Cloudflare Blocks Largest DDoS Attack Ever: 7.3 Tbps and 37.4 TB in Just 45 Seconds


Imagine downloading 10,000 HD movies in under a minute. That’s exactly what happened to one hosting provider’s server, only it wasn’t a movie night. It was the largest cyberattack ever recorded.

In mid-May 2025, Cloudflare stopped a 7.3 terabits-per-second (Tbps) DDoS attack dead in its tracks. To put that in perspective, 37.4 terabytes of junk traffic were hurled at a single IP address in just 45 seconds.

DDoS Isn’t New. But This Was a Digital Tsunami

Let’s be clear: DDoS attacks aren’t new. But this one raised the bar and then broke it. Previous large attacks include:

  • A 6.5 Tbps attack was reported in April 2025.
  • A 5.6 Tbps assault was mitigated in January 2025.
  • Microsoft endured a 3.47 Tbps barrage back in 2022.

But 7.3 Tbps? That’s next level. It’s 12% bigger than any attack Cloudflare had ever recorded. And 1 Tbps larger than the previous public record.


DDoS attacks are cheap, scalable, and effective. With a few thousand compromised devices (a botnet), attackers can launch massive traffic floods and test the limits of your infrastructure.

What Made This Attack So Unique?


This wasn’t just a flood. It was a symphony of chaos. The attack was a multi-vector DDoS attack. Here’s what the attackers used:

UDP Flood (99.996% of Traffic)

UDP is fast, connectionless, and doesn’t care if the recipient is ready. That’s what makes it perfect for DDoS. UDP doesn’t ask for permission. It just sends data, and that’s exactly why attackers love it. The attacker carpet-bombed 21,925 ports per second, peaking at 34,517 ports/sec.

Reflection & Amplification Attacks

The remaining 0.004% of the attack traffic, amounting to 1.3 GB, consisted of several reflection and amplification attacks, including QOTD reflection, Echo reflection, NTP reflection, Mirai UDP floods, Portmap floods, and RIPv1 amplification.

All of these amplified traffic against the victim, making it appear as if legitimate servers were attacking them.


What Was the Source of the Attack?

The attack was global: it came from more than 122,145 distinct source IP addresses spread across 5,433 autonomous systems (AS) in 161 countries.

Top contributors:

  • Brazil: 10.5%
  • Vietnam: 9.8%
  • Other top 10: China, Taiwan, Saudi Arabia

Top Offending Networks:

  • Telefonica Brazil (AS27699)
  • Viettel Group (AS7552)
  • China Unicom & Chunghwa Telecom

At the peak of the attack, 45,097 IP addresses were attacking the server per second, which shows the sheer volume and ferocity of the attack.

How Did Cloudflare Stop It?

Now here’s where things get smart, really smart.

Anycast Routing

The attack was spread across 477 data centres in 293 cities. Anycast made sure traffic hit the nearest Cloudflare node, which reduced pressure and enabled global mitigation.

Autonomous Detection

Cloudflare’s DoSd engine (denial-of-service daemon) analysed live traffic in real time using eBPF and XDP, the Linux kernel’s packet-filtering mechanisms.

It fingerprinted malicious traffic. Then created custom filters. And dropped the attack packets without human intervention.

“Gossiping” Servers

Each server in Cloudflare’s network shared live attack data with others, amplifying the defense just like the attackers amplified traffic.

This Isn’t Just a Record. It’s a Warning

Botnets like RapperBot are still active and getting more aggressive, with observed activity of:

  • 50,000+ bots daily
  • 100+ daily attack targets
  • Attacks on industries like finance, public infrastructure, IoT, and social platforms

Worse, DDoS extortion is growing. Hackers now demand “protection fees” to avoid future attacks. Sound familiar? It’s digital mafia tactics.

What Can You Do Now?

So what can organisations do about it? Start by understanding your exposure. If you’re a hosting provider or ISP, Cloudflare offers a free DDoS Botnet Threat Feed. It gives you a list of IPs within your network participating in attacks.


Beyond that, you should be auditing your infrastructure for open ports and outdated protocols. Disable anything that doesn’t serve a business purpose. That includes legacy services like QOTD, Echo, or RIPv1.

These old protocols are easy targets. Attackers use them for reflection and amplification. If you’re not using them, kill them.
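One way to run the audit described above, as an added example that is not part of the original article: the Python function below reads `ss -H -lun` output from a Linux host and reports listeners on the UDP ports of the reflection-prone services named in this article, skipping sockets bound only to loopback. The sample output and addresses are constructed, and the port list is limited to the services the article mentions.

```python
import ipaddress

# UDP services the article names as reflection/amplification vectors,
# keyed by their well-known ports.
REFLECTION_PORTS = {7: "Echo", 17: "QOTD", 111: "Portmap", 123: "NTP", 520: "RIPv1"}

# Constructed sample of `ss -H -lun` output (not taken from a real host).
SAMPLE_SS_OUTPUT = """\
UNCONN 0 0 0.0.0.0:17 0.0.0.0:*
UNCONN 0 0 127.0.0.1:123 0.0.0.0:*
UNCONN 0 0 [::]:111 [::]:*
UNCONN 0 0 192.0.2.10%eth0:520 0.0.0.0:*
UNCONN 0 0 *:5060 *:*
UNCONN 0 0 [::1]:7 [::]:*
"""


def is_loopback(host):
    """True if the bind address is loopback-only (not reachable off-host)."""
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if host == "*":
        return False  # wildcard bind: listening on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed so it gets reviewed


def audit_udp_listeners(ss_output):
    """Return sorted (port, service, bind_address) for exposed reflection-prone listeners."""
    findings = set()
    for line in ss_output.splitlines():
        # The local address is the first field containing ':'; this works
        # with or without the leading Netid column.
        local = next((f for f in line.split() if ":" in f), None)
        if local is None:
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        if int(port) in REFLECTION_PORTS and not is_loopback(host):
            findings.add((int(port), REFLECTION_PORTS[int(port)], host))
    return sorted(findings)


if __name__ == "__main__":
    for port, service, host in audit_udp_listeners(SAMPLE_SS_OUTPUT):
        print(f"udp/{port} {service} listening on {host}: disable or firewall it")
```

On a live host, pass the text captured from `ss -H -lun` instead of the sample. NTP and Portmap may be in legitimate use, so treat those findings as items to review rather than services to remove outright.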

Also, don’t forget your IoT devices. Change default passwords. Keep firmware updated. Segment your network so that a compromised webcam doesn’t become the doorway for a larger attack.

If you rely on UDP-based services like VoIP or gaming, don’t just block all UDP traffic. Apply intelligent rate-limiting that protects you without disrupting your business.

The goal is balance. Security without disruption.
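To make the rate-limiting advice concrete, here is an added example (not from the original article or from Cloudflare) of a per-source token bucket in Python: a steady VoIP-like sender stays under the limit while a flooding source is cut down to the configured rate. The thresholds, the class and function names, and the traffic mix are assumptions chosen for illustration, and the addresses are documentation-range IPs.

```python
class PerSourceRateLimiter:
    """Token bucket per source IP: `rate` packets/s sustained, `burst` packets of headroom."""

    def __init__(self, rate, burst, max_sources=100_000):
        self.rate, self.burst, self.max_sources = rate, burst, max_sources
        self.buckets = {}  # src_ip -> (tokens, time of last packet)

    def allow(self, src_ip, now):
        if src_ip not in self.buckets and len(self.buckets) >= self.max_sources:
            self._evict_idle(now)
            if len(self.buckets) >= self.max_sources:
                return False  # policy choice: table saturated, refuse untracked sources
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        # Refill for the time elapsed since this source's previous packet.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[src_ip] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def _evict_idle(self, now):
        # A source idle for burst/rate seconds has a full bucket again, so
        # forgetting it loses nothing and bounds memory under many-source floods.
        idle = self.burst / self.rate
        self.buckets = {ip: b for ip, b in self.buckets.items() if now - b[1] < idle}


def simulate(limiter, senders, duration):
    """senders maps src_ip -> packets/s; returns src_ip -> (allowed, dropped)."""
    events = sorted((i / pps, ip) for ip, pps in senders.items()
                    for i in range(int(pps * duration)))
    stats = {ip: [0, 0] for ip in senders}
    for ts, ip in events:
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


# Constructed traffic: one VoIP-like client and one flooding source.
SENDERS = {"198.51.100.7": 50, "203.0.113.99": 5000}

if __name__ == "__main__":
    limiter = PerSourceRateLimiter(rate=100, burst=200)  # illustrative thresholds
    for ip, (ok, dropped) in simulate(limiter, SENDERS, duration=2).items():
        print(f"{ip}: allowed={ok} dropped={dropped}")
```

The `max_sources` cap matters for an attack like this one, where the state table would otherwise grow with every new source address.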

Conclusion

This wasn’t just another DDoS attack. It was the largest in history, a 7.3 Tbps flood, delivering 37.4 terabytes in just 45 seconds. The message is clear: cyber threats are getting faster, bigger, and smarter. If your defences aren’t evolving, you’re already behind.

Need help assessing your DDoS readiness or securing your infrastructure? Certera offers a wide range of cybersecurity services and solutions, such as SiteLock, which offers all-time protection against all possible cyber threats, including DDoS.

Contact us today for expert cybersecurity consulting and take the first step toward bulletproof protection.

Janki Mehta


Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.