Cloudflare Blocks Biggest-Ever DDoS Attack at 7.3 Tbps

Cloudflare, a leading web security and infrastructure company, announced on Thursday that it successfully blocked the largest DDoS (Distributed Denial-of-Service) attack ever recorded. The attack reached a peak of 7.3 terabits per second (Tbps) and was aimed at an unnamed hosting provider in mid-May 2025.

According to Cloudflare's Omer Yoachimik, the massive cyberattack lasted only 45 seconds but delivered a total of 37.4 terabytes of data in that short time. The attack targeted one IP address and flooded it with data from an average of 21,925 destination ports, peaking at 34,517 ports per second.

DDoS Attacks on the Rise

DDoS attacks attempt to crash websites or servers by overwhelming them with massive amounts of internet traffic. Cloudflare said this particular attack was multi-vector, meaning it used several different types of methods, including:

• UDP floods

• QOTD (Quote of the Day) reflection

• Echo and NTP reflection attacks

• Portmap and RIPv1 amplification

• A Mirai botnet variant

Nearly 99.996% of the traffic came from UDP floods. The attack originated from over 122,000 IP addresses across 161 countries, hitting from networks in Brazil, Vietnam, Taiwan, China, Indonesia, and several others.

Main Sources of Attack

Cloudflare noted that Telefonica Brazil was the largest source of attack traffic, accounting for 10.5% of it. Other major sources included:

• Viettel Group (Vietnam) – 9.8%

• China Unicom – 3.9%

• Chunghwa Telecom (Taiwan) – 2.9%

• China Telecom – 2.8%

This was the third massive DDoS attack Cloudflare blocked in recent months. In January, it mitigated a 5.6 Tbps attack on an internet provider in East Asia. In April, it defended against a 6.5 Tbps attack likely launched by the Eleven11bot botnet made up of 30,000 hacked webcams and DVRs.

RapperBot Attacks AI Company

Meanwhile, Chinese cybersecurity firm QiAnXin revealed that another botnet called RapperBot was behind a DDoS attack on AI company DeepSeek in February 2025. The malware is now being used to extort victims by threatening further attacks unless a "protection fee" is paid.

RapperBot, active since 2022, mainly infects routers, storage devices, and video recorders with weak passwords or old firmware. It communicates with its command center using encrypted DNS TXT records.

Since March 2025, the botnet has become highly active, with over 50,000 infected devices and more than 100 targets daily. Its victims range across public services, internet platforms, manufacturing, finance, and more, located in countries like China, the U.S., Israel, the U.K., Iran, Australia, and Malaysia.