Cloudflare on Thursday said it autonomously blocked the largest distributed denial-of-service (DDoS) attack ever recorded, which hit a peak of 7.3 terabits per second (Tbps).
The attack, which was detected in mid-May 2025, targeted an unnamed hosting provider.
“Hosting providers and critical Internet infrastructure have increasingly become targets of DDoS attacks,” Cloudflare’s Omer Yoachimik said. “The 7.3 Tbps attack delivered 37.4 terabytes in 45 seconds.”
Earlier this January, the web infrastructure and security company said it had mitigated a 5.6 Tbps DDoS attack aimed at an unnamed internet service provider (ISP) from Eastern Asia. The attack originated from a Mirai-variant botnet in October 2024.
Then in April 2025, Cloudflare revealed it defended against a massive 6.5 Tbps flood that likely emanated from Eleven11bot, a botnet comprising roughly 30,000 webcams and video recorders. The hyper-volumetric attack lasted about 49 seconds.
The 7.3 Tbps DDoS attack, in comparison, carpet-bombed an average of 21,925 destination ports of a single IP address owned and used by the hosting provider, hitting a crest of 34,517 destination ports per second.
The multi-vector attack originated from a similar distribution of source ports and has been identified as a combination of UDP flood, QOTD reflection attack, echo reflection attack, NTP reflection attack, Mirai UDP flood attack, portmap flood, and RIPv1 amplification attack. The UDP flood accounted for 99.996% of the attack traffic.
Cloudflare also pointed out that the attack came from over 122,145 source IP addresses spanning 5,433 Autonomous Systems (AS) across 161 countries. The top sources of attack traffic included Brazil, Vietnam, Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia.
“The average number of unique source IP addresses per second was 26,855 with a peak of 45,097,” Yoachimik said.
“Telefonica Brazil (AS27699) accounted for the largest portion of the DDoS attack traffic, responsible for 10.5% of the total. Viettel Group (AS7552) follows closely with 9.8%, while China Unicom (AS4837) and Chunghwa Telecom (AS3462) contributed 3.9% and 2.9% respectively. China Telecom (AS4134) accounted for 2.8% of the traffic.”
The disclosure comes as the QiAnXin XLab team said the DDoS botnet tracked as RapperBot was behind an attack aimed at artificial intelligence (AI) company DeepSeek in February 2025, and that the latest samples of the malware attempt to extort victims, demanding they pay “protection fees” to avoid being targeted by DDoS attacks in the future.
China, the United States, Israel, Mexico, the United Kingdom, Greece, Iran, Australia, Malaysia, and Thailand are the primary countries where devices infected by RapperBot are located. The botnet is known to be active since 2022.
RapperBot campaigns are known to target routers, network-attached storage devices, and video recorders with default weak passwords or firmware vulnerabilities to obtain initial access, and drop malware that can establish contact with a remote server over DNS TXT records to fetch DDoS attack commands.
The malware also makes use of custom encryption algorithms to encrypt the TXT records and command-and-control (C2) domain names used.
“Since March, its attack behavior has been significantly active, with an average of more than 100 attack targets per day and more than 50,000 bots observed,” the Chinese security vendor said.
“RapperBot’s attack targets are all over the fields of various industries, including public management, social security and social organizations, Internet platforms, manufacturing, financial services, etc.”
