The 22.2 Tbps DDoS Attack

A Record-Breaking Strike That Redefined Cyber Warfare

Introduction

On September 22, 2025, Cloudflare announced that it had autonomously mitigated the largest Distributed Denial-of-Service (DDoS) attack ever recorded. The assault peaked at 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps), setting new world records in scale, speed, and impact.

This massive hyper-volumetric attack, lasting only 40 seconds, was nearly double the size of the previous record (11.5 Tbps) and exposed alarming weaknesses in the global internet’s ability to withstand next-generation cyber threats.

The AISURU Botnet: The Engine Behind the Attack

The attack was attributed to the AISURU botnet, a powerful swarm of more than 300,000 compromised devices.

Key Characteristics of AISURU:

  • Built primarily from infected IoT devices and routers.

  • Expanded massively after a Totolink firmware update server compromise in April 2025.

  • Uses ChaCha20 encryption and HMAC-SHA256 to encrypt and authenticate its command-and-control traffic.

  • Controlled by three threat actors:

    • Snow (botnet developer)

    • Tom (exploit researcher)

    • Forky (monetization and sales)

This trio is known for ego-driven rivalries, embedding taunts into payloads, and rapidly escalating attack volumes.

Record-Breaking Specifications

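| Metric         | New Record | Previous Record | Increase |
|----------------|------------|-----------------|----------|
| Peak Bandwidth | 22.2 Tbps  | 11.5 Tbps       | +93%     |
| Packet Rate    | 10.6 Bpps  | 5.1 Bpps        | +108%    |
| Duration       | 40 seconds | 35 seconds      | +14%     |
| Source IPs     | 404,000+   | 300,000         | +35%     |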

Attack Methodology

1. UDP Carpet Bombing

  • Targeted 31,000+ ports per second, peaking at 47,000.

  • Distributed load across IPs and ports to evade detection thresholds.

2. Hit-and-Run Tactics

  • Short-lived but overwhelming bursts.

  • Designed to outpace manual response and maximize disruption.

3. Genuine IP Sources

  • Traffic came from real infected devices, not spoofed IPs.

  • Proved widespread, deep-rooted compromise of global networks.
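
The carpet-bombing point above, as an added detection example (not from the original article or from Cloudflare): a per-destination threshold stays silent when load is spread across a prefix, while an aggregate per-/24 check with a port-spread condition fires. The thresholds, the one-second flow window and the documentation-range addresses are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed thresholds for illustration; real values come from traffic baselines.
PER_IP_PPS = 5_000        # classic alarm: packets/s to a single destination IP
PER_PREFIX_PPS = 50_000   # aggregate alarm: packets/s to a whole covering prefix
MIN_PORT_SPREAD = 1_000   # distinct destination ports seen in the window

def per_ip_alerts(flows):
    """Classic detector: alert when one destination IP exceeds its threshold."""
    pps = defaultdict(int)
    for dst, _port, pkts in flows:
        pps[dst] += pkts
    return sorted(ip for ip, n in pps.items() if n > PER_IP_PPS)

def prefix_alerts(flows, prefix_len=24):
    """Aggregate detector: sum packets and distinct ports per covering prefix."""
    pkts_by_net = defaultdict(int)
    ports_by_net = defaultdict(set)
    for dst, port, pkts in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        pkts_by_net[net] += pkts
        ports_by_net[net].add(port)
    return sorted(
        str(net) for net, n in pkts_by_net.items()
        if n > PER_PREFIX_PPS and len(ports_by_net[net]) >= MIN_PORT_SPREAD
    )

def constructed_window():
    """One-second window of (dst_ip, dst_port, packets) tuples; sample data only."""
    flows = []
    # Carpet bombing: 254 hosts in one /24, 20 unique ports each, 200 packets per flow,
    # so every host receives 4,000 pps and stays under PER_IP_PPS.
    for host in range(1, 255):
        for i in range(20):
            flows.append((f"198.51.100.{host}", 1024 + host * 20 + i, 200))
    # Benign busy resolver in another prefix: one IP, one port.
    flows.append(("203.0.113.10", 53, 4_000))
    return flows

if __name__ == "__main__":
    window = constructed_window()
    print("per-IP alerts:    ", per_ip_alerts(window))
    print("per-prefix alerts:", prefix_alerts(window))
```

The port-spread condition keeps a busy but legitimate prefix from tripping the aggregate alarm on volume alone.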

Historical Escalation of Attacks

AISURU’s attack timeline in 2025 shows rapid growth:

  • Jan 2025: 3.1 Tbps

  • May 2025: 5.8 Tbps (targeted Brian Krebs’ website)

  • Sep 2025 (early): 11.5 Tbps

  • Sep 2025 (22nd): 22.2 Tbps

This reflects a tenfold increase in DDoS power over just five years, with most of that growth concentrated in 2025.

Cloudflare’s Autonomous Defense

Traditional defenses like manual scrubbing centres or rate limiting were useless at this scale. Cloudflare’s automated, AI-driven edge defense absorbed the attack in under a second.

Key Capabilities:

  • Machine learning anomaly detection within seconds.

  • Edge-based scrubbing close to the attack source.

  • Global anycast network spanning 330+ cities across 125+ countries.

  • Dynamic routing and load balancing to protect legitimate traffic.

Result: The victim’s services stayed online with zero disruption.

Real-World Scale of the Attack

To grasp the size of 22.2 Tbps:

  • Equivalent to streaming 1 million 4K videos simultaneously.

  • Every person on Earth refreshing a webpage 1.3 times per second.

  • 37.4 TB of data transferred in 40 seconds.

  • Equal to downloading 9.35 million songs in under a minute.

Industry and Infrastructure Implications

Network Stress Points

  • Routers and Firewalls – overwhelmed by 10 Bpps packet processing.

  • ISPs – risked transit saturation and cascading BGP instability.

  • Peering Providers – faced connectivity degradation across borders.

  • 41% increase in attack volumes (Gcore Q1–Q2 report).

  • 70% of attacks using carpet bombing techniques.

  • Average botnet size: 38,000 devices, though AISURU dwarfs this at 300,000+.

Defensive Recommendations

Immediate Actions for Organizations

  1. Capacity Audit – Ensure defenses can withstand >25 Tbps.

  2. Automation – Rely on AI/ML detection, not human intervention.

  3. Carpet Bombing Awareness – Deploy defenses tuned for multi-vector floods.

  4. Stress Testing – Simulate Tbps-scale attacks regularly.

Long-Term Strategies

  • Anycast deployment for distributed resilience.

  • BGP optimization to contain routing instabilities.

  • Collaborative threat intelligence sharing between ISPs, governments, and vendors.

Conclusion

The 22.2 Tbps attack marks a watershed moment in cyber warfare. It proves that attackers, leveraging botnets like AISURU, can now generate traffic volumes once thought impossible.

Cloudflare’s autonomous mitigation shows that effective defense is achievable—but only through automation, distributed architectures, and proactive innovation.

As IoT adoption grows and botnets expand, attacks of 50 Tbps or even 100 Tbps are on the horizon. The global cybersecurity community must act now, upgrading defenses and rethinking infrastructure resilience before the next world-record DDoS comes crashing down.
