New Peak in Hyper-Volumetric DDoS Attacks Hits 7.3 Tbps

In June 2025 Cloudflare disclosed that it had blocked, in mid-May, what is currently the largest DDoS attack on record: a flood peaking at 7.3 Tbps that delivered 37.4 TB of traffic to a single IP address in just 45 seconds. It surpasses the previous 6.5 Tbps record from April and signals a sharp escalation in both the scale and the frequency of hyper-volumetric DDoS campaigns. Cloudflare's own data shows more than 700 such attacks in Q1 2025, roughly eight per day, with network-layer DDoS attacks up 509% year over year.

Technical Description


The latest surge marks a shift in adversarial strategy: attackers increasingly favour high-bandwidth, short-duration bursts that exceed the capacity of many traditional mitigation setups. The 7.3 Tbps attack recorded by Cloudflare exemplifies this evolution, delivering a concentrated flood of 37.4 TB to a single IP address in 45 seconds. A window that short is the point. Mitigation that depends on human intervention, or on diverting traffic to a scrubbing centre only after an attack has been detected, would come online after the burst had already ended; only always-on, automated filtering at the edge can absorb it.

Attack Composition and Amplification Techniques

At the core of these hyper-volumetric attacks are reflection and amplification vectors that abuse widely deployed UDP-based services, including:

  • CLDAP (Connectionless LDAP, UDP/389): a directory-lookup protocol whose responses are many times larger than the query; servers exposed to the Internet act as reflectors.
  • SSDP (Simple Service Discovery Protocol, UDP/1900): common on consumer IoT devices and home routers; a single discovery request elicits bursts of replies.
  • DNS amplification (UDP/53): still one of the most common vectors; open resolvers turn small queries into large responses, especially for ANY queries or large records.
  • NTP and memcached (UDP/123 and UDP/11211): less common in recent months, but NTP servers that still answer monlist queries and memcached instances exposed over UDP remain among the highest-ratio amplifiers available to attackers who find them.

These reflection methods rely on IP source-address spoofing. The attacker sends requests whose source address is forged to be the victim's, so each reflector sends its reply, many times larger than the request, to the victim rather than to the attacker; the attacker's own bandwidth is multiplied by the amplification factor, and it is the reflectors' addresses, not the attacker's, that appear in the victim's logs. Recent incidents have combined several reflection vectors at once, which complicates mitigation because no single port or protocol filter covers all of the traffic. It is worth noting that, by Cloudflare's account, the 7.3 Tbps attack itself was almost entirely a direct UDP flood from botnet nodes, with reflection and amplification vectors (NTP reflection among them) contributing only a small fraction of the volume: at this scale amplification is a force multiplier, not a prerequisite.

Infrastructure Saturation and Rate-Based Overload

Where earlier DDoS campaigns emphasized long-duration outages, hyper-volumetric attacks aim to exhaust link bandwidth and overwhelm per-packet processing (ACL lookups, connection tracking, deep packet inspection) with short but intense spikes. Packet rates in the largest of these attacks now reach several billion packets per second. Packet rate matters independently of bit rate: routers, firewalls and stateful devices have a per-packet rather than per-byte processing budget, so a flood of small packets can saturate the forwarding and firewall infrastructure of even well-prepared organizations long before the link itself is full.

Attack payloads often include combinations of:

  • TCP SYN floods, sometimes with unusual or malformed TCP options to slip past signature-based filters.
  • UDP floods sprayed across many destination ports, including high-numbered ephemeral ranges, so that no single port-based rule catches them.
  • Fragmented packet floods that force reassembly and exhaust reassembly buffers on firewalls and hosts.

Cloudflare reports a 509% year-over-year increase in network-layer DDoS attacks in Q1 2025, reflecting a broader trend in which attackers exploit the way network hardware and mitigation tools degrade under high-throughput loads.
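
The following Python script is an added example written for this page; it is not Cloudflare's code and not part of the original advisory. It shows, over constructed flow records, the two indicators discussed in the Attack Composition and Infrastructure Saturation sections above (and called for under Recommended Actions): unsolicited inbound UDP replies from known reflector source ports, which is the signature of spoofed-source reflection, and per-second bit and packet rates crossing a threshold, which is the hyper-volumetric burst. The protected prefix 203.0.113.0/24, the other addresses (all RFC 5737 documentation ranges), the flow records and the thresholds are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Well-known UDP source ports of services commonly abused as reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

# Hypothetical protected prefix (RFC 5737 documentation range).
PROTECTED = ip_network("203.0.113.0/24")

# Illustrative thresholds for a small edge; tune to the actual link size.
BPS_THRESHOLD = 1_000_000_000   # 1 Gbit/s within a one-second bucket
PPS_THRESHOLD = 500_000         # 500 kpps within a one-second bucket


def _inbound(f):
    return ip_address(f["dst"]) in PROTECTED and ip_address(f["src"]) not in PROTECTED


def _outbound(f):
    return ip_address(f["src"]) in PROTECTED and ip_address(f["dst"]) not in PROTECTED


def unsolicited_reflections(flows):
    """Bytes per reflector service of inbound UDP traffic that comes from a
    reflector source port but answers no request we saw leave.  A genuine
    reply (server, sport) -> (client, cport) is only solicited if the request
    (client, cport) -> (server, sport) exists; spoofed-source reflection has
    no such request because the victim never sent it."""
    requests = {(f["src"], f["sport"], f["dst"], f["dport"])
                for f in flows if f["proto"] == "udp" and _outbound(f)}
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp" or not _inbound(f):
            continue
        service = REFLECTOR_PORTS.get(f["sport"])
        if service is None:
            continue
        if (f["dst"], f["dport"], f["src"], f["sport"]) in requests:
            continue    # legitimate reply to a request the host actually made
        totals[service] += f["bytes"]
    return dict(totals)


def burst_seconds(flows):
    """Seconds in which inbound load on the protected prefix crosses the
    bit-rate or packet-rate threshold.  Returns (second, bits, packets,
    distinct destination ports); a high port count is the pattern of a
    flood sprayed across many ports."""
    per_sec = defaultdict(lambda: {"bytes": 0, "packets": 0, "ports": set()})
    for f in flows:
        if _inbound(f):
            s = per_sec[f["ts"]]
            s["bytes"] += f["bytes"]
            s["packets"] += f["packets"]
            s["ports"].add(f["dport"])
    hits = []
    for ts in sorted(per_sec):
        s = per_sec[ts]
        if s["bytes"] * 8 > BPS_THRESHOLD or s["packets"] > PPS_THRESHOLD:
            hits.append((ts, s["bytes"] * 8, s["packets"], len(s["ports"])))
    return hits


def flow(ts, src, sport, dst, dport, nbytes, packets, proto="udp"):
    """Build one simplified flow record (constructed; not a real NetFlow export)."""
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "bytes": nbytes, "packets": packets, "proto": proto}


# Constructed sample: one genuine DNS exchange at second 99, then a
# CLDAP + SSDP reflection burst against 203.0.113.10 in second 100.
SAMPLE_FLOWS = [
    flow(99, "203.0.113.10", 51234, "198.51.100.53", 53, 80, 1),              # our DNS query
    flow(99, "198.51.100.53", 53, "203.0.113.10", 51234, 512, 1),             # solicited reply
    flow(100, "192.0.2.7", 389, "203.0.113.10", 40000, 90_000_000, 60_000),   # CLDAP reflector
    flow(100, "192.0.2.8", 389, "203.0.113.10", 40001, 90_000_000, 60_000),   # CLDAP reflector
    flow(100, "192.0.2.9", 1900, "203.0.113.10", 40002, 40_000_000, 120_000), # SSDP reflector
    flow(101, "192.0.2.9", 1900, "203.0.113.10", 40003, 1_000, 3),            # tail of the burst
]

if __name__ == "__main__":
    print("unsolicited reflection bytes:", unsolicited_reflections(SAMPLE_FLOWS))
    print("burst seconds:", burst_seconds(SAMPLE_FLOWS))
```

The request/reply matching is what separates reflection from legitimate traffic: the DNS reply in the sample is ignored because the host's own query was seen leaving, while the CLDAP and SSDP replies have no corresponding request and are counted in full. In production the request table would be a time-bounded cache rather than a set built from the same batch, and the thresholds would be derived from the link capacity rather than fixed constants.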

Emergence of DDoS-for-Hire Services

One contributing factor to the frequency and accessibility of these attacks is the continued proliferation of DDoS-for-hire (a.k.a. “booter” or “stresser”) services. These platforms offer web-based interfaces that allow novice users to launch large-scale attacks for a fee, often without requiring technical knowledge. Behind the scenes, many of these services leverage compromised routers, IoT devices, and open proxy servers to assemble disposable botnets capable of launching attacks in the multi-terabit range.

Malware strains such as Mirai variants continue to compromise embedded systems and supply the infrastructure for these campaigns (Mozi, an earlier IoT botnet built on the same model, was largely shut down in 2023, but its successors follow the same playbook). Operators rotate C2 servers and use fast-flux DNS to hide command infrastructure, making attribution and takedown more difficult.

Strategic Implications

Unlike application-layer DDoS events, which target a specific web service, network-layer volumetric attacks have broader consequences. Their sheer volume causes collateral damage by overwhelming ISP edge routers, regional data centers or transit links, producing packet loss, route flapping and service degradation for many customers even though only one IP address was targeted.

Organizations that depend on a single cloud region, or that have no upstream mitigation provider, are especially exposed: when an attack saturates the upstream link, an entire CIDR block can become unreachable even though a single address was the target.

Impact

Hyper-volumetric attacks are a severe threat to network availability. Even robust on-premises scrubbing appliances or enterprise firewall stacks sit behind the link that gets saturated, so they can be overwhelmed before mitigation comes online. Such attacks can degrade critical services, take e-commerce platforms offline or disrupt national infrastructure links. The 509% year-over-year rise in network-layer attacks reflects adversaries' growing commitment to cost-effective, massively scaled assaults built on vulnerable IoT devices and exposed amplification endpoints.

IOC and Context Details

Tactic Name: Denial-of-Service, Amplification, Reflection
Technique Name: UDP Flood; SYN Flood; CLDAP / NTP / SSDP Amplification; Hyper-volumetric Flood
Sub-Technique Name: IP Spoofing; Reflection; Peak Traffic Concentration
Attack Type: Service Disruption, Bandwidth Saturation
Targeted Applications: Internet service infrastructure, Web platforms, Cloud and hosting providers
Region Impacted: Global
Industry Impacted: All
IOCs: NA
CVE: NA

Recommended Actions

  • Adopt multi-layered DDoS protection: use an always-on, anycast cloud scrubbing service that absorbs Tbps-level floods at the edge; on-demand diversion that is triggered after detection is too slow for a 45-second burst.
  • Implement real-time traffic analytics: alert on sudden bit-rate and packet-rate spikes, on unsolicited inbound UDP from reflector source ports (53, 123, 389, 1900, 11211), and on traffic sprayed across unusually many destination ports.
  • Harden infrastructure: deploy ingress filtering (BCP 38 / uRPF) so spoofed packets cannot leave your network; do not expose CLDAP, SSDP or memcached to the Internet; where NTP must be reachable, disable monlist (mode 7) queries and restrict who may query; keep DNS resolvers closed to clients outside your network.
  • Remove single points of failure: spread services across regions and upstream providers so that saturation of one link or one region does not take everything down.
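
The following Python model of BCP 38 ingress filtering is an added example for this page; it is not Cloudflare's code and not from the original advisory. Reflection attacks only work because the attacker can emit packets with the victim's address as source, so the control that starves them is the one that drops spoofed packets at the network they originate from. The script implements that as unicast reverse-path forwarding (uRPF) on customer-facing interfaces, in both strict and loose mode, plus an anti-spoof rule on the upstream interface that drops packets claiming to come from the network's own prefixes. The routing table, interface names and packets are constructed (RFC 5737 documentation ranges).

```python
from ipaddress import ip_address, ip_network

# Hypothetical routing table: prefix -> egress interface.
ROUTES = {
    ip_network("203.0.113.0/24"): "lan0",    # customer segment A
    ip_network("198.51.100.0/25"): "lan1",   # customer segment B
    ip_network("0.0.0.0/0"): "upstream0",    # default route to transit
}
INTERNAL_IFACES = {"lan0", "lan1"}


def _specific_matches(addr):
    """(prefixlen, interface) for every non-default route covering addr.
    The default route is ignored on purpose: it would make every source
    'routable' and turn the check into a no-op."""
    return [(n.prefixlen, iface) for n, iface in ROUTES.items()
            if n.prefixlen > 0 and addr in n]


def ingress_filter(src, ingress_iface, mode="strict"):
    """Return True if a packet with source address src arriving on
    ingress_iface may be forwarded.

    Customer-facing interfaces (BCP 38 as uRPF):
      strict - the best route back to src must leave via ingress_iface;
      loose  - src only needs to be covered by some specific prefix
               (weaker, but does not break asymmetric routing).
    Upstream-facing interface: any external source is acceptable, but a
    packet claiming one of our own prefixes can only be spoofed."""
    addr = ip_address(src)
    if addr.is_multicast or addr.is_loopback or addr.is_unspecified:
        return False
    matches = _specific_matches(addr)
    if ingress_iface in INTERNAL_IFACES:
        if not matches:
            return False                      # not one of our prefixes: spoofed
        if mode == "loose":
            return True
        return max(matches)[1] == ingress_iface   # longest prefix wins
    return not matches                        # our own prefix from outside: spoofed


def apply_policy(packets, mode="strict"):
    """packets: iterable of (src, ingress_iface). Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for src, iface in packets:
        (forwarded if ingress_filter(src, iface, mode) else dropped).append((src, iface))
    return forwarded, dropped


# Constructed packets: a legitimate customer packet; a customer spoofing an
# outside victim (the classic reflection setup); a customer spoofing the
# other segment; an outside packet claiming segment A; a normal outside packet.
SAMPLE_PACKETS = [
    ("203.0.113.5", "lan0"),
    ("192.0.2.77", "lan0"),
    ("198.51.100.9", "lan0"),
    ("203.0.113.5", "upstream0"),
    ("192.0.2.77", "upstream0"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        fwd, drp = apply_policy(SAMPLE_PACKETS, mode)
        print(mode, "forwarded:", fwd, "dropped:", drp)
```

Running both modes over the sample shows the trade-off a practitioner has to make: strict mode drops the packet from lan0 that claims a lan1 address, loose mode lets it through. Loose mode is the usual compromise on multi-homed or asymmetrically routed edges, but it stops only sources that are not routable at all, so strict mode (or an explicit per-customer ACL) is what actually prevents a customer from spoofing a neighbour.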

References

https://radar.cloudflare.com/reports/ddos-2025-q2