Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack

Cloudflare on Tuesday said it autonomously mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps).

"Over the past few weeks, we have autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps," the web infrastructure and security company said in a post on X. "The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud."

The entire attack lasted only about 35 seconds, with the company stating its "defenses have been working overtime."

Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks often result in network congestion, packet loss, and service disruptions.

Such attacks are often carried out by sending the requests from botnets that are already under the control of the threat actors, who have previously infected the devices (computers, IoT devices, and other machines) with malware.


"The initial impact of a volumetric attack is to create congestion that degrades the performance of network connections to the internet, servers, and protocols, potentially causing outages," Akamai says in an explanatory note.


"However, attackers can also use volumetric attacks as a cover for more sophisticated exploits, which we refer to as 'smoke screen' attacks. As security teams work diligently to mitigate the volumetric attack, attackers may launch additional attacks (multi-vector) that allow them to surreptitiously penetrate network defenses to steal data, transfer funds, access high-value accounts, or cause further exploitation."

The development comes a little over two months after Cloudflare said it had blocked, in mid-May 2025, a DDoS attack that peaked at 7.3 Tbps and targeted an unnamed hosting provider.

In July 2025, the company also said hyper-volumetric DDoS attacks – L3/4 DDoS attacks exceeding 1 billion packets per second (Bpps) or 1 Tbps – skyrocketed in the second quarter of 2025, reaching a new high of 6,500 compared to 700 hyper-volumetric DDoS attacks in Q1 2025.

The development also comes as Bitsight detailed the RapperBot kill chain, which targets network video recorders (NVRs) and other IoT devices in order to enlist them into a botnet capable of carrying out DDoS attacks. The botnet infrastructure was taken down last month as part of a law enforcement operation.


In the attack documented by the cybersecurity company, the threat actors are said to have exploited security flaws in NVRs to gain initial access and download the next-stage RapperBot payload by mounting a remote NFS file system ("104.194.9[.]127") and executing it.

This is accomplished by means of a path traversal flaw in the web server that leaks the valid administrator credentials, which are then used to push a fake firmware update that runs a set of bash commands to mount the share and run the RapperBot binary matching the system architecture.

"No wonder the attackers choose to use NFS mount and execute from that share; this NVR firmware is extremely limited, so mounting NFS is actually a very clever choice," security researcher Pedro Umbelino said. "Of course, this means the attackers had to thoroughly research this brand and model and design an exploit that would work under these limited circumstances."


The malware subsequently obtains the DNS TXT records associated with a set of hard-coded domains ("iranistrash[.]libre" and "pool.rentcheapcars[.]sbs") in order to get the list of actual command-and-control (C2) server IP addresses.


The C2 IP addresses, in turn, are mapped to a C2 domain whose fully qualified domain name (FQDN) is generated using a simplified domain generation algorithm (DGA) that combines four domains, four subdomains, and two top-level domains (TLDs). The FQDNs are resolved using hard-coded DNS servers.

RapperBot ultimately establishes an encrypted connection to the C2 domain that has a valid DNS TXT record description, from where it receives the commands necessary to launch DDoS attacks. The malware can also be commandeered to scan the internet for open ports to further propagate the infection.
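The DNS behaviour described in the three paragraphs above (TXT lookups of hard-coded seed domains, a small DGA of four subdomains, four domains and two TLDs, and resolution through hard-coded DNS servers rather than the organisation's resolvers) gives a defender three concrete things to look for in DNS query logs. The following is an added detection sketch, not Bitsight's or the article's code: it enumerates the full 32-entry DGA candidate set and scans constructed log lines for the three signals. The two seed domains come from the article (defanged brackets removed); the DGA word lists, the log format, the `APPROVED_RESOLVERS` set and every client or resolver IP are constructed placeholders, since the page does not give the real word lists.

```python
"""Added detection sketch for RapperBot-style DNS behaviour (not the article's code).

Assumptions, all constructed for the example:
  - DGA word lists: the article gives only the shape (4 x 4 x 2), not the words.
  - Log format: one query per line, "ts client=... resolver=... qtype=... qname=...".
  - APPROVED_RESOLVERS: the resolvers clients on this network are expected to use.
"""
import itertools
import re
from dataclasses import dataclass

# Hard-coded seed domains named in the article (defanged "[.]" removed).
TXT_SEED_DOMAINS = {"iranistrash.libre", "pool.rentcheapcars.sbs"}

# Placeholder DGA components: stand-ins for the real (unpublished) lists.
DGA_SUBDOMAINS = ["sub-a", "sub-b", "sub-c", "sub-d"]
DGA_DOMAINS = ["word-a", "word-b", "word-c", "word-d"]
DGA_TLDS = ["tld-a", "tld-b"]

# Constructed: resolvers this organisation expects; queries elsewhere are suspect
# because the malware resolves its C2 FQDNs through hard-coded DNS servers.
APPROVED_RESOLVERS = {"10.0.0.53"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) resolver=(?P<resolver>\S+) "
    r"qtype=(?P<qtype>\w+) qname=(?P<qname>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    client: str
    reason: str
    qname: str


def dga_candidates(subdomains=DGA_SUBDOMAINS, domains=DGA_DOMAINS, tlds=DGA_TLDS):
    """Enumerate every FQDN the simplified DGA can produce (4 * 4 * 2 = 32).

    A DGA this small is best handled as a static watchlist rather than a
    statistical classifier: precompute all candidates and match exactly.
    """
    return {f"{s}.{d}.{t}" for s, d, t in itertools.product(subdomains, domains, tlds)}


def scan_dns_log(lines, candidates=None):
    """Return one Alert per matching signal in the given DNS query log lines."""
    candidates = dga_candidates() if candidates is None else candidates
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        qname = m["qname"].rstrip(".").lower()  # normalise trailing dot and case
        client, resolver, qtype = m["client"], m["resolver"], m["qtype"].upper()
        # Signal 1: TXT lookup of a known seed domain (fetching the C2 IP list).
        if qtype == "TXT" and qname in TXT_SEED_DOMAINS:
            alerts.append(Alert(client, "txt_lookup_of_known_seed_domain", qname))
        # Signal 2: lookup of any name the DGA can generate.
        if qname in candidates:
            alerts.append(Alert(client, "dga_candidate_lookup", qname))
        # Signal 3: query sent to a resolver other than the approved ones.
        if resolver not in APPROVED_RESOLVERS:
            alerts.append(Alert(client, "query_bypassed_approved_resolver", qname))
    return alerts


# Constructed sample log: one benign line, one seed-domain TXT lookup, one DGA
# candidate resolved via a non-approved resolver, one near-miss that is not a
# candidate (its subdomain is outside the DGA list).
SAMPLE_LOG = """\
2025-09-02T10:00:01Z client=192.0.2.10 resolver=10.0.0.53 qtype=A qname=example.com.
2025-09-02T10:00:02Z client=192.0.2.44 resolver=10.0.0.53 qtype=TXT qname=pool.rentcheapcars.sbs.
2025-09-02T10:00:03Z client=192.0.2.44 resolver=198.51.100.7 qtype=A qname=sub-c.word-b.tld-a.
2025-09-02T10:00:04Z client=192.0.2.10 resolver=10.0.0.53 qtype=A qname=sub-x.word-b.tld-a.
"""

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

Against the constructed sample the scanner raises three alerts, all for client 192.0.2.44: the TXT lookup of a seed domain, the DGA candidate lookup, and the use of a non-approved resolver for that lookup. Exact matching on the precomputed candidate set keeps the near-miss on the last line silent, which matters for a small DGA where substring or entropy heuristics would generate noise.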

"Their methodology is simple: scan the Internet for old edge devices (like DVRs and routers), brute-force or exploit and make them execute the botnet malware," Bitsight said. "No persistence is actually needed, just scan and infect, over and over again. Because the vulnerable devices continue to be exposed out there and they're easier to find than ever before."
