Record-Breaking DDoS Attack Peaks At 22 Tbps and 10 Bpps

Cloudflare blocked the largest-ever DDoS attack against a European network infrastructure company, which peaked at 22.2 Tbps and 10.6 Bpps. The hyper-volumetric attack has been linked to the Aisuru botnet and lasted just 40 seconds, but was double the size of the previous record. SecurityWeek reports: Cloudflare told SecurityWeek that the attack was aimed at a single IP address of an unnamed European network infrastructure company. Cloudflare has yet to determine who was behind the attack, but believes it may have been powered by the Aisuru botnet, which was also linked earlier this year to a massive 6.3 Tbps attack on the website of cybersecurity blogger Brian Krebs. Aisuru has been around for more than a year. The botnet is powered by hacked IoT devices such as routers and DVRs that have been compromised through the exploitation of known and zero-day vulnerabilities.

According to Cloudflare, the 22 Tbps attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide. "Based on internal analysis using a proprietary system, the source IPs were not spoofed," the company explained. The security firm described it as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47k ports, all of a single IP address. Cloudflare revealed in July that the number of DDoS attacks it blocked in the first half of 2025 had already exceeded all the attacks mitigated in 2024.

Yikes!

[zurkeyon]

It takes a serious amount of bot controlled metal to do such a thing. Between this and the Sim Bot farms they are starting to find... Stuff is about to get real. (Grabs popcorn)

Re:

[RitchCraft]

Shazam!

Re:

[Uldis Segliņš]

How exactly would Rust solve default, unchangeable passwords and hidden backdoors?

Re: These kinds of things

[Al_Lapalme]

I'm pretty sure (or at least hope) that the parent was being satirical. There is a constant push from rust fans to rewrite everything in rust and the parent's post sounded like a mockery of that.

Re:

[phantomfive]

You make a joke, but tomorrow I'll be flying around in my car with antigravity.

Re:

[phantomfive]

Just ask ChatGPT to make the Rust solve the unchangeable passwords and hidden backdoors. Problem solved.

Re:These kinds of things (wrong)

[whitroth]

That's stupid. The main issue, in addition to compromised computers, are all the "smart crap", Internet of Pointlessly Connected Things - fridges, toasters, toothbrushes, whose makers shove them out, then say "what's a security update?"

Re:

[phantomfive]

If you need security updates, your approach was wrong to begin with.

Security updates are not security, they are a security blanket, and only protect against script kiddies.

I'm not worried

[PPH]

My site is hosted on a pretty fast [postimg.cc] connection.

IoT

[RitchCraft]

The gift that keeps on giving.

According to Cloudflare, Cloudflare is necessary

[ihadafivedigituid]

Having dealt with their sales department, I don't trust anything they say.

stop feeding the trolls

[v1]

1. you're boosting their ego
2. you're adding to their portfolio they show their customers

This short attack was almost certainly not intended to cause problems, it was intended to advertise their services and show off their capabilities.

Stop feeding the trolls. I get it, I KNOW, it gets clicks, but please just STOP.

Look for the motivation

[Uldis Segliņš]

Who has Brian Krebs's security research offended the most? I could bet that is some dictatorship. Or less likely a wannabe dictatorship. Doubt so large scale offensive campaigns are offered on the DDOS market, but who knows, money does wonders.

Re:

[unrtst]

How does CloudFlare know that the source addresses of UDP traffic were not spoofed? We are all aware that many ISPs don't follow 'best current practices' and prohibit traffic sourced from non-controlled addresses.

Well... "404,000 unique source IPs across over 14 ASNs worldwide". They have sufficient information to make that claim. Maybe *some* of the traffic had spoofed source addresses, but that's not what they're dealing with overall.

What the f is a Bpps?

[Vihai]

Learn the proper use of units of measurement, for god's sake!

Re:

[tlhIngan]

Learn the proper use of units of measurement, for god's sake!

Bpps is billion packets per second.

It is a unit of measurement - because the time it takes to process one packet is fixed whether the payload is minimum (64 bytes) or maximum (1500 bytes).

You can have say, a router capable of wire speed 10Gbps routing, but the dirty little secret is you can flood it with 64 byte packets and watch the throughput drop below 1Gbps because the routing engine is maxed out processing per packet.

It's why early gigabit E

Re:

[allo]

Billion packets per second, as stated in the article.

Cloudflare sucks

[dwater]

I routinely use a vpn and Cloudflare absolutely sucks. They're the single biggest bane of the Internet and worse than any censorship.
I seriously hate that company, with a passion.

Re:

[tlhIngan]

I routinely use a vpn and Cloudflare absolutely sucks. They're the single biggest bane of the Internet and worse than any censorship.
I seriously hate that company, with a passion.

They only suck for you because you use a public VPN. Which are used and abused for DDoS attacks like this, so VPN public IPs have a poor reputation.

Maybe your VPN provider needs to do packet filtering so they don't participate in attacks or other things that go against the whole notion of a VPN?

VPN IPs are abused, and using it to h