Cloudflare revealed that in May 2025 it managed to stop a DDoS attack unlike anything seen before. The attack, which targeted a web hosting provider, peaked at 7.3 terabits per second, a truly impressive figure.
In case you didn't know, DDoS (or distributed denial-of-service) attacks involve flooding a site or service with tons of fake traffic, with the intention of crashing it, slowing it down, or even taking it completely offline.
In this case, the attack not only broke records, but did so with a vengeance: it was 12% larger than the previous most powerful attack on record. In just 45 seconds, the attackers sent a total of 37.4 terabytes of data, which translates to roughly 7,500 hours of HD video or 12.5 million photos in JPEG format. A veritable digital avalanche.
The record-breaking DDoS attack (Source: Cloudflare)
How did Cloudflare defend itself against the attack, and where did it come from?
Cloudflare, known for protecting websites and services against cyberattacks, used its Magic Transit tool to defend the affected customer. This solution acts as a kind of shield for network traffic, filtering threats before they reach the server.
The attack came on strong: it originated from more than 122,000 IP addresses located in 161 different countries. The countries most involved were Brazil, Vietnam, Taiwan, China, Indonesia, and Ukraine.
The junk data, sent en masse, was directed at many different ports on the attacked system. To give you an idea, an average of almost 22,000 ports per second was recorded, with peaks exceeding 34,500 per second.
This technique (distributing traffic across so many points at once) seeks to overload firewalls and detection systems. But despite the massive scale of the attack, Cloudflare says it was able to handle it without human intervention. Everything was automatic, in real time.
Source IP Addresses (Source: Cloudflare)
To contain the attack, Cloudflare used its enormous anycast network, which essentially distributes traffic among hundreds of data centers around the world. In this case, they dispersed the malicious traffic among 477 data centers in 293 different locations.
In addition, they used fairly advanced technology, such as real-time fingerprinting (to identify suspicious traffic patterns) and a kind of internal “gossip” between data centers, where they share information instantly to generate automatic protection rules and block threats as quickly as possible.
Although 99.996% of the attack was based on UDP traffic, which is like sending lots of junk data packets, there were several different methods involved. Some of the most commonly used were:
- QOTD (Quote of the Day) reflection attacks
- Echo reflection
- NTP amplification
- UDP floods using the Mirai botnet
- Massive port scans
- RIPv1 amplification
These attacks often exploit old or misconfigured services to multiply the impact. Although they represented only a small part of the total attack, these vectors were used as part of a strategy to evade defenses and detect weaknesses in the victims' systems.
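As an added illustration (not Cloudflare's code or detection logic), the sketch below labels flow records by the reflection vectors listed above and counts distinct destination ports per second, the metric quoted earlier in the article. The flow records, the `port_threshold` value and the function names are constructed assumptions; the UDP port numbers are the well-known ones for each service.

```python
from collections import Counter, defaultdict

# Well-known UDP service ports abused by the reflection vectors listed above.
REFLECTION_PORTS = {7: "Echo reflection", 17: "QOTD reflection",
                    123: "NTP amplification", 520: "RIPv1 amplification"}

# Constructed sample flows: (second, proto, src_ip, src_port, dst_port, bytes).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    (0, "udp", "198.51.100.10", 40211, 1001, 1400),
    (0, "udp", "198.51.100.11", 51822, 1002, 1400),
    (0, "udp", "203.0.113.5", 123, 1003, 468),
    (0, "udp", "203.0.113.6", 17, 1004, 512),
    (1, "udp", "198.51.100.12", 33456, 1001, 1400),
    (1, "udp", "203.0.113.7", 520, 2001, 504),
    (1, "udp", "203.0.113.8", 7, 2002, 64),
    (1, "tcp", "192.0.2.20", 44321, 443, 60),
]

def classify(proto, src_port):
    """Label a flow by likely vector; reflected replies arrive FROM the service port."""
    if proto != "udp":
        return "non-UDP"
    return REFLECTION_PORTS.get(src_port, "generic UDP flood")

def summarize(flows, port_threshold=4):
    """Return (byte share per vector in %, seconds flagged as port spray,
    distinct UDP destination ports per second). port_threshold is an
    assumed tuning value sized for this tiny sample."""
    bytes_by_vector = Counter()
    ports_by_second = defaultdict(set)
    for ts, proto, _src, sport, dport, size in flows:
        bytes_by_vector[classify(proto, sport)] += size
        if proto == "udp":
            ports_by_second[ts].add(dport)
    total = sum(bytes_by_vector.values())
    share = {v: round(100 * b / total, 1) for v, b in bytes_by_vector.items()}
    counts = {s: len(p) for s, p in ports_by_second.items()}
    spray = sorted(s for s, n in counts.items() if n >= port_threshold)
    return share, spray, counts

if __name__ == "__main__":
    share, spray, counts = summarize(SAMPLE_FLOWS)
    for vector, pct in sorted(share.items(), key=lambda kv: -kv[1]):
        print(f"{vector:22s} {pct:5.1f}% of bytes")
    print("distinct UDP destination ports per second:", counts)
    print("seconds flagged as port spray:", spray)
```

Inbound UDP whose source port is 7, 17, 123 or 520 is rarely legitimate at an internet edge, which is why these vectors are usually cheap to filter upstream once identified.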
The good news is that Cloudflare not only blocked the attack, but also recorded all the indicators of compromise (IoC) and added them to its DDoS Botnet Threat Feed. This is a free service that allows organizations to block malicious IP addresses before attacks reach them.
According to the company, more than 600 organizations are already subscribed to this feed, and they are inviting any vulnerable company or organization to join. It is an effective way to protect yourself from future attacks without having to react at the last minute.