
Cloudflare said Tuesday that it automatically mitigated a record-breaking volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps).
“Over the past few weeks, we have autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps.”
The entire attack lasted only about 35 seconds, but the company says its “defenses are working overtime.”
Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing servers to slow or fail. They typically result in network congestion, packet loss, and service disruption.
Such attacks are carried out using botnets under a threat actor's control: computers, IoT devices, or other machines that have been infected with malware and are then instructed to flood the target with requests.

“The initial impact of a volumetric attack is to create congestion that can degrade the performance of network connections to the Internet, servers, and protocols and cause outages,” Akamai said in a descriptive note.
“However, attackers may also use volumetric attacks as cover for a more refined exploit, in what are called ‘smokescreen’ attacks. As security teams work diligently to mitigate the volumetric attack, attackers may launch additional attacks (multi-vector attacks).”
The development comes a little over two months after Cloudflare said in mid-May 2025 that it blocked a DDoS attack peaking at 7.3 Tbps, which targeted an unnamed hosting provider.
In July 2025, the company said hyper-volumetric DDoS attacks (L3/4 DDoS attacks exceeding 1 Tbps) skyrocketed in the second quarter of 2025, scaling a new high of 6,500 attacks compared to Q1 2025.
The development also coincides with Bitsight detailing the RapperBot kill chain. The malware targets network video recorders (NVRs) and other IoT devices with the aim of enlisting them in a botnet that can carry out DDoS attacks. The botnet's infrastructure was taken down last month as part of a law enforcement operation.
In the attack documented by the cybersecurity company, the threat actors are said to have exploited security flaws in the NVR to gain initial access, mounted a remote NFS file system, and downloaded and executed the next-stage RapperBot payload from it (“104.194.9[.]127”).

This is achieved by abusing a path traversal flaw in the device's web server to leak valid admin credentials, then using them to push a fake firmware update that runs a set of bash commands to mount the share and execute the RapperBot binary matching the system architecture.
“It’s no wonder that the attacker chose to use an NFS mount and run from that share. With this NVR firmware being so limited, using NFS is actually a very clever choice,” said security researcher Pedro Umbelino. “Of course, this means that the attackers had to thoroughly investigate this brand and model and design an exploit that could work under these limited conditions.”

The malware then retrieves the DNS TXT records associated with a set of hardcoded domains (“iranistrash[.]libre” and “pool.rentcheapcars[.]sbs”) to obtain the actual list of command-and-control (C2) server IP addresses.
The C2 IP addresses are mapped to C2 domains whose fully qualified domain names (FQDNs) are generated using a simplified domain generation algorithm (DGA) built from a combination of four domains, four subdomains, and two top-level domains (TLDs). The FQDNs are resolved using a hard-coded DNS server.
RapperBot then establishes an encrypted connection to the C2 domain that has a valid DNS TXT record describing it, and receives the commands needed to launch DDoS attacks. The malware can also be directed to scan the Internet for open ports in order to spread the infection further.
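The DGA structure and the hard-coded resolver described above give defenders two concrete DNS indicators to watch for. The following is an added example, not Bitsight's or the page's own code: it enumerates every FQDN a 4 × 4 × 2 DGA of this shape can emit and triages constructed DNS query log lines for those names, for TXT lookups of the seed domains quoted on the page, and for queries that bypass the organisation's own resolver. The word lists, resolver addresses and log format are all constructed placeholders; the real RapperBot word lists are not given on the page.

```python
from itertools import product
import re

# Constructed placeholder DGA components: the page only describes the shape
# (4 domains x 4 subdomains x 2 TLDs), not the actual word lists.
DGA_DOMAINS = ["alpha", "bravo", "charlie", "delta"]
DGA_SUBDOMAINS = ["cdn", "api", "img", "www"]
DGA_TLDS = ["example", "test"]

# Seed domains quoted on the page, whose TXT records carry the C2 IP list.
SEED_DOMAINS = {"iranistrash.libre", "pool.rentcheapcars.sbs"}

# Constructed: the resolver(s) hosts on this network are expected to use.
CORP_RESOLVER = "10.0.0.53"


def expand_dga(domains, subdomains, tlds):
    """Enumerate every FQDN (sub.domain.tld) the described DGA can produce."""
    return {f"{s}.{d}.{t}" for s, d, t in product(subdomains, domains, tlds)}


# Constructed DNS query log format: "<ts> <client> -> <resolver> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+)$")

SAMPLE_LOG = """\
2025-09-01T10:00:01Z 192.168.1.20 -> 10.0.0.53 A www.example.com
2025-09-01T10:00:05Z 192.168.1.77 -> 198.51.100.53 TXT pool.rentcheapcars.sbs
2025-09-01T10:00:06Z 192.168.1.77 -> 198.51.100.53 A cdn.bravo.test
2025-09-01T10:00:09Z 192.168.1.20 -> 10.0.0.53 A mail.example.com
"""


def triage_dns_log(text, candidates, allowed_resolvers):
    """Return (client, reason, qname) triples for lines matching an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, client, resolver, qtype, qname = m.groups()
        qname = qname.rstrip(".").lower()
        if qtype == "TXT" and qname in SEED_DOMAINS:
            hits.append((client, "seed_txt", qname))      # C2 list retrieval
        elif qname in candidates:
            hits.append((client, "dga_fqdn", qname))      # DGA-generated C2 name
        elif resolver not in allowed_resolvers:
            hits.append((client, "foreign_resolver", qname))  # hard-coded DNS server
    return hits
```

Because the DGA space here is only 32 names, the full candidate set can be pushed into a resolver blocklist or DNS firewall rather than matched per query.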
“Their methodology is simple: they scour the Internet for exposed edge devices (such as DVRs or routers), brute-force or exploit them, and run botnet malware on them,” Bitsight said. “The reality is that it’s just scanned and infected over and over again, and it doesn’t require persistence because vulnerable devices continue to be exposed out there and are easier to spot than ever before.”