Cloudflare has deflected the largest distributed denial-of-service (DDoS) attack on record, handling it without any manual intervention. The surge in traffic, detected in mid-May 2025, peaked at 7.3 terabits per second (Tbps) and hit a hosting provider that has not been publicly identified. The flood of data, 37.4 terabytes in just 45 seconds, was fully absorbed by Cloudflare’s global infrastructure.
Cloudflare’s Omer Yoachimik noted that web hosting platforms and essential online infrastructure are increasingly being targeted. This latest attack stands as proof of that shift. In fact, this event topped a previous DDoS attempt from April 2025, which peaked at 6.5 Tbps and was linked to the Eleven11bot botnet, a network of compromised IoT devices like video recorders and webcams.

Back in January, a 5.6 Tbps attack hit an ISP in East Asia. That one came from a variant of the infamous Mirai botnet, showing a clear trend: these attacks are growing not just in size but also in complexity.
This May’s record-breaking wave of traffic wasn’t a simple case of high-volume data. The attackers hit over 21,900 different ports per second on a single IP address, peaking at over 34,000 ports. Nearly 100% of the data came through UDP flooding, while the small remainder used multiple amplification tactics, some as obscure as the QOTD (Quote of the Day) protocol or NTP reflection via monlist.
Other less-common methods involved Echo attacks, Portmap abuse, and even RIPv1 amplification—all rolled into a multi-pronged effort to overwhelm the system.
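A defender-side sketch of how flow records could be broken down into the vectors named above and checked for port spraying against a single IP. It is an added example, not Cloudflare’s code or anything from the original report; the record layout, the threshold and the sample data (documentation-range addresses) are assumptions.

```python
from collections import Counter, defaultdict

# UDP source ports of the reflection services the article names (well-known ports).
REFLECTOR_PORTS = {7: "Echo", 17: "QOTD", 111: "Portmap", 123: "NTP", 520: "RIPv1"}
# Hypothetical threshold: distinct destination ports hit on one IP within one second.
PORT_SPRAY_THRESHOLD = 1000

def classify(src_port):
    """Label a UDP packet by likely vector from its source port alone.
    Heuristic: reflected replies come *from* the abused service's port."""
    return REFLECTOR_PORTS.get(src_port, "UDP flood")

def summarize(records):
    """records: (ts_seconds, src_ip, src_port, dst_ip, dst_port, nbytes) tuples.
    Returns, per destination IP, byte share by vector, peak distinct
    destination ports in any one-second bucket, and distinct source count."""
    bytes_by_vector = defaultdict(Counter)
    ports_per_sec = defaultdict(lambda: defaultdict(set))
    sources = defaultdict(set)
    for ts, src_ip, src_port, dst_ip, dst_port, nbytes in records:
        bytes_by_vector[dst_ip][classify(src_port)] += nbytes
        ports_per_sec[dst_ip][int(ts)].add(dst_port)
        sources[dst_ip].add(src_ip)
    report = {}
    for dst_ip, vectors in bytes_by_vector.items():
        total = sum(vectors.values())
        peak = max(len(ports) for ports in ports_per_sec[dst_ip].values())
        report[dst_ip] = {
            "vector_share": {v: b / total for v, b in vectors.items()},
            "peak_ports_per_sec": peak,
            "sources": len(sources[dst_ip]),
            "port_spray": peak >= PORT_SPRAY_THRESHOLD,
        }
    return report

def sample_records():
    """Constructed sample (documentation-range IPs): a port-spraying flood in
    second 0, then three small reflected replies in second 1."""
    victim = "203.0.113.10"
    recs = [(i / 4000, f"198.51.100.{i % 200}", 40000 + i % 500, victim, 1024 + i, 1000)
            for i in range(2000)]
    recs += [(1.2, "192.0.2.1", 123, victim, 5000, 400),
             (1.3, "192.0.2.2", 17, victim, 5001, 100),
             (1.4, "192.0.2.3", 520, victim, 5002, 500)]
    return recs

if __name__ == "__main__":
    for ip, stats in summarize(sample_records()).items():
        print(ip, stats)
```

Source-port labelling is only a first pass: a direct flood can use any source port, so a production classifier would also inspect payloads before attributing traffic to a reflection vector.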
The hostile traffic didn’t originate from one place. Instead, it came from more than 122,000 IP addresses across 5,433 networks in 161 countries. Brazil and Vietnam each contributed roughly a quarter of the traffic, with Taiwan, China, Ukraine, Ecuador, and the U.S. also on the list.
ISPs like Telefonica Brazil (AS27699) and Viettel Group (AS7552) were the top contributors, with 10.5% and 9.8% of the total traffic, respectively.
Cloudflare’s response was entirely automated. Using packet-level analysis powered by XDP and eBPF on Linux systems, their engine, internally called “dosd”, spotted the threat patterns and launched mitigation in real time. This defense system can create on-the-fly fingerprints of suspicious behavior without disrupting legitimate user activity.
The company’s anycast routing and gossip protocol allowed its 477 data centers to share intelligence instantly, cutting response times to fractions of a second. Everything was handled internally; no human team had to be paged.
Meanwhile, security analysts in China reported fresh activity from RapperBot, a botnet that’s been around since 2022 and was involved in a February 2025 DDoS strike against AI firm DeepSeek. What’s new is that RapperBot now demands “protection payments” to avoid future attacks—a disturbing sign of extortion-style DDoS campaigns.
RapperBot compromises routers, NAS units, and similar devices by exploiting default credentials and firmware bugs. Once infected, the devices contact a remote server using encrypted DNS TXT records, ready to carry out future DDoS attacks.
Since March, RapperBot has reportedly launched attacks against over 100 targets per day, with more than 50,000 bots involved. It has gone after organizations in public services, tech, finance, and manufacturing across the U.S., China, Israel, Greece, and more.