Record-Breaking 3.8 Tbps Distributed Denial-of-Service (DDoS) Attack
In October 2024, Cloudflare faced and successfully mitigated the largest Distributed Denial-of-Service (DDoS) attack ever recorded. This unprecedented event saw traffic volumes peak at a staggering 3.8 terabits per second (Tbps), setting a new record for volumetric DDoS attacks. The assault was part of a broader campaign that spanned over a month, featuring more than 100 attacks targeting industries like financial services, telecommunications, and internet infrastructure.

Understanding the Scale of the Attack
A DDoS attack involves overwhelming a target with a flood of data, consuming bandwidth or depleting server resources, and making legitimate access impossible. In this case, the attack was primarily volumetric, focused on saturating network bandwidth with an extraordinary amount of malicious data—reaching up to two billion packets per second (pps) during certain waves of the attack. This type of DDoS attack is particularly damaging because it targets the network’s infrastructure at the network and transport layers (L3/L4), aiming to paralyze its ability to manage traffic.
What made this attack even more remarkable was the scale and speed of the data being transmitted. The record-breaking 3.8 Tbps peak represented an immense challenge for any infrastructure. For comparison, Microsoft previously held the record with a 3.47 Tbps attack in 2021 that targeted an Azure customer. The Cloudflare attack broke this record and introduced a new benchmark in the evolution of DDoS threats (sources: The Cloudflare Blog, BleepingComputer).
Attack Methodology: Devices and Techniques
The attack exploited a vast network of compromised devices, including Asus home routers, MikroTik systems, DVRs, and web servers from various regions across the globe, including Russia, Vietnam, Brazil, the United States, and Spain. These infected devices formed a botnet, a network of devices controlled by the attacker, that could be activated to launch the DDoS assault. By leveraging the User Datagram Protocol (UDP), a protocol that doesn’t require a formal connection between devices, attackers were able to rapidly send data across the internet, further amplifying the scale of the attack.
Such devices are often vulnerable to exploitation due to poor security configurations or outdated firmware, making them easy targets for cybercriminals seeking to build a botnet. In addition to these compromised devices, the attackers used amplification techniques, where a small request generates a much larger response, further boosting the attack’s magnitude without needing vast computational resources.
Cloudflare’s Defense: Anycast and Automated Mitigation
Cloudflare’s success in mitigating this colossal DDoS attack lies in the strength of its global network and advanced automated defenses. The Anycast network, a key component of Cloudflare's infrastructure, allows multiple machines across the globe to share a single IP address. This capability enables traffic from an attacker’s botnet to be distributed across Cloudflare’s data centers, with each data center processing packets from its local region. By spreading the attack across many locations, no single data center becomes overwhelmed.
Beyond the global distribution, Cloudflare used real-time traffic sampling to detect malicious patterns and trigger mitigation rules. Leveraging technologies like eXpress Data Path (XDP) and extended Berkeley Packet Filter (eBPF), Cloudflare was able to process and drop malicious packets at the network interface card level, significantly reducing the strain on CPU resources and ensuring legitimate traffic could continue to flow.
Once malicious traffic was identified, Cloudflare's dosd (Denial of Service Daemon) generated signatures to surgically block the attack, further ensuring that only the harmful traffic was filtered out. These steps were crucial in mitigating the attack without impacting normal operations, allowing Cloudflare to defend against the assault autonomously.
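The sample-then-drop approach described in the two paragraphs above can be illustrated with an added example (not Cloudflare's code, and not how dosd is actually implemented): it derives a signature from sampled packet headers and applies it as a drop/pass verdict. The header fields, sample packets, function names, and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample of packet headers, as a 1-in-N sampler might export them.
# Field names and values are illustrative assumptions, not Cloudflare's schema.
def pkt(src, sport, dport, length, ttl):
    return {"proto": "udp", "src": src, "sport": sport,
            "dport": dport, "len": length, "ttl": ttl}

FLOOD = [pkt(f"198.51.100.{i % 250}", 1024 + i, 53, 1400, 52) for i in range(900)]
LEGIT = [pkt(f"203.0.113.{i}", 40000 + i, 53, 60 + i % 40, 57 + i % 8) for i in range(100)]

def derive_signature(samples, min_share=0.8):
    """Keep every header field whose most common value covers at least
    min_share of the sampled packets; the conjunction is the signature."""
    if not samples:
        return {}
    sig = {}
    for field in samples[0]:
        value, count = Counter(p[field] for p in samples).most_common(1)[0]
        if count / len(samples) >= min_share:
            sig[field] = value
    return sig

def verdict(packet, sig, min_fields=3):
    """Mimic an XDP-style decision: drop only if the signature is specific
    enough and every field matches; otherwise pass."""
    if len(sig) < min_fields:
        return "PASS"  # too generic to apply without hitting normal traffic
    return "DROP" if all(packet[k] == v for k, v in sig.items()) else "PASS"

def evaluate(samples, attack, legit):
    """Derive a signature from samples, then count drops in each traffic class."""
    sig = derive_signature(samples)
    dropped_attack = sum(verdict(p, sig) == "DROP" for p in attack)
    dropped_legit = sum(verdict(p, sig) == "DROP" for p in legit)
    return sig, dropped_attack, dropped_legit
```

When only the legitimate sample is fed in, the derived signature has just two fields and is never applied, which is the guard against installing an over-broad rule.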
The Implications of Record-Breaking DDoS Attacks
The sheer size of the attack highlights the evolving threat landscape. As botnets become more sophisticated, capable of leveraging a wider variety of devices and techniques, the potential damage from DDoS attacks grows. The successful mitigation of this attack by Cloudflare underscores the need for robust, global infrastructure and advanced mitigation strategies to combat these increasingly large-scale cyber threats.
Cloudflare’s response also raises important considerations for future security planning. Companies must not only protect their servers but also consider how everyday devices—such as home routers and DVRs—can become part of a global attack network if left unsecured. This event serves as a reminder of the critical role that advanced cybersecurity infrastructure plays in maintaining the stability of the internet in the face of evolving threats.
In conclusion, the 3.8 Tbps DDoS attack on Cloudflare represents a new milestone in the scale of internet attacks, but also a testament to the effectiveness of modern, automated defense systems. As cyber threats continue to grow in both sophistication and magnitude, companies like Cloudflare will need to stay one step ahead to protect the global internet ecosystem.
For more information on how to secure your infrastructure against DDoS threats, visit Cloudflare’s Blog.
Summary of some of the biggest DDoS attacks over the years:
1. GitHub DDoS Attack (2018) – 1.35 Tbps
In February 2018, GitHub, the world's largest platform for software developers, was hit by a DDoS attack that peaked at 1.35 terabits per second (Tbps). The attack involved a memcached amplification technique, where the attackers exploited vulnerable memcached servers to amplify their traffic. GitHub was able to mitigate the attack within 10 minutes using their DDoS protection services.
2. Amazon Web Services (AWS) DDoS Attack (2020) – 2.3 Tbps
In February 2020, AWS experienced one of the largest volumetric DDoS attacks in history, peaking at 2.3 Tbps. The attackers leveraged a CLDAP reflection technique, using compromised servers to overwhelm AWS’s infrastructure. Despite the size, AWS's defenses managed to absorb the attack without significant disruption.
3. Google DDoS Attack (2017) – 2.54 Tbps
Google revealed in 2020 that in 2017, it had mitigated a 2.54 Tbps DDoS attack. The attack, originating from a state-sponsored group, was the largest DDoS attack ever reported at that time. Google Cloud’s infrastructure was able to withstand the massive traffic surge without major outages.
4. Microsoft Azure DDoS Attack (2021) – 3.47 Tbps
In late 2021, Microsoft reported mitigating a DDoS attack on its Azure cloud infrastructure that peaked at 3.47 Tbps. This attack was primarily aimed at a customer in Asia and involved a massive influx of junk data aimed at overwhelming Azure’s servers. Microsoft's distributed mitigation platform was able to neutralize the attack with minimal downtime.
5. Cloudflare DDoS Attack (2024) – 3.8 Tbps
As discussed earlier, the largest known DDoS attack occurred in October 2024, targeting multiple sectors with traffic peaking at 3.8 Tbps. This attack was significant not only for its size but also for the fact that it involved more than 100 hyper-volumetric attacks over the course of a month. Cloudflare's global infrastructure was key in mitigating the attack efficiently.
6. Mirai Botnet Attack (2016) – 1.2 Tbps
The Mirai botnet attack in 2016 targeted Dyn, a major DNS provider, and resulted in widespread internet outages, including sites like Twitter, Netflix, and Reddit. The attack, powered by a botnet of IoT devices, peaked at 1.2 Tbps and highlighted the vulnerabilities in connected devices. The Mirai botnet infected IoT devices such as cameras and DVRs and used them to launch massive attacks.
These DDoS attacks demonstrate the increasing scale and sophistication of cyberattacks over time, emphasizing the need for strong defensive measures like those employed by Cloudflare, AWS, Google, and other major infrastructure providers.