Cloudflare blocks largest DDoS attack – here’s how to protect yourself

Cloudflare is a robust content delivery network (CDN) that specializes in providing protection against distributed denial of service (DDoS) attacks. Last month, Cloudflare blocked the largest DDoS attack in internet history.
This assault peaked at a staggering 7.3 terabits per second (Tbps). That’s a data deluge, equivalent to streaming nearly 10,000 high-definition movies in under a minute.
The attack targeted an unnamed hosting provider using Cloudflare’s Magic Transit DDoS protection service and delivered a record-breaking 37.4 terabytes of data in just 45 seconds. The attack consisted almost entirely (99.996%) of User Datagram Protocol (UDP) flood attacks.
Thanks to its high data transmission speeds, UDP is commonly used for real-time applications such as gaming and streaming. That same feature lends itself to attacks. UDP-based floods have become increasingly common in hyper-volumetric attacks, which Cloudflare defines as those exceeding 1 Tbps.
The tiny remainder, 0.004% or 1.3 gigabytes per second (GBps), was made up of other attack types: QOTD reflection, Echo reflection, NTP reflection, Mirai UDP flood, Portmap flood, and RIPv1 amplification. That 0.004% alone would have been enough to knock most unprotected sites off the internet.
The 7.3 Tbps attack represents a 12% increase over the previous record and outpaces the infamous DDoS attack on security journalist Brian Krebs by a full terabit per second. That attack was foiled by Project Shield, a free Google service for organizations at risk from massive DDoS attacks.
While 37.4 TB may not seem extraordinary in today’s data terms, the velocity of the attack — blasting that volume in less than a minute — set a new benchmark for DDoS intensity. The attack carpet-bombed an average of 21,925 destination ports per second, peaking at 34,517 ports per second on a single IP address.
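An added example (not from Cloudflare or the original article): one way to surface the two traits described above in UDP flow records, tagging reflected traffic by the well-known source port of each named service and flagging a destination IP that receives many distinct destination ports within one second. The record fields, the threshold of 100 ports, and the sample flows are constructed assumptions.

```python
from collections import defaultdict

# Well-known UDP service ports for the reflection vectors the article names.
REFLECTION_PORTS = {7: "Echo", 17: "QOTD", 111: "Portmap", 123: "NTP", 520: "RIPv1"}

# Assumed threshold: distinct UDP destination ports on one IP within one second.
PORT_SPREAD_THRESHOLD = 100


def classify(flow):
    """Label a UDP flow by source port: reflected replies come *from* the service port."""
    return REFLECTION_PORTS.get(flow["sport"], "generic UDP")


def analyze(flows, threshold=PORT_SPREAD_THRESHOLD):
    """Return (bytes per vector, [(second, dst_ip, distinct_ports)] at or over threshold)."""
    bytes_by_vector = defaultdict(int)
    ports_seen = defaultdict(set)  # (second, dst_ip) -> set of destination ports
    for f in flows:
        if f["proto"] != "udp":
            continue
        bytes_by_vector[classify(f)] += f["bytes"]
        ports_seen[(int(f["ts"]), f["dst"])].add(f["dport"])
    alerts = sorted((s, d, len(p)) for (s, d), p in ports_seen.items() if len(p) >= threshold)
    return dict(bytes_by_vector), alerts


def sample_flows():
    """Constructed flow records using documentation addresses, not data from the attack."""
    flows = []
    # 300 flood packets in second 10, each to a different port on one destination IP.
    for i in range(300):
        flows.append({"ts": 10.0 + i / 1000, "proto": "udp", "src": f"198.51.100.{i % 250}",
                      "sport": 40000 + i, "dst": "203.0.113.5", "dport": 1024 + i, "bytes": 1400})
    # Two reflected replies: NTP (source port 123) and QOTD (source port 17).
    flows.append({"ts": 10.2, "proto": "udp", "src": "192.0.2.10", "sport": 123,
                  "dst": "203.0.113.5", "dport": 50001, "bytes": 468})
    flows.append({"ts": 10.3, "proto": "udp", "src": "192.0.2.11", "sport": 17,
                  "dst": "203.0.113.5", "dport": 50002, "bytes": 512})
    # Normal traffic: one DNS answer to another host, plus a TCP flow that is ignored.
    flows.append({"ts": 11.0, "proto": "udp", "src": "192.0.2.53", "sport": 53,
                  "dst": "203.0.113.9", "dport": 33000, "bytes": 120})
    flows.append({"ts": 11.1, "proto": "tcp", "src": "192.0.2.80", "sport": 443,
                  "dst": "203.0.113.9", "dport": 51000, "bytes": 900})
    return flows


if __name__ == "__main__":
    print(analyze(sample_flows()))
```

A flood that randomizes its ports carries no fixed service port, so it lands in the generic bucket here and shows up only through the port-spread alert.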
This particular assault was highly distributed, originating from 122,145 source IP addresses across 161 countries. The majority of this malicious traffic came from Brazil, Vietnam, Taiwan, China, Indonesia, and Ukraine.
According to Cloudflare, this record-setting attack comes amid a dramatic surge in DDoS assaults. In the first quarter of 2025 alone, Cloudflare mitigated 20.5 million DDoS attacks. That’s a 358% increase year-over-year and nearly matches the total for all of 2024. The company reported blocking approximately 700 hyper-volumetric attacks in Q1, averaging eight per day, with the vast majority being network-layer attacks leveraging UDP-based floods.
Earlier in 2025, Cloudflare successfully defended against a 6.5 Tbps attack attributed to the Eleven11bot botnet, composed of tens of thousands of compromised webcams and video recorders. There will be more such attacks, and they’ll be even bigger.
For example, while things have cooled off with Iran (for now), cloud security company Radware’s director of threat intelligence Pascal Geenens told me, “Between June 21-22, 2025, hacktivist DDoS attack claims against the United States surged 800% following its involvement in the Israel-Iran conflict.”
Earlier, Radware’s 2025 Global Threat Analysis Report stated there has been a “550% rise in web DDoS attacks” globally, with “nearly 400% year-over-year growth in DDoS attack volume.” My friend, it’s only going to get worse.
What can you do about it? There are numerous ways to mitigate DDoS attacks. Here’s a summary:
Partner with DDoS mitigation providers: If you haven’t already, get a contract with a DDoS defense outfit such as Akamai, Cloudflare, Imperva, or Radware. They have the expertise and infrastructure to handle large-scale attacks; you almost certainly don’t.
Block traffic from known bad Autonomous System Numbers (ASNs): This can prevent some malicious activities, such as spam, botnets, and DDoS attacks, by filtering out traffic from sources with a history of abuse. Closely related to this is geoblocking. Here, the trick is to block traffic from a specific country or region.
However, this is not nearly as effective as you might think. The problem is that most savvy attackers can circumvent geoblocking by using techniques such as Internet Protocol (IP) spoofing or by using botnets running on wireless routers, DVRs, or webcams to attack you.
Distributed network: Spreading out your network infrastructure helps avoid single points of failure and bottlenecks that DDoS attacks can exploit.
Router and firewall configuration: Your own routers and firewalls can help. Set them to drop junk packets and block unsafe protocols such as ICMP, FTP, and telnet at the network edge. If you don’t have firewalls and intrusion prevention systems (IPS) that are tough enough to handle large traffic volumes without degrading performance, buy them.
Upstream ISP cooperation: Work with your Internet Service Provider (ISP) to block unnecessary or unwanted upstream traffic. For instance, if you don’t need UDP traffic, why let it reach your front-end servers at all? Block it already!
Web Application Firewalls (WAFs): These specialized defenses against Layer 7 application attacks are essential for blocking malicious traffic targeting web applications.
Multiple DNS providers and DNSSEC: Using more than one DNS provider, secured with DNSSEC, can help maintain site availability even if one provider is taken down by a DDoS attack.
Specific Software Defenses: Certain programs, such as WordPress, can benefit from using specialized applications designed to protect them. For example, I would never run WordPress without Wordfence.
Layered defenses: It’s not enough to use only one or even two or three of these defenses. Businesses need multiple, overlapping security measures to ensure they can keep operating if one or more of their defensive walls are breached.
Red team testing: Finally, proactively test your defenses by simulating attacks with tools like GoldenEye, hping3, and HULK to identify and address vulnerabilities before your website or company network access is compromised.
If you think your company or organization is too small to worry about defending your sites and networks against a DDoS attack, think again.
I have a small site, Practical Technology, whose only job is to host copies of my stories. On the hardware behind the site, I also maintain my own NextCloud server, an email server, an off-site backup server, and multiple test Linux servers. On average — average — I get a dozen DDoS attacks a week. These days, maintaining a stout DDoS defense isn’t just a good idea, it’s a necessity.