Over the last month, the UltraDDoS Protect network has faced an onslaught of super mega attacks peaking at 600-800 Gbps and two internet tsunami attacks, peaking at over 3.7 and 2.4 Tbps respectively. On Tuesday, July 29th, DigiCert’s UltraDDoS Protect service successfully mitigated an internet tsunami, a massive DDoS attack that reached 2.4 Terabits per second (Tbps) of bandwidth and 553 million packets per second (Mpps) of impact. This, at the time, was the largest attack that has been recorded to date on the UltraDDoS Protect Network.
Figure 1: 2.4 Tbps attack mitigated on the UltraDDoS Protect network
On Thursday, August 21st, that record was shattered when the UltraDDoS Protect service withstood a 3.721 Tbps and 336 Mpps attack, 54% higher than the attack 3 weeks earlier. The peak traffic during this attack lasted over two minutes, much longer than the previous attack, and used completely different attack vectors. The target was a United States based customer in a different market than the customer from the previous attack, so it was not a continuation of the same campaign. Despite the sharp increase in attack size, the diverse attack vectors, and the different target, the UltraDDoS Protect service successfully mitigated the attack with no reported impact to our customer base.
Figure 2: 3.721 Tbps attack mitigated on the UltraDDoS Protect network
Tbps+ DDoS attacks – internet tsunamis
Tsunamis have been in the news lately because of the 8.8-Magnitude earthquake that struck just off the coast of Russia in late July, that sent waves cascading throughout the Pacific Ocean. The tsunami impacted Japan and locations as far off as Hawaii and the US west coast, triggering alerts and actions across many coastal nations to prepare for the worst-case scenario. The actual waves caused by this event were more moderate than originally feared and appropriate protections were in place, so the damage caused was thankfully minimal. Despite it not being as severe as was predicted, the event has made coastal cities re-evaluate their defenses against tsunamis so that they are even more prepared for the next one.
Internet tsunamis are Tbps or larger DDoS attacks that mirror many of the characteristics of ocean tsunamis. An internet tsunami can come at any time with little to no warning, impact any business that connects to the internet, may be followed by continued attacks after the initial burst, and do damage that may take a prolonged time to fix if the right protections aren’t in place. The one major difference between the two is that ocean tsunamis take time to make it across oceans before striking. This can provide time to brace for the impact. Internet tsunamis, on the other hand, generally ramp up immediately giving victims no time to react. To learn more about the botnets and tactics behind these large attacks, I recommend this blog by my colleague Bryant Rump covering the Aisuru botnet and an internet tsunami that it was used for.
Companies have a finite amount of bandwidth over which they connect to the internet, and many have protections from DDoS that can handle some DDoS attacks. Coastal regions and cities have protections against storm surges and extremely high tides, but most cannot handle a tsunami on their own. Similarly, extremely few businesses are equipped to handle a Tbps+ attack on their own without partnering with a provider that can.
Examining the 2.4 Tbps DDoS attack from July 29, 2025
The 2.4 Tbps internet tsunami DDoS attack that hit the UltraDDoS Protect network was directed towards an always-on customer based in the EMEA region. It was a carpet bomb DDoS attack where traffic was directed to many destination IP addresses within the customer network. Nearly 800 unique IPv4 addresses were targeted. This means that the attacker was indiscriminate as to what was affected within the victim’s IP address space. Multi-Tbps DDoS attacks tend to be indiscriminate in nature anyways because they often cause collateral damage well beyond the intended target.
The main characteristics of this attack included:
- The attack sources were widely distributed with the United States, Mexico, Canada, Japan, Israel and Taiwan being the highest contributing countries.
- All traffic was destined to port 443 which is the default for most web traffic so it could not be simply filtered at the network border.
- Extremely short time duration (< 1 minute) for the attack peak of 2.387Tbps/552.6Mpps.
- Approximately 3Gbps per destination IP (~800 target IP addresses).
- Multiple smaller follow-on attacks after the initial surge.
Figure 3: 2.4 Tbps internet tsunami attack traffic source distribution
Examining the 3.7 Tbps DDoS attack from August 21, 2025
The 3.7 Tbps internet tsunami DDoS attack was directed towards a different always-on customer of UltraDDoS Protect service. This customer is based in the US and is in a completely different industry than the previous attack target customer, so it is very unlikely that the attacks were connected in any way. The attack was similar to the previous attack in that it was a carpet-bombing attack targeting many destinations within the victim’s network although it was more focused with only 270 IP addresses targeted versus 800 for the previous attack. This means that each unique IP received a lot more traffic. The vector for this attack was different than what was seen previously with much of the traffic consisting of larger UDP packets. This led to lower packet per second (336 Mpps versus 552.6 Mpps) but much higher bits per second (3.7 Tbps versus 2.4 Tbps). This diversity of attack characteristics demonstrates why a broad defense strategy that considers many possible attack scenarios is required.
The main characteristics of this attack included:
- Attack sources were widely distributed but with a different mix of top source countries when compared to the previous attack demonstrating a diversity in the botnet that was used for this attack.
- Larger packet sizes and fragmented UDP packets were very prominent.
- Source and destination ports were widely distributed.
- Longer duration for multi-Tbps traffic peaks – approximately 3 minutes across 2 waves
- Sustained mega-attack level before and after tsunami level peaks. The attack was over 800 Gbps for over 10 minutes.
Figure 4: 3.7 Tbps internet tsunami attack traffic source distribution
Mitigating an internet tsunami
Mitigating an attack of this magnitude is done in stages. The first stage is to withstand the initial surge in traffic to keep it from getting to the customer’s resources. These are your time 0 defenses and require that the customer be always routing their traffic through the DDoS protection network. An effective DDoS protection network requires a lot of available bandwidth – we have over 15 Tbps of dedicated DDoS bandwidth – strong networking controls and filtering capabilities at all borders of the network. The DDoS service must be able to absorb the sudden influx of traffic and shunt most of it away from the customer until more aggressive countermeasures can be applied. The second stage can take effect shortly after the attack starts – our SLA is under 30 seconds – where automation applies more aggressive DDoS countermeasures to the customer’s traffic to discern attack traffic from legitimate traffic. The third stage is to have an experienced analyst review what is being passed and dropped, communicate and collaborate with the customer to ensure the mitigation is completely effective, and it not, make the necessary adjustments.
The surge that occurred with the 2.4 Tbps attack lasted less than 1 minute before dropping down too much smaller bandwidth levels, so the actual tsunami DDoS attack only passed through the first stage of protection. We withstood the traffic on behalf of the customer, so they had extremely minimal initial impact and no lasting impact from the gigantic attack. This was possible because they were deployed always-on through the UltraDDoS Protect network. If they had been deployed for on-demand protection, the initial tsunami wave would have hit the customer directly at first and even after diverting traffic to our DDoS service, the impact would have already been made. This is one of the reasons that always-on is the best practice for DDoS Protection.
The 3.7 Tbps attack lasted longer and went through all three stages of protection. The initial surge was withstood and blocked through a combination of always-on defenses including the UltraDDoS Protect Cloud Firewall capability. The attack was detected in seconds, and attack traffic was shunted to our intelligent DDoS mitigation infrastructure for surgical mitigation. The SOC immediately began reviewing the automated actions that were taken and sent the customer updates in real time. Thanks to the strong combination of preparedness, technology, automation, and human oversight, the attack was successfully mitigated with no impact to the UltraDDoS Protect customer base.
Continuous Improvement in DDoS Defense
While handling these internet tsunamis, we also continued to mitigate smaller attacks for other customers at the same time. On the day that we had the 2.4 Tbps attack, the SOC team had another customer experience a large mega attack of over 700 Gbps. The architecture and capacity of our network and the expertise of our team is what makes this possible to effectively handle days like these. It’s what we do.
We believe in continuous improvement in the services we provide so every situation, especially more extreme cases like these, provides us opportunities to improve. The SOC, network engineering, engineering and product teams meet regularly to go through what went well and what things we could improve upon, and we make the necessary changes to our architecture, process and customer service. In this way, the UltraDDoS Protect service will continue to evolve as the threat landscape changes. We are committed to delivering optimal DDoS protection to our customers through a combination of the best technology, automation, integration, and expertise so that when the next internet tsunami strikes, we will be there to stop it.
