Full Report
Cloudflare on Wednesday said it detected and mitigated the largest ever distributed denial-of-service (DDoS) attack that measured at 29.7 terabits per second (Tbps). The activity, the web infrastructure and security company said, originated from a DDoS botnet-for-hire known as AISURU, which has been linked to a number of hyper-volumetric DDoS attacks over the past year. The attack lasted for 69
Analysis Summary
# Incident Report: Record 29.7 Tbps Hyper-Volumetric DDoS Attack
## Executive Summary
Cloudflare detected and mitigated an unprecedented distributed denial-of-service (DDoS) attack reaching a peak volume of 29.7 Terabits per second (Tbps). The attack, which lasted 69 seconds, originated from the AISURU botnet, known for large-scale hyper-volumetric threats. The incident highlights the rapidly growing scale of modern DDoS threats; Cloudflare blocked the attack in full, averting a major operational disruption.
## Incident Details
- **Discovery Date:** Wednesday (Implied detection date during attack)
- **Incident Date:** Undisclosed (Reported in December 2025 context)
- **Affected Organization:** Not publicly disclosed (Cloudflare was the defender/mitigator)
- **Sector:** Not disclosed (Botnet targets include Telecommunication providers, Gaming, Hosting, Financial Services)
- **Geography:** Attack sources distributed globally, concentrated in Asia (e.g., Indonesia, Thailand, India).
## Timeline of Events
### Initial Access
- **Date/Time:** Attack duration was 69 seconds.
- **Vector:** Hyper-volumetric DDoS attack, specifically UDP carpet-bombing.
- **Details:** The traffic bombarded an average of 15,000 destination ports per second, utilizing randomized packet attributes to evade defenses.
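As an added example (not from the report and not Cloudflare's own detection tooling), the logic below flags the carpet-bombing pattern described above over constructed flow records: a destination that receives UDP on an unusually large number of distinct ports within one second. The spread across ports is the signal that per-port rate limits miss, since each individual port sees little traffic; the flow-record shape and the 1,000-port and 1 Gbps thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (assumed shape, not a real exporter format)."""
    ts: int        # whole-second timestamp
    dst_ip: str
    proto: str     # "udp" or "tcp"
    dst_port: int
    nbytes: int    # bytes carried by this flow within that second


def carpet_bomb_alerts(flows, port_threshold=1000, min_gbps=1.0):
    """Flag (second, destination) pairs where UDP traffic fans out over at least
    port_threshold distinct destination ports while carrying >= min_gbps.

    A carpet bomb spends little traffic per port, so per-port rate limits stay
    quiet, but the count of distinct ports hit per second per destination is far
    above normal. Thresholds are assumptions; the report's attack averaged
    15,000 destination ports per second.
    """
    ports = defaultdict(set)   # (ts, dst_ip) -> distinct UDP destination ports
    volume = defaultdict(int)  # (ts, dst_ip) -> bytes seen in that second
    for f in flows:
        if f.proto != "udp":
            continue
        key = (f.ts, f.dst_ip)
        ports[key].add(f.dst_port)
        volume[key] += f.nbytes
    alerts = []
    for key in sorted(ports):
        gbps = volume[key] * 8 / 1e9
        if len(ports[key]) >= port_threshold and gbps >= min_gbps:
            alerts.append({"ts": key[0], "dst_ip": key[1],
                           "distinct_ports": len(ports[key]), "gbps": round(gbps, 2)})
    return alerts


def sample_flows():
    """Constructed sample: one host hit on 1,500 distinct UDP ports per second
    for two seconds (carpet-bomb shape), plus a normal DNS/QUIC destination."""
    flows = [Flow(ts, "203.0.113.10", "udp", port, 900_000)
             for ts in (0, 1) for port in range(1024, 2524)]
    for ts in range(3):
        flows.append(Flow(ts, "198.51.100.5", "udp", 53, 50_000))
        flows.append(Flow(ts, "198.51.100.5", "udp", 443, 2_000_000))
    return flows
```

Running `carpet_bomb_alerts(sample_flows())` yields two alerts, one per second, for the carpet-bombed host and none for the destination that only sees DNS and QUIC traffic.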
### Lateral Movement
- Not applicable for a network-layer volumetric DDoS attack. The attack targeted availability via flooding.
### Data Exfiltration/Impact
- No data exfiltration was reported, as the attack was focused on disruption of service availability.
### Detection & Response
- **How it was discovered:** Detected by Cloudflare's infrastructure monitoring.
- **Response actions taken:** The 29.7 Tbps attack was fully mitigated. Cloudflare also tackled a subsequent 14.1 billion packets per second (Bpps) attack from the same botnet.
## Attack Methodology
- **Initial Access:** Massive volumetric flooding using UDP packets (Carpet-bombing).
- **Persistence:** Not applicable (Volumetric attack is short-lived).
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Attackers randomized various packet attributes.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable (Target was likely chosen prior to the attack).
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Attempted denial of service by saturating the target's bandwidth capacity.
## Impact Assessment
- **Financial:** Undisclosed, mitigated by Cloudflare.
- **Data Breach:** None reported.
- **Operational:** Potential for full service outage or severe degradation for the targeted organization had the mitigation failed.
- **Reputational:** None for the protected organization; highlights the growing threat landscape for cybersecurity providers.
## Indicators of Compromise
- **Network Indicators (Characteristics of the attack traffic):**
  - Peak Volume: 29.7 Tbps (Bandwidth saturation).
  - Destination Port Spread: Average of 15,000 distinct destination ports hit per second.
  - Protocol used: Primarily UDP traffic.
  - Associated Botnet: AISURU (estimated 1-4 million compromised hosts).
- **File Indicators:** Not applicable (Attack was network-based).
- **Behavioral Indicators:** Hyper-volumetric network-layer flooding with randomized packet attributes.
## Response Actions
- **Containment measures:** Immediate filtering and absorption of 29.7 Tbps traffic volume by Cloudflare's global network capacity.
- **Eradication steps:** Not applicable to perimeter defense; focus was on blocking the flood volume.
- **Recovery actions:** Service availability was maintained throughout the 69-second attack, resulting in minimal to zero operational impact for the target.
## Lessons Learned
- The magnitude of volumetric DDoS attacks continues to rise exponentially, exceeding historical records and stressing current network protection thresholds.
- Botnets like AISURU represent a significant, ongoing threat capable of launching hyper-volumetric assaults regularly (1,304 hyper-volumetric attacks from AISURU in Q3 2025 alone).
- Resilience requires continuous investment in scaling capacity and enhancing real-time anomaly detection based on packet attributes.
## Recommendations
- Organizations utilizing third-party DDoS protection services must regularly test and validate mitigation capabilities against attacks exceeding 10 Tbps.
- Layer multiple defenses rather than relying on a single point of failure, since attackers continuously probe for weaknesses in any one layer.
- Maintain high availability standards for critical services, given that 71% of HTTP DDoS attacks and 89% of network layer attacks conclude quickly (under 10 minutes).