Record-Breaking DDoS Attack Peaks at 31.4 Tbps
Cloudflare has disclosed details of what is now the largest publicly reported DDoS attack in history, an incident that peaked at an unprecedented 31.4 terabits per second (Tbps).
Attack Overview
| Metric | Value |
|---|---|
| Peak Bandwidth | 31.4 Tbps |
| Attack Type | Network Layer (L3/L4) |
| Duration | Short, intense bursts |
| Attribution | Aisuru Botnet |
| Campaign Name | "The Night Before Christmas" |
| Date | December 19, 2025 |
The Aisuru Botnet
The attack was attributed to the Aisuru botnet, a relatively new but rapidly growing threat infrastructure that has demonstrated significant capabilities:
- Composition: Primarily compromised IoT devices and unpatched servers
- Geographic Distribution: Global, with concentrations in Asia and South America
- Attack Vectors: UDP amplification, SYN floods, and application-layer attacks
- Command & Control: Decentralized architecture making takedown difficult
"The Night Before Christmas" Campaign
The campaign began on December 19, 2025, and consisted of multiple short but extremely intense network-layer attacks:
Attack Timeline:
19 Dec 2025 03:14 UTC - Initial probe (2.1 Tbps)
19 Dec 2025 03:47 UTC - Escalation (14.8 Tbps)
19 Dec 2025 04:02 UTC - Peak attack (31.4 Tbps)
19 Dec 2025 04:11 UTC - Sustained attack (28.2 Tbps)
19 Dec 2025 04:23 UTC - Attack subsided
Previous Records
This attack significantly exceeds previous records:
| Date | Peak | Attacker |
|---|---|---|
| Dec 2025 | 31.4 Tbps | Aisuru |
| Oct 2025 | 22 Tbps | Unknown |
| Sep 2024 | 5.6 Tbps | Mirai variant |
| Feb 2023 | 3.47 Tbps | Various |
Technical Analysis
The attack leveraged multiple amplification vectors simultaneously:
UDP Amplification Factors
| Protocol | Amplification |
|---|---|
| Memcached | 51,000x |
| NTP | 556x |
| DNS | 28-54x |
| SSDP | 30x |
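An amplification factor is the ratio of response bytes to request bytes, so the same ratio measured on your own UDP services shows whether any of them is being abused as a reflector. The following is an added example, not code from Cloudflare or the original article: the flow records, the 192.0.2.0/24 local prefix, the function names and the 10x review threshold are assumptions, and the ports are the standard UDP ports for the protocols in the table.

```python
import csv
import io
from collections import defaultdict

# Standard UDP service ports for the protocols in the table above.
REFLECTOR_PORTS = {11211: "Memcached", 123: "NTP", 53: "DNS", 1900: "SSDP"}

# Constructed flow records: src_ip,src_port,dst_ip,dst_port,bytes
# 192.0.2.0/24 stands in for the local network (assumption).
SAMPLE_FLOWS = """\
198.51.100.7,40000,192.0.2.10,123,234
192.0.2.10,123,198.51.100.7,40000,48000
198.51.100.7,40001,192.0.2.10,123,234
192.0.2.10,123,198.51.100.7,40001,52000
203.0.113.5,53124,192.0.2.53,53,70
192.0.2.53,53,203.0.113.5,53124,160
203.0.113.9,41000,192.0.2.20,11211,15
192.0.2.20,11211,203.0.113.9,41000,750000
"""

def is_local(ip, prefix="192.0.2."):
    """Hypothetical helper: treat one documentation prefix as 'our' network."""
    return ip.startswith(prefix)

def amplification_ratios(flow_csv):
    """Return {(local_ip, service): bytes_out / bytes_in} for reflector-prone UDP services."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, nbytes in csv.reader(io.StringIO(flow_csv)):
        sport, dport, nbytes = int(sport), int(dport), int(nbytes)
        if is_local(dst) and dport in REFLECTOR_PORTS:    # request reaching our service
            bytes_in[(dst, REFLECTOR_PORTS[dport])] += nbytes
        elif is_local(src) and sport in REFLECTOR_PORTS:  # response leaving our service
            bytes_out[(src, REFLECTOR_PORTS[sport])] += nbytes
    return {key: bytes_out[key] / total for key, total in bytes_in.items() if total}

def abused_reflectors(flow_csv, max_ratio=10.0):
    """Local services that answer with far more bytes than they receive (assumed threshold)."""
    return sorted(k for k, r in amplification_ratios(flow_csv).items() if r > max_ratio)

if __name__ == "__main__":
    for (ip, service), ratio in sorted(amplification_ratios(SAMPLE_FLOWS).items()):
        flag = "REVIEW" if ratio > 10.0 else "ok"
        print(f"{ip:<12} {service:<10} {ratio:10.1f}x  {flag}")
```

A service flagged here should be restricted to trusted clients or taken off the public internet; tune the threshold per protocol, since legitimate DNS responses can also be several times larger than their queries.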
Mitigation Strategies
Cloudflare's autonomous DDoS protection systems detected and mitigated the attack without human intervention:
- Traffic Analysis: ML-based detection identified anomalous patterns
- Rate Limiting: Automatic threshold adjustment
- Anycast Distribution: Attack traffic distributed across global network
- Filtering: Malicious packets dropped at edge
Implications for Organizations
This record-breaking attack demonstrates several concerning trends:
- Scale Escalation: DDoS attacks continue to grow exponentially
- IoT Vulnerability: Botnet size limited only by insecure devices
- Short Bursts: Intense, short attacks can overwhelm defenses
- Automation: Attacks are increasingly automated and sophisticated
Defensive Recommendations
Immediate Actions
```bash
# Check whether your IP appears on the Tor bulk exit list
# (this list contains Tor exit relays; it is not a botnet list)
curl -s "https://check.torproject.org/torbulkexitlist" | grep -Fx "YOUR_IP"
# Count established connections; an unusually high count can indicate a bot infection
netstat -an | grep ESTABLISHED | wc -l
```
Infrastructure Hardening
- DDoS Protection Service: Use cloud-based mitigation (Cloudflare, Akamai, AWS Shield)
- Rate Limiting: Implement at network and application layers
- Anycast: Distribute services across multiple geographic regions
- Monitoring: Real-time traffic analysis and alerting
IoT Security
- Change default credentials on all devices
- Disable UPnP where not required
- Segment IoT devices on separate VLANs
- Apply firmware updates regularly
References
- FastNetMon - Aisuru Botnet Sets DDoS Record
- SecurityWeek - Record-Breaking DDoS Attack
- Cloudflare Blog - DDoS Threat Report
Last updated: January 28, 2026