Full Report
Cloudflare says it mitigated a record-breaking distributed denial of service (DDoS) attack in May 2025 that peaked at 7.3 Tbps, targeting a hosting provider. [...]
Analysis Summary
# Incident Report: Record 7.3 Tbps DDoS Attack Mitigation
## Executive Summary
Cloudflare successfully mitigated a record-breaking Distributed Denial of Service (DDoS) attack peaking at 7.3 Terabits per second (Tbps) against one of its hosting provider customers in May 2025. The attack consisted almost entirely of UDP floods (99.996% of traffic) intended to saturate the target's bandwidth; the remaining fraction was made up of reflection and amplification vectors that abuse exposed or misconfigured legacy services (QOTD, Echo, NTP, Portmap, RIPv1) together with Mirai-botnet UDP flood traffic. The incident demonstrated the effectiveness of Cloudflare's automated, globally distributed defenses, which mitigated the traffic without human intervention.
## Incident Details
- Discovery Date: Not stated separately; the attack was detected and mitigated in real time by Cloudflare's automated systems.
- Incident Date: May 2025 (per the report summary); a precise date and time are not given.
- Affected Organization: An unnamed hosting provider customer.
- Sector: Hosting/Infrastructure Services.
- Geography: Global (Mitigation leveraged Cloudflare's global network).
## Timeline of Events
### Initial Access
- Date/Time: Not specified.
- Vector: Volumetric network traffic from a large botnet, supplemented by reflected and amplified UDP traffic from abused third-party services.
- Details: Attack traffic was almost entirely UDP floods (99.996%), aimed at saturating the target's bandwidth rather than exploiting any application weakness.
### Lateral Movement
- N/A. This was a volumetric attack, not an intrusion/data breach scenario.
### Data Exfiltration/Impact
- The attack targeted availability (denial of service) rather than data. Cloudflare reports that the full 7.3 Tbps of attack traffic was absorbed and filtered, so service availability for the customer was maintained; no impact on the target beyond the attack traffic itself is stated.
### Detection & Response
- **Detection:** Real-time identification by Cloudflare's automated network monitoring and traffic-fingerprinting systems.
- **Response:** Automated mitigation by Cloudflare's anycast network, which spread the attack traffic across 477 data centers in 293 locations. Real-time fingerprinting of the attack traffic and intra-data-center gossiping compiled and distributed mitigation rules automatically; no human intervention was required.
## Attack Methodology
- Initial Access: DDoS botnet traffic; a Mirai-based botnet UDP flood is named as one of the vector components.
- Persistence: Not applicable (Volumetric attack).
- Privilege Escalation: Not applicable.
- Defense Evasion: The attack combined a dominant UDP flood with several minor reflection/amplification vectors, a mixed pattern that complicates signature-based filtering on traditional firewalls and IDS appliances, at a volume far beyond what on-premises equipment could absorb.
- Credential Access: Not applicable.
- Discovery: Not applicable.
- Lateral Movement: Not applicable.
- Collection: Not applicable.
- Exfiltration: Not applicable.
- Impact: **Volumetric Consumption (Availability Attack).** Dominated by UDP floods (99.996%).
**Secondary Vectors Used (the remaining 0.004% of traffic):**
* QOTD reflection
* Echo reflection
* NTP amplification
* Mirai botnet UDP flood
* Portmap flood
* RIPv1 amplification
## Impact Assessment
- Financial: Not disclosed. Had mitigation failed, the hosting provider and its tenants would have faced outage costs, but no loss is reported.
- Data Breach: None, as the attack was volumetric (DDoS).
- Operational: Successfully mitigated, meaning operational availability for the target hosting provider was maintained despite the record-level traffic volume.
- Reputational: No reputational impact on the target is reported, since its service stayed up. Cloudflare publicised the event as a demonstration of its mitigation capacity.
## Indicators of Compromise
* **Network Indicators:** A sudden, massive influx of inbound UDP traffic from a very large number of sources; unsolicited UDP packets arriving from source ports 7 (Echo), 17 (QOTD), 111 (Portmap), 123 (NTP) and 520 (RIPv1), which mark reflected or amplified traffic; traffic patterns consistent with known DDoS botnets, including Mirai variants.
* **File Indicators:** Not applicable.
* **Behavioral Indicators:** Sustained, high-volume traffic spikes approaching or exceeding link capacity, designed to saturate network links rather than to interact with any application.
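The indicators above, and the fingerprint-to-rule automation described under Detection & Response, can be exercised on flow data. The following is an added example and not Cloudflare's code: it runs over constructed flow records (one per line in an assumed `epoch src sport dst dport proto bytes` format), flags one-second windows that approach link capacity, breaks the flagged traffic down by protocol and by reflection vector using the fixed service source ports, and compiles a filter spec from the dominant fingerprint. The 80% threshold, the rule format and the sample flows are assumptions for illustration.

```python
"""Flow-level triage of a volumetric UDP flood with reflection components.
Added example, not Cloudflare's code; record format, threshold, rule format
and sample data are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# UDP source ports that identify reflected traffic: a reflector answers from
# its fixed service port, so unsolicited packets *from* these ports are the tell.
REFLECTION_VECTORS = {
    7: "Echo reflection",
    17: "QOTD reflection",
    111: "Portmap flood",
    123: "NTP amplification",
    520: "RIPv1 amplification",
}
VECTOR_SPORT = {name: port for port, name in REFLECTION_VECTORS.items()}

@dataclass
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int

def parse_flows(text):
    """Parse the constructed one-flow-per-line format into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport),
                          proto.upper(), int(nbytes)))
    return flows

def triage(flows, target, link_bps, threshold=0.8):
    """Flag each one-second window whose bytes toward `target` exceed
    threshold * link capacity and describe what the flood is made of."""
    windows = defaultdict(lambda: {"bytes": 0, "udp": 0, "srcs": set(),
                                   "dports": set(), "vectors": Counter()})
    for f in flows:
        if f.dst != target:
            continue
        w = windows[f.ts]
        w["bytes"] += f.nbytes
        w["srcs"].add(f.src)
        w["dports"].add(f.dport)
        if f.proto == "UDP":
            w["udp"] += f.nbytes
            w["vectors"][REFLECTION_VECTORS.get(f.sport, "Generic UDP flood")] += f.nbytes
    alerts = []
    for ts in sorted(windows):
        w = windows[ts]
        bps = w["bytes"] * 8  # one-second windows, so bytes * 8 is bit/s
        if bps < threshold * link_bps:
            continue
        dominant = w["vectors"].most_common(1)[0][0] if w["vectors"] else None
        alerts.append({"ts": ts, "target": target, "bps": bps,
                       "udp_share": w["udp"] / w["bytes"],
                       "sources": len(w["srcs"]), "dports": len(w["dports"]),
                       "vectors": dict(w["vectors"]), "dominant_vector": dominant})
    return alerts

def compile_rule(alert):
    """Turn the dominant fingerprint of a flagged window into a filter spec
    (assumed dict format). Reflection traffic is matched on its fixed source
    port; a generic flood sprayed across destination ports has no single port
    to key on, so it is matched on protocol and destination only."""
    rule = {"action": "rate-limit", "proto": "UDP", "dst": alert["target"]}
    sport = VECTOR_SPORT.get(alert["dominant_vector"])
    if sport is not None:
        rule["sport"] = sport
    else:
        rule["dports"] = "any"
    return rule

# Constructed sample: one second of normal traffic, then one second in which
# NTP-reflected and generic UDP flood traffic from several sources saturates
# an assumed 1 Gbit/s link toward the victim 203.0.113.10.
SAMPLE_FLOWS = """
100 198.51.100.7  51515 203.0.113.10 443  TCP 12000
100 198.51.100.8  51516 203.0.113.10 443  TCP 8000
101 192.0.2.10    123   203.0.113.10 5000 UDP 40000000
101 192.0.2.11    123   203.0.113.10 5001 UDP 40000000
101 192.0.2.12    44444 203.0.113.10 5002 UDP 30000000
101 192.0.2.13    44445 203.0.113.10 5003 UDP 30000000
101 198.51.100.7  51515 203.0.113.10 443  TCP 12000
"""

if __name__ == "__main__":
    for alert in triage(parse_flows(SAMPLE_FLOWS), "203.0.113.10", link_bps=1_000_000_000):
        print(f"t={alert['ts']} {alert['bps'] / 1e9:.2f} Gbit/s, UDP share "
              f"{alert['udp_share']:.5f}, {alert['sources']} sources, "
              f"dominant: {alert['dominant_vector']}")
        print("  rule:", compile_rule(alert))
```

On the sample, only the second window trips the threshold (1.12 Gbit/s on a 1 Gbit/s link); it is 99.99% UDP, the dominant vector is NTP amplification, and the compiled rule keys on UDP source port 123 toward the victim. The same fingerprint-then-rule loop is what an automated mitigation pipeline runs continuously, at far higher rates, across every ingress point.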
## Response Actions
- **Containment:** Immediate dispersal of attack traffic across Cloudflare's global anycast network, so that no single data center had to absorb the full volume.
- **Eradication:** Not applicable in the intrusion sense; attack traffic was filtered in real time by automatically compiled rules derived from traffic fingerprinting and shared between systems.
- **Recovery:** Full service continuity was maintained for the customer; no restoration step was needed.
## Lessons Learned
- **Botnet Scale:** Attackers can now generate network-saturation attacks far exceeding previous records (7.3 Tbps in this case).
- **Defense Automation Necessity:** Mitigating attacks of this size depends on highly automated, globally distributed defense infrastructure that reacts within seconds; manual response is too slow and single-site capacity is too small.
- **Exploitation of Legacy Services:** Even the minor vector components (reflection and amplification) relied on abuse of legacy or poorly configured Internet-exposed services (QOTD, Echo, NTP, Portmap, RIPv1), which remain available to attackers as free amplifiers.
## Recommendations
- **Adopt Advanced DDoS Protection:** Organizations, especially hosting providers, should use globally distributed DDoS mitigation services with the capacity to absorb multi-Tbps attacks upstream of their own links.
- **Proactive Threat Intelligence:** Subscribe to and act on threat intelligence feeds, such as Cloudflare's DDoS Botnet Threat Feed, to identify and block known malicious sources preemptively.
- **Service Hardening:** Audit Internet-facing hosts for legacy services commonly abused for reflection and amplification (Echo, QOTD, NTP, Portmap, RIPv1); disable those with no business use and restrict or firewall the rest so they cannot answer unsolicited queries from untrusted networks.
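The service-hardening audit can be scripted from the host's own socket table. The following is an added example, not part of the original report: it parses the output of `ss -uln` (the `UNCONN` lines and their `Local Address:Port` column as printed by iproute2), reports services on well-known amplification ports that are bound to a non-loopback address, and attaches the usual hardening action for each. A service bound only to loopback cannot be reached by a reflection request, so it is not flagged. The sample `ss` output is constructed, and the nftables rule builder assumes a table `inet filter` with an `input` chain exists.

```python
"""Audit listening UDP sockets for reflection/amplification services.
Added example, not from the original report; sample ss output is
constructed and the nftables table/chain names are assumed."""

# Port -> (service, hardening action). Actions are the standard steps for
# these services, not guidance quoted from the report.
AMPLIFICATION_PORTS = {
    7:   ("echo",    "disable the echo service (inetd/xinetd); it has no modern use"),
    17:  ("qotd",    "disable the qotd service (inetd/xinetd); it has no modern use"),
    111: ("portmap", "stop rpcbind if NFS/NIS are unused, otherwise firewall UDP/111 from untrusted networks"),
    123: ("ntp",     "ntpd: set 'disable monitor' and 'restrict default noquery'; or run chrony, which has no monlist"),
    520: ("rip",     "disable RIPv1; use RIPv2 with authentication or a routing protocol that does not answer table requests"),
}

LOOPBACK = {"127.0.0.1", "::1"}

def parse_ss_uln(text):
    """Yield (address, port) for each UNCONN socket line of `ss -uln` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "UNCONN":
            continue  # header or unrelated line
        addr, port = parts[3].rsplit(":", 1)  # rsplit: IPv6 addresses contain ':'
        yield addr.strip("[]"), int(port)     # ss prints IPv6 binds as [::]:port

def is_exposed(addr):
    """True if other hosts can reach the bind address (wildcard or non-loopback)."""
    return addr not in LOOPBACK and not addr.startswith("127.")

def audit_ss_output(text):
    """Return one finding per exposed socket on an amplification port."""
    findings = []
    for addr, port in parse_ss_uln(text):
        if port in AMPLIFICATION_PORTS and is_exposed(addr):
            service, action = AMPLIFICATION_PORTS[port]
            findings.append({"port": port, "addr": addr,
                             "service": service, "action": action})
    return findings

def nft_drop_rule(ports):
    """Build an nftables rule dropping inbound UDP to the given ports (assumes
    table inet filter / chain input). Suitable for services that should not be
    reachable at all; an NTP server that must answer clients needs the config
    fix instead of a blanket drop."""
    plist = ", ".join(str(p) for p in sorted(set(ports)))
    return f"nft add rule inet filter input udp dport {{ {plist} }} drop"

# Constructed `ss -uln` output: NTP on all interfaces, chrony's control port
# and qotd on loopback only, echo and rpcbind exposed, DHCP client on 68.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:123         0.0.0.0:*
UNCONN 0      0      [::]:123            [::]:*
UNCONN 0      0      127.0.0.1:323       0.0.0.0:*
UNCONN 0      0      127.0.0.1:17        0.0.0.0:*
UNCONN 0      0      0.0.0.0:7           0.0.0.0:*
UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
"""

if __name__ == "__main__":
    findings = audit_ss_output(SAMPLE_SS)
    for f in findings:
        print(f"udp/{f['port']} ({f['service']}) bound to {f['addr']}: {f['action']}")
    no_use = [f["port"] for f in findings if f["service"] in ("echo", "qotd", "rip")]
    if no_use:
        print("suggested:", nft_drop_rule(no_use))
```

On the sample the audit flags NTP (both IPv4 and IPv6 binds), echo and portmap, and ignores the loopback-only qotd socket. To run it against a live host, replace `SAMPLE_SS` with the captured output of `ss -uln`; the firewall rule is only offered for services with no legitimate use, since dropping UDP/123 on a real NTP server would break its clients rather than fix the amplification.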