

Ethical Hacking News

Cloudflare Foils Record-Breaking 11.5 Tbps DDoS Attack, Exposing Insidious RapperBot Malware



Cloudflare successfully blocked a record-breaking 11.5 Tbps DDoS attack, showcasing the company's vigilance in protecting the web from sophisticated cyber threats. In this article, we delve into the details of the attack and explore the evolving threat landscape, shedding light on the tactics used by attackers and the implications for security teams worldwide.

  • Cloudflare successfully blocked a record-breaking volumetric DDoS attack reaching 11.5 Tbps.
  • The attack was one of the largest ever recorded on the web infrastructure and security company's platform.
  • Automated defense mechanisms thwarted the massive assault on September 3rd, 2025.
  • Hyper-volumetric DDoS attacks skyrocketed in the second quarter of 2025, reaching a new high of 6,500.
  • Attackers used a path traversal flaw to leak administrator credentials and execute RapperBot malware.
  • The malware established encrypted connections with C2 domains using valid DNS TXT record descriptions.



    Cloudflare has successfully blocked a record-breaking volumetric distributed denial-of-service (DDoS) attack that reached an astonishing 11.5 terabits per second (Tbps), marking one of the largest attacks ever recorded on the web infrastructure and security company's platform. In a move that highlights the evolving threat landscape, Cloudflare's automated defense mechanisms thwarted this massive assault on September 3rd, 2025.

    According to a recent announcement by Cloudflare, it has been battling hyper-volumetric DDoS attacks – L3/4 DDoS attacks exceeding 1 billion packets per second (Bpps) or 1 Tbps – which skyrocketed in the second quarter of 2025, reaching a new high of 6,500 compared to 700 in the first quarter. The company's vigilance was put to the test as it automatically mitigated this record-breaking attack that peaked at 11.5 Tbps.

    Notably, the attackers employed a path traversal flaw in a web server to leak administrator credentials and execute a fake firmware update that ran specific bash commands to mount a share and run RapperBot malware based on system architecture. The malware subsequently obtained DNS TXT records associated with hard-coded domains to get actual C2 server IP addresses.

    In an interview, security researcher Pedro Umbelino commented on the attackers' methods: "No wonder they choose to use NFS mount and execute from that share; this NVR firmware is extremely limited, so mounting NFS is actually a very clever choice. Of course, this means they had to thoroughly research this brand and model and design an exploit that could work under these limited conditions."

    The RapperBot malware was found to establish encrypted connections with C2 domains using valid DNS TXT record descriptions received from hard-coded DNS servers, where it obtained commands necessary to launch DDoS attacks. Moreover, the malware can be commandeered to scan the internet for open ports to further propagate the infection.
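    The C2 lookup described above gives defenders something to hunt for: an NVR or DVR that sends DNS queries, TXT queries in particular, to a resolver other than the one the network hands out. The sketch below is an added example, not code from Cloudflare, Bitsight or the original article; the device subnet, approved resolver, log format and sample lines are all constructed assumptions.

```python
import ipaddress

# Assumptions (not from the article): the NVR/DVR VLAN and the approved resolver.
DEVICE_NET = ipaddress.ip_network("10.20.0.0/24")
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed sample DNS query log: time src_ip resolver_ip qtype qname
SAMPLE_LOG = """\
2025-09-03T04:00:01Z 10.20.0.15 10.0.0.53 A ntp.example.net
2025-09-03T04:00:07Z 10.20.0.15 192.0.2.53 TXT c2-lookup.example.org
2025-09-03T04:00:09Z 10.20.0.15 192.0.2.53 TXT c2-lookup.example.org
2025-09-03T04:01:30Z 10.20.0.22 10.0.0.53 TXT _spf.example.com
2025-09-03T04:02:11Z 10.30.0.8 198.51.100.53 TXT verify.example.com
2025-09-03T04:02:40Z 10.20.0.31 198.51.100.53 A update.example.net
malformed line
"""

def parse(line):
    """Return (src_ip, resolver, qtype, qname), or None for an unparsable line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, src, resolver, qtype, qname = parts
    try:
        return ipaddress.ip_address(src), resolver, qtype.upper(), qname.lower()
    except ValueError:
        return None

def triage(log_text):
    """Map each device that bypassed the approved resolver to its findings.

    severity is "high" if any bypassing query was a TXT lookup (the pattern
    the article describes), otherwise "medium" (resolver bypass only).
    """
    findings = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, resolver, qtype, qname = rec
        if src not in DEVICE_NET or resolver in APPROVED_RESOLVERS:
            continue  # out of scope, or normal resolution path
        hit = findings.setdefault(str(src), {"severity": "medium", "queries": set()})
        hit["queries"].add((resolver, qtype, qname))
        if qtype == "TXT":
            hit["severity"] = "high"
    return findings

if __name__ == "__main__":
    for device, hit in sorted(triage(SAMPLE_LOG).items()):
        print(device, hit["severity"], sorted(hit["queries"]))
```

    Blocking outbound port 53 from the device segment to anything but the approved resolver turns the same condition into a firewall deny log, which is an even cheaper signal to alert on.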

    According to Bitsight, the methodology employed by attackers is simple: scanning the internet for old edge devices like DVRs and routers, brute-forcing or exploiting them, and making them execute botnet malware with no persistence required. The company's insights on this matter reveal that vulnerable devices are easier to find than ever before due to their continued exposure.

    The development comes as part of a broader conversation around the increasing sophistication and complexity of DDoS attacks. As noted by Akamai, volumetric attacks aim to overwhelm targets with traffic, causing network congestion, packet loss, and service disruptions. However, attackers often use these attacks as covers for more sophisticated exploits known as "smoke screen" attacks.

    Following this incident, Cloudflare reaffirms its commitment to keeping the digital landscape secure, emphasizing the importance of staying vigilant against emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cloudflare-Foils-Record-Breaking-115-Tbps-DDoS-Attack-Exposing-Insidious-RapperBot-Malware-ehn.shtml

  • https://thehackernews.com/2025/09/cloudflare-blocks-record-breaking-115.html


  • Published: Wed Sep 3 04:36:10 2025 by llama3.2 3B Q4_K_M












