Overview
In September 2025, Cloudflare successfully mitigated the largest distributed denial-of-service (DDoS) attack ever recorded, peaking at 11.5 terabits per second (Tbps). The attack lasted just 35 seconds but set a new industry record for malicious network bandwidth.
Comparison Chart: Largest DDoS Attacks by Bandwidth
| Date | Target | Peak Bandwidth | Duration | Attack Type | Notable Source(s) |
|---|---|---|---|---|---|
| Sep 2025 | Cloudflare | 11.5 Tbps | 35 sec | UDP flood | Google Cloud, IoT devices |
| Jun 2025 | Cloudflare | 7.3 Tbps | 45 sec | UDP flood, multi | Unknown (cloud, botnets) |
| Feb 2023 | Cloudflare | 71M rps* | 1 min | HTTP/HTTPS flood | Cloud botnets |
| Nov 2021 | 2.54 Tbps | 2 min | UDP reflection | Meris botnet | |
| Feb 2020 | AWS | 2.3 Tbps | 5 min | CLDAP reflection | Compromised servers |
| Mar 2018 | GitHub | 1.35 Tbps | <10 min | Memcached amp. | Exposed memcached servers |
*Note: The Feb 2023 attack on Cloudflare was measured in requests per second (rps), not bandwidth, but is included for scale.
Deep Research & Technical Analysis
Attack Vectors and Sources
- The 11.5 Tbps DDoS attack was a 35-second UDP flood, primarily from compromised IoT devices and Google Cloud infrastructure (though Google disputes this).
- The attack targeted a single hosting customer and was 60% larger than previous records.
- Traffic ramped from normal to peak in under 10 seconds, overwhelming traditional defenses before Cloudflare’s automated mitigation kicked in.
Technical and Industry Context
- This was the third record-breaking DDoS event in just a few months, following a 7.3 Tbps attack in June 2025 (delivering 37.4 TB in 45 seconds).
- UDP floods are favored for their statelessness, allowing attackers to saturate bandwidth and CPU with minimal effort.
- Attackers increasingly leverage public cloud and IoT resources for short, high-impact bursts that can saturate backbone links.
- The attack was part of a broader trend of hyper-volumetric, short-lived DDoS campaigns, with multiple events exceeding 1 Tbps and one reaching 5.1 billion packets per second (Bpps).
Defense and Mitigation
- Cloudflare’s AI-driven, automated defenses neutralized the attack with rate-limiting and IP filtering, preventing downtime.
- Experts emphasize that true DDoS resilience is measured by user experience: did web pages stay up, did APIs respond, did businesses keep running?
- The short duration (35 seconds) shows that size alone is not the best metric; persistent or complex, multi-vector attacks can be equally or more damaging.
- End-to-end planning, combining capacity with intelligence, is required for true resilience—not just raw bandwidth.
Broader Implications
- The event highlights the escalating sophistication of DDoS threats and the need for robust, collaborative cybersecurity measures, especially for critical sectors.
- Speed of escalation and the use of cloud-scale adversary resources mean manual intervention is no longer viable; automation is essential.
- Industry experts urge continuous review of DDoS response strategies and enhanced security for cloud and IoT infrastructure.
Expert Commentary
“An 11.5 terabit flood sounds dramatic, but its short 35-second duration shows why size alone is the wrong metric. The attacks that demand real attention are those that combine volume with persistence or complexity—multivector campaigns that quietly congest links, trigger reroutes, and degrade real user experience.” — William Manzione, RETN
“True resilience means customers never even realize an attack happened—and achieving that requires end-to-end planning, combining capacity with intelligence, not just raw bandwidth.”
This document summarizes the record-breaking DDoS attack on Cloudflare in September 2025 and its broader significance for network security.