In mid-May 2025, Cloudflare, a leading web infrastructure and cybersecurity company, successfully mitigated the largest distributed denial-of-service (DDoS) attack ever recorded, peaking at an unprecedented 7.3 terabits per second (Tbps). This monumental attack, which delivered 37.4 terabytes of malicious traffic in just 45 seconds, targeted a hosting provider using Cloudflare’s Magic Transit service. Below, we explore the details of this historic cyber event, its implications, and how Cloudflare’s advanced defenses neutralized the threat.
The Scale of the Attack
The 7.3 Tbps attack surpassed the previous record by 12%, outstripping a 6.5 Tbps attack mitigated by Cloudflare in April 2025 and a 6.3 Tbps assault reported by cybersecurity journalist Brian Krebs. Originating from 122,145 source IP addresses across 161 countries, including Brazil, Vietnam, Taiwan, China, Indonesia, and Ukraine, the attack carpet-bombed an average of 21,925 destination ports on a single IP address, peaking at 34,517 ports per second. This staggering volume is equivalent to streaming 7,480 hours of HD video or transmitting 12.5 million JPEG images in under a minute.
The attack was a sophisticated multi-vector campaign, with 99.996% of the traffic consisting of UDP floods, designed to overwhelm network bandwidth and exhaust server resources. The remaining 0.004% (1.3 GB) included a mix of amplification attacks, such as QOTD reflection, Echo reflection, NTP reflection, Mirai UDP floods, Portmap floods, and RIPv1 amplification attacks. These techniques exploit vulnerabilities in internet-connected devices to amplify malicious traffic, making them particularly challenging to mitigate.
Cloudflare’s Autonomous Defense
Cloudflare’s ability to block this attack without human intervention highlights the power of its global network and zero-touch mitigation systems. The company’s 477 data centers across 293 locations leveraged anycast routing to distribute the attack traffic, ensuring it was absorbed and mitigated close to the source. Localized threat intelligence caches, updated via a gossip protocol, enabled sub-second propagation of attack signatures across the network, allowing Cloudflare to contain the assault within its 45-second duration.
The Magic Transit service, used by the targeted hosting provider, played a pivotal role in protecting the customer’s IP network. By routing attack packets to the nearest data center, Cloudflare’s infrastructure effectively diluted the traffic’s impact, preventing service disruptions. This autonomous framework underscores the scalability and resilience of modern cloud-based DDoS protection systems.
The Growing DDoS Threat Landscape
This record-breaking attack is part of a broader surge in DDoS activity. In Q1 2025, Cloudflare mitigated 20.5 million DDoS attacks, a 358% year-over-year increase, including 700 hyper-volumetric attacks exceeding 1 Tbps or 1 billion packets per second. Hosting providers and critical internet infrastructure have become prime targets, with over 13.5 million attacks aimed at such entities in January and February 2025 alone. The rise of botnets like Mirai and Eleven11bot, which exploit vulnerable IoT devices such as webcams, routers, and video recorders, has fueled these hyper-volumetric campaigns.
The attack also highlights the evolving sophistication of DDoS tactics. Multi-vector attacks, combining UDP floods with amplification techniques, aim to overwhelm both network bandwidth and CPU resources, making them harder to defend against. Additionally, botnets like RapperBot, active since 2022, have been linked to extortion schemes, demanding “protection fees” from victims to avoid further attacks.
Implications and Recommendations
The 7.3 Tbps attack underscores the escalating scale and complexity of DDoS threats in 2025. Organizations, particularly hosting providers and critical infrastructure operators, must prioritize robust DDoS protection. Cloudflare recommends several strategies to mitigate such attacks:
- Deploy Cloud-Based Protection: Services like Magic Transit can absorb and neutralize large-scale attacks by distributing traffic across a global network.
- Patch Vulnerabilities: Regularly update IoT devices, routers, and servers to prevent exploitation by botnets.
- Monitor Traffic Patterns: Use real-time analytics to detect and respond to anomalous traffic spikes.
- Avoid Amplification Vectors: Configure devices to disable protocols like QOTD, NTP, and RIPv1 that can be exploited for amplification attacks.
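To make the traffic-monitoring recommendation concrete, the sketch below is an added example, not code from Cloudflare or from the original article. It scans UDP flow records for the two signatures described above: many distinct destination ports hit on one IP within a second (carpet bombing), and replies arriving from the well-known ports of the named reflection vectors. The flow tuple layout, the `port_threshold` value, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflection vectors named in the article (IANA well-known ports).
REFLECTION_PORTS = {7: "Echo", 17: "QOTD", 111: "Portmap", 123: "NTP", 520: "RIPv1"}

def analyze(flows, port_threshold=1000):
    """flows: (ts, src_ip, src_port, dst_ip, dst_port, nbytes) tuples, UDP only.
    port_threshold is an assumed tuning value, not a figure from the article."""
    ports = defaultdict(set)    # (dst_ip, second) -> distinct destination ports
    sources = defaultdict(set)  # (dst_ip, second) -> distinct source addresses
    vector_bytes = defaultdict(int)
    for ts, src, sport, dst, dport, nbytes in flows:
        key = (dst, int(ts))
        ports[key].add(dport)
        sources[key].add(src)
        # Reflected replies arrive *from* the abused service's port.
        vector_bytes[REFLECTION_PORTS.get(sport, "other-udp")] += nbytes
    alerts = [
        {"dst": dst, "second": sec, "distinct_ports": len(seen),
         "sources": len(sources[(dst, sec)])}
        for (dst, sec), seen in sorted(ports.items())
        if len(seen) >= port_threshold
    ]
    return alerts, dict(vector_bytes)

def sample_flows():
    """Constructed sample: documentation address ranges, no real traffic."""
    victim = "198.51.100.10"
    flows = [(100.0 + i / 100, f"203.0.113.{i % 5 + 1}", 40000 + i, victim, 53, 80)
             for i in range(20)]                      # quiet second, one service port
    flows += [(101.0 + i / 4000, f"203.0.113.{i % 250 + 1}", 30000 + i % 1000,
               victim, 1024 + 7 * i, 1400) for i in range(3000)]  # port carpet bombing
    flows += [(101.5, f"192.0.2.{i + 1}", 123, victim, 50000 + i, 468)
              for i in range(10)]                     # NTP reflection replies
    flows += [(101.6, f"192.0.2.{i + 101}", 17, victim, 50010 + i, 512)
              for i in range(5)]                      # QOTD reflection replies
    return flows

if __name__ == "__main__":
    alerts, vectors = analyze(sample_flows())
    print(alerts)
    print(vectors)
```

In production the same per-second counters would be fed from NetFlow/IPFIX or sFlow exports, with the threshold tuned against the destination's normal port spread.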
As cybercriminals leverage increasingly powerful botnets and exploit unpatched devices, the importance of scalable, autonomous defenses cannot be overstated. Cloudflare’s successful mitigation of this historic attack demonstrates the critical role of advanced cybersecurity infrastructure in safeguarding the internet.
For more details, refer to Cloudflare’s official blog post and The Hacker News coverage of the event.
Sources: Cloudflare Blog (June 20, 2025), The Hacker News (June 20, 2025)