How Cloudflare Stops Millions of Hackers Every Day

Consider what happened on a single day in May 2025.

A botnet, a network of hijacked computers spread across 147 countries, opened fire on a target somewhere on the internet. The attack peaked at 7.3 terabits per second. To put that in terms a human brain can absorb: that is the equivalent of streaming every movie on Netflix simultaneously, pointed like a firehose at a single server.

Cloudflare’s systems successfully blocked this record-breaking 7.3 Tbps DDoS attack fully autonomously, without requiring any human intervention, without triggering any alerts, and without causing any incidents.

The target stayed online. Their users noticed nothing. The attack, the largest ever publicly recorded, lasted seconds and disappeared without a trace, absorbed by infrastructure most of the internet quietly runs on without realising it.

Here is how that is possible.

The Invisible Layer Under the Internet

Most people know what Cloudflare does the way they know what a fuse box does: dimly, until the lights go out. But Cloudflare is not a background utility. It is, by most measures, the largest security network on the planet.

Cloudflare runs its mitigation logic on every edge node in its 330+ point-of-presence network spanning 120+ countries, unlike traditional scrubbing-center solutions that reroute traffic to a handful of datacenters.

When you type a web address, your request travels through the internet to a server. For roughly 20% of all websites, that request passes through Cloudflare first before it reaches the actual server. Cloudflare acts as a reverse proxy: a server that sits in front of web servers and forwards client requests, implemented to increase security, performance, and reliability.

Attackers can only target the reverse proxy, which has tighter security and more resources, rather than the actual origin server where the website lives. The real server’s location stays hidden. Attackers fire at Cloudflare’s edge. Cloudflare absorbs it.

This architectural decision, a global wall of edge servers standing between the internet’s traffic and the websites behind them, is what makes everything else possible.

The Numbers From 2025 That Should Alarm You

The scale of what Cloudflare blocked in 2025 is not a cybersecurity statistic. It is a measure of how industrialised internet attacks have become.

In 2024, Cloudflare blocked a total of 21.3 million DDoS attacks for the full year. In the first half of 2025 alone, it had already mitigated 27.8 million attacks, with the entire previous year’s volume surpassed before July.

Q1 2025 alone saw 20.5 million attacks blocked, a 358% year-over-year increase and 198% quarter-over-quarter.

By Q3 2025, Cloudflare’s autonomous defenses were blocking an average of 3,780 DDoS attacks per hour. Every hour. Every day.

The year ended with a December campaign dubbed “The Night Before Christmas”, launched by the Aisuru-Kimwolf botnet and featuring hyper-volumetric HTTP attacks exceeding 200 million requests per second, weeks after a record-breaking 31.4 Tbps attack.

Every one of those attacks was absorbed automatically, by software, with no human reviewing an alert.

Three Systems Running Every Second

The reason Cloudflare can absorb a 7.3 Tbps attack without a human touching a keyboard comes down to three interlocking systems working simultaneously on every request that passes through its network.

The Autonomous Edge: the first decision layer. Cloudflare’s autonomous edge and centralised DDoS systems analyse traffic samples out of path, asynchronously, allowing attack detection without causing latency or impacting performance. Every packet that arrives at a Cloudflare edge node is inspected against a rolling set of dynamic rules covering packet fields (source IP, destination port, protocol, and sequence number) and HTTP request metadata (headers, user agent, query string, HTTP method, and TLS cipher version).

When attack characteristics are recognised, a mitigation rule is generated and deployed locally on that edge node within milliseconds. For volumetric attacks, the rule propagates across the network using eBPF programs called L4Drop that operate inside the kernel at wire speed.
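The sample-then-fingerprint idea described above can be sketched as follows. This is an added illustration, not Cloudflare's code or algorithm: the `tcp_flags` and `length` fields, the rate trigger and the 60% share threshold are assumptions, and the packets are constructed.

```python
from collections import Counter
from itertools import combinations

# Packet fields the article lists, plus TCP flags and length (assumed extras).
FIELDS = ("src_ip", "dst_port", "proto", "tcp_flags", "length")

def derive_rule(samples, observed_pps, trigger_pps=100_000, min_share=0.6):
    """Return the narrowest field/value pattern covering at least min_share
    of the sampled packets, or None when no mitigation is warranted."""
    if observed_pps < trigger_pps or not samples:
        return None  # rate within the assumed baseline: leave traffic alone
    # Widest combinations first, so the rule matches as little as possible.
    for width in range(len(FIELDS), 0, -1):
        best = None
        for combo in combinations(FIELDS, width):
            counts = Counter(tuple(p[f] for f in combo) for p in samples)
            values, hits = counts.most_common(1)[0]
            share = hits / len(samples)
            if share >= min_share and (best is None or share > best["share"]):
                best = {"match": dict(zip(combo, values)), "share": share}
        if best:
            return best
    return None

def forward(rule, packets):
    """Apply the rule at the edge: keep only packets it does not match."""
    return [p for p in packets
            if not all(p[k] == v for k, v in rule["match"].items())]

def constructed_samples():
    """Constructed data: 80 spoofed-source SYNs plus 20 ordinary packets."""
    flood = [{"src_ip": f"198.51.100.{i}", "dst_port": 443, "proto": "tcp",
              "tcp_flags": "S", "length": 60} for i in range(80)]
    legit = [{"src_ip": f"203.0.113.{i}", "dst_port": 443, "proto": "tcp",
              "tcp_flags": "PA", "length": 200 + i} for i in range(20)]
    return flood + legit

if __name__ == "__main__":
    samples = constructed_samples()
    rule = derive_rule(samples, observed_pps=2_000_000)
    print(rule, len(forward(rule, samples)), "packets forwarded")
```

Because the source address changes on every flood packet, the derived rule ignores `src_ip` and keys on the fields the flood has in common, which is why per-IP blocking alone does not help against spoofed floods.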

The Web Application Firewall: the second decision layer. Where the Autonomous Edge handles flood-level attacks, the WAF handles precision threats, blocking common web exploits like SQL injection and cross-site scripting: attacks that do not try to overwhelm a server but to infiltrate it, extracting databases, hijacking sessions, or planting code.

The WAF examines what a request contains, while rate limiting examines how often a client hits certain endpoints. Together, they are extremely effective against brute-force attacks, scraping, and simple denial-of-service attempts.

Bot Management: the third decision layer. Not all attacks come in floods. Many come as a patient, methodical impersonation of legitimate users: bots cycling through login combinations, scraping pricing data, or fraudulently clicking on advertisements. Each request through Cloudflare receives a Bot Score, an integer between 1 and 99 indicating Cloudflare’s certainty that the request comes from a bot rather than a human. Verified bots (Googlebot, legitimate crawlers) are flagged separately and treated differently from unverified automated traffic.

The score is generated by machine learning models trained on Cloudflare’s global traffic dataset, the richest DDoS telemetry repository on the planet, by virtue of seeing 20% of all web traffic pass through the same system.

The Aisuru Problem: When the Attacker Adapts

The Aisuru-Kimwolf botnet, responsible for the December 2025 Christmas campaign, represents the evolution of what Cloudflare is actually fighting. It is not a single attacker. It is a botnet-for-hire.

“Chunks” of Aisuru are offered by distributors as botnets-for-hire so anyone can potentially inflict chaos on entire nations by crippling backbone networks and saturating internet links, disrupting millions of users, at a cost of a few hundred to a few thousand US dollars.

The democratisation of attack infrastructure is the reason volume numbers doubled in 2025. The technical barrier to launching a sophisticated DDoS attack has dropped from “nation-state resource” to “small business budget.” What Cloudflare is absorbing is not just state-sponsored cyberwarfare and organised crime. One notable target in Q2 2025 was an independent Eastern European news outlet protected by Cloudflare, which reported being attacked following its coverage of a local Pride parade. A small publication. A domestic story. A DDoS attack, ordered by someone, delivered by rented infrastructure.

When an attacker shifts tactics mid-attack, changing packet structure to evade a fingerprint, the Autonomous Edge relearns and regenerates the mitigation rule. This is how Cloudflare contained the 31.4 Tbps Aisuru-Kimwolf attack automatically in late 2025.

What Cloudflare Cannot Do

The architecture is remarkable. The limitations are real.

Cloudflare protects what routes through Cloudflare. A server with its real IP address exposed (through misconfiguration, a DNS record leak, or a user who published the origin IP somewhere) can be attacked directly, bypassing the entire system. Cloudflare is a wall with a door. If the attacker finds the door’s address, the wall is irrelevant.
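One way for a site owner to check their own setup for the exposure described above, as an added example that is not from the original article or from Cloudflare. The zone export and firewall allowlist are constructed, and the network list is only a subset of the ranges Cloudflare publishes at https://www.cloudflare.com/ips/, which should be loaded in full in real use.

```python
import ipaddress

# Assumption: subset of Cloudflare's published ranges, for illustration only.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32")]

def behind_cloudflare(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net
               for net in CLOUDFLARE_NETS)

def audit_zone(records):
    """Return {address: [names]} for A/AAAA records that bypass the proxy
    and therefore publish an address attackers can reach directly."""
    exposed = {}
    for name, rtype, value in records:
        if rtype in ("A", "AAAA") and not behind_cloudflare(value):
            exposed.setdefault(value, []).append(name)
    return exposed

def audit_origin_allowlist(allowed_cidrs):
    """Return inbound source CIDRs on the origin firewall that are not
    fully contained in a Cloudflare range (direct traffic would get in)."""
    loose = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(net.version == cf.version and net.subnet_of(cf)
                   for cf in CLOUDFLARE_NETS):
            loose.append(cidr)
    return loose

# Constructed zone export: (name, type, value). 203.0.113.25 is the origin.
ZONE_EXPORT = [
    ("example.com", "A", "104.16.1.10"),
    ("www.example.com", "AAAA", "2606:4700::6810:10a"),
    ("dev.example.com", "A", "203.0.113.25"),
    ("ftp.example.com", "A", "203.0.113.25"),
    ("example.com", "TXT", "v=spf1 -all"),
]
# Constructed origin firewall allowlist for inbound 443.
ORIGIN_ALLOWLIST = ["173.245.48.0/20", "104.16.0.0/13", "0.0.0.0/0"]

if __name__ == "__main__":
    print("unproxied records:", audit_zone(ZONE_EXPORT))
    print("over-broad firewall sources:", audit_origin_allowlist(ORIGIN_ALLOWLIST))
```

The two checks complement each other: the first finds names that reveal the origin address, and the second confirms that even a revealed address only accepts connections arriving through the proxy.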

When surveying Cloudflare customers targeted by DDoS attacks, the majority said they did not know who attacked them. Attribution, identifying who ordered and executed an attack, remains one of the hardest unsolved problems in internet security. The technical defence has outpaced the forensic capability to hold attackers accountable.

And the arms race continues to accelerate. The largest attack in 2023 was 71 Mbps. The largest in 2025 was 31.4 Tbps, more than 440 times larger in under two years. Cloudflare’s capacity grows to match. The attackers’ budgets grow to probe the edges of that capacity.

The Architecture Behind the Ordinary

The next time a website loads instantly when it should be under attack. The next time your bank’s login page is available during a geopolitical crisis. The next time a news outlet stays online after publishing something that made someone powerful very angry.

There is, in most of those cases, a Cloudflare edge node somewhere in the path absorbing the noise, scoring the bots, inspecting the packets, and forwarding only the legitimate traffic onward.

It happens in milliseconds. It happens billions of times a day. And the person on the other side sees nothing but a page that loaded.

That invisibility is the entire product.

© AiwalaNews | Global Tech & Privacy Edition | April 2026
