Largest DDoS Attack to Date

It was a recently unimaginable 7.3 Tbps:

The vast majority of the attack was delivered in the form of User Datagram Protocol packets. Legitimate UDP-based transmissions are used in especially time-sensitive communications, such as those for video playback, gaming applications, and DNS lookups. It speeds up communications by not formally establishing a connection before data is transferred. Unlike the more common Transmission Control Protocol, UDP doesn’t wait for a connection between two computers to be established through a handshake and doesn’t check whether data is properly received by the other party. Instead, it immediately sends data from one machine to another.

UDP flood attacks send extremely high volumes of packets to random or specific ports on the target IP. Such floods can saturate the target’s Internet link or overwhelm internal resources with more packets than they can handle.

Since UDP doesn’t require a handshake, attackers can use it to flood a targeted server with torrents of traffic without first obtaining the server’s permission to begin the transmission. UDP floods typically send large numbers of datagrams to multiple ports on the target system. The target system, in turn, must send an equal number of data packets back to indicate the ports aren’t reachable. Eventually, the target system buckles under the strain, resulting in legitimate traffic being denied.
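The quoted description above is prose; as an added example (mine, not from the post or the article it quotes), here is a small detector that applies the same observation from the defender's side: a UDP flood shows up as a burst of packets to one destination that spans far more destination ports than any real service would use. Packet records, thresholds and addresses (RFC 5737 documentation ranges) are all constructed for the example; in practice the records would come from NetFlow/sFlow or a packet tap.

```python
"""UDP flood detector over per-packet records (added example, not from the post)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time, seconds
    src: str       # source IP (spoofable for UDP, so treat with suspicion)
    dst: str       # destination IP
    proto: str     # "udp", "tcp", ...
    dport: int     # destination port
    length: int    # bytes on the wire


@dataclass(frozen=True)
class Alert:
    dst: str
    window: int          # index of the offending time window
    packets: int
    byte_count: int
    distinct_ports: int
    distinct_sources: int


def detect_udp_floods(packets, window_s=1.0, pps_threshold=1000, port_spread=100):
    """Bucket UDP packets per (destination, window) and flag windows whose
    packet rate and destination-port spread both exceed the thresholds.
    Thresholds are arbitrary constructed values; tune to the link in question."""
    stats = defaultdict(lambda: {"pk": 0, "by": 0, "ports": set(), "srcs": set()})
    for p in packets:
        if p.proto != "udp":
            continue
        s = stats[(p.dst, int(p.ts // window_s))]
        s["pk"] += 1
        s["by"] += p.length
        s["ports"].add(p.dport)
        s["srcs"].add(p.src)

    alerts = []
    for (dst, w), s in sorted(stats.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if s["pk"] / window_s >= pps_threshold and len(s["ports"]) >= port_spread:
            alerts.append(Alert(dst, w, s["pk"], s["by"], len(s["ports"]), len(s["srcs"])))
    return alerts


def constructed_sample():
    """Constructed traffic using RFC 5737 documentation addresses:
    20 ordinary DNS queries spread over 10 s, then 5000 datagrams in one
    second aimed at 2000 ports of 203.0.113.10 from 254 (spoofed) sources."""
    pkts = [Packet(i * 0.5, "198.51.100.%d" % (i % 5 + 1), "203.0.113.53", "udp", 53, 80)
            for i in range(20)]
    pkts += [Packet(5.0 + i / 5000.0, "192.0.2.%d" % (i % 254 + 1), "203.0.113.10",
                    "udp", 1024 + i % 2000, 1400)
             for i in range(5000)]
    return pkts


if __name__ == "__main__":
    for a in detect_udp_floods(constructed_sample()):
        print(f"window {a.window}: {a.dst} got {a.packets} UDP packets "
              f"({a.byte_count * 8 / 1e6:.1f} Mbit) over {a.distinct_ports} ports "
              f"from {a.distinct_sources} apparent sources")
```

The distinct-source count is reported but deliberately not used in the decision: because UDP carries no handshake, the source addresses in a flood are whatever the sender chose to write, so port spread and packet rate per destination are the more trustworthy signals.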

Posted on June 23, 2025 at 7:04 AM

Comments

Clive Robinson June 23, 2025 10:35 AM

@ ALL,

A simple observation,

“As bandwidth goes up and latency goes down, the data rate for a DDoS will go up to compensate.”

So 7.3 Tbps today, double that by Xmas 2026…

There are a couple of solutions to DDoS,

1, Charge per packet.
2, Restriction of bandwidth

Neither of which are going to be popular with users who now have,

“The Vegas Buffet mentality towards Internet service provision.”

Though one thing they left out when they said,

“Unlike the more common Transmission Control Protocol, UDP doesn’t wait for a connection between two computers to be established through a handshake and doesn’t check whether data is properly received by the other party. Instead, it immediately sends data from one machine to another.”

UDP is easy to spoof, because due to the way it’s designed the return IP address and port don’t have to be valid.

If people look back in history, in the past, instead of an IP address a network address was used, thus forcing a reply to every IP address in the network address, and this can be a significant “force multiplier”.

In theory that should not work any more but there are other tricks that still work…

Peter A. June 23, 2025 11:16 AM

@Clive Robinson:

I am not sure what you really mean regarding your two solutions.

Charging per packet won’t work unless strong authentication and attribution – worldwide – is implemented for every Internet connection or even user. That’s next to impossible in the current architecture – or should we go back to X.25 times or similar… paying the National Post Office for both time of connection and amount of packets transferred.

Even if we do, what do you mean to achieve?

Charging per packet? Outgoing or incoming? Since the perpetrators of DDoS attacks do not use their own resources, paid for by them, but stolen ones, they won’t be affected; everybody else would be charged for outgoing traffic. And the victim could be bankrupt in minutes, if not seconds, if incoming traffic is charged for. DDoSers could be even more motivated to wreak havoc – in addition to disrupting or bankrupting their target (and getting paid for it, possibly), they might be encouraged to do pure evil by making everyone and the dog pay a little extra for no gain to the perps.

Limiting bandwidth on output – I can’t see how it would help. Upload rates are already very limited for most consumer connections, and DDoSers can just spread their load thinner – as long as there’s plenty of devices to infect and recruit into botnets. On input? Input is already limited by contracts and physical links, and the whole purpose of DDoS is to saturate this limit.

Sorry, maybe I am completely missing something in your reasoning.

lurker June 23, 2025 2:05 PM

“A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack.”

Oh really? Carpet bombing is usually about sheer volume, not precision.

“The target system, in turn, must send an equal number of data packets back to indicate the ports aren’t reachable.”

Surely dropping unwanted packets must be more economical and secure. Besides, they already said UDP doesn’t need replies.

Some of the comments noted that this read like a slow news story. Oh, and why isn’t “past its Use by Date” QoD non-routable?

Nameless June 23, 2025 2:31 PM

I agree with @lurker:

“Surely dropping unwanted packets must be more economical and secure. Besides, they already said UDP doesn’t need replies.”

That was my first thought upon reading: “must send an equal number of data packets back to indicate the ports aren’t reachable.”

I realize the internet (both TCP and UDP, and ICMP replies) was all designed in an age when it wasn’t imagined anyone would ever possibly use any technology for malicious purposes (eye roll), so courtesy replies used to be common, expected, the norm, etc… but we’ve gone past that for many decades now and from a security standpoint nobody should ever be required to send back a reply to a packet it doesn’t recognize or expect in some way. It doesn’t even matter if it “breaks a protocol” of some kind… if you don’t recognize it as valid and need it in some way, drop it. Period. That’s the only possible responsible secure thing to do.

Unfortunately a lot of the antiquated infrastructure that exists out there still isn’t operating from a security standpoint even after all these decades.
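The two comments above disagree with the quoted article about whether a host “must” answer every datagram to a closed port. As an added example (mine, not the commenters' or the post's), the model below compares the three behaviours: reply to every datagram, reply under a token-bucket limit, or drop silently. The limiter is a simplified stand-in for the kernel's global ICMP error limiter; its defaults borrow the values of the Linux sysctls net.ipv4.icmp_msgs_per_sec (1000) and net.ipv4.icmp_msgs_burst (50), but the code is a model, not kernel code, and the traffic is constructed.

```python
"""How a host answers UDP datagrams aimed at closed ports: reply to every one,
reply under a token-bucket rate limit, or drop silently (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    ts: float    # arrival time in seconds
    dport: int   # destination UDP port


class IcmpRateLimiter:
    """Token bucket standing in for the kernel's global ICMP error limiter.
    Defaults mirror Linux's net.ipv4.icmp_msgs_per_sec (1000) and
    net.ipv4.icmp_msgs_burst (50); this is a simplified model, not kernel code."""

    def __init__(self, msgs_per_sec=1000, burst=50):
        self.rate = msgs_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def handle_udp(datagrams, open_ports, policy, limiter=None):
    """Return (delivered, icmp_unreachable_sent, silently_dropped) for one policy.
    'reply_all' is the behaviour the quoted article describes; 'rate_limited'
    approximates what a Linux host does; 'silent_drop' is a firewall DROP rule."""
    delivered = icmp = dropped = 0
    for d in sorted(datagrams, key=lambda x: x.ts):
        if d.dport in open_ports:
            delivered += 1
        elif policy == "reply_all":
            icmp += 1
        elif policy == "rate_limited":
            if limiter.allow(d.ts):
                icmp += 1
            else:
                dropped += 1
        elif policy == "silent_drop":
            dropped += 1
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return delivered, icmp, dropped


def constructed_traffic():
    """Constructed input: 20 DNS queries to an open port over 10 s plus
    5000 datagrams in one second spread across 2000 closed ports."""
    pkts = [Datagram(i * 0.5, 53) for i in range(20)]
    pkts += [Datagram(5.0 + i / 5000.0, 1024 + i % 2000) for i in range(5000)]
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    for policy in ("reply_all", "rate_limited", "silent_drop"):
        print(policy, handle_udp(traffic, {53}, policy, IcmpRateLimiter()))
```

With the limiter the host sends roughly a thousand ICMP unreachables for five thousand inbound datagrams instead of five thousand, and with a DROP rule it sends none; neither choice affects the legitimate queries to the open port. Whichever the host does, the inbound link still carries the full flood, which is the point made further down the thread about needing upstream filtering.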

Clive Robinson June 23, 2025 8:17 PM

@ Peter A.,

With regards,

“I am not sure what you really mean regarding your two solutions.”

As I noted neither solution is going to happen, even though they are “foundation level fixes”.

Also there is not really a third or other option above (such as fix the IP and above protocols). Because at the end of the day unless you nail the fundamentals, there will always be holes big enough to drive a herd of rampaging elephants through…

So the realistic answer is,

“Like it or not ‘Distributed Denial of Service’ (DDoS) attacks are going to remain ‘a fact of life’, with the data rates doubling about every year and a half.”

Until people actually decide they really want it fixed, and are prepared to do what is necessary… Which unfortunately will involve killing the current fundamental underpinning the entire Internet economic model (as you’ve surmised)…

You might or might not know the likes of Google have made suggestions for protocol changes in the past… But they have not happened for two basic reasons,

1, They actually won’t stop the problem just shift the goal posts.
2, Because there is always an ulterior “business advantage” reason tucked behind it somewhere[1].

Perhaps I should have put sarcasm tags around it, but in all honesty it’s a way bigger issue as @Nameless points out with,

“I realize the internet (both TCP and UDP, and ICMP replies) was all designed in an age when it wasn’t imagined anyone would ever possibly use any technology for malicious purposes (eye roll), so courtesy replies used to be common, expected, the norm, etc… but we’ve gone past that for many decades now and from a security standpoint nobody should ever be required to send back a reply to a packet it doesn’t recognize or expect in some way.”

Or do anything else that does not serve a beneficial / profitable “economic” purpose.

Amazon etc have this as a fundamental, you cannot look at their sites without them “data raping, pillaging, and plundering” you as “standard”.

The “solution to nuisance calls” has always been,

1, Circuit switched thus traceable and rate limited.
2, Make originator pay by bandwidth and usage.

Thus DDoS was at best entirely impractical and way too expensive.

The US of course “knew better” and had “toll free calling” in “social hours” so people got hit by unwanted sales / electioneering calls etc.

Something other countries did not suffer from until they too had either “toll free” or “low toll” calls. It’s a quite basic form of economics, and something the neo-cons hate because they see it as a tax on their self-entitled rights.

But finally consider the thoughts of our host @Bruce’s friend Cory Doctorow and the process he called “Enshittification” back at the end of 2022. Whilst he was talking about “Internet Platforms” like the Google Search Engine, and everything Microsoft gets its grubby paws on, it’s actually way more foundational. Because it applies to not just the entirety of the Internet from below The Physical Layer(0), all the way up to and realistically beyond even the inter governmental Treaty Level(13)[2]. It appears to be a fundamental failing of a small percentage of the Human Race that see,

“Individual Rights v. Social Responsibility”

In their very self entitled way of,

“Everyone else owes them everything as is their due by ‘divine right’…”

My advice on meeting such people would be “if it was not unlawful”, “Make sure your aim is a little to your right of their right ear”. Because with that four inches you would be doing the majority of the world a favour…

Just saying 😉

[1] Think a variation of the Microsoft “Embrace, Extend, and Extinguish”(EEE) reason. We’ve seen it with HTML5, JavaScript, and similar and it never ends well security and privacy wise.

[2] It was once called the “ISO-OSI Seven Layer Model” of networking. However it was sufficiently abstract that it fairly quickly became clear there was a lot above and below it. Fun fact: because of the way the Physical Layer is usually specified, it’s actually a “Turtles all the way down” model. That is IP can sit on top of X25 that can sit on top of ATM that in turn can sit on top of IP, Ethernet, or both, etc. Even a form of “Token Ring” in space (see Cambridge Ring from the 1980s). But it can also work the other way, when you consider you can layer a very much more secure almost surveillance proof network on top of our current IP network.

Clive Robinson June 24, 2025 6:12 AM

@ ALL,

In my above I note that DDoS is something eternal unless the foundations are changed.

But a question arises of,

“Can you do a ‘partial fix’?”

To which the answer is “maybe” and depends on the behaviour of the attacker.

As long term readers know, various commenters have noted they get griefed from Chinese networks, where they don’t have or want users.

Therefore they simply “drop or block” all requests from Chinese assigned IP address blocks/ranges.

It just so happens in looking for broader info on this “China Syndrome”, this popped into view,

https://blog.xkeeper.net/uncategorized/tcrf-has-been-getting-ddosed/

Let’s just say it will save me some typing 😉

Not really anonymous June 24, 2025 12:24 PM

You can’t just drop packets from China (nor based on any other rule) locally. You need to get the traffic blocked upstream or your link will still be unusable.

Clive Robinson June 24, 2025 4:22 PM

@ Not really anonymous, ALL,

With regards,

“You need to get the traffic blocked upstream or your link will still be unusable.”

Yes, but… how do you do that, and without it becoming,

1, A new attack vector to do DoS
2, A new censorship tool
3, A new Surveillance tool
4, A new attack on end users

And quite a few other new variant issues on currently known attack types?

The problem with DoS and especially DDoS attacks is that without fixing the fundamental issues of the IP network protocols, any non-local defense automatically becomes a new DoS or DDoS attack itself.

In the past people have suggested using PKI and CA Certs as a way to at least authenticate the blocking request…

But the now ludicrously short life of CA Certs tells you there is an underlying security issue with them…

We also know that CA Certs can be inadvertently divulged, stolen, and even forged in several ways as they have been in the past.

The PKI is not actually verifiable security but a “nod and a wink” twitching of the curtain, as are all “Off-Line Authentication” systems.

And all “On-Line Authentication” systems are vulnerable to any kind of DoS or DDoS attack…

So a case of “move the goal posts and make the goal mouth much bigger”.

But before we do anything that is “not local” to the “target of the attack” we need to be sure it can not be weaponised in some way…

As I point out from time to time,

“Technology is agnostic to use”

Which raises a significant issue…

Because it is a third party “Observer Issue”.

That is the observer is supposedly independent, not a participant, viewing through their own current point of view at past events, that acts as the arbiter of any use of a technology being “Good or Bad” in contemporary human terms (look up the “rose tinted glasses” idiom).

It’s one of those “Do you throw the switch?”[1] Philosophical / Moral questions that look good hypothetically, but in reality are all “politics” with either a small or large “P”.

[1] The “Do you throw the switch?” questions are real world examples of the theoretical philosophical “Trolley Dilemma” questions. In essence such things are almost always “uncodifiable” because whatever you do is wrong or right based on some future observer’s opinion / point of view. And there is an old English saying that covers it,

“Damned if you do, damned if you don’t.”

Most examples discussed are almost always theoretical hence discussed as the “Trolley Dilemma”,

https://www.thoughtco.com/would-you-kill-one-person-to-save-five-4045377

Usually you can tell they are theoretical because the “War Games Response” from the “Joshua” war games AI/computer,

“A strange game. The only winning move is not to play.”

Is not offered. Also people rarely include the full statement that ends with the tell-tale question of,

“How about a nice game of chess?”

Showing the Joshua AI preference for games that can be codified in ways that do not allow for “futility” as an outcome.

A subject that gets discussed about “tic-tac-toe” between Jennifer and Prof Falken earlier in the film.

See a transcript at,

https://m.imdb.com/title/tt0086567/characters/nm0939795
