Cloudflare mitigated the largest DDoS attack in modern history

Checked on December 14, 2025

Executive summary

Cloudflare’s own reporting and multiple security outlets document a rapid succession of record-breaking mitigations in 2025, culminating in a December claim that Cloudflare blocked a DDoS attack attributed to the AISURU botnet that peaked at 29.7 Tbps and 14.1 Bpps [1] [2]. Earlier in 2025 Cloudflare reported blocking earlier record-setting attacks (7.3 Tbps in May and 11.5 Tbps in September) and said hyper‑volumetric attacks surged across the year [3] [4] [5].

1. What Cloudflare and reporters say happened

Cloudflare’s quarterly DDoS reporting and related blog posts show a stepped escalation of attack sizes during 2025: Cloudflare documented a 7.3 Tbps mitigation in mid‑May (described as the largest at the time) [3], reported an 11.5 Tbps UDP flood mitigation in early September [4], and in its Q3 summary attributed a 29.7 Tbps, 14.1 Bpps UDP “carpet‑bombing” event to the AISURU botnet that it said was automatically mitigated [5] [1]. Tech outlets including TechRadar, SecurityWeek and others reported these same figures and linked the December 29.7 Tbps claim to Cloudflare’s Q3 DDoS Threat Report [2] [4].

2. The numbers: what the sources actually report

Cloudflare’s Q1 report flagged peaks of around 6.5 Tbps and 4.8 Bpps and said Cloudflare blocked more than 20 million attacks in the quarter [5]. Subsequent Cloudflare posts and press coverage raised successive peaks: a 7.3 Tbps attack Cloudflare described as the largest in mid‑May [3], an 11.5 Tbps UDP flood in September [4], and coverage citing a 29.7 Tbps, 14.1 Bpps peak tied to AISURU in Q3 reporting and later summaries [1] [2]. Reporters emphasize short burst durations (seconds to a minute) and that Cloudflare’s systems “autonomously” blocked many such events [5] [3].

3. Who is AISURU and why it matters

News and Cloudflare’s reporting identify AISURU as a high‑volume botnet blamed for many of the hyper‑volumetric events in 2025; Cloudflare estimated its size in the millions of devices and traced recent large attacks to it [1] [2]. Security outlets describe AISURU as capable of both massive packet and bandwidth floods that outscale legacy mitigation gear, making cloud‑scale defenses necessary [1] [4].

4. Conflicting figures and the record narrative

Multiple, different “largest” labels appear across the coverage. Cloudflare’s own timeline shows successive new peaks (6.5 Tbps → 7.3 Tbps → 11.5 Tbps → 29.7 Tbps) and press coverage repeats those peaks [5] [3] [4] [1]. Independent outlets also reported intermediate records (e.g., 22.2 Tbps claims appear in some reporting), showing that different data points and timing can produce competing “largest” headlines [6]. The practical takeaway in the sources is that attack magnitudes grew rapidly and multiple record-breaking mitigations were publicized [5] [1].

5. How mitigation claims are framed and what’s not said

Cloudflare emphasizes autonomous blocking and cloud‑scale capacity, and reporters repeat those claims [5] [4]. Sources describe attack vectors (UDP floods, massive packet rates, multi‑vector campaigns) and short attack durations (seconds to a minute) [2] [5]. Available sources do not mention external independent validation by a third party that re‑measures peaks or confirms attribution beyond Cloudflare’s telemetry; some outlets rely on Cloudflare’s blog and posts for the metrics [1] [4].

6. Broader context: surge in volume and frequency

Cloudflare’s Q1 and Q2 reporting shows enormous year‑over‑year increases in observed attacks — millions per quarter and millions more hyper‑volumetric events than in prior periods — with Q2 saying the first half of 2025 had already exceeded all of 2024 in total blocked attacks [5] [7]. Reports note sectors targeted, attack origin trends (certain autonomous systems), and the operational strain such attacks impose on defenders [5] [7].

7. What to watch next and why the debate matters

If Cloudflare’s reported 29.7 Tbps mitigation is accepted, it represents a dramatic jump in attacker capacity and underscores that botnets leveraging IoT and cloud resources can scale to unprecedented bandwidths [1] [2]. Journalistic scrutiny will hinge on independent verification, more granular telemetry release, and attack context (target, duration, multi‑vector nature) — items not fully detailed in the available reporting [1] [4].

Limitations: This analysis uses only the provided reporting (Cloudflare blog posts and media coverage cited above). Available sources do not mention independent third‑party validation of the 29.7 Tbps figure beyond Cloudflare’s disclosures [1] [5].
