Cloudflare reports neutralizing the largest hyper‑volumetric distributed denial‑of‑service (DDoS) attack observed to date, with peak bandwidth hitting 11.5 Tbps and throughput reaching 5.1 billion packets per second (pps). The UDP flood lasted roughly 35 seconds, delivering a short but extreme burst aimed at exhausting both transit capacity and network processing planes.
Record DDoS dimensions: bandwidth, packet rate, and traffic sources
Over recent weeks, Cloudflare says it has mitigated hundreds of hyper‑volumetric events, with the most powerful peaking at 11.5 Tbps. The vector was a UDP flood, a connectionless barrage that does not require session setup and is difficult to filter at line rate.
According to the company, traffic originated from subnets associated with multiple cloud and IoT providers; Google Cloud was named among observed sources. Cloudflare plans to publish a detailed post‑incident analysis with additional technical indicators.
bps vs pps: what each metric means in DDoS operations
Bits per second (bps) measures raw bandwidth pressure—an attacker’s ability to fill the pipe and saturate links, cross‑connects, and peering edges. Packets per second (pps) reflects the stress on the data plane and control plane: CPU cycles, route lookups, state tables, and queueing within routers, switches, load balancers, and servers.
When an attack combines very high bps and very high pps, defenders must simultaneously preserve capacity and maintain packet processing. This dual stress profile often forces traffic offload to scrubbing centers, aggressive rate limits, and rapid BGP‑based rerouting to protect core infrastructure.
Attack mechanics: why UDP floods scale so quickly
UDP is connectionless and has no handshake that would validate the sender, so source addresses can commonly be spoofed, which lets adversaries generate large streams that evade stateful checks. Campaigns frequently blend direct attack traffic from cloud compute with IoT botnets for scale and geographic spread, raising both bps and pps.
While Cloudflare has not disclosed the exact techniques for this incident, the industry routinely sees reflective/amplification abuse of exposed UDP services—such as DNS, NTP, CLDAP, and Memcached—to multiply attacker output. The combination of on‑demand cloud bandwidth and persistent IoT nodes enables short, destructive spikes that complicate geofencing and static filtering.
2025 trendline: records fall faster, defenses are stress‑tested
The new peak builds on a rapid escalation. In June 2025, Cloudflare observed a 7.3 Tbps attack against an unnamed hosting provider—about 12% above the previous January record of 5.6 Tbps. That 45‑second surge moved roughly 37.4 TB of data.
Cloudflare’s Q1 2025 DDoS report notes 21.3 million attacks aimed at customers over the prior year, plus more than 6.6 million attacks targeting the company’s own infrastructure. The figures reinforce a steady rise in frequency and intensity, driven by automation, inexpensive compute, and globally distributed bandwidth.
Practical DDoS risk reduction: architecture and operational readiness
Distribute and absorb. Use Anycast and globally distributed scrubbing centers to dissipate regional spikes and keep attack traffic closer to its source.
Automate detection and control. Apply behavioral anomaly detection, adaptive rate limiting, protocol/port enforcement, and proactive filtering of malformed or spoofed packets.
Engineer for failure modes. Prepare BGP RTBH/blackholing, traffic diversion to scrubbing providers, and pre‑vetted reroute playbooks for rapid cutover under load.
Harden UDP services. Disable unused ports, limit responses, and tighten server configs. Encourage ISPs and hosting providers to implement BCP 38/84 egress filtering to reduce spoofed packets at the source.
Test and rehearse. Maintain an up‑to‑date asset inventory, run stress tests, measure pps and bps limits in real time, and conduct regular incident‑response exercises with clear escalation paths to upstream carriers and cloud providers.
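The bps/pps distinction and the advice to automate detection and measure both limits in real time can be shown in one added example (not Cloudflare's code or method): a per-second burst detector that tracks both metrics against an EWMA baseline and reports which one jumped more. The trace, thresholds, and all function names are constructed assumptions.

```python
from collections import namedtuple

Sample = namedtuple("Sample", "t bits pkts")  # one-second interface counter deltas

def detect_bursts(samples, alpha=0.1, factor=5.0, warmup=10, min_len=3):
    """Flag runs of seconds where bps or pps exceeds factor x an EWMA baseline."""
    if not samples:
        return []
    base_bps, base_pps = float(samples[0].bits), float(samples[0].pkts)
    bursts, cur = [], None
    for i, s in enumerate(samples):
        r_bps, r_pps = s.bits / max(base_bps, 1.0), s.pkts / max(base_pps, 1.0)
        if i >= warmup and max(r_bps, r_pps) > factor:
            if cur is None:
                cur = {"start": s.t, "peak_bps": 0, "peak_pps": 0, "r_bps": 0.0, "r_pps": 0.0}
                bursts.append(cur)
            cur["end"] = s.t
            cur["peak_bps"] = max(cur["peak_bps"], s.bits)
            cur["peak_pps"] = max(cur["peak_pps"], s.pkts)
            cur["r_bps"], cur["r_pps"] = max(cur["r_bps"], r_bps), max(cur["r_pps"], r_pps)
            continue  # baseline stays frozen so flood traffic never becomes "normal"
        cur = None
        base_bps += alpha * (s.bits - base_bps)
        base_pps += alpha * (s.pkts - base_pps)
    for b in bursts:  # the larger relative jump shows which resource is under more stress
        b["dominant"] = "pps" if b["r_pps"] > b["r_bps"] else "bps"
    return [b for b in bursts if b["end"] - b["start"] + 1 >= min_len]

def coarse_average_bps(samples, window=300):
    """Average bps per fixed window, as a poller with a long interval would report it."""
    chunks = [samples[i:i + window] for i in range(0, len(samples), window)]
    return [sum(s.bits for s in c) / len(c) for c in chunks]

def constructed_trace():
    """Constructed data: 300 s near 2 Gbps / 300 kpps with a 35 s flood starting at t=120."""
    trace = []
    for t in range(300):
        jitter = 1 + 0.05 * ((t * 7) % 11 - 5) / 5  # deterministic +/-5 % variation
        bits, pkts = int(2e9 * jitter), int(3e5 * jitter)
        if 120 <= t < 155:  # small-packet flood: pps rises far more than bps
            bits, pkts = bits + int(40e9), pkts + int(50e6)
        trace.append(Sample(t, bits, pkts))
    return trace

if __name__ == "__main__":
    trace = constructed_trace()
    for burst in detect_bursts(trace):
        print(burst)
    print("5-minute average bps:", coarse_average_bps(trace))
```

On the constructed trace the detector reports one 35-second burst dominated by pps, while the 5-minute average of the same data stays below the 5x threshold, which is why second-level counters matter for bursts this short.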
The 11.5 Tbps milestone confirms a shift toward brief, ultra‑intense DDoS bursts designed to overwhelm both links and packet processing. Organizations that depend on online services should revisit threat models, pre‑negotiate mitigation with providers, and validate that routing, capacity, and runbooks are prepared for hyper‑volumetric spikes. Monitor for Cloudflare’s forthcoming technical report and use its findings to fine‑tune controls, tighten UDP exposure, and raise operational readiness.