Cloudflare announced on June 19th that it successfully mitigated the largest distributed denial-of-service (DDoS) attack ever recorded, which peaked at 7.3 terabits per second (Tbps). The event occurred in mid-May 2025 and targeted a major hosting provider that uses Cloudflare’s Magic Transit protection platform.
Unprecedented Scale and Volume
The attack delivered 37.4 terabytes of traffic in just 45 seconds, representing one of the highest volumes of data transmission in such a short period ever recorded in a cyberattack. On average, the flood targeted over 21,900 destination ports, with the maximum reaching 34,517 ports on a single IP address. This widespread port targeting significantly increased the complexity of mitigation, aiming to overwhelm the victim’s infrastructure with sheer data volume and multiplicity.
Attack Composition and Vectors
Approximately 99.996% of the attack was composed of User Datagram Protocol (UDP) traffic. The remainder utilized various amplification and reflection vectors. The primary components included:
- UDP floods — A massive volume of direct datagram floods, designed to saturate bandwidth and exhaust server resources.
- QOTD (Quote of the Day) — An outdated protocol often exploited for reflection.
- ECHO and Portmap — Legacy services vulnerable to amplification.
- NTP (Network Time Protocol) — Frequently used in reflection attacks due to its response size versus request size.
- RIPv1 — A deprecated routing protocol occasionally leveraged in network-layer DDoS attacks.
- Mirai variants — Botnet-generated UDP floods linked to compromised IoT devices.
These vectors illustrate a layered, multi-pronged approach designed to evade simple filtering techniques and amplify impact.
Botnet Scope and Geographic Reach
The botnet responsible for the attack consisted of over 122,000 unique IP addresses from 161 countries, spanning 5,433 autonomous systems (ASNs). The top contributing ASNs included providers from Brazil, Vietnam, Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia. The geographic diversity highlights the global nature of modern botnets, often composed of hijacked routers, IoT devices, and unsecured servers.
Cloudflare’s Automated Mitigation
Cloudflare used its Magic Transit platform to absorb and filter malicious traffic at the edge of its global network. The platform operates without the need for manual intervention, enabling near-instant mitigation based on traffic signatures, volumetric analysis, and network behavior.
The mitigation system utilizes Anycast routing to distribute incoming traffic across multiple data centers, preventing overload at any single point. Simultaneously, advanced DDoS detection algorithms analyze patterns in real time to block malicious traffic while preserving access for legitimate users.
Context and Precedents
This was the third record-setting DDoS attack that Cloudflare defended against in 2025, following:
- A 5.6 Tbps attack in January targeting an internet service provider.
- A 6.5 Tbps attack in April directed at a European cloud platform.
The increase in scale reflects an ongoing escalation in DDoS capabilities, fueled by larger botnets, more complex vectors, and improved attack orchestration tools available on underground markets.
Implications for Cybersecurity
The event underscores several key trends in cybersecurity:
- Automation is essential — Human analysts cannot respond quickly enough to mitigate attacks of this size in real time.
- Global exposure — Botnets have a truly international footprint, making takedowns and attribution more difficult.
- Infrastructure-targeted attacks — Rather than web servers or APIs, attackers increasingly aim at core network providers to cause widespread disruption.
For enterprise and infrastructure providers, investing in scalable, real-time DDoS defense solutions is no longer optional but essential to ensure continuity and data integrity.
Read more:
Cloudflare Blog Post on the Attack
Feeling lost in the digital world? Dr. Tom is here to help!
Join Dr. Tom every week in his column, Dr. Tom’s Cyber Bits and Tips, for byte-sized advice on all things cyber and tech. Whether you’re concerned about online safety, curious about the latest cybercrime trends, or simply want to navigate the ever-evolving digital landscape, Dr. Tom has you covered.
From practical cybersecurity tips to insightful breakdowns of current threats, Dr. Tom’s column empowers you to stay informed and protect yourself online. So, dive in and get savvy with the web – with Dr. Tom as your guide!
Sign up for our Sunday Spectator. Delivered to your inbox every Sunday, with all the news from the week.
