NSFOCUS Cloud DDoS Protection Service (Cloud DPS) Detected and Mitigated an 800G+ DDoS Attack towards a Critical Infrastructure Operator

November 17, 2025 | NSFOCUS

Incident Summary

On October 21, 2025, NSFOCUS Cloud DDoS Protection Service (Cloud DPS) detected and mitigated an 800G+ DDoS attack towards a critical infrastructure operator.

The target network sustained a multi-vector volumetric DDoS attack peaking at 843.4 Gbps and 73.6 Mpps. The assault combined UDP-based floods (dominant) with amplification and reflection techniques.

The NSFOCUS Cloud DPS and Managed Security Service (MSS) team successfully activated real-time mitigation and dropped over 99.9% of malicious traffic. Clean traffic remained below 700 Mbps throughout the incident.

Fig. 1 DDoS attack peaking at 843.4 Gbps

Fig. 2 DDoS attack peaking at 73.6 Mpps

Attack Overview

1. Attack Type Distribution (Top 3 Vectors)

| Rank | Attack Type | Volume | % of Total |
|------|-------------|--------|------------|
| 1 | UDP Flood | ~609G | 70.7% |
| 2 | Manual Strategy | ~30G | 3.6% |
| 3 | Carpet Bombing Attack | ~2.9G | 0.34% |

Fig. 3 Attack Type Distribution

Key Insight 1: UDP floods are very likely to reach high volume, which requires the mitigation service provider to have dedicated bandwidth and sufficient mitigation gear to absorb the DDoS traffic.

2. Traffic Trend (bps) – Peak Mitigation

| Metric | Value |
|--------|-------|
| Inbound Traffic Peak | 843.4 Gbps |
| Attack Traffic Peak (Dropped) | 842.8 Gbps |
| Passed Traffic Peak | 710.9 Mbps (0.08% of inbound) |
| Dropped Ratio | 99.92% |

Key Insight 2: A Managed Security Service (MSS) with a mitigation-effect SLA can be valuable. An experienced, responsive MSS team can tune policies in real time to keep clean traffic at a very low level (<0.08%), which is critical to keeping the service alive.

3. Attack Timeline

| Time | Event |
|------|-------|
| 12:00 | Baseline traffic normal (~100 Mbps) |
| 12:05 | First spike detected – UDP Flood initiation |
| 12:15 | Traffic ramped to 600+ Gbps |
| 13:00 | Peak: 843.4 Gbps / 73.6 Mpps |
| 14:00 | Attack intensity declined |
| 14:16 | Traffic returned to baseline |

Key Insight 3: Attackers now have adequate resources to drive traffic to its peak in a short time and are capable of maintaining a peak traffic level of 600G-800G for 30 minutes or more. A modern mitigation service has to support always-on operation to ensure the minimum Time-to-Mitigate, while a traditional service may take 30 minutes just to initiate the mitigation.

4. Attack Source IP Geo Distribution

Fig. 4 Attack Source IP Geo Distribution

The US, Singapore and China were the top 3 source countries, while the Netherlands and Romania also made up a significant part due to their rich datacenter resources.

Key Insight 4: Mitigation service providers need to cover geographical hotspots including the US, China, APAC and Europe. In-depth threat intelligence on botnets, command & control and IP gangs from the above regions helps bring the optimum mitigation effect.

Conclusion & Recommendations

NSFOCUS Cloud DPS demonstrated carrier-grade resilience against a terabit-scale, multi-vector DDoS assault.

Key strengths:

  • Sub-second detection and mitigation
  • AI-driven proactive baseline learning
  • Near-perfect mitigation accuracy (99.92% drop)
  • Global scrubbing capacity covering hotspots
  • Rich rule engine handling multiple concurrent vectors