Sunday, May 24, 2026

Cloudflare Mitigates Record-Breaking 3.8 Tbps DDoS Attack

Cloudflare disclosed it absorbed a 3.8 Tbps volumetric DDoS attack against a financial services customer, the largest publicly reported flood to date.

Sarah Chen, Infrastructure Security Reporter

Cloudflare announced today it has mitigated what the company describes as the largest publicly disclosed distributed denial-of-service (DDoS) attack ever recorded, peaking at 3.8 terabits per second of inbound traffic.

The attack, which lasted approximately 65 seconds, targeted a Cloudflare customer in the financial services sector. According to Cloudflare's incident report, the flood originated from a botnet of roughly 152,000 compromised devices, predominantly MikroTik routers and Asus home gateways.

"This was a hyper-volumetric UDP flood, with a small number of packets but enormous payload sizes," wrote Omer Yoachimik, senior product manager at Cloudflare. "The attack was mitigated autonomously by our edge without operator intervention."

The previous record, set last summer, was 2.6 Tbps and targeted a gaming platform. Cloudflare's data shows DDoS volumes have grown roughly 220 percent year-over-year as IoT botnets continue to swell.

Cloudflare attributes the rise in attack size to widespread, unpatched router firmware exposing UPnP services to the internet, as well as the emergence of new botnet variants forked from the leaked Mirai source code.

CISA reiterated guidance issued earlier this year urging consumer-router vendors to ship devices with default-deny external management interfaces, a recommendation that has been adopted unevenly across the industry.

Tags: DDoS, Cloudflare, botnet, MikroTik, DDoS record
Sarah Chen is an Infrastructure Security Reporter covering cybersecurity news and threat intelligence for CyberNews.wiki.
