In mid‑May 2025, Cloudflare successfully deflected the largest DDoS attack ever recorded peaking at 7.3 terabits-per-second targeting a hosting provider using its Magic Transit service, showcasing unparalleled resilience in global cybersecurity.
Cloudflare reported that in mid‑May 2025 it blocked a record-breaking 7.3 Tbps DDoS attack, surpassing previous volumetric records by 12% and claiming the title of the largest-ever online assault. This monumental event underscores the escalating scale of cyber threats and the urgent need for robust cybersecurity services worldwide.
Attack Chronology & Profile
Timeline & Targets
- Mid-May 2025: Cloudflare’s detection systems alerted to a massive attack against a hosting provider using Magic Transit.
- The assault lasted 45 seconds, delivering 37.4 TB of traffic—equivalent to over 9,000 HD movies in under a minute.
Attack Characteristics
- Bandwidth: 7.3 Tbps (12% higher than previous 6.5 Tbps attack).
- Packet volume: Carpet‑bombed an average of 21,925 destination ports, peaking at 34,517 ports per second.
- Vectors: Primarily UDP floods (99.996%), with reflection/amplification via QOTD, Echo, NTP, Mirai botnets, Portmap, and RIPv1 attacks.
- Origin: >122,145 source IPs across 5,433 ASNs in 161 countries; top sources included Brazil (AS27699), Vietnam (AS7552), China Unicom (AS4837), and Saudi Arabia.
Technical Defense Breakdown
All‑Autonomous Mitigation
Cloudflare leveraged global anycast routing to distribute traffic across 477 data centres in 293 locations, leveraging autonomous, in‑line fingerprinting (via Linux XDP + eBPF “dosd”) to drop malicious packets without manual intervention.
MITRE ATT&CK Mapping
Initial Access: T1590 (Network Sniffing)
Impact: T1498 (Network Denial of Service)
Detection, fingerprinting, and blocking were all automated, with no human intervention required.
MEA Perspective & Global Significance
Regional Implications
- MEA hosting providers face rising DDoS threats as adversaries exploit legacy UDP protocols (e.g., NTP, QOTD).
- Regulatory frameworks like UAE NESA, Saudi NCA ECC, and Kenya’s Cybersecurity Strategy must adapt to defend critical infrastructure.
Worldwide Context
- This latest attack dwarfs previous records, including the 5.6 Tbps event in Q4 2024 and a 6.5 Tbps attack in April 2025.
- Reflects a global arms race in DDoS capacity: threat actors are rapidly scaling up, using botnets like Mirai and leveraging reflection/amplification exploits.
Expert Commentary
“Hosting providers and critical Internet infrastructure have increasingly become targets of DDoS attacks,” said Omer Yoachimik, Cloudflare’s DDoS Protection Product Manager.
“The 7.3Tbps attack delivered 37.4terabytes in 45seconds,” he added, emphasizing the fierce acceleration of volumetric onslaughts.
Actionable Takeaways for Defenders
- Deploy Always-on DDoS Protection – Obvious but essential; manual resize and activation are futile.
- Enable Anycast Routing – Distributes traffic globally to reduce regional load.
- Filter Legacy UDP Services – Disable QOTD, Echo, NTP monlist, Portmap, RIPv1 across all networks.
- Protect IoT Devices – Harden firmware, secure default credentials to avoid Mirai-style botnet formation.
- Monitor Reflection Usage – Flag UDP/17, /7, /123 traffic; rate-limit or block as needed.
- Use Packet Fingerprinting (XDP/eBPF) – Enables efficient, high-volume packet filtering at kernel level.
- Adopt Managed Rule Sets – Leverage vendor heuristics to balance defense and business access.
- Exchange Threat Intelligence – Automate lateral “gossip” to share real-time fingerprints.
- Test Infrastructure Resilience Regularly – Simulate DDoS stress in vendor environments.
- Engage Stakeholders – Ensure legal, ops, and communications teams are DDoS-ready.
Conclusion
This 7.3 Tbps DDoS record reveals a perilous reality: cyber threats are scaling at internet-breaking speeds, demanding automated, distributed defenses as standard. For MEA and global operators, the message is clear layered protection, proactive hardening, and continuous monitoring are imperative to safeguard business continuity. Cloudflare’s rapid neutralization sets a new benchmark in cybersecurity preparedness but complacency is not an option in the ongoing battle to defend the digital realm.
Sources
- Cloudflare Blog: “Defending the Internet…7.3 Tbps” (19 June 2025)
- SecurityWeek analysis by Eduard Kovacs (20 June 2025)
- BleepingComputer report (20 June 2025)
- The Hacker News coverage (20 June 2025)
- Ars Technica technical details (20 June 2025)
- Cloudflare DDoS threat report Q1 2025 (27 April 2025)
