Cloudflare Defends Against Unprecedented 3.8Tbps DDoS Assault

Distributed Denial-of-Service (DDoS) attacks have grown more sophisticated and destructive, and a recent campaign has set a new benchmark for scale and impact. The attack, which targeted organizations across the financial services, internet, and telecommunications sectors, was marked by an unprecedented volumetric assault, reaching a peak of 3.8 terabits per second (Tbps)—the largest publicly recorded DDoS attack to date. This “month-long” barrage consisted of more than 100 hyper-volumetric DDoS attacks that flooded network infrastructure with immense volumes of garbage data, severely disrupting services and highlighting vulnerabilities in network defenses.

Volumetric DDoS attacks are designed to overwhelm a target’s network infrastructure by flooding it with massive amounts of data. These attacks exhaust the available bandwidth of the link or the processing capacity of the applications and devices behind it, leaving them unable to handle legitimate user requests. As a result, users experience slow performance or complete unavailability of services. In this particular campaign, many of the attacks focused on the network and transport layers (Layers 3 and 4 of the OSI model), overwhelming them with more than two billion packets per second (pps) and peaking at 3.8 terabits per second. Traffic at this volume can devastate network operations, leaving businesses paralyzed for the duration of the attack.

The devices used in these attacks were widespread, including compromised routers, digital video recorders (DVRs), and web servers. Specifically, Asus routers, MikroTik systems, and DVRs were frequently compromised, indicating that home devices are becoming an increasingly common vector for large-scale DDoS attacks.

Researchers from Cloudflare, an internet infrastructure company, identified that the DDoS attacks involved a large network of infected devices—known as a botnet—spread across various regions of the world. Notably, many of these devices were located in countries like Russia, Vietnam, the United States, Brazil, and Spain. This geographic distribution is typical of large botnet-driven DDoS campaigns, which leverage globally compromised devices to generate massive amounts of traffic directed at their targets.

Botnets are created by infecting internet-connected devices with malware, turning them into “zombies” that can be controlled remotely by a threat actor. These infected devices are then used to launch DDoS attacks without the knowledge of their owners. In this case, a wide range of compromised devices was employed to conduct a barrage of hyper-volumetric DDoS attacks that would be impossible to orchestrate with fewer systems. The DDoS attacks primarily used the User Datagram Protocol (UDP) on a fixed port, which is favored by attackers because it allows fast data transmission without the need to establish formal connections, unlike the Transmission Control Protocol (TCP). This makes it easier for attackers to flood targets with enormous amounts of traffic quickly.
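The two signals the article names for this campaign, packet rate and bit rate at Layers 3/4 over UDP on a fixed port from many sources, are exactly what a network operator watches in sampled flow telemetry. The script below is an added illustration, not code from the article or from Cloudflare: it aggregates constructed NetFlow-style records per second and destination port, scales the sampled counters back up, and flags a bucket as a fixed-port UDP flood when it crosses a packets-per-second or bits-per-second threshold and comes from many distinct sources. The field names, the 1-in-1000 sampling rate, the thresholds and the sample records are all assumptions chosen for the example.

```python
"""Added example: flag a hyper-volumetric, fixed-port UDP flood from sampled flow
records. Not from the article or from Cloudflare; field names, sampling rate,
thresholds and the sample records below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Illustrative thresholds; an operator tunes these to the monitored link.
PPS_THRESHOLD = 1_000_000         # packets per second toward one UDP port
BPS_THRESHOLD = 10_000_000_000    # bits per second toward one UDP port (10 Gbps)
MIN_SOURCES = 50                  # many distinct sources suggests a botnet, not one noisy host
SAMPLING_RATE = 1000              # assumed 1-in-N packet sampling on the flow export


@dataclass(frozen=True)
class Flow:
    """One sampled flow record (assumed layout, not a real NetFlow/sFlow schema)."""
    ts: int         # start of the one-second bucket, epoch seconds
    proto: str      # "udp" or "tcp"
    src: str        # source address as seen by the collector
    dst_port: int   # destination port
    packets: int    # sampled packet count
    octets: int     # sampled byte count


def aggregate(flows):
    """Sum sampled UDP counters per (second, dst_port), scaled by the sampling rate."""
    buckets = defaultdict(lambda: {"pps": 0, "bps": 0, "sources": set()})
    for f in flows:
        if f.proto != "udp":
            continue                       # this detector only looks at UDP floods
        b = buckets[(f.ts, f.dst_port)]
        b["pps"] += f.packets * SAMPLING_RATE
        b["bps"] += f.octets * 8 * SAMPLING_RATE
        b["sources"].add(f.src)
    return buckets


def detect_udp_floods(flows):
    """Return (second, dst_port, pps, bps, source_count) for buckets that look like
    a volumetric UDP flood on a single port from many sources."""
    alerts = []
    for (ts, port), b in sorted(aggregate(flows).items()):
        volumetric = b["pps"] >= PPS_THRESHOLD or b["bps"] >= BPS_THRESHOLD
        if volumetric and len(b["sources"]) >= MIN_SOURCES:
            alerts.append((ts, port, b["pps"], b["bps"], len(b["sources"])))
    return alerts


def constructed_flows():
    """Constructed sample telemetry: quiet background at second 100, a flood at 101."""
    flows = []
    # Background: a few legitimate DNS (UDP/53) and HTTPS (TCP/443) flows.
    for i in range(5):
        flows.append(Flow(100, "udp", f"198.51.100.{i}", 53, 2, 200))
        flows.append(Flow(100, "tcp", f"198.51.100.{i}", 443, 10, 12_000))
    # Flood: 200 distinct sources, all UDP toward the same port in the same second.
    # After scaling: 200 * 10_000 * 1000 = 2e9 pps and
    # 200 * 2_375_000 * 8 * 1000 = 3.8e12 bps, the figures the article reports.
    for i in range(200):
        flows.append(Flow(101, "udp", f"203.0.113.{i}", 443, 10_000, 2_375_000))
    return flows


if __name__ == "__main__":
    for ts, port, pps, bps, n in detect_udp_floods(constructed_flows()):
        print(f"t={ts} udp/{port}: {pps/1e9:.2f} Gpps, {bps/1e12:.2f} Tbps "
              f"from {n} sources")
```

The background second never trips the detector (about 10,000 pps toward UDP/53 from five sources), while the flood second does on both the packet-rate and bit-rate tests. The distinct-source count is a deliberate addition beyond the thresholds themselves: it separates a botnet flood from a single misconfigured host hammering one port, which is usually handled by a different runbook. The script only reports; rate limiting or upstream scrubbing would be driven from these alerts by other tooling.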

The campaign’s peak, 3.8 Tbps, marks a new high in the scale of DDoS attacks. For comparison, the previous record for the largest volumetric DDoS attack was held by Microsoft, which mitigated an attack of 3.47 Tbps that targeted one of its Azure customers in Asia. The increase in the scale of these attacks reflects the growing threat posed by DDoS campaigns, as more devices become connected to the internet and more vulnerabilities are discovered and exploited.

Cloudflare successfully mitigated all of the DDoS attacks autonomously, with the record-setting attack lasting just 65 seconds at its peak. The rapid response and mitigation demonstrate how advances in network security are evolving to address the increasing frequency and scale of DDoS attacks, but they also highlight the immense challenges organizations face in protecting their network infrastructures from these threats.

In addition to using botnets to launch DDoS attacks, threat actors also rely on techniques to amplify the volume of traffic sent to a target, reducing the number of compromised devices needed to cause significant damage. One method of amplification involves exploiting vulnerabilities in widely used systems. A recent report by cloud computing company Akamai revealed that a set of vulnerabilities in the Common Unix Printing System (CUPS) on Linux systems could be exploited to launch DDoS attacks. CUPS is an open-source printing system used on many Unix-like operating systems, including Linux and macOS. The vulnerabilities in question could allow attackers to amplify DDoS attacks by repeatedly sending requests that trigger the CUPS servers to respond endlessly, consuming resources and bandwidth in the process.

Akamai’s researchers scanned the public internet for systems vulnerable to these CUPS flaws and found more than 58,000 systems exposed to potential DDoS attacks. In testing, some of these systems demonstrated significant amplification potential, with servers continuously sending thousands of requests in response to simple HTTP 404 responses, indicating that exploitation of these vulnerabilities could significantly exacerbate the impact of DDoS attacks.

The ever-growing scale of DDoS attacks, as demonstrated by this recent 3.8 Tbps peak, highlights the critical need for continued investment in network security and DDoS mitigation strategies. Organizations must be proactive in addressing vulnerabilities and securing devices, particularly as the number of internet-connected devices continues to expand with the proliferation of the Internet of Things (IoT).

Cloudflare’s ability to autonomously mitigate the largest recorded DDoS attack is a testament to the effectiveness of modern mitigation tools, but it also underscores the need for ongoing vigilance. Threat actors are constantly seeking out new vulnerabilities and refining their techniques to launch more potent attacks. The exploitation of CUPS vulnerabilities is just one example of how attackers are leveraging security weaknesses in common systems to increase the impact of their campaigns.

Organizations must adopt a multi-layered approach to defending against DDoS attacks. This includes deploying robust security solutions that can detect and mitigate attacks in real time, patching known vulnerabilities in software and hardware, and educating employees and users on the importance of cybersecurity best practices. Additionally, internet service providers (ISPs) and cloud service providers play a critical role in identifying and addressing threats before they reach end users.

As volumetric DDoS attacks continue to grow in size and complexity, it is clear that no organization is immune to the threat. The 3.8 Tbps attack serves as a stark reminder that DDoS attacks remain one of the most disruptive forms of cyberattacks, capable of inflicting substantial financial and operational damage on organizations of all sizes. Moving forward, the focus must remain on strengthening defenses, improving response times, and developing more effective strategies to mitigate the growing threat of hyper-volumetric DDoS attacks.