Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps).
“Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps,” the web infrastructure and security company said in a post on X. “The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud.”
The entire attack lasted only about 35 seconds, with the company stating its “defenses have been working overtime.”
Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks typically result in network congestion, packet loss, and service disruptions.
Such attacks are often conducted by sending the requests from botnets that are already under the control of the threat actors after having infected the devices, be it computers, IoT devices, and other machines, with malware.
“The initial impact of a volumetric attack is to create congestion that degrades the performance of network connections to the internet, servers, and protocols, potentially causing outages,” Akamai says in an explanatory note.
“However, attackers may also use volumetric attacks as a cover for more sophisticated exploits, which we refer to as ‘smoke screen’ attacks. As security teams work diligently to mitigate the volumetric attack, attackers may launch additional attacks (multi-vector) that allow them to surreptitiously penetrate network defenses to steal data, transfer funds, access high-value accounts, or cause further exploitation.”
The development comes a little over two months after Cloudflare said it blocked in mid-May 2025 a DDoS attack that hit a peak of 7.3 Tbps targeting an unnamed hosting provider.
In July 2025, the company also said hyper-volumetric DDoS attacks – L3/4 DDoS attacks exceeding 1 billion packets per second (Bpps) or 1 Tbps – skyrocketed in the second quarter of 2025, scaling a new high of 6,500 in comparison to 700 hyper-volumetric DDoS attacks in Q1 2025.
The development comes as Bitsight detailed the RapperBot kill chain, which targets network video recorders (NVRs) and other IoT devices for purposes of enlisting them into a botnet capable of carrying out DDoS attacks. The botnet infrastructure was taken down last month as part of a law enforcement operation.
In the attack documented by the cybersecurity company, the threat actors are said to have exploited security flaws in NVRs to gain initial access and download the next-stage RapperBot payload by mounting a remote NFS file system (“104.194.9[.]127”) and executing it.
RapperBot Kill Chain (credit – Bitsight)
This is accomplished by means of a path traversal flaw in the web server to leak the valid administrator credentials, and then use it to push a fake firmware update that runs a set of bash commands to mount the share and run the RapperBot binary based on the system architecture.
“No wonder the attackers choose to use NFS mount and execute from that share, this NVR firmware is extremely limited, so mounting NFS is actually a very clever choice,” security researcher Pedro Umbelino said. “Of course, this means the attackers had to thoroughly research this brand and model and design an exploit that could work under these limited conditions.”
The malware subsequently obtains the DNS TXT records associated with a set of hard-coded domains (“iranistrash[.]libre” and “pool.rentcheapcars[.]sbs” in order to get the actual list of actual command-and-control (C2) server IP addresses.
The C2 IP addresses, in turn, are mapped to a C2 domain whose fully qualified domain name (FQDN) is generated using a simplified domain generation algorithm (DGA) that consists of a combination of four domains, four subdomains, and two top-level domains (TLDs). The FQDNs are resolved using hard-coded DNS servers.
RapperBot ends up establishing an encrypted connection to the C2 domain with a valid DNS TXT record description, from where it received the commands necessary to launch DDoS attacks. The malware can also be commandeered to scan the internet for open ports to further propagate the infection.
“Their methodology is simple: scan the Internet for old edge devices (like DVRs and routers), brute-force or exploit and make them execute the botnet malware,” Bitsight said. “No persistence is actually needed, just scan and infect, again and again. Because the vulnerable devices continue to be exposed out there and they are easier to find than ever before.”
Update
In a follow-up post on X, Cloudflare said the 11.5 Tbps attack in fact came from a combination of several IoT and cloud providers, and the Google Cloud was just one of the many sources.
“Defending against this class of attack is an ongoing priority for us, and we’ve deployed numerous strong defenses to keep users safe, including robust DDoS detection and mitigation capabilities,” a Google spokesperson told The Hacker News. “Our abuse defenses detected the attack, and we followed proper protocol in customer notification and response. Initial reports suggesting that the majority of traffic came from Google Cloud are not accurate.”
(The story was updated after publication to include a response from Google.)
