
Cloudflare thwarts record 7.3 Tbps DDoS attack with automation
The attack, which occurred in mid-May 2025, targeted a hosting provider customer utilising Cloudflare's Magic Transit service for network defence. According to Cloudflare data, this incident follows closely on the heels of attacks recorded at 6.5 Tbps and 4.8 billion packets per second, illustrating that DDoS attacks are continuing to increase in both scale and complexity.
Cloudflare stated that the 7.3 Tbps attack was 12% larger than its previous record and 1 Tbps greater than another recent attack reported by security journalist Brian Krebs.
Attack analysis
The 7.3 Tbps DDoS attack delivered a total of 37.4 terabytes of data within a 45-second window. During the attack, the targeted IP address was bombarded across an average of 21,925 destination ports, reaching a peak of 34,517 destination ports per second. The distribution of source ports mirrored this targeting method.
The attack employed several vectors but was dominated by UDP floods, constituting 99.996% of total traffic. The residual traffic, amounting to 1.3 GB, involved QOTD reflection, Echo reflection, NTP reflection, Mirai UDP floods, Portmap flood, and RIPv1 amplification techniques. Each vector was identified and catalogued, with Cloudflare detailing how organisations could protect both themselves and the broader Internet from such forms of abuse.
Cloudflare explained that the UDP DDoS component worked by sending large volumes of UDP packets to random or specific destination ports, either to saturate the Internet link or overwhelm network appliances. The other vectors, QOTD (Quote of the Day), Echo, NTP, Portmap, and RIPv1, exploited weaknesses in legacy protocols and services to reflect and amplify attack traffic onto target systems.
Global scale
The attack was notable for its global reach. Traffic originated from more than 122,145 source IP addresses across 5,433 autonomous systems in 161 countries. Nearly half of the attack traffic came from Brazil and Vietnam, accounting for around twenty-five percent each. The remainder was largely attributable to sources in Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.
At an autonomous system level, Telefonica Brazil (AS27699) contributed 10.5% of attack traffic, with Viettel Group (AS7552), China Unicom (AS4837), Chunghwa Telecom (AS3462), and China Telecom (AS4134) among the other major sources. The attack saw an average of 26,855 unique source IP addresses per second, peaking at 45,097.
Technical response
Cloudflare utilised its global anycast architecture to divert and dissipate the massive influx of traffic. As packets arrived at Cloudflare's network edge, they were routed to the closest data centre. This incident was managed across 477 data centres in 293 locations worldwide, with some regions operating multiple facilities due to traffic volume.
Detection and mitigation were handled by Cloudflare's automated systems, which operate independently in each data centre. The Cloudflare global network runs every service, including its DDoS detection and mitigation systems, in every data centre. This means that attacks can be detected and mitigated fully autonomously, regardless of where they originate.
Upon arrival, data packets were intelligently distributed to available servers where they were sampled for analysis. Cloudflare employed the denial of service daemon (dosd), a heuristic engine that reviews packet headers and anomalies for malicious patterns. The system then generated multiple permutations of digital fingerprints specific to the attack, seeking patterns that maximised blocking efficacy while minimising impact on legitimate traffic.
Within data centres, real-time intelligence was shared by servers multicasting fingerprint information, refining mitigation on both a local and global scale. When a fingerprint surpassed predefined thresholds, mitigation rules were compiled and deployed as extended Berkeley Packet Filter (eBPF) programs to block the offending traffic. Once the attack ceased, associated rules were removed automatically.
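The fingerprint-selection and rule-lifecycle loop described above, as an added toy model (not Cloudflare's dosd code): sampled packet headers are constructed dicts, the `legit` flag stands in for the baseline of known-good traffic the heuristic compares against, and `best_fingerprint`, `Mitigator`, `MIN_HITS` and `MAX_COLLATERAL` are assumed names; the compile-to-eBPF step is replaced by a plain rule entry.

```python
from itertools import combinations
import random

FIELDS = ("proto", "src_port", "dst_port", "length", "ttl")
MIN_HITS = 300          # assumed threshold: sampled matches needed before a rule is deployed
MAX_COLLATERAL = 0.01   # assumed cap on the share of baseline (legitimate) sample a rule may hit

def constructed_sample(n_attack, n_legit, seed=7):
    """Constructed data: a UDP flood aimed at random destination ports with a fixed
    packet size (as in the attack above), mixed with benign DNS/NTP/HTTPS traffic."""
    rng = random.Random(seed)
    flood = [dict(proto="udp", src_port=rng.randint(1024, 65535), dst_port=rng.randint(1, 65535),
                  length=1200, ttl=rng.choice((47, 48)), legit=False) for _ in range(n_attack)]
    benign = [dict(proto=rng.choice(("udp", "tcp")), src_port=rng.randint(1024, 65535),
                   dst_port=rng.choice((53, 123, 443)), length=rng.choice((80, 512, 1460)),
                   ttl=rng.randint(40, 64), legit=True) for _ in range(n_legit)]
    return flood + benign

def best_fingerprint(sample, max_fields=3):
    """Enumerate header-field combinations ('permutations of fingerprints') and return
    (fingerprint, attack_hits, legit_hits) for the candidate that covers the most attack
    packets while staying under the collateral cap; simpler fingerprints win ties."""
    tallies = {}
    for k in range(1, max_fields + 1):
        for fields in combinations(FIELDS, k):
            for p in sample:
                key = tuple((f, p[f]) for f in fields)
                hits = tallies.setdefault(key, [0, 0])
                hits[1 if p["legit"] else 0] += 1
    legit_total = sum(1 for p in sample if p["legit"]) or 1
    ok = [(dict(k), a, l) for k, (a, l) in tallies.items() if l / legit_total <= MAX_COLLATERAL]
    if not ok:
        return {}, 0, 0
    return min(ok, key=lambda t: (-t[1], t[2], len(t[0])))

class Mitigator:
    """Deploys a rule when the winning fingerprint clears MIN_HITS and withdraws rules
    that no longer match enough traffic, mirroring the automatic removal once an attack ends."""
    def __init__(self):
        self.rules = set()   # each rule is a frozenset of (field, value) pairs

    def observe(self, sample):
        fp, attack_hits, _ = best_fingerprint(sample)
        if attack_hits >= MIN_HITS:
            self.rules.add(frozenset(fp.items()))       # stands in for compiling an eBPF program
        for rule in list(self.rules):
            matched = sum(all(p[f] == v for f, v in rule) for p in sample)
            if matched < MIN_HITS:
                self.rules.discard(rule)                # traffic subsided: rule removed
        return [dict(r) for r in self.rules]
```

Feeding a flood sample and then a quiet sample shows the single-field rule `length=1200` being deployed and then withdrawn, while `proto=udp` alone is rejected because it would also block the benign UDP traffic.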
Botnet feed and future mitigation
Cloudflare also maintains a free DDoS Botnet Threat Feed to help Internet service providers and hosting companies identify malicious traffic originating within their own infrastructure. The company said that over 600 organisations have subscribed to this service, allowing them to receive up-to-date lists of offending IP addresses engaged in DDoS attacks.
Recommendations from Cloudflare emphasise tailored defences to address the unique characteristics of each network or application, with care taken to ensure that mitigation steps do not inadvertently disrupt legitimate traffic, particularly for services that depend on UDP or legacy protocols.
Cloudflare's team highlighted that these successful defences occurred entirely without human intervention, alerting, or incident escalation, underscoring the shift towards fully autonomous, distributed mitigation strategies in response to modern DDoS threats.
