Defending the Internet: how Cloudflare blocked a monumental 7.3 Tbps DDoS attack

43 methuselah_in 12 6/20/2025, 6:34:21 PM blog.cloudflare.com ↗

Comments (12)

kevmo314 · 7h ago
This article taught me about the QOTD protocol: https://datatracker.ietf.org/doc/html/rfc865

Cool artifact of the internet!

sparrish · 6h ago
Anybody know who the "Cloudflare customer, a hosting provider" was and what IP they were targeting and why? I'm curious why someone would go to such great lengths to try to take down a service.
toast0 · 21m ago
The article says it was a 45 second attack. I used to run a high profile website which used to get a lot of 90 second attacks. Best I could figure was some of the DDoS as a services would give a short attack as a free sample, and people picked us because we were high profile. Thankfully, these would almost always attack our website rather than our service, and availability for our website didn't really matter. Most of the attacks weren't a big deal, and they'd get bored and move on to something else. The ones that did take a web server down were kind of nice... I could use those to tune both the webservers and the servers doing real work.
password4321 · 7h ago
← Inserting standard complaint about Cloudflare protecting the sites selling these DDoS attacks here (at best: a conflict of interest selling the cure while protecting the disease).
candiddevmike · 7h ago
What does this botnet do when it's not performing a 7.3 Tbps DDoS? Yeah, it's probably regular folks' computers, but what "wakes up" the botnet to attack? What makes an attack target worthwhile? Presumably something this large would be on someone's radar...
jamessinghal · 7h ago
The Command-and-Control part of the botnet would be whatever component they build to instruct it to attack; often using some dummy website they register and have the compromised clients poll for changes with instructions.

I think an increasing amount of them are state actors or groups offering the botnet as a service.

toast0 · 14m ago
I mean... 7 Tbps sounds like a lot, but 1 Gbps symmetric connections are common in many areas. 7,000 botnet nodes with good connectivity can deliver that. The article says the attack traffic came from 122,145 source IPs, but I would expect at least some traffic to be spoofed.
lordnacho · 7h ago
Possibly the only kind of advertising that I actually like. Informative, engaging, no overselling.
victorstanciu · 7h ago
haxton · 7h ago
Unrelated. Has nothing to do with the GCP outage that was related to.
esseph · 6h ago
No, this is old.