On October 12, 2025, one of our customers — a major gaming platform — was hit by the largest DDoS attack we've mitigated to date. The attack peaked at 1.8 Tbps of volumetric traffic combined with a sophisticated Layer 7 component targeting their API infrastructure.
Here's what happened, how we handled it, and what we learned.
Timeline
14:32 UTC — Our telemetry systems detect an anomalous traffic spike at our Ashburn and Frankfurt PoPs. Initial volume: 200 Gbps and climbing rapidly.
14:32:08 UTC — Automatic mitigation engaged. Hardware filters deployed across all 32 PoPs within 80ms of detection. The attack is identified as a multi-vector campaign: UDP amplification (DNS, NTP, CLDAP) combined with TCP SYN floods and HTTP/2 rapid reset.
14:33 UTC — Attack volume reaches 800 Gbps. The botnet is distributed across 140,000+ unique source IPs spanning 95 countries. Our anycast routing is distributing the load across 28 active PoPs.
14:35 UTC — Peak volume: 1.8 Tbps. Our backbone is handling the load without congestion. Clean traffic to the customer is flowing normally with zero added latency.
14:38 UTC — The attacker shifts tactics, rotating source ports and payload patterns every 30 seconds in an attempt to evade our filters. Our behavioral analysis engine adapts in real-time, generating new filter rules that are deployed to hardware in under 100ms.
15:19 UTC — Attack subsides. Total duration: 47 minutes. Zero packets of legitimate traffic dropped. Customer's end users experienced no disruption.
Key observations
Multi-vector is the new normal. This attack combined three distinct volumetric vectors with an application-layer component. Each vector alone would have been manageable; the challenge was handling all four simultaneously while still separating legitimate traffic from attack traffic.
Botnet diversity matters. With 140,000+ source IPs across 95 countries, simple IP-based blocking would have been ineffective. Our behavioral fingerprinting — which analyzes packet timing, TTL distribution, TCP window sizes, and payload entropy — was critical for accurate classification.
Adaptation speed is everything. The attacker rotated patterns every 30 seconds. Our hardware pipeline's ability to deploy new filters in under 100ms meant we were always ahead of the rotation.
What we learned
Even at 1.8 Tbps, our infrastructure operated well within capacity. Our total network capacity of 200+ Tbps meant this attack consumed less than 1% of our global scrubbing capacity.
The more interesting challenge was the Layer 7 component — specifically the HTTP/2 rapid reset variant. We've since updated our behavioral models to better detect this pattern at the earliest stages, and we're publishing our detection signatures to the community.
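As an illustration of the kind of early-stage check the rapid-reset pattern calls for, here is an added example (not the signatures described above, and not this network's code): a per-connection sliding-window detector run over a constructed HTTP/2 frame log. The window length, reset count and reset ratio thresholds are assumptions chosen for the sample, not tuned values.

```python
"""Flag HTTP/2 connections exhibiting the rapid-reset pattern.

Constructed example: each event is (timestamp_s, conn_id, stream_id, frame_type),
as a client-frame log from a reverse proxy might provide. The frames of interest
are HEADERS (client opens a stream) and RST_STREAM (client cancels it).
"""
from collections import defaultdict, deque

WINDOW_S = 1.0         # sliding window length (assumption)
MIN_RESETS = 50        # resets inside the window before a connection is suspect
MIN_RESET_RATIO = 0.8  # fraction of opened streams the client then reset


def detect_rapid_reset(events, window_s=WINDOW_S, min_resets=MIN_RESETS,
                       min_ratio=MIN_RESET_RATIO):
    """Return {conn_id: timestamp} for each connection at the moment it first
    opens and cancels streams faster than the thresholds allow."""
    opened = defaultdict(set)               # conn -> stream ids that saw HEADERS
    headers_in_window = defaultdict(deque)  # conn -> timestamps of HEADERS
    resets_in_window = defaultdict(deque)   # conn -> timestamps of RST_STREAM
    flagged = {}
    for ts, conn, stream, ftype in sorted(events):
        if conn in flagged:
            continue
        if ftype == "HEADERS":
            opened[conn].add(stream)
            headers_in_window[conn].append(ts)
        elif ftype == "RST_STREAM" and stream in opened[conn]:
            resets_in_window[conn].append(ts)  # only client-opened streams count
        else:
            continue
        for dq in (headers_in_window[conn], resets_in_window[conn]):
            while dq and ts - dq[0] > window_s:  # drop timestamps outside window
                dq.popleft()
        n_reset = len(resets_in_window[conn])
        n_open = len(headers_in_window[conn])
        if n_reset >= min_resets and n_open and n_reset / n_open >= min_ratio:
            flagged[conn] = ts
    return flagged


def sample_events():
    """Constructed sample: conn 'A' opens 60 streams and resets each 1 ms later;
    conn 'B' behaves like a browser, opening 10 streams and cancelling one."""
    ev = []
    for i in range(60):
        t = i * 0.002
        ev.append((t, "A", 2 * i + 1, "HEADERS"))
        ev.append((t + 0.001, "A", 2 * i + 1, "RST_STREAM"))
    for i in range(10):
        ev.append((i * 0.1, "B", 2 * i + 1, "HEADERS"))
    ev.append((0.55, "B", 3, "RST_STREAM"))
    return ev
```

Connection A is flagged after its 50th reset, well inside the first tenth of a second; connection B never crosses the count threshold.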
For our customers
If you were on our platform during this event, you didn't notice — and that's the point. DDoS mitigation should be invisible. No diversion delays. No false positives. No phone calls to your NOC at 2 AM.
That's what inline, hardware-accelerated mitigation delivers.