Cloudflare recently mitigated the largest distributed denial-of-service (DDoS) attack on record: a massive 7.3 terabits-per-second (Tbps) surge of malicious traffic aimed at one of its customers.
The incident, which occurred in mid-May, exceeded Cloudflare’s previous recorded peak by 12 percent and was 1 Tbps larger than another recent high-water mark. The company had just published its DDoS threat report for the first quarter of 2025, which documented prior attacks reaching 6.5 Tbps.
The target was a hosting provider using Cloudflare’s Magic Transit service to protect its IP network. This follows a pattern Cloudflare has observed, where hosting providers and other pieces of critical internet infrastructure are increasingly targeted by large-scale DDoS campaigns.
To illustrate the attack’s scale: the 7.3 Tbps assault delivered 37.4 terabytes of data in just 45 seconds. While 37.4 terabytes alone may not sound unprecedented, pushing that volume in under a minute is comparable to flooding a network with the equivalent of more than 9,350 full-length high-definition movies.
Cloudflare reports the attack was a multi-vector campaign rather than a single flood. Nearly all of the traffic—almost 100 percent—was identified as a UDP flood, a common approach intended to overwhelm a target’s internet link with excessive packets. A smaller portion of the assault relied on reflection and amplification techniques, including QOTD, Echo, and NTP reflection attacks, along with traffic generated by the Mirai botnet.
Reflection attacks exploit legitimate, often obsolete network services to magnify traffic. For example, an Echo DDoS abuses the diagnostic service on UDP/TCP port 7 that echoes back received data. Attackers spoof the victim’s IP address so many devices reply to the victim, amplifying the load. The QOTD (Quote of the Day) protocol on UDP port 17 can be abused similarly. Security experts recommend disabling such outdated services where possible, as modern systems generally do not rely on them.
Cloudflare’s analysis shows the malicious traffic came from a vast and geographically dispersed set of compromised devices. The attack used more than 122,145 unique IP addresses across over 5,400 autonomous systems in 161 countries. Almost half the traffic originated from just two countries: Brazil and Vietnam. Another third came from a mix of Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.
Network-level analysis identified Telefonica Brazil as the single largest contributor, responsible for 10.5 percent of the malicious traffic, closely followed by Vietnam’s Viettel Group at 9.8 percent.
Cloudflare mitigates DDoS attacks using a global anycast network: when an IP address under protection is targeted, incoming malicious traffic is routed to the nearest of Cloudflare’s 477 data centers. This distribution turns the attack’s global scale into an advantage by spreading the load across the company’s infrastructure.
Inside each data center, incoming packets are sampled and analyzed in real time by Cloudflare’s denial-of-service daemon, “dosd.” This engine looks for suspicious patterns and, when it confirms malicious activity, generates a fingerprint that precisely matches the attack traffic while minimizing disruption to legitimate users.
Once the system produces a fingerprint, it compiles and deploys a mitigation rule to drop packets matching the attack signature. The entire process is automated: mitigation rules are applied while the attack continues and are removed automatically once the threat subsides.
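The sample-then-fingerprint loop can be sketched for the reflection vectors named above. This is an added, simplified example, not Cloudflare's dosd code: the record fields, thresholds and sample packets are assumptions constructed for illustration, and NTP's UDP port 123 is the standard port rather than a detail from the article.

```python
from collections import Counter

# Reflected replies arrive with the abused service's port as their SOURCE port.
# Echo (7) and QOTD (17) are named in the article; NTP (123) is the standard port.
REFLECTOR_PORTS = {7: "echo", 17: "qotd", 123: "ntp"}


def reflection_fingerprints(samples, min_share=0.25, min_packets=20):
    """Build drop fingerprints from sampled packet headers (hypothetical schema).

    A fingerprint is emitted for a destination when UDP packets from one
    reflector source port make up at least min_share of its sampled traffic.
    Destinations with fewer than min_packets samples are ignored, so a few
    legitimate NTP replies do not trigger a rule.
    """
    per_dst = {}
    for pkt in samples:
        key = (pkt["proto"], pkt["src_port"])
        per_dst.setdefault(pkt["dst_ip"], Counter())[key] += 1

    rules = []
    for dst, counts in sorted(per_dst.items()):
        total = sum(counts.values())
        if total < min_packets:
            continue  # too little evidence to fingerprint
        for (proto, sport), n in counts.most_common():
            if proto == "udp" and sport in REFLECTOR_PORTS and n / total >= min_share:
                rules.append({"dst_ip": dst, "proto": proto, "src_port": sport,
                              "vector": REFLECTOR_PORTS[sport],
                              "share": round(n / total, 2)})
    return rules


def _pkts(n, proto, src_port, dst_ip):
    # Helper that fabricates n identical sampled headers (constructed data).
    return [{"proto": proto, "src_port": src_port, "dst_ip": dst_ip} for _ in range(n)]


# Constructed samples using documentation address ranges.
SAMPLES = (_pkts(30, "udp", 17, "203.0.113.10")     # QOTD reflection
           + _pkts(15, "udp", 7, "203.0.113.10")    # Echo reflection
           + _pkts(5, "udp", 53, "203.0.113.10")    # ordinary DNS replies
           + _pkts(8, "udp", 123, "203.0.113.20"))  # a few normal NTP replies

if __name__ == "__main__":
    for rule in reflection_fingerprints(SAMPLES):
        print(rule)
```

Matching on destination, protocol and source port keeps the rule narrow: the DNS replies to the same address and the low-volume NTP replies to the second address are left untouched.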
Servers across Cloudflare’s network share threat intelligence continuously with peers inside their data center and across the globe. This real-time “gossip” about active attacks improves the network’s overall responsiveness and resilience by ensuring mitigation knowledge propagates quickly.
Cloudflare’s successful defense against this 7.3 Tbps attack highlights the importance of automated, distributed security architectures in an age when cyber threats are growing in scale and complexity.