On June 22, 2025, a new chapter was written in the history of cyberattacks: the security company Cloudflare successfully thwarted a 7.3 terabit-per-second (Tbps) distributed denial-of-service (DDoS) attack. This far surpassed previous records, unleashing 37.4 terabytes of data on the target in just 45 seconds. The attack, presumably targeting a hosting provider, originated from over 122,000 sources, primarily from networks in Brazil and Vietnam, spanning a total of 161 countries.

Fortunately, the target had invested in a fast, distributed defense: the attack traffic was automatically spread across and filtered by Cloudflare’s global anycast network, so the attack was fended off without any major service outage.

What is a DDoS attack and how does it work?

In a distributed denial-of-service (DDoS) attack, criminals send a massive amount of data from thousands of “zombie devices” (a botnet) toward a single target. In a successful attack, the target server or network is overwhelmed by the massive volume of incoming data, causing it to slow down or crash. Unlike a traditional DoS attack, which comes from a single source, a DDoS attack originates from multiple, geographically dispersed machines (computers, IoT devices), making it very difficult to defend against.

Attackers often use the so-called UDP protocol (User Datagram Protocol) because it is one of the simplest ways to send a large amount of data very quickly. A key feature of UDP is that it does not establish a real connection between the two machines: the sending machine simply starts “pouring” data toward the target without first requesting permission or even checking if the other party can receive the data. It’s like someone continuously stuffing letters into your mailbox without waiting to see if you’ve read the previous one or if you’re even home.

Compared to traditional (TCP-based) data traffic—where the two parties first “shake hands” (known in technical terms as a “handshake”) to confirm they are ready to communicate—UDP doesn’t ask, doesn’t wait for a response, it just sends. This method makes the protocol ideal for overload attacks: the victim’s machine can be flooded with meaningless or fake data in moments, without having time to initiate any defensive response.

This mode of operation becomes particularly dangerous because it targets the very technologies that legitimately and frequently use UDP: for example, video calls, live streaming, online games, or internet telephony (VoIP). All these services are sensitive to disruptions in data traffic, so a maliciously generated flood of data can quickly cause lag, malfunction, or a complete shutdown.

There are several types of overload attacks. One group is the volumetric attack, where the goal is simply to flood the target with more data than it can process; examples include DNS- or NTP-based amplification, where the attacker turns small requests into huge responses directed at the victim. Another type is the protocol-level attack, which exploits the basic rules of internet communication, for example a SYN flood, in which a mass of half-open connection requests exhausts the server’s connection table so that legitimate connections can no longer be established. Finally, there are application-level attacks, which try to disrupt a website by bombarding it with more legitimate-looking HTTP requests than the application can serve.

The June 2025 attack combined several techniques: the vast majority of the traffic was a UDP flood, and reflection and amplification through services such as NTP and Echo were also used. The attack also drew on networks of infected devices similar to the Mirai botnet, which launched the overload from thousands of sources simultaneously, targeting almost every layer of the IT infrastructure.

Warning signs of a DDoS attack (these should raise suspicion) can include the following:

  • Sudden surge in traffic: An unexpected spike in the number of requests or bandwidth from one or more IP addresses.
  • Performance degradation or crashes: Websites and services respond slowly, repeatedly go down, or become unavailable.
  • Unusual error messages: A surge of connection attempts or recurring service error messages.
  • Frequent system crashes: Stability problems that cannot be explained by missing hardware or software updates.

Upon noticing such symptoms, it is important to react quickly, as an attack can cause serious damage to the affected infrastructure in just a few minutes.

Details and consequences of the record-breaking attack

The scale of the 2025 incident is truly unprecedented: 37.4 terabytes of data in 45 seconds represents a staggering volume. The defense against the attack was built on automation: Cloudflare’s Magic Transit service stopped the assault without any human intervention. As a result, the critical elements of the attacked hosting provider remained intact, and its service did not collapse.

However, the event once again highlighted that even the largest companies’ systems are not immune: smaller DDoS attacks have previously crippled major services such as Twitter (X) and Microsoft. These attacks are relatively cheap to launch, hard to trace, and offer the attacker anonymity, which makes them a popular tool for cybercriminals and hacker groups.

The distribution of the attackers was also global: the traffic originated from a total of 122,145 IP addresses in 161 countries and from 5,433 different networks. During the attack, various types of data packets were launched from multiple directions and at different times, deliberately distributed to make defense even more difficult. As mentioned, the lion’s share of the attack came from Brazil and Vietnam, but networks in Taiwan, China, and Indonesia also contributed significantly. Among the networks (Autonomous Systems, AS) that generated the most traffic, Telefonica Brazil (10.5%) and the Viettel Group (9.8%) led the list.

Defense strategies and recommendations – Traffic filtering at the network edge

One of the most effective ways to fend off overload attacks is to block or mitigate the malicious traffic before it reaches the target system. This requires network architectures that pre-filter traffic at the network edge—that is, before it even reaches the data center.

Cloudflare’s Magic Transit service operates on this principle: it disperses attacking data packets across its globally distributed anycast network, preventing any single data center from being overwhelmed. This clearly shows how effective it can be when traffic is cleaned at the entry points—the DDoS wave never even reaches the internal network.

At Unicorn, we work with a similar mindset when designing multi-layered network protection for our enterprise clients. As a vendor-independent system integrator, we implement solutions that:

  • Detect suspicious patterns in real time.
  • Are capable of blocking overload traffic at the network boundary.
  • Ensure secure data flow during normal operations.

For example, the Netscout Arbor Edge Defense system is specifically designed for network-level mitigation of DDoS attacks, while Palo Alto Networks firewall solutions offer sophisticated threat detection and prevention capabilities. By combining these, we create a proactive defense environment capable of preventing the paralysis of critical services, whether in on-premise, cloud-based, or hybrid infrastructures.

UDP traffic restriction and rate-limit rules

A significant portion of overload attacks are UDP-based. These packets do not establish a two-way connection, so the attacker can send an unlimited number of requests to a server, often with meaningless or deliberately malformed content. Since there is no acknowledgment, the target simply absorbs the flood with no way to throttle the sender.

One of the most important steps to effectively curb such attacks is to implement UDP rate-limit rules. These rules automatically cap how much UDP traffic is accepted from a given source IP address per second, so a sudden, unusual burst is blocked within its first few seconds.

At Unicorn, we apply traffic regulation procedures in both Palo Alto Networks firewall solutions and Infoblox DNS management systems that can automatically recognize suspicious UDP traffic and slow it down or block it before it can overwhelm the system. These rules can be customized based on criteria such as source address, destination port, or time interval.

This way, the defense system doesn’t just react; it prevents the attacker from tying up network resources in the first place.
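To make the rate-limit idea concrete, here is an added example (not the page’s own code and not the Palo Alto Networks or Infoblox implementation) of a per-source UDP limiter using a token bucket keyed by source address and destination port, with a per-port override for the destination port, matching the criteria described above. The source addresses, packet timings and limit values are all constructed for the example.

```python
"""Per-source UDP rate limiting with a token bucket keyed by (source IP, destination port).

Added example over constructed packet records; the limiter, the class name and the limit
values are assumptions for illustration, not a vendor's implementation.
"""
from collections import defaultdict

# Default budget: 50 packets/s sustained, bursts of up to 100 packets (assumed values)
DEFAULT_LIMIT = (50.0, 100.0)
# Per-destination-port overrides: DNS (53) is legitimately chatty, so it gets more headroom
PORT_LIMITS = {53: (200.0, 400.0)}


class UdpRateLimiter:
    """Token bucket per (src_ip, dst_port). Each packet costs one token; tokens refill at
    `rate` per second up to `burst`. A source that exhausts its bucket is dropped until it
    has been quiet long enough to earn tokens back, so a legitimate client recovers."""

    def __init__(self, default=DEFAULT_LIMIT, port_limits=None):
        self.default = default
        self.port_limits = port_limits or {}
        self.buckets = {}  # (src_ip, dst_port) -> [tokens, last_timestamp]

    def allow(self, src_ip, dst_port, ts):
        rate, burst = self.port_limits.get(dst_port, self.default)
        key = (src_ip, dst_port)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = [burst, ts]  # a new source starts with a full bucket
        tokens, last = bucket
        tokens = min(burst, tokens + (ts - last) * rate)  # refill for the elapsed time
        if tokens >= 1.0:
            bucket[:] = [tokens - 1.0, ts]
            return True
        bucket[:] = [tokens, ts]  # no token available: drop, but keep the refill clock
        return False


def filter_packets(packets, limiter):
    """packets: (timestamp_seconds, src_ip, dst_port) tuples in time order.
    Returns per-source allowed/dropped counts, much like a firewall rule counter."""
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src_ip, dst_port in packets:
        verdict = "allowed" if limiter.allow(src_ip, dst_port, ts) else "dropped"
        stats[src_ip][verdict] += 1
    return dict(stats)


def constructed_traffic():
    """Constructed input: a DNS client (documentation address 198.51.100.20) sending
    16 queries/s for 2 s, and a flood source (203.0.113.7) firing 1000 packets at
    UDP port 123 in just under one second."""
    legit = [(j / 16, "198.51.100.20", 53) for j in range(32)]
    flood = [(i / 1024, "203.0.113.7", 123) for i in range(1000)]
    return sorted(legit + flood)


def run_demo():
    """Run the constructed traffic through a limiter with the port overrides above."""
    return filter_packets(constructed_traffic(), UdpRateLimiter(port_limits=PORT_LIMITS))


if __name__ == "__main__":
    for src, counts in run_demo().items():
        print(src, counts)
```

With these values the DNS client is never throttled, while the flood source gets its initial burst of 100 packets plus roughly 50 per second of refill and everything beyond that is dropped; on a real firewall the same logic is what a per-source UDP rate-limit profile expresses, with the counters feeding the monitoring described in the next section.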

Real-time network traffic monitoring

DDoS attacks are often not immediately noticeable; initially, we might only experience minor slowdowns or outages. Therefore, it is essential to have real-time monitoring at every level of the network.

At Unicorn, we install systems that automatically monitor traffic changes and immediately issue an alert if they detect an unusual pattern.

The solution is not based solely on static rules: monitoring systems like checkmk and others can learn from normal operations and distinguish between a Monday morning load and an attack. This allows for a rapid response before the service goes down.
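The warning signs listed earlier (a sudden surge in traffic) and the baseline idea in this section can be shown in working code. The following is an added example, not the page’s own code and not how checkmk or any named product implements it: it learns a per-weekday-and-hour baseline from constructed request counts, floors the standard deviation at a fraction of the mean so a very stable slot does not alarm on a small bump, and flags intervals whose z-score exceeds a threshold. Function names, the threshold and the synthetic traffic profile are assumptions.

```python
"""Baseline-driven traffic anomaly detection over constructed hourly request counts.

Added example: learns what "normal" looks like per (weekday, hour) and alerts on
intervals far outside it, so a busy Monday morning is not mistaken for an attack.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta


def learn_baseline(samples):
    """samples: (datetime, requests_in_that_hour) pairs from normal operation.
    Returns {(weekday, hour): (mean, stddev)}, so Monday 09:00 is compared only
    with earlier Monday 09:00 intervals."""
    buckets = defaultdict(list)
    for ts, count in samples:
        buckets[(ts.weekday(), ts.hour)].append(count)
    baseline = {}
    for key, values in buckets.items():
        mean = sum(values) / len(values)
        variance = sum((v - mean) ** 2 for v in values) / len(values)
        baseline[key] = (mean, math.sqrt(variance))
    return baseline


def score_interval(baseline, ts, count, rel_floor=0.05, threshold=4.0):
    """Return (z_score, is_anomalous) for one observed interval.
    The stddev is floored at rel_floor * mean (assumed 5%) so that a slot with almost
    no historical variation does not raise an alert on ordinary fluctuation."""
    mean, sigma = baseline[(ts.weekday(), ts.hour)]
    sigma = max(sigma, rel_floor * mean)
    z = (count - mean) / sigma
    return z, z > threshold


def detect(baseline, observations, **kwargs):
    """Score every (datetime, count) observation; return the ones that warrant an alert."""
    alerts = []
    for ts, count in observations:
        z, flagged = score_interval(baseline, ts, count, **kwargs)
        if flagged:
            alerts.append((ts, count, round(z, 1)))
    return alerts


def constructed_normal_traffic(weeks=4):
    """Deterministic synthetic history (constructed, not real telemetry):
    Mon-Fri 08:00-17:59 busy, Monday 09:00 busier still (login rush), nights and
    weekends quiet, with a fixed -5..+5 percent jitter so the baseline has spread."""
    start = datetime(2025, 5, 5)  # a Monday, 00:00
    samples = []
    for i in range(weeks * 168):
        ts = start + timedelta(hours=i)
        if ts.weekday() < 5 and 8 <= ts.hour < 18:
            base = 14000 if (ts.weekday() == 0 and ts.hour == 9) else 10000
        else:
            base = 1500
        jitter = (i * 37) % 11 - 5  # deterministic pseudo-noise in percent
        samples.append((ts, round(base * (1 + jitter / 100))))
    return samples


def run_demo():
    """Two observed intervals: a slightly heavier Monday morning (benign) and a
    night-time flood at 40000 requests in an hour that normally sees ~1500."""
    baseline = learn_baseline(constructed_normal_traffic())
    observations = [
        (datetime(2025, 6, 2, 9), 14500),   # Monday 09:00, within the learned profile
        (datetime(2025, 6, 3, 3), 40000),   # Tuesday 03:00, far outside the profile
    ]
    return detect(baseline, observations)


if __name__ == "__main__":
    for ts, count, z in run_demo():
        print(f"ALERT {ts:%a %H:%M}: {count} requests (z={z})")
```

The point of keying the baseline by weekday and hour is exactly the distinction the text draws: the same 14500 requests that are normal at 09:00 on a Monday would be a strong anomaly at 03:00, and a single static threshold cannot express that.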

Network segmentation: Avoid a monolithic architecture

The more complex an IT system is, the greater the trouble if it is attacked at a single point. That is why it is important that different systems do not operate on a single, shared network.

In Unicorn projects, we often apply a segmented network design: we organize individual business services, internal systems, and remote access into separate logical zones. This way, if one part is under attack, work can continue uninterrupted on the others.

Device security and updates: Prevention is key

Attackers often exploit outdated or poorly protected devices, such as old network adapters, IP cameras, or IoT devices still running with factory-default passwords. These can easily be turned into a botnet that launches an attack against our network, even from within.

At Unicorn, we pay special attention to ensuring that there are no open doors in our clients’ infrastructure. Our systems support full asset discovery, keeping firmware up-to-date, and changing default credentials. By doing so, we eliminate the most common attack surfaces before an attack even occurs.

Together, these five defense strategies form a comprehensive, practical approach that can permanently reduce the impact of DDoS attacks and preserve the security of continuous business operations.

Conclusion

The record-breaking DDoS attack of June 2025 clearly shows that overload techniques are becoming increasingly sophisticated and can cause significant damage in a short amount of time. Defense does not depend on a single solution but on a set of interconnected technical and organizational measures that come into play before an attack even begins.

Pre-filtering, traffic regulation, real-time monitoring, network segmentation, and device security all contribute to an organization’s ability not just to react to threats but to prevent critical outages. Experience shows that today the question is no longer whether an attack will come, but whether the existing layers of defense can detect, filter, and manage it in time.