
A European provider of distributed denial-of-service (DDoS) mitigation services was itself the target of an immense attack on September 10, 2025, which peaked at a rate of 1.5 billion packets per second (Bpps) [1]. This event, one of the largest publicly disclosed packet-rate floods, originated from a botnet composed of thousands of compromised Internet of Things (IoT) devices and MikroTik routers spread across more than 11,000 unique networks globally [1]. The attack was detected and mitigated in real time by the network monitoring firm FastNetMon, which utilized the customer’s own scrubbing facilities to deploy Access Control Lists (ACLs) and filter the malicious traffic [1]. This incident underscores a dangerous and persistent trend of weaponizing consumer-grade hardware to launch attacks of unprecedented scale, challenging even the defenders tasked with stopping them.
The 1.5 Bpps assault follows closely on the heels of another record-breaking event, a volumetric attack peaking at 11.5 terabits per second (Tbps) and 5.1 Bpps that was recently blocked by Cloudflare [1]. These events are not isolated but are indicative of a massive surge in DDoS activity throughout 2025. Data from Cloudflare’s first-quarter report reveals an astonishing 20.5 million DDoS attacks were blocked in that period alone; for context, this figure nearly matches the 21.3 million attacks they mitigated in the entire previous calendar year of 2024, representing a 358% year-over-year increase [2]. This explosive growth confirms a rapidly escalating threat landscape where the frequency and scale of attacks are reaching new heights.
The Anatomy of a High-Packet-Rate Attack
This specific attack was characterized as a UDP flood, a type of volumetric attack that aims to consume all available bandwidth of a target [1]. The critical metric in this case was not raw bandwidth consumption, measured in terabits per second (Tbps), but the sheer number of packets a network device is forced to process every second. Each packet requires processing resources—CPU cycles and memory—to be examined, routed, or dropped. A flood of 1.5 billion packets per second can overwhelm the processing capacity of routers, switches, and firewalls long before internet bandwidth is saturated, making it a potent method for causing service disruption. The use of a globally dispersed botnet comprising vulnerable IoT devices and routers makes tracing the origin difficult and mitigation more complex, as the malicious traffic originates from countless legitimate networks.
The Evolving DDoS Threat Landscape
While massive volumetric attacks like the 1.5 Bpps UDP flood capture headlines, a significant strategic shift is occurring towards more sophisticated application-layer (Layer 7) attacks [3]. These attacks, which include HTTP/S floods, Slowloris, and RUDY (R-U-Dead-Yet?), are often more cost-effective for threat actors and can be harder to detect because they mimic legitimate user traffic. Instead of targeting network bandwidth, L7 attacks aim to exhaust a server’s CPU and RAM resources by making computationally expensive requests. Techniques like the HTTP/2 Rapid Reset exploit demonstrate how attackers continuously innovate to bypass traditional threshold-based detection systems [3]. This means defenders must now prepare for a dual threat: immense volumetric floods and stealthy, efficient application-layer attacks.
Mitigation Strategies and the Provider Ecosystem
The successful real-time mitigation of this attack highlights the effectiveness of modern DDoS defense strategies. Key technical controls include blacklists for blocking known malicious IPs, whitelists for permitting only trusted traffic, and geo-blocking to filter traffic from specific regions [4]. For large-scale attacks, traffic is typically routed through scrubbing centers—specialized facilities with the capacity to analyze incoming traffic, filter out malicious packets, and forward only clean traffic to the intended destination. The market for these services is led by established providers like Akamai (Prolexic), Cloudflare, Imperva Incapsula, CenturyLink, and Verisign, with other significant players including F5 Networks, DOSarrest, and Arbor Networks [4]. These firms offer a range of service models, from “always-on” protection to “on-demand” scrubbing.
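The packet-rate detection and ACL response described here, and the packets-versus-bandwidth point made in the anatomy section above, as an added Python example (not the article's or FastNetMon's code): it buckets constructed packet records per destination and second, flags UDP buckets above an assumed pps threshold, and shows how small the flood's bit rate is next to its packet rate. The record format, threshold, wire-overhead figure and ACL syntax are all assumptions for illustration.

```python
from collections import defaultdict

# Ethernet preamble (8) + FCS (4) + inter-frame gap (12): bytes every frame
# occupies on the wire beyond its own length. Assumed for the bps estimate.
WIRE_OVERHEAD = 24
PPS_THRESHOLD = 2500  # assumed per-destination packets/s treated as a flood

# Constructed sample records: (timestamp_s, src_ip, dst_ip, proto, frame_bytes).
# A sensor would normally take these from sFlow/NetFlow or a mirror port.
SAMPLE_PACKETS = (
    [(i / 2000, f"198.51.100.{i % 200}", "203.0.113.10", "udp", 60) for i in range(2000)]
    + [(i / 5, "192.0.2.7", "203.0.113.20", "tcp", 1400) for i in range(5)]
    + [(1 + i / 3000, f"198.51.100.{i % 200}", "203.0.113.10", "udp", 60) for i in range(3000)]
)

def pps_to_bps(pps, frame_bytes):
    """Wire bit rate implied by a packet rate at a fixed frame size."""
    return pps * (frame_bytes + WIRE_OVERHEAD) * 8

def bucket_packets(records):
    """Aggregate records per (dst, whole second, proto) into (packets, bytes)."""
    agg = defaultdict(lambda: [0, 0])
    for ts, _src, dst, proto, length in records:
        counts = agg[(dst, int(ts), proto)]
        counts[0] += 1
        counts[1] += length
    return {key: tuple(val) for key, val in agg.items()}

def detect_udp_floods(records, pps_threshold=PPS_THRESHOLD):
    """Return [(dst, second, pps, wire_bps)] for UDP buckets above the threshold."""
    floods = []
    for (dst, second, proto), (pkts, nbytes) in sorted(bucket_packets(records).items()):
        if proto == "udp" and pkts > pps_threshold:
            floods.append((dst, second, pkts, (nbytes + pkts * WIRE_OVERHEAD) * 8))
    return floods

def acl_line(dst, proto="udp"):
    """Illustrative deny rule (vendor-neutral syntax) for a flagged destination."""
    return f"deny {proto} any host {dst}"

if __name__ == "__main__":
    # Scaled-down illustration: minimum-size frames give a high pps at a tiny bit rate.
    for dst, second, pps, bps in detect_udp_floods(SAMPLE_PACKETS):
        print(f"t={second}s {dst}: {pps} pps but only {bps / 1e6:.2f} Mbps -> {acl_line(dst)}")
    print(f"1.5 Bpps of 60-byte frames is about {pps_to_bps(1_500_000_000, 60) / 1e12:.2f} Tbps")
```

At the article's 1.5 Bpps, minimum-size frames add up to roughly 1 Tbps, an order of magnitude below the 11.5 Tbps bandwidth record, which is why the packet rate rather than the bit rate is what stresses forwarding hardware.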
Historical Context and the Rising Cost of Attacks
The progression of DDoS scale has been exponential over the past decade. The 2016 Mirai botnet attacks were a watershed moment, generating floods of 620 Gbps against security expert Brian Krebs and 1.1 Tbps against OVH [5]. By 2020, attacks against AWS and Google peaked at 2.3 Tbps and 2.5 Tbps, respectively [5]. The attacks observed in 2025 represent the latest evolution in this arms race. The financial impact of these outages is severe, with estimates suggesting that internet-reliant companies can lose over $100,000 per hour during an attack, not including the long-term brand damage and loss of customer trust [6]. Motivations for launching such attacks are varied, ranging from extortion and hacktivism to creating a smokescreen for more insidious data theft operations.
Relevance and Remediation Steps
For security professionals, this event is a stark reminder of the critical need for robust DDoS protection. Relying solely on an organization’s own internet pipe and on-premises hardware is insufficient against modern multi-vector attacks. A defense-in-depth approach is necessary. Proactive measures should include implementing ISP-level filtering to stop outgoing attacks from compromised devices within a network, a point emphasized by FastNetMon’s Pavel Odintsov [1]. Organizations should also evaluate their DDoS mitigation providers based on criteria such as proven capacity, experience, innovation, and service level agreements (SLAs) [4]. Tabletop exercises that simulate a sustained DDoS attack can help prepare incident response teams for the unique challenges of these events, which often involve coordinating with internal network teams and external mitigation providers under extreme pressure.
The 1.5 Bpps attack against a DDoS mitigation provider is a significant event in the cybersecurity field. It demonstrates that no organization is immune to targeting and that the tools and techniques available to threat actors continue to grow in potency. The combination of a soaring number of attacks and their increasing complexity demands continuous vigilance, investment in layered defenses, and a commitment to understanding the evolving tactics of adversaries. As the line between network and application-layer attacks blurs, a comprehensive and adaptive security posture becomes not just advisable but essential for maintaining business continuity.