Cloudflare mitigates yet another record-breaking DDoS attack—which, at 22.2 Tbps, makes it nearly twice as big as the last hyper-volumetric attack
Seems like it was only the other week I was writing about Cloudflare throwing up its shields against a record-breaking DDoS attack—because it was. Yup, an attack pelting the servers with 11.5 Tbps (terabits per second) of data in less than a minute is more than enough to make me break out in a sweat. But Cloudflare have now shared they've mitigated an even larger-scale attack.
Earlier this week, Cloudflare shared via X that it had "autonomously blocked hyper-volumetric DDoS attacks twice as large as anything seen on the Internet before." This reached a peak of 10.6 Bpps (that's billion packets per second), battering Cloudflare's defences with 22.2 Tbps of data. Yes, that's almost twice as large as the attack reported earlier this month.
Cloudflare just autonomously blocked hyper-volumetric DDoS attacks twice as large as anything seen on the Internet before — peaking at 22.2 Tbps & 10.6 Bpps. Can your mitigation provider’s scrubbing capacity handle that scale? pic.twitter.com/cSYiPZ8WA8September 22, 2025
Looking for a small number in this story? Well, this massive DDoS attack lasted only 40 seconds—not exactly a comfort, I know.
In the past, we've seen hackers hijack various internet-of-things devices to fuel large-scale attacks like this (just in case you were looking for one more reason not to get a fridge with a WiFi connection). But unlike last time, Cloudflare has yet to share any details about where exactly this attack came from or how it was executed.
Cloudflare shared it is working on a report that would go into more detail about the DDoS attack it mitigated earlier this month. That has yet to materialise, but I've little doubt this even larger-scale attack will also make an appearance in the upcoming report. When I do get my mitts on that, you can likely expect another of my tried and true club-going metaphors to simplify what went down.
In the meantime, I'm left to wonder just how big a DDoS attack Cloudflare can mitigate. Obviously, Cloudflare getting toppled by an absolute unit of a DDoS attack would be disastrous for a not insignificant portion of the internet (if even some of the names among these client case studies is anything to go by), and I'm definitely not living in hope that it ever happens.
However, if I'm thinking about it, you can bet there's an enterprising hacker or hacker group who reckons the resulting level of infamy might be worth the attempt.