes of UDP packets to random or specific destination ports, either to saturate the Internet link or overwhelm network appliances. Other vectors, such as the QOTD (Quote of the Day), Echo, NTP, Portmap, and RIPv1, exploited vulnerabilities in legacy protocols and services to reflect and amplify attack traffic onto target systems. Global scale The attack was notable for its global reach. Traffic originated from more than 122,145 source IP addresses across 5,433 autonomous systems in 161 countries. Nearly half of the attack traffic came from Brazil and Vietnam, accounting for around twenty-five percent each. The remainder was largely attributable to sources in Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia. At an autonomous system level, Telefonica Brazil (AS27699) contributed 10.5% of attack traffic, with Viettel Group (AS7552), China Unicom (AS4837), Chunghwa Telecom (AS3462), and China Telecom (AS4134) among the other major sources. The attack saw an average of 26,855 unique source IP addresses per second, peaking at 45,097. Technical response Cloudflare utilised the global anycast architecture to divert and dissipate the massive influx of traffic. As packets arrived at Cloudflare's network edge, they were routed to the closest data centre. This incident was managed across 477 data centres in 293 locations worldwide, with some regions operating multiple facilities due to traffic volume. Detection and mitigation were handled by Cloudflare's automated systems, which operate independently in each data centre. The Cloudflare global network runs every service in every data centre. This includes our DDoS detection and mitigation systems. This means that attacks can be detected and mitigated fully autonomously, regardless of where they originate from. Upon arrival, data packets were intelligently distributed to available servers where they were sampled for analysis. Cloudflare employed the denial of service daemon (dosd), a heuristic engine that reviews packet headers and anomalies for malicious patterns. The system then generated multiple permutations of digital fingerprints specific to the attack, seeking patterns that maximised blocking efficacy while minimising impact on legitimate traffic. Within data centres, real-time intelligence was shared by servers multicasting fingerprint information, refining mitigation on both a local and global scale. When a fingerprint surpassed predefined thresholds, mitigation rules were compiled and deployed as extended Berkeley Packet Filter (eBPF) programs to block the offending traffic. Once the attack ceased, associated rules were removed automatically. Botnet feed and future mitigation Cloudflare also maintains a free DDoS Botnet Threat Feed to help Internet service providers and hosting companies identify malicious traffic originating within their own infrastructure. The company said that over 600 organisations have subscribed to this service, allowing them to receive up-to-date lists of offending IP addresses engaged in DDoS attacks. Recommendations from Cloudflare emphasise tailored defences to address the unique characteristics of each network or application, with care taken to ensure that mitigation steps do not inadvertently disrupt legitimate traffic, particularly for services that depend on UDP or legacy protocols. Cloudflare's team highlighted that these successful defences occurred entirely without human intervention, alerting, or incident escalation, underscoring the shift towards fully autonomous, distributed mitigation strategies in response to modern DDoS threats.
Techday NZ
11-06-2025
- Techday NZ
APAC financial sector faces 245% surge in DDoS attacks, report finds
Financial institutions in the Asia-Pacific (APAC) region saw a 245% rise in volumetric Layer 3 and 4 distributed denial-of-service (DDoS) attacks last year, accounting for 38% of such incidents globally, according to a new joint report by FS-ISAC and Akamai. The report, titled From Nuisance to Strategic Threat: DDoS Attacks Against the Financial Sector, outlines the growing scale and persistence of DDoS attacks targeting APAC's financial sector. In 2023, APAC only accounted for 11% of these incidents, highlighting the extent of the increase. The analysis found that over 20 financial institutions across six countries were affected by sustained DDoS campaigns in the fourth quarter of 2024, creating downstream risk that could impact up to USD $8 trillion in value. These attacks were notable not for their size, but for their persistence and continuity, a trend not previously seen in APAC. The wave of attacks impacted multiple sectors, including retail banking, payment processing, investment banking, and financial governmental institutions. The report attributes a significant growth in application-level (Layer 7) attacks to the increasing use of application programming interfaces (APIs) within financial services. This expansion of digital infrastructure has introduced new vulnerabilities and a broader attack surface for malicious actors. FS-ISAC's Chief Intelligence Officer and Managing Director, EMEA, Teresa Walsh, commented on the changing character of DDoS threats: "DDoS attacks are becoming increasingly sophisticated, evolving from simple network flooding to targeted, multi-dimensional assaults that exploit intricate vulnerabilities across the entire supply chain. As threat tactics continue to evolve — including those impacting APAC's increasingly digital financial systems — we must ensure our technical defenses evolve and our people, tools, and processes work seamlessly together. It is critical that we harden our infrastructure and foster a culture of continuous vigilance and collaboration to protect continuity and customer trust." Reuben Koh, Director of Security Technology & Strategy, APJ at Akamai, highlighted the changing nature of DDoS campaigns in the region: "DDoS attacks in APAC are no longer blunt-force attempts, but sophisticated multi-vector campaigns that exploit vulnerable systems and exposed APIs. As highly coveted target sectors like financial services, commerce, and manufacturing accelerate digital growth, these continuous attacks pose growing operational and reputational risks, and organizations must work with trusted cybersecurity partners who can provide the intelligence, scalability, and agility needed to defend themselves in today's threat landscape." The joint report also connects the increase in attacks to broader developments, including ongoing geopolitical tensions such as the Israel-Hamas and Russia-Ukraine conflicts. These events have led to a noted rise in ideologically driven hacktivism and blurred the lines between DDoS-for-Hire groups, hacktivists, and state-sponsored actors. The proliferation of DDoS-for-Hire platforms has made these attack tools accessible to a wider range of threat actors. Globally, the financial sector remained the most targeted industry segment for Layer 3 and 4 DDoS attacks, making up 37% of incidents. This marks the second consecutive year that financial services have led in reported attack numbers, followed by gaming at 20% and manufacturing at 17%. No other sector experienced a similar surge, according to the report's findings. The publication discusses strategies for improving defences through the FS-ISAC and Akamai-developed DDoS Maturity Model. This framework provides a benchmark for readiness and recommends targeted investment in defence strategies for organisations managing financial infrastructure and sensitive data. The DDoS Maturity Model highlights several key actions for financial institutions and related entities: Adopt real-time behavioural analytics and traffic baselining Implement threat intelligence-led automation for detection and mitigation Strengthen DNS and API security with continuous testing and hardening Use geo-IP filtering to reduce exposure from high-risk regions The report also contains regional data, profiles of hacktivist groups, and an overview of mitigation strategies and best cyber hygiene practices. It notes the importance of mapping organisational capabilities and practices against different stages of maturity in DDoS defence, offering a structured approach to managing a rising strategic threat. Akamai's collaboration with FS-ISAC on this research builds on the company's involvement in FS-ISAC's Critical Providers Program, which was launched to strengthen supply chain security within the financial sector.
