Cloudflare reports neutralizing the most powerful distributed denial‑of‑service event seen to date: a 22.2 Tbps burst peaking at 10.6 billion packets per second (pps). The attack lasted roughly 40 seconds, arriving less than a month after an earlier record of 11.5 Tbps. The rapid escalation underscores how quickly adversaries are scaling bandwidth and packet‑rate output, particularly via compromised Internet‑of‑Things (IoT) devices.
DDoS scale explained: throughput vs. packet rate
Bandwidth (measured in bits per second) reflects the sheer volume of data. A surge of 22.2 Tbps is comparable to the simultaneous streaming of around a million 4K videos. Packet rate (pps) captures how many individual packets are delivered each second. At 10.6 billion pps, the pressure on routing, state tables, and firewalls is extreme—akin to every person on Earth refreshing a web page more than once per second.
Short, high‑intensity bursts are designed to overwhelm L3/L4 defenses before automated mitigations fully adapt. In particular, high‑pps UDP/TCP floods aim to exhaust CPU, memory, and forwarding capacity on edge routers, load balancers, and stateful inspection devices—not just raw link bandwidth. Even large networks can experience transient saturation of routing control planes and session tables when packet rates spike.
Attribution landscape: AISURU botnet in focus
While Cloudflare has not disclosed details about the last two incidents, prior analysis by QiAnXin XLab linked the 11.5 Tbps event to the AISURU botnet. According to their reporting, AISURU has compromised more than 300,000 devices worldwide, with a sharp expansion in April 2025 following the compromise of a Totolink router update server.
QiAnXin’s research indicates AISURU exploits weaknesses across IP cameras, DVR/NVR systems, components built on Realtek chipsets, and consumer routers from vendors such as T‑Mobile, Zyxel, D‑Link, and Linksys. This footprint is consistent with typical IoT botnets: broad attack surface, legacy firmware, weak credential policies, and uneven patch cycles. Industry reporting from providers like Cloudflare and NETSCOUT has repeatedly documented the role of vulnerable IoT fleets in scaling modern DDoS campaigns.
Why DDoS attacks are shorter—but more intense
Adversaries increasingly favor sub‑minute “burst” attacks to outpace detection, saturate links, and trigger failovers. High‑pps floods degrade network and device stability before scrubbing policies and rate‑limiters converge. This trend aligns with observations in public DDoS threat reports: packet amplification and multi‑vector campaigns are rising, while time‑to‑impact is shrinking thanks to automated botnet orchestration.
Mitigation strategies for enterprises and service providers
Adopt cloud DDoS scrubbing with anycast. Distribute inbound traffic across a global mitigation network capable of automatic detection and activation. Anycast absorption plus dynamic signatures is critical for riding out short, extreme peaks.
Coordinate with upstream carriers. Implement ACLs and BGP Flowspec at the uplink, use targeted blackholing for clearly malicious destinations, and pre‑arrange BGP announcements to scrubbing centers. This reduces the chance of last‑mile congestion and preserves core capacity.
Harden the perimeter and the IoT estate. Keep firmware current, disable unnecessary services (for example, UPnP), enforce strong authentication, and isolate IoT into dedicated network segments. Network‑level segmentation limits lateral movement and dampens outbound participation in botnets.
Practice incident response. Run regular DDoS exercises, validate runbooks, and track SLO/SLI for mitigation timelines. Maintain telemetry such as NetFlow/sFlow for rapid vector identification and policy tuning during live events.
Protect Layer 7. Even if the latest event was largely network‑layer, supplement defenses with a WAF, request‑rate limiting, and application resource controls to handle HTTP floods and slow‑drain attacks.
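To make the throughput versus packet-rate distinction and the flow-telemetry recommendation above concrete, here is an added Python example (not code from Cloudflare or any vendor named in this article) that buckets flow records per second and per destination, classifies each spike as packet-rate or volumetric, and shows why a one-minute average hides a two-second burst. The record layout, the thresholds and the documentation-range addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# (unix_second, dst_ip, proto, packets, bytes); addresses are RFC 5737 documentation IPs.
FLOWS = [
    (0, "203.0.113.10", "tcp", 900, 1_080_000),        # baseline
    (1, "203.0.113.10", "tcp", 950, 1_140_000),
    (2, "203.0.113.10", "udp", 400_000, 25_600_000),   # small-packet burst (64 B each)
    (2, "203.0.113.10", "tcp", 900, 1_080_000),
    (3, "203.0.113.10", "udp", 420_000, 26_880_000),
    (4, "203.0.113.10", "tcp", 920, 1_104_000),
    (2, "203.0.113.20", "udp", 30_000, 42_000_000),    # large-packet flood (1400 B each)
]
PPS_LIMIT = 100_000        # assumed per-destination packet-rate threshold
BPS_LIMIT = 300_000_000    # assumed per-destination bandwidth threshold, bits/s

def per_second(flows):
    """Sum packets and bytes into (second, destination) buckets."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, dst, _proto, pkts, nbytes in flows:
        buckets[(ts, dst)][0] += pkts
        buckets[(ts, dst)][1] += nbytes
    return buckets

def detect(flows, pps_limit=PPS_LIMIT, bps_limit=BPS_LIMIT):
    """Return alerts (second, dst, kind, pps, bps) ordered by time, then destination."""
    alerts = []
    for (ts, dst), (pkts, nbytes) in sorted(per_second(flows).items()):
        bps = nbytes * 8
        kinds = []
        if pkts > pps_limit:
            kinds.append("packet-rate")   # stresses forwarding and state tables
        if bps > bps_limit:
            kinds.append("volumetric")    # stresses link capacity
        if kinds:
            alerts.append((ts, dst, "+".join(kinds), pkts, bps))
    return alerts

def window_avg_pps(flows, dst, window=60):
    """Average pps for one destination over a coarse window, for comparison."""
    return sum(f[3] for f in flows if f[1] == dst) / window

if __name__ == "__main__":
    for ts, dst, kind, pps, bps in detect(FLOWS):
        print(f"t={ts}s {dst} {kind}: {pps} pps, {bps / 1e6:.1f} Mbit/s")
    avg = window_avg_pps(FLOWS, "203.0.113.10")
    print(f"60 s average for 203.0.113.10: {avg:.0f} pps (limit {PPS_LIMIT})")
```

The small-packet burst crosses the packet-rate limit while staying under the bandwidth limit, so a detector keyed only to bits per second would not fire on it.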
The 22.2 Tbps benchmark illustrates how attacker capabilities continue to expand through mass‑compromised IoT infrastructure and automated botnets. Organizations should reassess DDoS readiness now: validate that scrubbing can auto‑activate within seconds, confirm upstream filtering agreements, segment and patch IoT assets, and rehearse operational playbooks. Fast, coordinated mitigation measurably reduces downtime, reputational risk, and financial impact.