Cloudflare recently reported neutralising the largest Distributed Denial of Service (DDoS) attack ever recorded—a jaw-dropping 7.3 terabits per second (Tbps) of malicious traffic. The attack was short but fierce, lasting just 45 seconds and blasting out 37.4 terabytes of data at a target—enough to stream nearly a year’s worth of HD video in under a minute.
The victim was a hosting provider using Cloudflare’s Magic Transit service. This incident not only broke previous records but also confirmed a trend: critical internet infrastructure, especially hosting providers, continues to be in the crosshairs of increasingly aggressive DDoS campaigns.
Anatomy of the attack
The 7.3 Tbps barrage was a multi-vector DDoS campaign. While the bulk of the attack (99.996%) consisted of UDP floods, smaller segments included reflection and amplification techniques using protocols like QOTD, NTP, Portmap, and RIPv1—many of which are considered obsolete but still linger in unpatched legacy systems.
In terms of spread, the attackers used over 122,000 unique IP addresses across 161 countries and 5,400 networks. Most of the attack volume came from Brazil and Vietnam, with notable contributions from China, Taiwan, and the United States.
The scale in perspective
The numbers paint a vivid picture:
- 34,500 ports per second were targeted on a single IP address.
- The traffic volume was equivalent to downloading over 9 million songs or 9,000 HD movies in 45 seconds.
- The Mirai botnet, among other known vectors, played a role—highlighting the persistent risk of unsecured IoT devices being weaponised at scale.
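A flow-level triage for two traits described above: the reflection vectors named in the attack anatomy and the spraying of destination ports on a single IP. This is an added example, not code from Cloudflare or FastNetMon. The record layout, function names and threshold are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

# UDP source ports of the reflection protocols named in the article.
REFLECTION_PORTS = {17: "QOTD", 111: "Portmap", 123: "NTP", 520: "RIPv1"}

def triage(flows, spray_threshold=1000):
    """Summarise UDP flow records (ts, src_ip, sport, dst_ip, dport, nbytes).

    Returns (bytes per vector, share per vector, sprayed targets), where
    sprayed targets maps (dst_ip, second) to the number of distinct
    destination ports seen, for buckets at or above spray_threshold.
    """
    vector_bytes = defaultdict(int)
    ports_seen = defaultdict(set)
    for ts, _src_ip, sport, dst_ip, dport, nbytes in flows:
        # Heuristic: replies from a reflector carry the service's own port
        # as source port; everything else is counted as plain UDP flood.
        vector_bytes[REFLECTION_PORTS.get(sport, "UDP flood")] += nbytes
        ports_seen[(dst_ip, int(ts))].add(dport)
    total = sum(vector_bytes.values()) or 1
    share = {v: b / total for v, b in vector_bytes.items()}
    sprayed = {k: len(p) for k, p in ports_seen.items() if len(p) >= spray_threshold}
    return dict(vector_bytes), share, sprayed

def sample_flows():
    """Constructed sample: documentation-range IPs, invented sizes."""
    target = "203.0.113.10"
    flows = [(i / 5000, f"198.51.100.{i % 250 + 1}", 40000 + i, target, 1024 + i, 1200)
             for i in range(3000)]  # one second of port-sprayed flood
    flows += [
        (0.2, "192.0.2.7", 123, target, 53211, 468),   # NTP reflection
        (0.3, "192.0.2.8", 17, target, 53212, 300),    # QOTD reflection
        (1.1, "192.0.2.9", 111, target, 53213, 200),   # Portmap reflection
        (1.2, "192.0.2.10", 520, target, 53214, 504),  # RIPv1 reflection
    ]
    return flows

if __name__ == "__main__":
    by_vector, share, sprayed = triage(sample_flows())
    for vector, nbytes in sorted(by_vector.items(), key=lambda kv: -kv[1]):
        print(f"{vector:10s} {nbytes:>9d} bytes  {share[vector]:.4%}")
    for (dst, sec), n in sprayed.items():
        print(f"port spray: {dst} second {sec}: {n} distinct destination ports")
```

In production the same counters would be fed from NetFlow, sFlow or packet samples, with the threshold tuned against the target's normal traffic.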
How was it stopped?
Cloudflare relied on its globally distributed anycast network, which routed the attack traffic to the closest data centres—477 facilities across 293 cities. This setup allowed Cloudflare to turn the distributed nature of the attack against itself, absorbing the load without disrupting services.
Key elements of the mitigation included:
- Autonomous detection across all data centres.
- Real-time fingerprinting of malicious packet patterns using eBPF and Linux kernel-level sampling.
- Dynamic rule deployment, where attack fingerprints were used to surgically block bad traffic without affecting legitimate users.
- Global threat intelligence sharing through a system that “gossips” attack signatures across servers in real time.
The bigger picture
While the sheer size of a 7.3 Tbps DDoS attack is headline-grabbing, volume alone isn’t the only threat defenders should worry about. In reality, some of the most damaging attacks today are smaller, more targeted, and strategically designed to bypass traditional defences.
These so-called “low and slow” DDoS attacks may fly under the radar of volumetric detection systems, but they can silently bring services down or degrade performance in ways that are hard to trace. Attackers are becoming smarter, not just louder—and the industry needs to adapt accordingly.
That said, the growth in ultra-high-volume attacks is still a serious concern. What used to be a once-a-year event has become routine: multi-terabit-per-second DDoS attacks are now commonplace. Even more troubling is how cheap and accessible large-scale attacks have become, with booter and stressor services selling them for the price of a lunch.
The takeaway? Defenders must stay vigilant on multiple fronts:
- It’s no longer enough to filter based on size—you need to understand behaviour and intent.
- Traditional infrastructure alone won’t hold. Real-time, automated defence mechanisms are essential.
Final thoughts
The 7.3 Tbps DDoS attack may have set a new benchmark, but it’s unlikely to hold the record for long. As attack tools evolve, defenders must stay nimble, collaborative, and relentless in innovation.
This event proves that with the right tooling and global coordination, even the largest cyber threats can be neutralised in seconds.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com