Cloudflare announced on Thursday that it autonomously blocked the largest distributed denial-of-service (DDoS) attack ever recorded, which peaked at 7.3 terabits per second (Tbps) in mid-May 2025. The attack targeted an unnamed hosting provider that was using Cloudflare’s Magic Transit service for network defense.
Key details of the attack
The 7.3 Tbps DDoS attack delivered 37.4 terabytes of data in just 45 seconds—equivalent to streaming nearly a year’s worth of high-definition video or downloading over 9 million songs in under a minute. The attack was 12% larger than the previous record (6.5 Tbps) set in April 2025 and 1 Tbps greater than another recent high-profile attack reported by security journalist Brian Krebs.
The attack “carpet-bombed” an average of 21,925 destination ports on a single IP address, peaking at 34,517 destination ports per second. The vast majority (99.996%) of the attack traffic consisted of UDP floods, with the remainder being reflection and amplification attacks such as QOTD, Echo, NTP, Mirai UDP, Portmap, and RIPv1. The attack originated from over 122,000 source IPs across 161 countries, highlighting its scale and global distribution.
Cloudflare’s fully automated mitigation systems detected and blocked the attack without human intervention, ensuring service continuity for the targeted customer and demonstrating the growing sophistication and scale of DDoS threats in 2025.
