Cloudflare announced today that it blocked a record-setting distributed denial-of-service (DDoS) attack, which bombarded its target with 11.5 Tbps of traffic for approximately 35 seconds.
"Cloudflare's defenses have been working overtime," the company said in an X post. "Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps. The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud."
UPDATE: The 11.5 Tbps attack in fact came from a combination of several IoT and cloud providers. While Google Cloud was one source, it was not the majority. Stay tuned for a full breakdown in our next report. https://t.co/MOBVRmmPqWSeptember 2, 2025
The company later issued an update, saying the attack had come from a combination of IoT and cloud providers. Cloudflare said it plans to reveal more information about these attacks in an upcoming report.
Note the different initialisms within Cloudflare's announcement. The 5.1Bpps refers to "billions of packets per second," while the 11.5Tbps refers to "Terabits per second." (Or, for those of us who think in bytes rather than bits, 0.125 Terabytes.) That would be enough traffic to knock over most websites—it will be interesting to find out if the attack's intended target managed to remain online despite the flood of traffic.
As for how these attacks work, DDoS mitigation firm Akamai said that UDP flood attacks in particular see "attackers send large amounts of UDP traffic with spoofed IP addresses to random ports on a targeted system," and "because the system must check the port specified in each incoming packet for a listening application and issue a response, the targeted server’s [resources] can quickly be exhausted."
Unfortunately, these record-breaking DDoS attacks seem to be arriving every few months. Cloudflare's previous record-breaking attack hit 7.3 Tbps back in June. BleepingComputer reported that before that incident, "the previous record was of 3.8 Tbps and [2Bpps] in an attack that Cloudflare also blocked in October 2024."
Those attacks dwarf their predecessors. I reported in 2021 that Cloudflare had mitigated the largest DDoS attack it had seen up to that point... and it relied on a mere 1.9Tbps of traffic. Now we're seeing attacks nearly 10x the size of that three-year-old record taking advantage of the infrastructure operated by cloud service providers. So far, companies like Cloudflare are keeping pace, but that might not always be the case.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button!
