Cloudflare's Record-Breaking DDoS Mitigation: A Deep Dive into the 3.8 Tbps Attack
An S -flood for the Ages...
Introduction
DDoS attacks are far from a new phenomenon, but Cloudflare's recent encounter with a 3.8 terabits per second (Tbps) DDoS attack—the largest ever recorded—demonstrates that attackers are scaling their methods to unprecedented levels.
For context, large entities like Google or Facebook handle hundreds of Gbps to a few Tbps of legitimate traffic across their global infrastructures during peak hours. For an entire country, typical consumption might range from hundreds of Gbps to low Tbps. This attack’s scale was MASSIVE.
This wasn’t just a technical feat; it was a lesson in how critical scalable and autonomous defenses have become. Let’s dissect the attack, examine Cloudflare’s mitigation strategy, and explore why the future of DDoS defense lies in multi-layered approaches that go beyond traditional methods.
Understanding DDoS Attacks
A Distributed Denial of Service (DDoS) attack seeks to disrupt services by overwhelming them with a deluge of traffic. These attacks can vary in scale and complexity but ultimately aim to deny legitimate users access to websites, networks, or services. In recent years, the rise of botnets—networks of compromised devices—has enabled cybercriminals to launch massive and highly coordinated DDoS attacks.
Historically, the largest attacks before Cloudflare involved tech giants like Microsoft, which faced a 3.47 Tbps attack in 2021, and AWS, which mitigated a 2.3 Tbps attack in 2020. Both were impressive in scale, but the 3.8 Tbps DDoS attack Cloudflare mitigated set a new record and showcased the next stage in the evolution of cyber threats.
The Flood: What Happened
This 3.8 Tbps attack was not an isolated event but part of a month-long campaign of hyper-volumetric Layer 3/4 DDoS attacks that began in early September 2024. The campaign targeted multiple industries, aiming to disrupt services and overwhelm infrastructure on a global scale.
Key Stats:
Over 100 attacks exceeded 2 billion packets per second (Bpps) and 3 Tbps in traffic.
The largest attack peaked at 3.8 Tbps and lasted for 65 seconds.
Another major attack hit 2.14 Billion packets per second (Bpps) and lasted 60 seconds.
The attack vectors primarily utilized UDP traffic on a fixed port, saturating bandwidth and exhausting network resources. This onslaught didn’t discriminate, targeting multiple sectors including financial services, internet infrastructure providers, and telecommunications. Geographically, the attack traffic originated from countries such as Vietnam, Russia, Brazil, Spain, and the United States.
Cloudflare's Mitigation Strategies
Cloudflare’s response to the 3.8 Tbps attack exemplified a multi-layered defense strategy designed to handle such extreme levels of malicious traffic. Here’s a breakdown of their approach:
Autonomous Detection and Mitigation: Cloudflare’s mitigation strategy was fully autonomous. Their systems were able to analyze real-time traffic and immediately detect anomalous behavior, blocking malicious traffic as it arrived. A critical piece of this infrastructure was their denial of service daemon (dosd), which dynamically generated signatures to identify and mitigate the attack vectors without requiring human intervention. (Editorial note, that’s pretty awesome).
Anycast Network Deployment: Cloudflare’s Anycast network played a vital role in absorbing and dispersing attack traffic. Anycast is a capability that inherently spreads traffic across multiple globally distributed data centers, ensuring that no single node is overwhelmed. This strategy effectively prevents the kind of bottlenecks that could otherwise bring services to a halt.
Advantages of Anycast:
Distributed Traffic Handling: Anycast routes incoming requests to the nearest or best-performing node, dispersing traffic across the network.
Network Resilience: By increasing the surface area for handling traffic, Cloudflare ensured that even in the face of massive spikes, their services remained operational.
Multi-Level Defense: Cloudflare’s defense strategy wasn’t limited to a single layer. They employed security measures at the server, data center, and global network levels. This multi-tiered approach created redundancies, ensuring that even if one part of their defense was compromised, the overall system would remain resilient.
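To make the autonomous detection step concrete, here is an added toy model (not Cloudflare's dosd code, and not their thresholds) of what "dynamically generating a signature" means in practice: bucket sampled packets per second, estimate the packet and bit rate, fingerprint the dominant protocol/port combination when the rate crosses a threshold, and emit a drop rule for it. The sample rate, thresholds, port 9999 and the nftables chain name are all assumptions chosen for illustration; the traffic is constructed inline.

```python
"""Toy dosd-style autonomous detector (added example, not Cloudflare's code).
Finds the second in which sampled traffic crosses a rate threshold,
fingerprints the dominant (protocol, destination port) and emits a drop rule.
All thresholds, the sample rate and the traffic below are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # arrival time in seconds
    proto: str     # "udp" or "tcp"
    dport: int     # destination port
    length: int    # bytes on the wire


SAMPLE_RATE = 1000           # hypothetical 1-in-1000 packet sampling
PPS_THRESHOLD = 50_000       # hypothetical estimated packets/s that trips detection
BPS_THRESHOLD = 400_000_000  # hypothetical estimated bits/s that trips detection
MIN_SHARE = 0.8              # dominant key must cover this share to be a safe signature


def bucket_by_second(pkts):
    """Group sampled packets by the integer second they arrived in."""
    buckets = defaultdict(list)
    for p in pkts:
        buckets[int(p.ts)].append(p)
    return buckets


def derive_signature(pkts, sample_rate=SAMPLE_RATE):
    """Return a signature dict for one second of samples, or None.

    A signature is only produced when (a) the estimated rate exceeds a
    threshold and (b) one (proto, dport) key dominates; a flood spread
    over many keys gets no single rule, because that rule would over-block."""
    if not pkts:
        return None
    est_pps = len(pkts) * sample_rate                       # scale samples back up
    est_bps = sum(p.length for p in pkts) * 8 * sample_rate
    if est_pps < PPS_THRESHOLD and est_bps < BPS_THRESHOLD:
        return None
    (proto, dport), n = Counter((p.proto, p.dport) for p in pkts).most_common(1)[0]
    share = n / len(pkts)
    if share < MIN_SHARE:
        return None
    return {"proto": proto, "dport": dport, "share": share,
            "est_pps": est_pps, "est_bps": est_bps}


def to_nft_rule(sig):
    """Render the signature as an nftables drop rule (chain name is assumed)."""
    return f"nft add rule inet filter input {sig['proto']} dport {sig['dport']} drop"


def detect(pkts, sample_rate=SAMPLE_RATE):
    """Return [(second, signature)] for every second that trips detection."""
    hits = []
    for sec, group in sorted(bucket_by_second(pkts).items()):
        sig = derive_signature(group, sample_rate)
        if sig is not None:
            hits.append((sec, sig))
    return hits


def constructed_sample():
    """Constructed input: three seconds of 1-in-1000 samples, with a UDP
    flood on a single port (9999, an assumed value) during second 1."""
    pkts = []

    def baseline(sec):
        for i in range(10):
            pkts.append(Pkt(sec + i / 100, "tcp", 443, 100))
            pkts.append(Pkt(sec + i / 100 + 0.005, "udp", 53, 100))

    baseline(0)
    baseline(1)
    for i in range(200):  # 200 samples at 1:1000 ~ 200k pps of large UDP datagrams
        pkts.append(Pkt(1 + i / 1000, "udp", 9999, 1400))
    baseline(2)
    return pkts


if __name__ == "__main__":
    for sec, sig in detect(constructed_sample()):
        print(f"t={sec}s {sig} -> {to_nft_rule(sig)}")
```

Only second 1 trips detection, and the emitted rule matches the one port the flood used rather than all UDP, which is the property that lets a system like this act without a human in the loop: the rule is narrow enough that baseline DNS and HTTPS traffic in the same window is untouched.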
The Role of Compromised Devices
At the heart of the attack was a botnet composed of compromised devices, many of which were unsecured internet of things (IoT) systems. High packet-rate attacks were launched from devices such as MikroTik routers, DVRs, and web servers, while high bitrate traffic originated from compromised ASUS home routers, likely due to vulnerabilities like CVE-2024-3080.
The use of these devices highlights the growing security risk posed by IoT devices. More on that in a future post! As more everyday devices become connected to the internet, attackers are increasingly able to compromise them and use them as part of large-scale botnets. When it comes to IoT devices, the math is simple:
More devices * internet connectivity = scale.
My Time at Palo Alto Networks
During my tenure as an enterprise sales engineer at Palo Alto Networks, I had the opportunity to work closely with various organizations to enhance their defenses against DDoS attacks using our Next-Generation Firewalls (NGFWs) and their operating system, PAN-OS. PAN-OS played a key role in mitigating DDoS attacks, leveraging features like Zone Protection Profiles and DoS Protection policies to detect and thwart attack vectors at the network perimeter.
When it came to DDoS prevention, however, I learned that while NGFWs offer robust protection at the network perimeter, they aren’t a complete solution for large-scale attacks like those Cloudflare faced. Technologies like Anycast offer an additional layer of protection, allowing traffic to be dispersed across a global network. This multi-layered approach—combining on-premise firewalls with advanced network routing techniques—is essential in today’s evolving threat landscape.
That’s not to say that next-generation firewalls are deficient, or not a worthwhile investment, but rather that defending against large-scale attacks requires a comprehensive strategy and (if resources permit) a broader defense in depth.
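As an added illustration of the two points above (perimeter flood thresholds do work, yet an on-premise box is bounded by the pipe in front of it), here is a small model that is not PAN-OS code and not its actual algorithm: a flood profile with alarm, activate and maximum packet rates, loosely modelled on the three thresholds a Zone Protection Profile exposes, plus a fair-share estimate of how much legitimate traffic even reaches the firewall when the upstream link is saturated. The threshold values, the linear drop curve and the 10 Gbps link are assumptions.

```python
"""Model of a perimeter flood-threshold policy and the upstream-link bound
(added example; not PAN-OS code, and the drop curve is a simplification)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodProfile:
    alarm_pps: int      # log when exceeded
    activate_pps: int   # start shedding excess when exceeded
    maximum_pps: int    # above this, all excess over activate is dropped


def apply_profile(profile, pps):
    """Return (state, forwarded_pps) for one second of traffic into a zone.

    Below alarm: pass. Between alarm and activate: log only. Between activate
    and maximum: the excess over activate is shed with a share that grows
    linearly from 0 to 1 (a deterministic stand-in for random early drop).
    Above maximum: everything over activate is dropped."""
    if pps <= profile.alarm_pps:
        return "allow", pps
    if pps <= profile.activate_pps:
        return "alarm", pps
    if pps <= profile.maximum_pps:
        excess = pps - profile.activate_pps
        span = profile.maximum_pps - profile.activate_pps
        drop_share = excess / span
        return "rate-limit", pps - int(excess * drop_share)
    return "max-drop", profile.activate_pps


def link_delivery(link_bps, legit_bps, attack_bps):
    """Share of legitimate bytes that reach the firewall at all when the
    upstream link is shared proportionally between legitimate and attack
    traffic. No on-box policy can act on packets that never arrive."""
    offered = legit_bps + attack_bps
    if offered <= link_bps:
        return 1.0
    return link_bps / offered


if __name__ == "__main__":
    profile = FloodProfile(alarm_pps=10_000, activate_pps=20_000, maximum_pps=40_000)
    for rate in (5_000, 15_000, 30_000, 100_000):
        print(rate, apply_profile(profile, rate))
    # constructed: 10 Gbps uplink, 2 Gbps legitimate load, 3.8 Tbps flood
    print(link_delivery(10_000_000_000, 2_000_000_000, 3_800_000_000_000))
```

The profile keeps the zone behind the firewall alive for floods that fit through the link. The last line is the reason the post argues for a dispersed network in front of the perimeter: against the attack described here, a 10 Gbps uplink delivers well under one percent of legitimate traffic before the firewall has made a single decision.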
Anycast vs. Traditional DDoS Mitigation Methods
When comparing Anycast to more traditional DDoS mitigation techniques, it becomes clear why Cloudflare was able to succeed where other strategies might fail.
Anycast works at the network level, automatically distributing incoming traffic to the closest or most efficient node, reducing the likelihood of any single server or data center being overwhelmed. This contrasts with on-premise solutions, which are often limited by physical hardware capacity.
Traditional scrubbing centers, while effective in certain cases, require traffic to be rerouted out-of-path, introducing additional latency and complicating mitigation efforts. Anycast eliminates the need for such rerouting, providing a faster and more seamless defense.
For organizations looking to protect against modern DDoS attacks, Anycast is invaluable, especially when paired with automated detection systems that can operate without human oversight, a combination of speed and scale.
Are you saying I need Anycast?
Not necessarily; several complementary technologies work alongside Anycast to provide comprehensive DDoS mitigation:
Content Delivery Networks (CDNs): CDNs distribute content globally, improving performance and resilience during attacks. Akamai and AWS are leaders in this space, both utilizing Anycast as part of their global infrastructure.
Load Balancers: While not identical to Anycast, load balancers distribute traffic across multiple servers, providing additional redundancy. However, load balancers typically operate at the application layer rather than at the network level like Anycast.
GeoDNS: This technology routes traffic based on a user’s geographic location, but unlike Anycast, GeoDNS operates at the DNS level rather than within the broader network infrastructure.
If Anycast seems like a good next step, several companies specialize in offering Anycast-based services:
Cloudflare: One of the most well-known providers of Anycast DNS and DDoS protection services.
NetActuate: Provides Anycast-as-a-service, allowing businesses to leverage the technology without building their own global infrastructure.
Akamai and AWS: Both use Anycast as part of their content delivery and cloud security solutions.
Lessons Learned and Industry Implications
Cloudflare’s success in mitigating this record-breaking attack provides several key insights for our industry:
Scalable Infrastructure is Essential: Handling attacks of this scale requires a globally distributed network capable of absorbing massive traffic spikes.
Autonomous Defense is Key: Cloudflare’s automated detection and response system minimized the impact of the attack, showcasing the importance of real-time mitigation systems.
IoT Devices are a Growing Risk: The compromised routers and IoT devices used in this attack demonstrate the urgent need for better security practices in IoT ecosystems.
Layered Defense Strategies Work: Combining network-layer defenses like Anycast with perimeter-based solutions like NGFWs ensures more comprehensive protection against today’s threats.
Conclusion
The 3.8 Tbps DDoS attack marked a new benchmark in cyber threats, demonstrating how attackers are leveraging massive botnets to launch unprecedentedly large-scale attacks. Cloudflare’s ability to autonomously mitigate the attack using Anycast and a multi-layered defense strategy proves that the future of DDoS protection lies in scalable, global solutions. What’s more, the significance of autonomy in attack detection and (when appropriate) prevention is growing.
For businesses large and small, the key takeaway is clear: building resilience into your security strategy and architecture works.
It’s easier said than done, and resources can be limited. That’s why I’ve included a couple of free resources with DDoS mitigation capabilities:
Cloudflare Free Plan
Cloudflare offers a free tier that provides basic DDoS protection, as well as CDN services and performance improvements for websites. Check out their options here: https://www.cloudflare.com/plans/#overview
Google Cloud Armor Free Tier
Google Cloud Armor provides basic DDoS protection through its free tier, with an advanced security policy for small-scale applications. Check it out here: https://cloud.google.com/armor
I’ll wrap up this segment today by saying that the threat landscape is evolving both in the complexity of threats (exploits, AI-written phishing emails, etc.) and in scale (like this DDoS attack). It’s great to see Cloudflare’s progress and the role of automation in network defense.
Stay secure and stay curious, my friends!
Damien
Note: this post features my opinions only and is not an endorsement or deterrent of any of the firms listed in this blog.