In mid-May 2025, Cloudflare blocked the largest DDoS attack ever recorded: a staggering 7.3 terabits per second (Tbps). This comes shortly after the publication of our DDoS threat report for 2025 Q1 on April 27, 2025, where we highlighted attacks reaching 6.5 Tbps and 4.8 billion packets per second (pps). The 7.3 Tbps attack is 12% larger than our previous record and 1 Tbps greater than a recent attack reported by cybersecurity reporter Brian Krebs at KrebsOnSecurity.
New world record: 7.3 Tbps DDoS attack autonomously blocked by Cloudflare
The attack targeted a Cloudflare customer, a hosting provider, that uses Magic Transit to defend their IP network. Hosting providers and critical Internet infrastructure have increasingly become targets of DDoS attacks, as we reported in our latest DDoS threat report. Pictured below is an attack campaign from January and February 2025 that blasted over 13.5 million DDoS attacks against Cloudflare’s infrastructure and hosting providers protected by Cloudflare.
DDoS attack campaign targeting Cloudflare infrastructure and hosting providers protected by Cloudflare
Let's start with some stats, and then we’ll dive into how our systems detected and mitigated this attack.
The 7.3 Tbps attack delivered 37.4 terabytes in 45 seconds
37.4 terabytes is not a staggering figure at today’s scales, but blasting 37.4 terabytes in just 45 seconds is. It’s the equivalent of flooding your network with over 9,350 full-length HD movies, or streaming 7,480 hours of high-definition video nonstop (that’s nearly a year of back-to-back binge-watching) in just 45 seconds. If it were music, you’d be downloading about 9.35 million songs in under a minute, enough to keep a listener busy for 57 years straight. Think of snapping 12.5 million high-resolution photos on your smartphone and never running out of storage—even if you took one shot every day, you’d be clicking away for 4,000 years — but in 45 seconds.
The record-breaking 7.3 Tbps DDoS attack delivered 37.4 TB in 45 seconds
The attack details
The attack carpet-bombed an average of 21,925 destination ports of a single IP address owned and used by our customer, with a peak of 34,517 destination ports per second. The attack also originated from a similar distribution of source ports.
Distribution of destination ports
Attack vectors
The 7.3 Tbps attack was a multivector DDoS attack. Around 99.996% of the attack traffic was categorized as UDP floods. However, the remaining 0.004%, which accounted for 1.3 GB of the attack traffic, was identified as QOTD reflection, Echo reflection, NTP reflection, Mirai UDP flood, Portmap flood, and RIPv1 amplification attacks.
The attack vectors other than UDP floods
Breakdown of the attack vectors
Below are details about the various attack vectors seen in this attack, how organizations can avoid becoming a reflection and amplification participant, and recommendations on how to defend against these attacks whilst avoiding impact to legitimate traffic. Cloudflare's customers are protected against these attacks.
UDP DDoS attack
Type: Flood
How it works: A high volume of UDP packets is sent to random or specific ports on the target IP address(es). It may attempt to saturate the Internet link or overwhelm its in-line appliances with more packets than it can handle.
How to defend against the attack: Deploy cloud-based volumetric DDoS protection, apply smart rate-limiting on UDP traffic, and drop unwanted UDP traffic altogether.
How to avoid unintended impact: Aggressive filtering may disrupt legitimate UDP services such as VoIP, video conferencing, or online games. Apply thresholds carefully.
QOTD DDoS attack
Type: Reflection + Amplification
How it works: Abuses the Quote of the Day (QOTD) Protocol, which listens on UDP port 17 and responds with a short quote or message. Attackers send QOTD requests to exposed servers from a spoofed IP address, causing amplified responses to flood the victim.
How to prevent becoming a reflection / amplification element: Disable the QOTD service and block UDP/17 on all servers and firewalls.
How to defend against the attack: Block inbound UDP/17. Drop abnormal small-packet UDP request spikes.
How to avoid unintended impact: QOTD is an obsolete diagnostic/debugging protocol and is not used by modern applications. Disabling it should not have any negative effect on legitimate services.
Echo DDoS attack
Type: Reflection + Amplification
How it works: Exploits the Echo protocol (UDP/TCP port 7), which replies with the same data it receives. Attackers spoof the victim’s IP address, causing devices to reflect the data back, amplifying the attack.
How to prevent becoming a reflection / amplification element: Disable the Echo service on all devices. Block UDP/TCP port 7 at the edge.
How to defend against the attack: Disable the Echo service and block TCP/UDP port 7 at the network perimeter.
How to avoid unintended impact: Echo is an obsolete diagnostic tool; disabling or blocking it has no negative effect on modern systems.
NTP DDoS attack
Type: Reflection + Amplification
How it works: Abuses the Network Time Protocol (NTP), used to sync clocks over the Internet. Attackers exploit the monlist command on old NTP servers (UDP/123), which returns a large list of recent connections. Spoofed requests cause amplified reflections.
How to prevent becoming a reflection / amplification element: Upgrade or configure NTP servers to disable monlist. Restrict NTP queries to trusted IP addresses only.
How to defend against the attack: Disable the monlist command, update NTP software, and filter or rate-limit UDP/123 traffic.
How to avoid unintended impact: Disabling monlist has no effect on time synchronization. However, filtering or blocking UDP/123 could affect time syncing if done too broadly — ensure only untrusted or external sources are blocked.
Mirai UDP attack
Type: Flood
How it works: The Mirai botnet, made up of compromised IoT devices, floods victims using random or service-specific UDP packets (e.g., DNS, game services).
How to prevent becoming part of the botnet: Secure your IoT devices, change default passwords, upgrade to the latest firmware versions, and follow IoT security best practices to avoid becoming part of the botnet. When possible, monitor outbound traffic to detect irregularities.
How to defend against the attack: Deploy cloud-based volumetric DDoS protection and rate-limiting for UDP traffic.
How to avoid unintended impact: First, understand your network and the type of traffic that you receive, specifically the protocols, their sources and their destinations. Identify the services that run over UDP that you want to avoid impacting. Once you have identified those, you can apply rate-limiting in a way that excludes those endpoints, or that takes your regular traffic levels into account. Otherwise, aggressive rate-limiting of UDP traffic can impact legitimate services that run over UDP, such as VoIP calls and VPN traffic.
Portmap DDoS attack
Type: Reflection + Amplification
How it works: Targets the Portmapper service (UDP/111) used by Remote Procedure Call (RPC)-based applications to identify available services. Spoofed requests result in reflected responses.
How to prevent becoming a reflection / amplification element: Disable the Portmapper service if not required. If needed internally, restrict it to trusted IP addresses only.
How to defend against the attack: Disable the Portmapper service if not needed, block inbound UDP/111 traffic. Use Access Control Lists (ACLs) or firewalls to restrict access to known RPC services.
How to avoid unintended impact: Disabling Portmapper may disrupt applications relying on RPC (e.g., Network File System protocol). Validate service dependencies before removal.
RIPv1 DDoS attack
Type: Reflection + (Low) Amplification
How it works: Exploits the Routing Information Protocol version 1 (RIPv1), an old unauthenticated distance-vector routing protocol that uses UDP/520. Attackers send spoofed routing updates to flood or confuse networks.
How to prevent becoming a reflection / amplification element: Disable RIPv1 on routers. Use RIPv2 with authentication where routing is needed.
How to defend against the attack: Block inbound UDP/520 from untrusted networks. Monitor for unexpected routing updates.
How to avoid unintended impact: RIPv1 is mostly obsolete; disabling it is generally safe. If legacy systems rely on it, validate routing behavior before changes.
All recommendations here should be taken into consideration with the context and behavior of each unique network or application to avoid any unintended impact to legitimate traffic.
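The vector breakdown and the carpet-bombing statistics above can be reproduced from sampled flow records. The script below is an added example, not Cloudflare's code: it classifies constructed UDP samples into the vectors named in this section, measures how many distinct destination ports are hit per second, and derives the source-port drop filters for the reflection vectors actually observed. It keys reflection vectors on the UDP source port, because reflected responses reach the victim from the reflector's service port (17, 7, 123, 111, 520); the sample packets, IP addresses (TEST-NET ranges) and sizes are constructed.

```python
"""Classify sampled UDP packets into the DDoS vectors discussed above.

Added illustration, not Cloudflare's code. Reflected responses arrive
*from* the reflector's service port, so the classifier keys on the UDP
source port (an assumption about the best single signal).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# UDP service ports of the reflection/amplification vectors in the post.
REFLECTION_PORTS = {
    17: "QOTD reflection",
    7: "Echo reflection",
    123: "NTP reflection",
    111: "Portmap reflection",
    520: "RIPv1 amplification",
}

VICTIM = "203.0.113.10"  # constructed TEST-NET-3 address


@dataclass(frozen=True)
class Sample:
    ts: int          # capture second (constructed)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int      # UDP payload bytes


def classify(s: Sample) -> str:
    """Label one sample; anything not from a known reflector port is a
    generic UDP flood (the 99.996% bucket in the post)."""
    return REFLECTION_PORTS.get(s.src_port, "UDP flood")


def vector_breakdown(samples):
    """Return {vector: (packet share, total bytes)}."""
    pkts, byts = Counter(), Counter()
    for s in samples:
        v = classify(s)
        pkts[v] += 1
        byts[v] += s.length
    total = sum(pkts.values())
    return {v: (pkts[v] / total, byts[v]) for v in pkts}


def port_spread(samples):
    """Unique destination ports hit per second. A high, flat spread against
    a single destination IP is the carpet-bombing signature described above."""
    per_sec = defaultdict(set)
    for s in samples:
        per_sec[s.ts].add(s.dst_port)
    counts = [len(ports) for ports in per_sec.values()]
    return {"avg": sum(counts) / len(counts), "peak": max(counts)}


def reflection_filters(breakdown, min_share=0.0):
    """UDP source ports to drop at the edge for the reflection vectors that
    were actually observed. Generic flood ports are deliberately left alone,
    per the post's warning about over-aggressive UDP filtering."""
    vector_to_port = {v: p for p, v in REFLECTION_PORTS.items()}
    return sorted(vector_to_port[v] for v, (share, _) in breakdown.items()
                  if v in vector_to_port and share > min_share)


def constructed_samples():
    """Two seconds of constructed samples: a port-spraying flood plus one
    reflected packet of each vector in the second second."""
    out = []
    for i in range(300):   # second 0: 300 packets over 300 distinct ports
        out.append(Sample(0, f"198.51.100.{i % 250 + 1}", 40000 + i,
                          VICTIM, 1024 + i, 1400))
    for i in range(200):   # second 1: 200 packets over 100 distinct ports
        out.append(Sample(1, f"198.51.100.{i % 250 + 1}", 40000 + i,
                          VICTIM, 2000 + (i % 100), 1400))
    for port in REFLECTION_PORTS:  # reflected replies from service ports
        out.append(Sample(1, "192.0.2.5", port, VICTIM, 33000 + port, 468))
    return out


if __name__ == "__main__":
    data = constructed_samples()
    bd = vector_breakdown(data)
    for vector, (share, nbytes) in sorted(bd.items(), key=lambda kv: -kv[1][0]):
        print(f"{vector:22s} {share:8.4%} {nbytes:>8d} bytes")
    print("destination-port spread:", port_spread(data))
    print("reflection source ports to drop:", reflection_filters(bd))
```

The port list returned by `reflection_filters` is the input to an edge ACL, not the ACL itself: a stateless drop of inbound UDP with source port 123 would also discard replies to your own NTP clients, which is why the NTP entry above says to filter only untrusted or external sources.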
Attack origins
The attack originated from over 122,145 source IP addresses spanning 5,433 Autonomous Systems (AS) across 161 countries.
Almost half of the attack traffic originated from Brazil and Vietnam, with approximately a quarter each. Another third, in aggregate, originated from Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.
Top 10 source countries of the attack traffic
The average number of unique source IP addresses per second was 26,855 with a peak of 45,097.
Distribution of unique source IP addresses
The attack originated from 5,433 different networks (ASes). Telefonica Brazil (AS27699) accounted for the largest portion of the DDoS attack traffic, responsible for 10.5% of the total. Viettel Group (AS7552) follows closely with 9.8%, while China Unicom (AS4837) and Chunghwa Telecom (AS3462) contributed 3.9% and 2.9% respectively. China Telecom (AS4134) accounted for 2.8% of the traffic. The remaining ASNs in the top 10, including Claro NXT (AS28573), VNPT Corp (AS45899), UFINET Panama (AS52468), STC (AS25019), and FPT Telecom Company (AS18403), each contributed between 1.3% and 1.8% of the total DDoS attack traffic.
Top 10 source autonomous systems
Free botnet threat feed
To help hosting providers, cloud computing providers, and any Internet service providers identify and take down the abusive accounts that launch these attacks, we leverage Cloudflare’s unique vantage point to provide a free DDoS Botnet Threat Feed for Service Providers. Over 600 organizations worldwide have already signed up for this feed. It gives service providers a list of offending IP addresses from within their ASN that we see launching HTTP DDoS attacks. It’s completely free and all it takes is opening a free Cloudflare account, authenticating the ASN via PeeringDB, and then fetching the feed via API.
How the attack was detected and mitigated
Using the distributed nature of DDoS attacks against it
The attacked IP address was advertised from Cloudflare’s network using global anycast. This means that the attack packets that targeted the IP were routed to the closest Cloudflare data center. Using global anycast allows us to spread the attack traffic and use its distributed nature against it, enabling us to mitigate close to the botnet nodes and continue serving users from the data centers closest to them. In the case of this attack, it was detected and mitigated in 477 data centers across 293 locations around the world. In high-traffic locations, we have presence in multiple data centers.
Autonomous DDoS detection and mitigation
The Cloudflare global network runs every service in every data center. This includes our DDoS detection and mitigation systems. This means that attacks can be detected and mitigated fully autonomously, regardless of where they originate from.
Real-time fingerprinting
When a packet enters our data center, it is intelligently load-balanced to an available server. We then sample packets directly from within the depths of the Linux kernel, at the eXpress Data Path (XDP), using an extended Berkeley Packet Filter (eBPF) program to route packet samples to user space, where we run the analysis.
Our system analyzes the packet samples to identify suspicious patterns based on our unique heuristic engine named dosd (denial of service daemon). Dosd looks for patterns in the packet samples, such as finding commonality in the packet header fields and looking for packet anomalies, as well as applying other proprietary techniques.
Flow diagram of the real-time fingerprint generation
To our customers, this complex fingerprinting system is encapsulated as a user-friendly group of managed rules, the DDoS Protection Managed Rulesets.
When patterns are detected by dosd, it generates multiple permutations of those fingerprints in order to find the most accurate fingerprint that will have the highest mitigation efficacy and accuracy, i.e. to try and surgically match against attack traffic without impacting legitimate traffic.
Diagram of Cloudflare’s DDoS Protection systems
Mitigation
We count the various packet samples that match each fingerprint permutation, and using a data streaming algorithm, we bubble up the fingerprint with the most hits. When activation thresholds are exceeded, to avoid false positives, a mitigation rule using the fingerprint syntax is compiled as an eBPF program to drop packets that match the attack pattern. Once the attack ends, the rule times out and is automatically removed.
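The fingerprinting and mitigation pipeline described in the last few paragraphs can be sketched end to end in a few dozen lines. The following is an added example and not dosd or any Cloudflare code: it generates candidate fingerprints as subsets of a packet's header fields, counts them with a Misra-Gries streaming heavy-hitter sketch, activates a rule only once a threshold is exceeded, prefers the most specific fingerprint that clears the threshold (the "surgical" match), and expires the rule after a fixed lifetime. The field set, sketch size, threshold, selection policy and the packet window are all assumptions; the sample window is constructed.

```python
"""Simplified real-time fingerprinting of sampled packets.

Added illustration of the mechanism the post describes. It is not dosd:
the header fields, sketch size, activation threshold, selection policy
and rule lifetime are assumptions, and the packets are constructed.
"""
from dataclasses import dataclass
from itertools import combinations

FIELDS = ("proto", "dst_port", "src_port", "length", "ttl")


def candidate_fingerprints(pkt):
    """Every non-empty subset of header fields as a ((field, value), ...)
    tuple: the simplest form of 'multiple permutations' of a pattern."""
    for r in range(1, len(FIELDS) + 1):
        for fields in combinations(FIELDS, r):
            yield tuple((f, pkt[f]) for f in fields)


class MisraGries:
    """Streaming heavy-hitter sketch with at most k counters. Estimates never
    exceed the true count and undercount by at most N/(k+1) for N inserts."""

    def __init__(self, k):
        self.k, self.counts = k, {}

    def add(self, key):
        if key in self.counts:
            self.counts[key] += 1
        elif len(self.counts) < self.k:
            self.counts[key] = 1
        else:  # full: decrement every counter, evicting those that reach zero
            for other in list(self.counts):
                self.counts[other] -= 1
                if self.counts[other] == 0:
                    del self.counts[other]


def select_fingerprint(sketch, threshold):
    """Among fingerprints whose estimated hits reach the activation threshold,
    prefer the most specific (most fields), then the most hits: a narrow rule
    is less likely to match legitimate traffic. Returns (fingerprint, hits)."""
    hot = [(len(fp), hits, fp) for fp, hits in sketch.counts.items()
           if hits >= threshold]
    if not hot:
        return None, 0
    _, hits, fp = max(hot, key=lambda t: (t[0], t[1]))
    return fp, hits


@dataclass
class MitigationRule:
    fingerprint: tuple
    hits: int
    expires_at: float  # rule times out and is removed once the attack ends

    def matches(self, pkt):
        return all(pkt.get(f) == v for f, v in self.fingerprint)

    def expired(self, now):
        return now >= self.expires_at


def detect(samples, threshold=50, sketch_size=256, now=0.0, lifetime=30.0):
    """Run one window of samples through the pipeline; return a rule or None."""
    sketch = MisraGries(sketch_size)
    for pkt in samples:
        for fp in candidate_fingerprints(pkt):
            sketch.add(fp)
    fp, hits = select_fingerprint(sketch, threshold)
    return None if fp is None else MitigationRule(fp, hits, now + lifetime)


def constructed_window():
    """90 port-spraying attack packets sharing length and TTL, then 10 legit
    QUIC-like packets with varying sizes and TTLs (all values constructed)."""
    attack = [{"proto": "udp", "dst_port": 1024 + i, "src_port": 40000 + i,
               "length": 1400, "ttl": 52} for i in range(90)]
    legit = [{"proto": "udp", "dst_port": 443, "src_port": 50000 + i,
              "length": 200 + 17 * i, "ttl": 60 + i} for i in range(10)]
    return attack + legit


if __name__ == "__main__":
    window = constructed_window()
    rule = detect(window, now=100.0)
    print("activated:", rule.fingerprint, "hits ~", rule.hits)
    print("drops", sum(rule.matches(p) for p in window), "of", len(window))
```

Because the attack packets vary in destination and source port on every packet, only the fingerprint on protocol, length and TTL clears the threshold at three fields, so that is the rule that gets compiled; the more generic single-field candidates such as `proto=udp` have more hits but would also drop the legitimate packets.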
Gossiping about attacks
As we mentioned, each server detects and mitigates attacks fully autonomously — making our network highly efficient, resilient, and fast at blocking attacks. In addition, each server gossips (multicasts) the top fingerprint permutations within a data center, and globally. This sharing of real-time threat intelligence helps improve the mitigation efficacy within a data center and globally.
Protecting the Internet
Our systems successfully blocked this record-breaking 7.3 Tbps DDoS attack fully autonomously, without requiring any human intervention, without triggering any alerts, and without causing any incidents. This demonstrates the effectiveness of our world-leading DDoS protection systems. We built this system as part of our mission to help build a better Internet, and we remain committed to providing free, unmetered DDoS protection.