Full Report
Internet infrastructure company Cloudflare said it recently blocked the largest recorded volumetric distributed denial-of-service (DDoS) attack, which peaked at 11.5 terabits per second (Tbps). [...]
Analysis Summary
# Incident Report: Cloudflare Blocks Record 11.5 Tbps Volumetric DDoS Attack
## Executive Summary
Cloudflare recently mitigated the largest recorded volumetric Distributed Denial of Service (DDoS) attack, peaking at an unprecedented 11.5 Terabits per second (Tbps). The attack was a UDP flood originating primarily from compromised Google Cloud resources; it lasted approximately 35 seconds and demonstrated that attackers can now generate enough traffic to exhaust the bandwidth of most unprotected systems. Cloudflare's automated defenses absorbed the traffic surge without significant impact to its customers.
## Incident Details
- Discovery Date: Not specified; disclosed in a September 2, 2025 report on recent mitigations.
- Incident Date: Within the "past few weeks" leading up to the September 2, 2025 announcement.
- Affected Organization: Cloudflare (Mitigating on behalf of its customers/infrastructure)
- Sector: Internet Infrastructure/Security Services
- Geography: Global Infrastructure
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Occurred during the measured period)
- Vector: UDP Flood (Amplification/Reflection attack likely)
- Details: Attack directed at Cloudflare services, peaking at 11.5 Tbps.
### Lateral Movement
- N/A (This was a volumetric flood event, not an internal compromise)
### Data Exfiltration/Impact
- Impact: Service disruption due to bandwidth exhaustion for targeted systems if not mitigated. The attack was blocked, minimizing impact.
- Duration: Approximately 35 seconds.
### Detection & Response
- How it was discovered: Autonomous monitoring and defense systems at Cloudflare detected the hyper-volumetric flood.
- Response actions taken: Cloudflare's automated defenses autonomously blocked the attack.
## Attack Methodology
- Initial Access: Volumetric DDoS via UDP Flood.
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A (Focused on overwhelming capacity rather than stealth.)
- Credential Access: N/A
- Discovery: N/A
- Lateral Movement: N/A
- Collection: N/A
- Exfiltration: N/A
- Impact: Network saturation, aiming to cause Denial of Service.
## Impact Assessment
- Financial: Not quantified, but the continued growth of attacks at this scale indicates increasing infrastructure cost pressures on both targets and mitigation providers.
- Data Breach: None indicated; this was a denial-of-service event, not a data breach.
- Operational: No service outage reported due to successful mitigation.
- Reputational: Positive for Cloudflare's defense capabilities; negative for the security posture of the compromised cloud resources used in the botnet.
## Indicators of Compromise
- Network indicators: Inbound traffic peaking at 11.5 Tbps (UDP flood).
- File indicators: N/A
- Behavioral indicators: Sudden, massive inbound traffic spike consistent with a UDP flood vector. Source attributed primarily to compromised **Google Cloud** instances/resources.
## Response Actions
- Containment measures: Automated DDoS mitigation systems were engaged immediately.
- Eradication steps: Attack traffic was filtered from reaching target infrastructure.
- Recovery actions: Services continued uninterrupted due to successful defense.
## Lessons Learned
- The scale of volumetric DDoS attacks continues to increase rapidly, exceeding prior records (e.g., 7.3 Tbps in June, 3.8 Tbps in Oct 2024).
- Cloud infrastructure providers (like Google Cloud, in this instance) can be sources for large botnets if their resources are compromised and utilized for reflection/amplification attacks.
- Cloudflare's automated, heuristic-based defense mechanisms are proving effective at stopping "hyper-volumetric" attacks; this one lasted only about 35 seconds and was mitigated without manual intervention.
## Recommendations
- Cloud providers and large organizations must continually audit configurations to prevent their infrastructure from being weaponized in reflection/amplification DDoS attacks.
- Security providers must continue investing in infrastructure bandwidth and automated anomaly detection to handle Tbps-scale attacks.