Cloudflare Says It Mitigated a Record 11.5 Tbps Volumetric DDoS Attack

What Cloudflare reported

Cloudflare announced that its network automatically mitigated a volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). In the same post the company said its systems had “autonomously blocked hundreds of hyper-volumetric DDoS attacks” over recent weeks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps.

“Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps,” the web infrastructure and security company said in a post on X.

The company did not publish full technical feeds in that post; the statement highlights both bits-per-second volume (Tbps) and packet-per-second intensity (Bpps), two complementary dimensions that determine how an attack stresses infrastructure.

Why this matters — background and context

Volumetric DDoS attacks aim to saturate the bandwidth or packet-processing capacity of a target or of upstream infrastructure, rendering services unavailable. Over the past decade the scale of such attacks has risen from gigabit-class events to terabit-class events, driven by factors including large botnets, amplification techniques, and the availability of misconfigured UDP services that can be abused for reflection amplification.

Two metrics are commonly used to describe volumetric attacks:

• Tbps (terabits per second) — the raw bandwidth or throughput used by the attack.
• Bpps (billions of packets per second) — the packet rate, which stresses router/switch CPU and flow-table capacity even when average packet sizes are small.

Both dimensions matter operationally: an attack with extreme Tbps can exhaust link capacity, while an attack with extreme Bpps can overwhelm network hardware that cannot handle very high packet rates even if byte throughput is lower.

Historically visible milestones include the 2018 memcached amplification attacks that produced terabit-scale traffic to targets and a general trend of increasing scale as attackers leverage amplification and botnet resources. Cloudflare’s publicized 11.5 Tbps event, if sustained and validated, is notable as another step upward in volumetric capability and underscores why network resilience is a strategic concern for operators.

Technical analysis and implications for practitioners

For network and security practitioners, this report has several concrete technical implications:

• Capacity is multi-dimensional. Planning solely for link bandwidth is insufficient; packet-per-second handling must also be tested. Network devices have both throughput (Gbps/Tbps) and PPS limits that can be reached independently.
• Amplification/reflection risks persist. Misconfigured public-facing UDP services continue to enable amplification vectors. Routine scanning and lockdown of legacy UDP services (e.g., memcached, CLDAP, NTP, DNS when misconfigured) remain critical.
• Edge and scrubbing capacity matter. Large-scale anycast CDNs and scrubbing networks are designed to absorb and mitigate such volumetric surges. Smaller providers and enterprises that rely on a single upstream transit link remain vulnerable to link saturation even if their origin is protected.
• Autonomous mitigation and automation are essential. The ability to detect, classify and mitigate attacks without manual intervention reduces time-to-mitigate and helps prevent collateral damage from slow human reaction cycles.

Operational questions practitioners should ask their vendors and peers include: What are your PPS limits? How do you differentiate between attack traffic and flash crowds? What automated thresholds and playbooks are in place for escalation and communication with upstream ISPs?

Comparable cases and industry trends

While specific historical records vary by measurement and reporting standard, the industry has seen a steady increase in volumetric attack sizes. Well-known past incidents, such as the 2018 amplification attacks, marked the move into terabit-scale attacks. Since then, DDoS-as-a-service offerings, large botnets, and exploitable UDP services have contributed to an environment where multi-terabit attacks are increasingly feasible.

Two high-level, non-controversial trends to note:

• Attack sophistication is rising: adversaries combine high-volume floods with stateful targeting and application-layer probing to increase impact and complicate mitigation.
• Mitigation has become more distributed: major content-delivery and security providers operate large, geographically dispersed anycast networks and scrubbing centers to absorb volumetric traffic spikes and maintain service availability.

Risks, implications and actionable recommendations

Risks and implications:

• Collateral damage and upstream saturation: Even if a target is protected by a scrubbing provider, the attack may saturate upstream links or transit providers, causing broader outages.
• Hardware exhaustion: High Bpps attacks can overload routers, firewalls and load balancers due to per-packet processing limits.
• Economic and reputational impact: Repeated or persistent attacks can impose direct costs (mitigation services, increased transit) and indirect costs (downtime, customer churn).
• Operational complexity: Successful mitigation requires coordination among cloud/CDN providers, ISPs, and the target’s security and networking teams.

Actionable recommendations for organizations and network operators:

• Validate vendor claims and SLAs: Ask providers for documented mitigation capacity (Gbps/Tbps and PPS), automated detection timeframes, and runbooks for escalation to human operators and upstream providers.
• Design for both throughput and PPS: Test firewalls, routers and load balancers under realistic high-PPS conditions. Ensure network hardware supports required flow and packet rates.
• Use distributed edge defense: Employ anycast CDNs or multi-region scrubbing so that volumetric traffic can be dispersed geographically rather than funneled into a single choke point.
• Harden UDP services: Disable or isolate unused UDP services; apply response-rate limiting to DNS servers; ensure no open reflectors (e.g., memcached) are exposed to the public Internet.
• Establish runbooks and exercise them: Maintain playbooks for identification, mitigation, communications and rollback; run tabletop exercises with ISPs and vendors to validate coordination paths.
• Implement ingress filtering (BCP38) where possible: Source-address validation at network edges reduces the effectiveness of spoofing-dependent amplification attacks.
• Collaborate with upstream carriers: Pre-established relationships and contacts with transit providers shorten mitigation time and enable coordinated filtering or blackholing when necessary.
• Monitor both volumetrics and packets: Use telemetry that tracks both traffic volume and packet rates, and alert on anomalies for each metric independently.

Conclusion

Cloudflare’s report of an 11.5 Tbps mitigation highlights the continued escalation of volumetric DDoS capabilities and the parallel escalation of defense scale and automation. For practitioners, the event underscores that resilience must be multi-dimensional: sufficient bandwidth is necessary but not sufficient without packet-rate handling, distributed edge capacity, robust automation, and operational coordination with providers. Maintaining hardened UDP posture, validating vendor capabilities, exercising runbooks, and ensuring hardware can handle both throughput and PPS are immediate, practical steps to reduce exposure to future hyper-volumetric events.

Source: thehackernews.com