Massive 1.5 Bpps DDoS attack targets European DDoS mitigation provider
Summary
A European DDoS mitigation service provider was targeted in a large-scale distributed denial-of-service (DDoS) attack reaching 1.5 billion packets per second (Bpps). The attack originated from thousands of compromised IoT devices and MikroTik routers, affecting over 11,000 unique networks worldwide. FastNetMon, the DDoS mitigation service, detected and mitigated the attack in real time. The attack underscores the growing threat of large-scale DDoS attacks and the need for proactive measures at the ISP level to prevent such incidents. The attack aimed to exhaust the target's packet-processing capacity, which would have caused service outages had it succeeded.
Timeline
- 11.09.2025 01:09 (1 article): Massive 1.5 Bpps DDoS attack targets European DDoS mitigation provider
  Source: DDoS defender targeted in 1.5 Bpps denial-of-service attack — www.bleepingcomputer.com — 11.09.2025 01:09
Information Snippets
- The attack reached 1.5 billion packets per second (Bpps), one of the largest packet-rate floods publicly disclosed.
  First reported: 11.09.2025 01:09 · 1 source, 1 article
- The attack originated from compromised customer-premises equipment (CPE), including IoT devices and routers, across more than 11,000 unique networks worldwide.
  First reported: 11.09.2025 01:09 · 1 source, 1 article
- The attack primarily consisted of a UDP flood.
  First reported: 11.09.2025 01:09 · 1 source, 1 article
- FastNetMon mitigated the attack using the customer's DDoS scrubbing facility and by deploying access control lists (ACLs) on edge routers.
  First reported: 11.09.2025 01:09 · 1 source, 1 article
- The attack was detected and mitigated in real time.
  First reported: 11.09.2025 01:09 · 1 source, 1 article
- The targeted provider specializes in filtering out malicious traffic during DDoS attacks through packet inspection, rate limiting, CAPTCHA, and anomaly detection.
  First reported: 11.09.2025 01:09 · 1 source, 1 article
- The attack comes days after Cloudflare reported blocking the largest recorded volumetric DDoS attack, peaking at 11.5 terabits per second (Tbps) and 5.1 billion packets per second (Bpps).
  First reported: 11.09.2025 01:09 · 1 source, 1 article
- FastNetMon's founder, Pavel Odintsov, emphasized the need for ISP-level intervention to prevent the weaponization of compromised consumer hardware.
  First reported: 11.09.2025 01:09 · 1 source, 1 article
Source for all snippets: DDoS defender targeted in 1.5 Bpps denial-of-service attack — www.bleepingcomputer.com — 11.09.2025 01:09
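The snippets above describe the defender's side of a packet-rate flood: detecting an abnormal packets-per-second rate toward a destination, distinguishing a distributed source set from one noisy sender, and then pushing an ACL to edge routers. The following is an added example (not code from the page or from FastNetMon) of that detection logic run over constructed, sampled flow records. The sampling rate, the five-second window, the thresholds and the IOS-style ACL line are all assumptions for illustration.

```python
"""Packet-rate flood detection over constructed flow samples.

Added example, not FastNetMon's code. Aggregates sampled flow records per
(destination, protocol), scales the sampled packet count up to an estimated
packets-per-second rate, and raises an alert when the rate crosses a
threshold. The distinct-source count separates a distributed flood (the
kind described on this page) from a single misbehaving sender.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    packets: int    # sampled packets seen for this flow in the window


@dataclass
class Alert:
    dst: str
    proto: str
    pps: float              # estimated packets per second toward dst
    unique_sources: int
    distributed: bool       # True when the source set is large enough


# Assumed collector settings: 1:1000 packet sampling, 5-second window.
SAMPLE_RATE = 1000
WINDOW_SECONDS = 5


def build_sample_flows():
    """Constructed data: a distributed UDP flood, benign TCP traffic and a
    single noisy UDP sender, all using documentation address ranges."""
    flows = []
    for i in range(1, 201):          # 200 sources, 3 sampled packets each
        flows.append(Flow(f"203.0.113.{i}", "198.51.100.10", "udp", 3))
    for i in range(1, 6):            # ordinary TCP from five clients
        flows.append(Flow(f"192.0.2.{i}", "198.51.100.20", "tcp", 10))
    flows.append(Flow("192.0.2.99", "198.51.100.30", "udp", 400))  # one loud host
    return flows


def aggregate(flows, window_seconds=WINDOW_SECONDS, sample_rate=SAMPLE_RATE):
    """Return {(dst, proto): (estimated_pps, set_of_sources)}."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        key = (f.dst, f.proto)
        packets[key] += f.packets
        sources[key].add(f.src)
    return {
        k: (packets[k] * sample_rate / window_seconds, sources[k])
        for k in packets
    }


def detect_floods(flows, pps_threshold=50_000, min_sources=100):
    """Alert on every (dst, proto) whose estimated rate exceeds the
    threshold; mark it distributed when enough distinct sources took part.
    Highest rate first, so the most urgent target is alerts[0]."""
    alerts = []
    for (dst, proto), (pps, srcs) in aggregate(flows).items():
        if pps < pps_threshold:
            continue
        alerts.append(Alert(dst, proto, pps, len(srcs), len(srcs) >= min_sources))
    return sorted(alerts, key=lambda a: a.pps, reverse=True)


def acl_for(alert):
    """Illustrative IOS-style extended ACL entry for an edge router
    (assumption: this coarse form is acceptable as an emergency measure)."""
    return f"deny {alert.proto} any host {alert.dst}"


if __name__ == "__main__":
    for a in detect_floods(build_sample_flows()):
        kind = "distributed flood" if a.distributed else "single-source burst"
        print(f"{a.dst} {a.proto}: ~{a.pps:,.0f} pps from "
              f"{a.unique_sources} sources ({kind}); ACL: {acl_for(a)}")
```

Two caveats a practitioner would apply before using this shape in production: the per-destination threshold must be calibrated against each host's baseline rather than fixed, and a blanket `deny udp any host` also drops the target's legitimate UDP traffic, so the real ACL is narrowed to the port or packet-size pattern the flood actually shows and is removed once the scrubbing facility has the traffic.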
Similar Happenings
ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS Attacks
The ShadowV2 botnet targets misconfigured Docker containers on Amazon Web Services (AWS) to deploy Go-based malware, turning infected systems into nodes of a distributed denial-of-service (DDoS) botnet. The botnet is available for rent to conduct DDoS attacks and employs techniques such as HTTP/2 Rapid Reset and bypassing Cloudflare's Under Attack mode. It was detected on June 24, 2025, and is believed to be part of a DDoS-for-hire service. The botnet uses a Python-based C2 framework hosted on GitHub Codespaces and a Go-based remote access trojan (RAT) for command execution and communication. The malware first spawns a generic setup container from an Ubuntu image, installs the tools it needs, and then builds and deploys a live container; this approach may help avoid leaving forensic artifacts on the victim machine. The malware communicates with a C2 server to receive commands and conduct attacks, and its dynamic container deployment allows highly configurable attacks while concealing activity behind cloud-native architecture. The botnet targets 24,000 IP addresses with port 2375 open, though not all are exploitable. The malware sends a heartbeat signal to the C2 server every second and polls for new attack commands every five seconds. The botnet is actively used, with observed commands to launch attacks against at least one website.
Cloudflare mitigates multiple record-breaking DDoS attacks, including 22.2 Tbps
Cloudflare has mitigated a new record-breaking DDoS attack peaking at 22.2 Tbps and 10.6 Bpps, which lasted 40 seconds. This attack is part of a series of hyper-volumetric DDoS attacks that have been increasing in frequency and intensity. Cloudflare's defenses have autonomously blocked hundreds of such attacks in recent weeks, with the largest reaching peaks of 5.1 Bpps, 11.5 Tbps, and now 22.2 Tbps. The attack was conducted using botnets that infected various devices with malware. Volumetric DDoS attacks can be used as a cover for more sophisticated exploits, known as 'smoke screen' attacks. The attack was aimed at a single IP address of an unnamed European network infrastructure company. It was traced to over 404,000 unique source IPs across over 14 ASNs worldwide and was described as a UDP carpet-bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47,000 ports. The attack was conducted using the AISURU botnet, which has been around for more than a year. The botnet is powered by hacked IoT devices such as routers and DVRs that have been compromised through the exploitation of known and zero-day vulnerabilities. The attack was actually sourced from a combination of several IoT and cloud providers, not just Google Cloud. The attack's complexity and impact on users are highlighted as critical factors, not just its magnitude. The attack occurred in mid-May, right after Cloudflare's publication of its quarterly DDoS threat report. The attacks reached 6.5 Tbps and delivered 4.8 billion packets per second (pps). Cloudflare has seen a significant increase in DDoS attacks, with a 198% quarter-over-quarter increase and a 358% year-over-year jump in 2024. The company mitigated 21.3 million DDoS attacks targeting its customers and 6.6 million attacks targeting its own infrastructure in 2024. The attacks included SYN flood attacks, Mirai-generated DDoS attacks, and SSDP amplification attacks. Network-layer attacks saw a 509% year-over-year increase in 2025.
VPS Infrastructure Abused for Stealthy SaaS Account Compromises
Threat actors are exploiting commercial virtual private server (VPS) infrastructure to quickly and discreetly set up attack infrastructure. This tactic has been observed in coordinated SaaS account compromises across multiple customer environments. VPSs are favored due to their low cost, rapid deployment, and minimal open-source intelligence footprint. The abuse of VPS infrastructure has increased in SaaS-targeted campaigns, enabling attackers to bypass geolocation-based defenses and evade IP reputation checks. The SystemBC proxy botnet operators maintain an average of 1,500 bots daily, exploiting vulnerable commercial VPS infrastructure. This network has been active since at least 2019 and is used by various threat actors, including ransomware gangs, to deliver payloads. The use of VPS infrastructure allows attackers to mimic local traffic, blend into legitimate behavior, and rapidly deploy attack infrastructure, making detection and tracking more challenging. The SystemBC network is built for volume with little concern for stealth, and it powers other criminal proxy networks. It has over 80 command-and-control (C2) servers and fuels other proxy network services, including REM Proxy and a Vietnam-based proxy network called VN5Socks or Shopsocks5. Nearly 80% of the SystemBC network consists of compromised VPS systems from multiple large commercial providers; the infected VPS systems have multiple easy-to-exploit vulnerabilities, with an average of 20 unpatched security issues and at least one critical-severity vulnerability. REM Proxy is a sizeable network which also markets a pool of 20,000 MikroTik routers and a variety of open proxies it finds freely available online. Close to 40% of the compromises have "extremely long average" infection lifespans, lasting over 31 days. The vast majority of the victimized servers have been found to be susceptible to several known security flaws. Each victim has 20 unpatched CVEs and at least one critical CVE on average, with one of the identified VPS servers in the U.S. city of Atlanta vulnerable to more than 160 unpatched CVEs. The IP address 104.250.164[.]214 hosts the artifacts and appears to be the source of attacks to recruit potential victims. SystemBC is used to brute-force WordPress site credentials, which are likely sold to brokers for malicious code injection. SystemBC has exhibited sustained activity and operational resilience across multiple years, establishing itself as a persistent vector within the cyber threat landscape.