Cloudflare auto-mitigated a record 11.5 Tbps UDP flood from Google Cloud in 35s amid weeks of hyper-volumetric DDoS waves.

Continue reading
Cloudflare says it has automatically blocked the largest volumetric DDoS attack ever observed, a UDP flood that spiked to 11.5 terabits per second and lasted \~35 seconds. The company added that the traffic mostly originated from Google Cloud and arrived amid “hundreds” of hyper-volumetric attacks seen in recent weeks. (Note: despite the article slug reading “115,” the reported peak is 11.5 Tbps.)
At 11.5 Tbps, the new peak surpasses Cloudflare’s 7.3 Tbps record disclosed in June 2025 and the 3.8 Tbps bar set in October 2024. Microsoft previously reported a 3.47 Tbps mitigation in 2022. The fresh milestone shows attack capacity is still climbing, fast.
Cloudflare’s mitigation is autonomous and distributed. Each edge server runs the in-house `dosd` (denial-of-service daemon) for instant detection and filtering, complemented by `flowtrackd` for stateful protection of complex flows. Decisions happen at the edge without centralized consensus, cutting reaction times to seconds. The scale rides on a 405 Tbps Anycast network designed to soak bandwidth floods before they localize impact.
Cloudflare’s recent threat reports chart an aggressive rise in volumetric events. In Q2 2025, it recorded the then-largest 7.3 Tbps and 4.8 Bpps attacks while blocking 6,500+ hyper-volumetric events that quarter. Earlier, Cloudflare tallied 21.3 million DDoS mitigations across 2024 and 20.5 million in Q1 2025 alone, including 6.6 million strikes directly against its own backbone in an 18-day multi-vector campaign. The new 11.5 Tbps spike extends that arc.
The 11.5 Tbps peak is a step-change, not a blip. Short, furious floods launched from powerful cloud footprints are redefining DDoS economics. Cloudflare’s autonomous edge and massive Anycast backbone proved decisive this time; everyone else should calibrate defenses to match the new tempo.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.