Cloudflare blocks record-setting 11.5Tbps DDoS attack two months after the previous record-setting DDoS attack


Cloudflare announced today that it blocked a record-setting distributed denial-of-service (DDoS) attack, which bombarded its target with 11.5 Tbps of traffic for approximately 35 seconds.

"Cloudflare's defenses have been working overtime," the company said in an X post. "Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps. The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud."

The company later issued an update, saying the attack had come from a combination of IoT and cloud providers. Cloudflare said it plans to reveal more information about these attacks in an upcoming report.

Note the different initialisms within Cloudflare's announcement. The 5.1 Bpps refers to "billions of packets per second," while the 11.5 Tbps refers to "Terabits per second." (Or, for those of us who think in bytes rather than bits, one terabit is 0.125 Terabytes.) That would be enough traffic to knock over most websites; it will be interesting to find out if the attack's intended target managed to remain online despite the flood of traffic.

As for how these attacks work, DDoS mitigation firm Akamai said that UDP flood attacks in particular see "attackers send large amounts of UDP traffic with spoofed IP addresses to random ports on a targeted system," and "because the system must check the port specified in each incoming packet for a listening application and issue a response, the targeted server’s [resources] can quickly be exhausted."
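The traffic shape Akamai describes (high UDP packet rates aimed at one system across many destination ports) can be checked for in flow records. The following is an added example, not code from the article, Cloudflare or Akamai; the record layout, the thresholds and the sample flows are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not from the article):
# (timestamp_s, src_ip, dst_ip, protocol, dst_port, packets)
def make_sample_flows():
    flows = []
    # Flood shape: 40 sources spray one target across 200 ports in one second.
    for i in range(40):
        for j in range(5):
            flows.append((100, f"198.51.100.{i}", "203.0.113.10",
                          "udp", 1024 + i * 5 + j, 2000))
    # Ordinary traffic: many clients querying a resolver on a single port.
    for i in range(40):
        flows.append((100, f"192.0.2.{i}", "203.0.113.53", "udp", 53, 3))
    # TCP traffic is outside the scope of this check.
    flows.append((100, "192.0.2.7", "203.0.113.10", "tcp", 443, 50))
    return flows

def detect_udp_floods(flows, window_s=1, min_pps=50_000, min_ports=100):
    """Return {(window_start, dst_ip): stats} for targets matching the flood shape."""
    buckets = defaultdict(lambda: {"packets": 0, "ports": set(), "sources": set()})
    for ts, src, dst, proto, dport, packets in flows:
        if proto != "udp":
            continue
        b = buckets[(ts - ts % window_s, dst)]
        b["packets"] += packets
        b["ports"].add(dport)
        # Source addresses may be spoofed, so this count is informational only.
        b["sources"].add(src)
    alerts = {}
    for key, b in buckets.items():
        pps = b["packets"] / window_s
        # Key on packet rate and port spread, which the sender cannot hide.
        if pps >= min_pps and len(b["ports"]) >= min_ports:
            alerts[key] = {"pps": pps, "ports": len(b["ports"]),
                           "sources": len(b["sources"])}
    return alerts
```

Only the sprayed target is flagged; the resolver receiving many small queries on one port is not.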

Unfortunately, these record-breaking DDoS attacks seem to be arriving every few months. Cloudflare's previous record-breaking attack hit 7.3 Tbps back in June. BleepingComputer reported that before that incident, "the previous record was of 3.8 Tbps and [2Bpps] in an attack that Cloudflare also blocked in October 2024."

Those attacks dwarf their predecessors. I reported in 2021 that Cloudflare had mitigated the largest DDoS attack it had seen up to that point... and it relied on a mere 1.9Tbps of traffic. Now we're seeing attacks nearly 10x the size of that three-year-old record taking advantage of the infrastructure operated by cloud service providers. So far, companies like Cloudflare are keeping pace, but that might not always be the case.


Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • M0rtis
    I'm with what is probably India's largest ISP and I as well as several other users have been having issues accessing several Cloudflare based websites since the past year. Random regular websites like car forums, blogs and such, nothing shifty or political. I don't know enough about networking to elaborate but it's something to do with the DNS and common pool IPs and the routing with IPv6 or something.
    Other, more tech-savvy users have been contacting the ISP and Cloudflare to try and resolve it but haven't been successful in getting either end to resolve it.

    Although no one will say it outright, it's probably because of the large number of online scammers in India, being on the largest ISP and the common address pool. Extremely annoying and I'm stuck on this ISP because the next best ISP is only available at the end of my lane which is 300m away...
    Reply
  • Vanderlindemedia
    Above has nothing to do with ... the DDoS.

    In reality those cloud providers are nothing but hosting companies on which there's a majority of insecure websites simply being part of a botnet. If WordPress would only integrate a very basic malware scan feature and cleanup upon updating, it will likely brick a bunch of sites but it will at the same time stop a massive amount of infected websites out there running part of a botnet.

    Cloud providers can also integrate things like Imunify360 which is stuff on a hosting based level, for regular malware scans and checks, and even blocking malware uploads or malware execution. On top of that any IoT should be removed from the internet if it does not have a proper use. Better internet starts at you.
    Reply
  • M0rtis
    Vanderlindemedia said:
    Above has nothing to do with ... the DDoS.

    In reality those cloud providers are nothing but hosting companies on which there's a majority of insecure websites simply being part of a botnet. If WordPress would only integrate a very basic malware scan feature and cleanup upon updating, it will likely brick a bunch of sites but it will at the same time stop a massive amount of infected websites out there running part of a botnet.

    Cloud providers can also integrate things like Imunify360 which is stuff on a hosting based level, for regular malware scans and checks, and even blocking malware uploads or malware execution. On top of that any IoT should be removed from the internet if it does not have a proper use. Better internet starts at you.
    I posted because I was assuming that my issues with my ISP and Cloudflare based websites could be due to bad traffic (DDoS) originating from people using my ISP maybe? Or is that a stretch?
    Reply
  • Vanderlindemedia
    If your ISP has a bad reputation, then yes Cloudflare might trigger for verification to determine if you're a bot or not. But it's not always like that, some website owners who run through Cloudflare have no idea of how to properly set it up, and turn on a knob that's named "I'm under attack" and it starts to spam a verification page upon every page onsite.

    Really all you have to protect is any elements that require a login, a POST or whatsoever, but not all pages on site unless you really have to. But there are better ways to block AI bots and stuff than just turning that knob on.

    That I'm under attack thing performs a JavaScript challenge that normal browsers can process, but bots cannot. It's a really simple math and some other factors. VPNs for example are heavily rammed with those pages.
    Reply
  • dmitche31958
    And what is truly being done to limit this?
    I propose that when IP addresses are detected to be sending out a tremendous amount of “bad data” the first action is to stop all traffic from that IP for (some period of time, 5 minutes). Should it continue then 2 hours, and then 24 hours. Then monthly bans.
    If a block of IP addresses shows a pattern that persists then the entire block of IP addresses is blocked.
    Will this impact innocent people? Yes. But it will force those ISPs that allow threat actors to continue to act to take action.
    If they are using VPNs then the VPN will be held accountable and the VPN can address the issue if they want to be back online.
    Blocking MAC addresses will just cause people to spoof them and then the dregs will have gotten someone else to cause their harm.
    Reply
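The escalation ladder proposed in the comment above (5 minutes, 2 hours, 24 hours, then a month, with whole-block bans for persistent ranges) can be written as a small state machine. This is an added example, not part of the comment or the article; the 30-day month, the IPv4 /24 grouping, the three-repeat-offender threshold and the sample addresses are assumptions.

```python
import ipaddress

# Ladder from the comment: 5 minutes, 2 hours, 24 hours, then a month.
# Treating "a month" as 30 days is an assumption.
LADDER_S = [5 * 60, 2 * 3600, 24 * 3600, 30 * 24 * 3600]

class EscalatingBlocklist:
    def __init__(self, prefix_len=24, prefix_threshold=3):
        # prefix_len and prefix_threshold are hypothetical tuning values (IPv4).
        self.prefix_len = prefix_len
        self.prefix_threshold = prefix_threshold
        self.strikes = {}        # ip -> number of offences recorded so far
        self.blocked_until = {}  # ip or network -> expiry time in seconds

    def _network(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def report_offence(self, ip, now):
        """Record bad traffic from ip at time now; return the block length in seconds."""
        strike = self.strikes.get(ip, 0)
        self.strikes[ip] = strike + 1
        # Each repeat offence moves one rung up; the last rung repeats.
        duration = LADDER_S[min(strike, len(LADDER_S) - 1)]
        self.blocked_until[ip] = now + duration
        # Block the whole prefix once enough addresses in it are repeat offenders.
        net = self._network(ip)
        repeat = [a for a, n in self.strikes.items()
                  if n >= 2 and ipaddress.ip_address(a) in net]
        if len(repeat) >= self.prefix_threshold:
            self.blocked_until[net] = now + LADDER_S[-1]
        return duration

    def is_blocked(self, ip, now):
        if self.blocked_until.get(ip, 0) > now:
            return True
        return self.blocked_until.get(self._network(ip), 0) > now
```

Because the article's UDP floods use spoofed source addresses, a ladder like this only holds the right party accountable where the source address has been validated, for example after a completed TCP handshake.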