Record DDoS pummels site with once-unimaginable 7.3Tbps of junk traffic

https://arstechnica.com/security/2025/06/record-ddos-pummels-site-with-once-unimaginable-7-3tbps-of-junk-traffic/

45•Brajeshwar•3h ago

Comments

smokel•2h ago

> A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack.

How is that more complicated than a for-loop?

ukuina•2h ago

Because it's a distributed for loop?

lolinder•48m ago

Not necessarily. It could be one for loop running on tens of thousands of compromised IoT devices, with the only thing distributed being the command that starts the loops.

blitq•2h ago

It’s not :)

monster_truck•1h ago

You can't just spray every port blindly if you are maximally trying to disrupt, there is nuance to it.

lolinder•51m ago

Right. So why does the fact that they targeted 34,500 ports show it was a well-engineered attack? By itself it's just evidence that they know how to iterate over ports. Coupled with the data size (7.3Tbps) we know they had an enormous botnet. None of this points to a well-engineered attack, it just means that lousy IoT has made botnets incredibly cheap.

A well-engineered attack would not draw headlines for its scale because it would take down its target without breaking any records.

motorest•34m ago

> A well-engineered attack would not draw headlines for its scale because it would take down its target without breaking any records.

You don't hear much about DDoS that are either comparable in size or bring down targets. How do you explain why this one made the news in spite of not having met your arbitrary and personal bar?

lolinder•26m ago

Like I said: it broke records for data throughput. It doesn't hurt that Cloudflare has an interest in publicizing the size of the DDoS attacks it fights off.

> in spite of not having met your arbitrary and personal bar?

I'm not sure what you mean by this. I didn't establish any sort of bar for what sorts of DDoS should get headlines, I'm just agreeing with OP that that line in the article doesn't make any sense. There may be other reasons to believe this attack was well-engineered but the article doesn't get into them.

rob_c•12m ago

> How do you explain why this one made the news in spite of not having met your arbitrary and personal bar?

It's that a serious question or bait?

Either way, are you so broken as to not understand what was just typed?

balanc•2h ago

Doesn’t Cloudflare have every incentive to inflate the bandwidth of the attack they have successfully mitigated?

And yes I know that there are Cloudflare employees here so spare me with your pinky swears.

x2tyfi•2h ago

Couldn’t this logic apply to basically every internal metric across every company?

udev4096•2h ago

Clownflare is more incentivized to make it look like they are the only ones who can defend against such an attack so they could gather more users for backdooring the majority of internet traffic. I wonder if it would be possible to create a peer-to-peer and decentralized DDoS mitigation service for anyone. All you gotta do is donate some of your bandwidth

eviks•2h ago

How does it counter the incentives of all other companies to make it look like they're not the only one???

mlyle•1h ago

Cloudflare has the biggest scale and is arguably best positioned to soak up massive attacks. Therefore CF may have a unique incentive to make it sound like attacks are larger and there are more really big ones.

eviks•1h ago

> is arguably best positioned

Lying about the scale of thwarted attacks by others is the counter argument

perching_aix•13m ago

Speaking of incentives, what might be the incentives of those referring to them as Clownflare? I sure have to wonder what their biases are, and how fairly they represent the company.

move-on-by•1h ago

A couple months ago Brain Krebs, who uses Google’s Project Shield, wrote of a very similar attack. 6.3 terabits, all UDP, less then a minute.

https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with...

ksec•2h ago

If I dont want my user to have Cloudflare captcha or for example captcha dont work on my Safari 18.5 running on OpenCore Patcher MacBook 2015. What other options have I got?

nemathod•2h ago

GRE-Tunnel

VladVladikoff•2h ago

I’m confused what this would accomplish? Do GRE tunnels drop UDP packets or something?

firebird84•1h ago

You make a contract with a company that does layer 3 ddos protection, you advertise a route including their AS on a subset of your prefixes and they route to you over a GRE tunnel.

VladVladikoff•2h ago

Most websites don’t need DDOS protection. Many websites which use Cloudflare to block basic bot vulnerability scanning. You could block this type of traffic with other methods; ja3/ja4, Ip to ASN & ASN filtering, etc.

esseph•28m ago

Your first line is wrong.

While it may not impact your site, it does impact your hosting provider. As their costs go up, your costs go up. Anything on the Internet at this point needs DDoS / scraping protection. If may not drop your service, but your ISP or upstreams may blackhole your route.

The "old web" (current web) was largely based on an open exchange of information.

The "new web", post AI bot scraping, is taking its place. Websites are getting paywalls. Advertising revenue is plummeting. Hosting providers are getting decimated by the massive shift in bandwidth demand and impact to systems scraped by the bots.

zzzeek•1h ago

dont piss off any nation-states that would want to take your site down, should help

petee•51m ago

Fwiw, i have a site with nearly zero content or users; randomly it got ddos'd one day, and never happened again. I think the reasons for a ddos can be wide ranging, from just testing, to nation state, to someone is unhappy with your font choice

inetknght•36m ago

> to someone is unhappy with your font choice

Everyone hates when I set my app's fonts to courier size 8.

datameta•5m ago

Everyone is wrong or they're fans of courier new specifically

esseph•25m ago

An 11 year old with a discord account and a stolen credit card can now rent massive capabilities that can take (smaller, limited peered) entire countries offline for brief periods these days.

Badak178.blog

How OCD came to haunt American life

CudaText – Cross-platform code editor written in Object Pascal

MCP is eating the world–and it's here to stay

The Great Indian Family Offices Fatigue

Show HN: Calcy.net – A Vibe Coded Calculator Site

Men, Where Have You Gone? Please Come Back

Pope Leo XIV on AI, ethics, and corporate governance

Developers are using AI Wrong

Introducing the Ultra Plan

Research: The Transformative Power of Sabbaticals

WQ42: Grounding LLMs in Wikidata Facts via Tool Calling

Language Workbenches: The Killer-App for Domain Specific Languages? (2005)

Buy It Now, Track Me Later: Attacking User Privacy via Wi-Fi AP Online Auctions

Notepad Calculator

Smallest Self-Powered Bipedal Robot Sets New Speed Record

MIT's Window-Sized Device Pulls Drinking Water from Thin Air, Even in the Desert

Earth's Largest Camera Takes 3B-Pixel Images of the Night Sky

The Future of Stalwart: Webmail, Roadmap, and Beyond

Show HN: LinkMage – Instantly analyze any URL with AI

Case of Hype-Cycle-Itis

Tell HN: Beware confidentiality agreements that act as lifetime non competes

Writing with AI: The Power of the Smarmy First Draft

Telecoms Tell Employees to Stop Looking for Evidence of Salt Typhoon Intrusion

AI-assisted coding for teams that can't get away with vibes

Glass bottles found to contain more microplastics than plastic bottles

Ask HN: What is your recommendation for a wireless keyboard and mouse?

Alibaba Staffer's Resignation Letter

How to Become a Backyard Naturalist with Just Your Smartphone