
Cloudflare Blocked Record-Breaking 11.5 Tbps DDoS Attack

By Isabella Kelly | November 2, 2025 | 6 min read


On September 10, 2025, one of the largest distributed denial-of-service (DDoS) attacks in internet history was mitigated. Cloudflare announced that they had fended off a record-breaking DDoS attack measuring 11.5 terabits per second (Tbps), surpassing the previous record of 10.1 Tbps set in 2016.

The Scale of the Attack

To put this in perspective, 11.5 Tbps is a staggering volume of data: if you were to download a gigabyte per second, it would take over 363 years to reach 11.5 terabits. In practical terms, this attack generated enough malicious traffic to flood a mid-sized country's entire internet infrastructure. The attack lasted for approximately 3 hours and 14 minutes, during which Cloudflare's mitigation systems automatically detected and filtered the malicious traffic, protecting the targeted services without any downtime.

Technical Analysis: How the Attack Worked

The attack was identified as a UDP flood attack, one of the most common types of volumetric DDoS attacks. In a UDP flood, attackers send millions of User Datagram Protocol (UDP) packets to a target system. Unlike TCP, which requires a connection handshake, UDP is connectionless, allowing attackers to send packets rapidly without establishing any prior connection.

The real problem with UDP floods is their sheer volume. Hyper-volumetric attacks like this one work by overwhelming the target's bandwidth and resources through pure volume rather than by exploiting specific vulnerabilities. The source of the traffic was particularly interesting: most of it originated from IoT (Internet of Things) devices that had been compromised and enslaved into a botnet.

IoT botnets are particularly dangerous because:

  • Scale - Millions of devices connected to the internet can be commandeered
  • Persistence - IoT devices often run continuously, making them ideal for sustained attacks
  • Difficult to detect - Most users are unaware their smart devices are compromised
  • Limited security - Many IoT devices lack robust security measures and receive infrequent updates

Cloudflare's Mitigation Strategy

Cloudflare's approach to stopping this attack involved multiple layers of defense:

1. Anycast Network Distribution - Cloudflare uses a global network of data centers. By distributing traffic across these centers, no single location becomes overwhelmed. The attack traffic was automatically spread across multiple geographic locations, preventing any single point from being saturated.

2. Automated Threat Detection - Cloudflare's systems use machine learning and behavioral analysis to identify attack signatures in real time. The system recognized the attack pattern and automatically activated DDoS mitigation protocols.

3. Rate Limiting and Filtering - Legitimate traffic was prioritized while attack traffic was systematically rate-limited and dropped. Advanced filtering rules specifically targeted the attack's characteristics.

4. BGP Flowspec - Using Border Gateway Protocol Flow Specification, Cloudflare was able to instruct upstream networks to drop malicious traffic closer to its source, reducing the amount of attack traffic that reached their infrastructure.

The Implications

This attack demonstrates a troubling trend: DDoS attacks continue to grow in scale and sophistication. As more devices connect to the internet, the potential pool of compromised devices available for botnet recruitment expands exponentially. Attackers are also becoming more skilled at leveraging these resources effectively.

Moreover, this attack highlights the vulnerability of IoT devices. Many manufacturers prioritize speed-to-market over security, leaving devices with default credentials, unpatched vulnerabilities, and minimal security features. Once compromised, these devices become unwitting soldiers in an attacker's army.

Advice for Protection

While individual users cannot stop attacks at Cloudflare's scale, there are steps you can take to protect your devices and network:

  • Change default passwords on all connected devices
  • Keep firmware updated - Enable automatic updates when possible
  • Use firewalls to limit unnecessary inbound and outbound connections
  • Monitor network traffic for unusual patterns
  • Limit device connectivity - Only connect devices that need internet access
  • Choose reputable brands that prioritize security over cost
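
For the "monitor network traffic for unusual patterns" item, the Python below is an added example (not from Cloudflare or the original article) that flags a LAN device whose outbound UDP looks like flood participation: a sustained high packet rate aimed at a single external address. The flow-record tuple format, the LAN range and every threshold are assumptions to tune for your own network, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range
WINDOW_S = 10        # aggregation window in seconds
PPS_LIMIT = 1000     # assumed ceiling for one device's outbound UDP packets/s
TOP_DST_SHARE = 0.9  # flood traffic concentrates on one destination
MIN_WINDOWS = 3      # require persistence so short bursts are not flagged

def suspicious_devices(flows):
    """flows: iterable of (epoch_s, src_ip, dst_ip, proto, packets).
    Returns {src_ip: (top_dst, peak_pps)} for LAN hosts that sustain
    a high-rate, single-destination outbound UDP pattern."""
    buckets = defaultdict(lambda: defaultdict(int))  # (src, window) -> dst -> packets
    for ts, src, dst, proto, packets in flows:
        if proto != "udp":
            continue
        if ipaddress.ip_address(src) not in LAN or ipaddress.ip_address(dst) in LAN:
            continue  # keep only traffic leaving the LAN
        buckets[(src, ts // WINDOW_S)][dst] += packets
    hits = defaultdict(list)
    for (src, _window), per_dst in buckets.items():
        total = sum(per_dst.values())
        top_dst, top_pkts = max(per_dst.items(), key=lambda kv: kv[1])
        pps = total / WINDOW_S
        if pps >= PPS_LIMIT and top_pkts / total >= TOP_DST_SHARE:
            hits[src].append((top_dst, pps))
    return {src: max(h, key=lambda x: x[1])
            for src, h in hits.items() if len(h) >= MIN_WINDOWS}

# Constructed sample flow records (not real capture data).
SAMPLE = (
    # camera: 5000 UDP packets every second to one external address for 40 s
    [(1000 + t, "192.168.1.50", "203.0.113.9", "udp", 5000) for t in range(40)]
    # laptop: light DNS plus a moderate media stream, well under the limit
    + [(1000 + t, "192.168.1.10", "198.51.100.53", "udp", 2) for t in range(40)]
    + [(1000 + t, "192.168.1.10", "198.51.100.7", "udp", 300) for t in range(40)]
    # NAS: one 10 s burst only, so it never reaches MIN_WINDOWS
    + [(1000 + t, "192.168.1.30", "198.51.100.80", "udp", 2000) for t in range(10)]
    # TCP records are ignored by this check
    + [(1000, "192.168.1.10", "198.51.100.7", "tcp", 90000)]
)

if __name__ == "__main__":
    for dev, (dst, pps) in suspicious_devices(SAMPLE).items():
        print(f"{dev}: ~{pps:.0f} UDP pkt/s toward {dst}")
```

In practice the records would come from router flow export or a firewall log; a flagged device is a candidate for isolation, a credential reset and a firmware update.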