7.3 Tbps DDoS Attack Delivers Over 37 TB of Malicious Traffic

Large-scale denial-of-service attacks continue their upward trajectory. On June 20, 2025, Internet security and performance provider Cloudflare disclosed a record-breaking distributed denial-of-service (DDoS) assault peaking at 7.3 terabits per second (Tbps). Within just 45 seconds, the malicious traffic volume surpassed 37.4 terabytes—equivalent to streaming over 7,500 hours of HD video or downloading more than 9,300 full‐length HD movies.
Record-Breaking Volume and Vector Composition
Cloudflare’s telemetry revealed the attackers targeted a single IP address assigned to a customer, indiscriminately flooding 34,500 destination ports. On average, nearly 22,000 ports were bombarded per second, highlighting the methodical engineering behind the assault.
UDP Flood Mechanism
The majority of the traffic, over 99.9 percent, consisted of raw User Datagram Protocol (UDP) packets. UDP’s connectionless design—forgoing a three-way handshake and reliability checks—makes it ideal for high-throughput attacks. By sending massive quantities of UDP datagrams to random or specific ports, attackers forced the server to respond with unreachable port messages, saturating both network links and server CPU resources.
- Network Time Protocol (NTP): Exploited for its high amplification factor of up to 556×.
- Quote of the Day Protocol (UDP port 17): Returns short text responses, used for low-latency amplification.
- Echo Protocol (UDP port 7): Reflects received data, doubling traffic volume.
- Portmapper Services (RPC): Reveals network resources, enabling further amplification.
Reflection and Amplification Techniques
A small fraction (0.004 percent) of the flood leveraged reflection attacks. By spoofing the victim’s IP, attackers directed third-party servers to send amplified responses to the target. Such techniques multiply traffic volume while obfuscating the true source, complicating mitigation.
“This attack underscores the critical need for network operators to disable unused UDP services and implement ingress filtering (BCP 38),” said Sally Rivera, Principal Security Engineer at Arbor Networks.
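The traffic signature described above (one destination IP, thousands of destination ports per second, almost all UDP, with a small share arriving from reflector services) can be checked from flow records. The following is an added detection example, not code from Cloudflare or the original article; the record layout, function names, thresholds and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflector services named above. 17 (QOTD) and 7 (Echo)
# are given in the article; 123 (NTP) and 111 (portmapper) are the standard ports.
REFLECTOR_PORTS = {123: "ntp", 17: "qotd", 7: "echo", 111: "portmap"}

def summarize(flows, fanout_threshold=1000, udp_share_threshold=0.9):
    """Per destination IP: UDP byte share, peak distinct destination ports hit
    in any one second, and bytes arriving from reflector source ports.
    Both thresholds are illustrative assumptions, not values from the article."""
    total, udp = defaultdict(int), defaultdict(int)
    ports = defaultdict(set)                       # (dst_ip, second) -> dst ports
    reflected = defaultdict(lambda: defaultdict(int))
    for ts, _src, sport, dst, dport, proto, nbytes in flows:
        total[dst] += nbytes
        if proto != "udp":
            continue
        udp[dst] += nbytes
        ports[(dst, ts)].add(dport)
        if sport in REFLECTOR_PORTS:               # reply from a reflector service
            reflected[dst][REFLECTOR_PORTS[sport]] += nbytes
    peak = defaultdict(int)
    for (dst, _ts), seen in ports.items():
        peak[dst] = max(peak[dst], len(seen))
    report = {}
    for dst, nbytes in total.items():
        share = udp[dst] / nbytes if nbytes else 0.0
        report[dst] = {
            "udp_share": share,
            "peak_ports_per_sec": peak[dst],
            "reflected_bytes": dict(reflected[dst]),
            "suspect": peak[dst] >= fanout_threshold and share >= udp_share_threshold,
        }
    return report

def build_sample():
    """Constructed flow records (documentation address ranges), not real traffic."""
    victim, normal = "203.0.113.10", "203.0.113.20"
    flows = [(sec, f"198.51.100.{i % 250 + 1}", 40000 + i, victim, 1024 + i, "udp", 1200)
             for sec in (0, 1) for i in range(1500)]
    flows += [(0, "192.0.2.5", 123, victim, 5353, "udp", 468),
              (0, "192.0.2.6", 17, victim, 6000, "udp", 300),
              (1, "192.0.2.7", 7, victim, 7000, "udp", 100),
              (0, "198.51.100.9", 51000, normal, 443, "tcp", 5000),
              (0, "198.51.100.9", 51001, normal, 53, "udp", 80)]
    return flows

if __name__ == "__main__":
    for ip, row in summarize(build_sample()).items():
        print(ip, row)
```

In production the per-second port sets would be replaced by a bounded sketch or sampled flow export, since exact sets do not scale to attack-rate traffic.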
Botnet Evolution and IoT Security
Cloudflare attributed the assault to Mirai-based botnets—networks of compromised IoT devices such as home routers, IP cameras, and DVRs. Since Mirai’s emergence in 2016, subsequent variants have expanded target lists and improved propagation, often exploiting default credentials. According to the latest research from the Center for Strategic Cyberspace, over 80 million IoT devices remain vulnerable due to unpatched firmware and poor credential hygiene.
Impact on Industry and Mitigation Strategies
Recent high-profile DDoS incidents—such as Nokia’s Eleven11bot delivering 6.5 Tbps in March and the 6.3 Tbps attack on KrebsOnSecurity in May—prompted service providers to enhance defenses. Leading countermeasures include:
- Anycast Network Architecture: Distributes traffic across global data centers, mitigating volumetric floods.
- Scrubbing Centers: Divert suspicious traffic through specialized appliances for real-time inspection and filtering.
- Machine Learning Anomaly Detection: Identifies attack patterns by analyzing traffic baselines and payload signatures.
- Rate-Limiting and Greylisting: Temporarily throttle or delay traffic from unknown sources.
Future Outlook and Collaborative Defense
As traffic volumes escalate towards the 10 Tbps threshold, collective defense initiatives become imperative. Security vendors are exploring AI-driven threat intelligence sharing via protocols like TAXII and MISP. Regulatory bodies, including the FCC and ENISA, are advocating for mandatory vulnerability disclosure and stronger IoT certification standards.
With global Internet bandwidth and backend capacities continually improving, defenders must stay ahead by automating mitigation pipelines and reinforcing cross-sector partnerships.