Cloudflare says it has automatically blocked the largest distributed denial-of-service (DDoS) attack ever recorded, a 29.7 terabits per second (Tbps) barrage launched by the Aisuru botnet in the third quarter of 2025. The hyper‑volumetric assault, which lasted just over a minute and used a carpet bombing technique, was mitigated without downtime for the unnamed customer, according to the company’s latest DDoS threat report.
What Cloudflare Says Happened
In its Q3 2025 DDoS Threat Report, Cloudflare disclosed that its systems detected and mitigated a network‑layer attack that peaked at 29.7 Tbps and around 14.1 billion packets per second. The company did not name the target but said the incident occurred in Q3 and was handled entirely by its automated defenses.
Cloudflare describes the incident as a UDP carpet‑bombing attack that flooded an average of about 15,000 destination ports every second with randomized traffic in an effort to bypass traditional filters. Despite the unprecedented volume, the company reports that the assault lasted only about 69 seconds before subsiding, a pattern consistent with many modern DDoS bursts that are short but extremely intense.
Key facts on the 29.7 Tbps attack
| Metric | Detail |
| Peak bandwidth | 29.7 Tbps, the highest publicly reported DDoS volume to date |
| Peak packet rate | About 14.1 billion packets per second (Bpps) |
| Duration | Approximately 69 seconds |
| Attack method | UDP carpet‑bombing to ~15,000 destination ports per second |
| Target | Not publicly disclosed by Cloudflare |
| Mitigation | Fully automated by Cloudflare’s DDoS protection systems |
Aisuru Botnet Behind the Record Attack
Cloudflare attributes the attack to Aisuru, a large DDoS botnet‑for‑hire that has been active throughout 2025 and is linked to multiple multi‑terabit incidents. Security researchers estimate that Aisuru may control between one million and four million compromised devices, including routers and other internet‑connected hardware around the world.
Reports indicate that Aisuru’s operators and resellers offer parts of the botnet as a commercial service, enabling paying customers to launch powerful DDoS campaigns for fees ranging from a few hundred to a few thousand dollars. The botnet has been used against telecom carriers, gaming platforms, hosting providers, financial institutions and even core U.S. internet infrastructure, sometimes causing collateral congestion beyond the intended victim.
Aisuru botnet at a glance
| Attribute | Detail |
| Estimated size | Roughly 1–4 million infected devices |
| Business model | Sold in chunks as DDoS‑for‑hire service |
| Typical targets | Telecoms, gaming, hosting, finance, infrastructure |
| Notable recent events | 29.7 Tbps attack on Cloudflare customer; 15.72 Tbps against Azure; multi‑Tbps flood against Gcore |
| Geographic footprint | Global, with activity observed against U.S. and European networks |
Part of a Surge in Hyper‑Volumetric DDoS
Cloudflare stresses that the 29.7 Tbps incident is not an isolated case but part of a broader escalation in DDoS firepower during 2025. In Q3 alone, the company says it mitigated 1,304 hyper‑volumetric attacks from Aisuru—campaigns that exceed either 1 Tbps in bandwidth or 1 billion packets per second.
Since the start of 2025, Cloudflare reports neutralizing 2,867 Aisuru‑linked attacks, with hyper‑volumetric incidents rising 54% quarter‑on‑quarter and averaging around 14 per day. Overall, DDoS events exceeding 1 Tbps have more than doubled, increasing by about 227% compared with the previous quarter, while network‑layer attacks over 100 million packets per second grew by 189%.
Q3 2025 DDoS trends reported by Cloudflare
| Indicator | Q3 2025 figure / change |
| Aisuru attacks in 2025 | 2,867 total since January |
| Aisuru hyper‑volumetric attacks (Q3) | 1,304 incidents over 1 Tbps or 1 Bpps |
| Hyper‑volumetric attack growth | 54% quarter‑on‑quarter increase |
| Attacks > 1 Tbps | 227% quarter‑on‑quarter increase |
| Attacks > 100 million pps | 189% quarter‑on‑quarter increase |
| Previous Cloudflare record | 7.3 Tbps attack blocked in May 2025 |
Sectors Most at Risk from Aisuru and Similar Botnets
According to Cloudflare and independent security reports, Aisuru’s operators repeatedly focus on industries where uptime is critical and bandwidth is high, such as telecom networks, online gaming, cloud hosting and financial services. Attacks on these sectors can disrupt consumer connectivity, delay online transactions or temporarily knock popular services offline, even if core backbone networks remain stable.
Cloudflare’s latest threat data also highlights fast‑rising DDoS traffic aimed at emerging technology companies, including firms developing artificial intelligence tools, as well as organizations in the mining, metals and automotive supply chains. The company links some of the recent spikes in attacks on industrial and automotive targets to ongoing trade tensions between the European Union and China.
Sectors highlighted in recent reports
| Sector / target type | Observed impact or trend |
| Telecommunications | Repeated Aisuru targeting; risk of connectivity disruptions |
| Gaming platforms | High‑traffic services hit by multi‑Tbps floods |
| Hosting & cloud | Attacks against infrastructure providers like Gcore and cloud platforms |
| Financial services | Exposure through online banking and trading systems |
| AI and tech firms | 347% month‑on‑month DDoS traffic spike reported for AI sector |
| Mining, metals, auto | Increased targeting amid EU‑China trade frictions |
Why Short, Massive Attacks Are Hard to Handle
Security analysts note that many modern DDoS campaigns are extremely short but extremely large, leaving little time for manual response. Cloudflare’s data shows that most network‑layer attacks end within 10 minutes, yet clean‑up and service recovery can take much longer once routers, applications or upstream links have been overwhelmed.
The Aisuru botnet’s use of randomised packet attributes and wide‑spread targeting across thousands of ports demonstrates a shift away from simple, single‑target floods towards more distributed stress on networks. This carpet‑bombing style forces defenders to rely on automated, real‑time analysis at scale rather than static filters or purely on‑premise scrubbing appliances.
How hyper‑volumetric DDoS attacks behave
| Characteristic | Description |
| Duration | Often seconds to a few minutes, but with very high peaks |
| Technique | Randomised, multi‑port floods or protocol abuse |
| Operational challenge | Minimal time for human intervention during peak |
| Recovery | Can require extended checks and restarts after the flood |
How Organisations Can Strengthen Their Defences
For organisations that rely on internet‑facing services, the latest figures from Cloudflare underline the need for always‑on, automated DDoS protection rather than purely reactive measures. Building resilience typically involves using upstream scrubbing or content delivery networks, distributing services across multiple locations and ensuring capacity headroom to absorb sudden traffic spikes.
Experts also recommend having a tested incident‑response plan that includes clear escalation paths, predefined thresholds for mitigation and coordination with upstream providers. Regular monitoring, logging and anomaly detection can help security teams identify unusual patterns early, even when attacks last only a few seconds.
At the device level, reducing the pool of systems that attackers can hijack is another long‑term priority. Keeping routers, IoT equipment and edge devices updated, disabling unnecessary remote access and enforcing strong authentication can make it harder for botnets like Aisuru to keep growing.
Practical defensive steps for enterprises
| Area | Recommended focus |
| Network architecture | Use anycast, CDNs and upstream scrubbing where possible |
| Monitoring | Continuous traffic analysis and automated anomaly detection |
| Response planning | Documented runbooks and regular DDoS drills |
| Endpoint hygiene | Patch routers/IoT, close unused ports, harden remote access |
| Vendor coordination | Align with ISPs, cloud providers and security partners |
What This Record Attack Means Next
The 29.7 Tbps Aisuru attack sets a new visible ceiling on DDoS volume and suggests that well‑resourced botnets can now generate traffic far beyond what many legacy networks were designed to withstand. At the same time, Cloudflare’s ability to mitigate the incident automatically, without naming customer impact, shows how cloud‑scale defenses are evolving to meet these extremes.
However, with thousands of Aisuru‑linked attacks already recorded this year and quarter‑on‑quarter surges in multi‑terabit events, security specialists warn that similar incidents are likely to continue. For governments, regulators and infrastructure operators, the figures are likely to intensify debates over minimum resilience standards, cross‑border cooperation and the security of consumer devices that silently power these giant botnets.
