Follow ZDNET: Add us as a preferred source<!–> on Google.
ZDNET’s key takeaways
The biggest, baddest DDoS attack to date was just fended off.
The attack used the trivial, but nasty, UDP flood attack.
You must protect yourself against DDoS attacks.
Over the Labor Day weekend, Cloudflare says it successfully stopped–> a record-breaking distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). This came only a few months after Cloudflare blocked a then all-time high DDoS attack of 7.3 Tbps. This latest attack was almost 60% larger.
According to Cloudflare, the assault was the result of a hyper-volumetric User Datagram Protocol (UDP) flood attack that lasted about 35 seconds. During that just more than half-minute attack, it delivered over 5.1 billion packets per second.
<!–>
–>
Cloudflare
This attack, Cloudflare reported<!–>, came from a combination of several IoT and cloud providers. Although compromised accounts on Google Cloud were a major source, the bulk of the attack originated from other sources.
Hyper-volumetric UDP flood attacks–> are simple, but they’re becoming more common and nasty. The assault seeks to overwhelm a target with an immense volume of UDP packets ranging from millions to billions of UDP packets per second. This works by saturating a target’s bandwidth. In addition, since the target must process each packet and, for unused ports, typically respond with Internet Control Message Protocol (ICMP) “Destination Unreachable” ping messages, this quickly exhausts the target’s compute resources.
Also: How to protect your site from DDoS attacks – before it’s too late
The specific target of this attack has not been publicly disclosed, but we can be sure the intent was to overwhelm the victim’s network and render online services inoperative. Cloudflare says its globally distributed, fully autonomous DDoS mitigation network detected and neutralized the threat in real time, without notable impact on customer services or requiring manual intervention. This operation highlights both the rising sophistication of attack methods and the resilience of modern internet infrastructure defenses, especially Cloudflare’s use of real-time packet analysis, fingerprinting, and rapid threat intelligence<!–> sharing across its network.
The Labor Day event capped weeks of elevated DDoS activity. Cloudflare is reporting a dramatic year-over-year increase in the overall frequency and volume of attacks. Overall, Cloudflare has reported that in Q2 2025, hyper-volumetric DDoS attacks have skyrocketed–>.
During these months, Cloudflare blocked over 6,500 hyper-volumetric DDoS attacks, for an average of 71 per day. The content delivery network (CDN) and internet security company also reported in July that “so far Cloudflare has already blocked 27.8 million DDoS attacks, equivalent to 130% of all the DDoS attacks we blocked in the full calendar year 2024.”
Also: I asked AI to modify mission-critical code, and what happened next haunts me
These DDoS campaigns increasingly exploit cloud resources and IoT botnets, says Cloudflare, to launch ultra-short but extremely intense hyper-volumetric attacks around the world.
Cloudflare says its intervention was a major success. But this incident is also a warning about future risks as attackers continue to enhance their capabilities by misusing legitimate cloud platforms and compromised IoT devices. If you’re not using a DDoS prevention service to protect your business’s websites, it’s time to start. Besides Cloudflare<!–>, other top DDoS prevention services–> come from companies such as Akamai<!–>, Imperva–>, Radware<!–>, F5–>, and Fortinet<!–>.
