NSFOCUS Mitigates Massive 843 Gbps DDoS Attack on Critical Infrastructure

NSFOCUS Details Successful Mitigation of 843.4 Gbps Multi-Vector DDoS Attack Targeting Critical Infrastructure Operator

HIGH
November 18, 2025
5m read
Cyberattack, Industrial Control Systems, Threat Intelligence

Related Entities

Products & Tech

NSFOCUS Cloud DDoS Protection Service (Cloud DPS)

Full Report

Executive Summary

Cybersecurity vendor NSFOCUS has released a report detailing its defense against a massive Distributed Denial-of-Service (DDoS) attack that targeted an unnamed critical infrastructure operator. The attack, which occurred on October 21, 2025, peaked at 843.4 Gbps and 73.6 million packets per second (Mpps). The multi-vector assault stayed above 600 Gbps for more than 30 minutes, which points to attackers with significant resources. The primary attack vector was a UDP flood. The NSFOCUS Cloud DDoS Protection Service (Cloud DPS) mitigated the attack in real time, dropping more than 99.9% of the malicious traffic and keeping the operator's services available.

Threat Overview

The incident showcases the escalating scale and sophistication of DDoS attacks targeting critical infrastructure. The attack was not a simple, single-vector flood but a complex, multi-vector assault designed to overwhelm the target's network capacity and security appliances. The key characteristics of the attack include:

  • Massive Volume: A peak of 843.4 Gbps, well beyond the capacity of most organizations' on-premises defenses.
  • High Packet Rate: 73.6 Mpps, designed to exhaust the processing power of firewalls and routers.
  • Sustained Duration: Holding traffic between 600 and 800 Gbps for over 30 minutes indicates a large botnet and, given the sources below, substantial server-grade bandwidth behind it.
  • Multi-Vector Approach: While dominated by a UDP flood, the attack also included other techniques like amplification and reflection.
  • Global Distribution: Attack traffic originated from sources worldwide, with the highest concentrations from the United States, Singapore, and China, likely from compromised servers in data centers.

Technical Analysis

The attack maps to the following MITRE ATT&CK techniques:

  • Impact (T1498 - Network Denial of Service): This was the overall goal of the attack—to make the critical infrastructure operator's services unavailable.
  • Impact (T1498.001 - Direct Network Flood): The dominant component was a UDP flood, which accounted for 70.7% (609 Gbps) of the traffic. This involves sending a massive number of UDP packets to the target's IP addresses, consuming all available bandwidth.
  • Impact (T1498.002 - Reflection Amplification): The report also mentions amplification and reflection. Attackers spoof the target's IP address as the source and send small requests to publicly reachable UDP services (open DNS resolvers or NTP servers, for example) whose responses are many times larger than the request. The responses are delivered to the spoofed address, so the victim receives the amplified volume while the true sources stay hidden.

NSFOCUS's mitigation involved redirecting the operator's inbound traffic through its cloud scrubbing centers, which analyzed the flows, separated malicious packets from legitimate ones, and forwarded only the clean traffic to the operator. The clean traffic delivered to the operator stayed below 700 Mbps throughout the attack, so the operator's own circuits were never saturated and no service disruption occurred.

Impact Assessment

Had the attack been successful, the impact on the critical infrastructure operator could have been severe. A successful DDoS attack can lead to:

  • Service Outage: Complete unavailability of essential services for the duration of the attack.
  • Financial Loss: Direct revenue loss from downtime and the high cost of emergency mitigation.
  • Reputational Damage: Loss of trust from customers and the public, especially for a critical infrastructure provider.
  • Collateral Damage: A powerful DDoS attack can also saturate upstream internet service provider (ISP) links, causing connectivity issues for other customers.

This incident demonstrates the necessity for critical infrastructure operators to have pre-provisioned, cloud-based DDoS mitigation services capable of absorbing such massive volumes of traffic.

Cyber Observables for Detection

  • Protocol: UDP. An overwhelming and disproportionate share of inbound UDP traffic is the primary indicator of a UDP flood.
  • Port: random high ports. UDP floods often use randomized source and destination ports to bypass simple port-based filtering.
  • Network traffic pattern: high inbound bandwidth utilization. A sudden spike that saturates the internet circuit is the most obvious sign of a volumetric DDoS attack.
  • Log source: NetFlow/sFlow/IPFIX data. Flow records provide visibility into traffic volumes, source IPs, and protocols, which is essential for DDoS detection.

Detection & Response

  • Traffic Volume Monitoring: The primary detection method for volumetric DDoS is monitoring inbound traffic volume at the network edge. Use tools that analyze NetFlow, sFlow, or IPFIX data to baseline normal traffic levels and alert on significant deviations. This is the core of D3FEND Network Traffic Analysis (D3-NTA).
  • On-Demand Mitigation: For most organizations, mitigating an 800+ Gbps attack requires a cloud-based DDoS protection service. The response plan should include a pre-defined process for redirecting traffic to the scrubbing service via BGP announcements or DNS changes.
  • Real-Time Policy Tuning: As demonstrated by NSFOCUS, mitigation is not a 'set and forget' process. Security teams must work with their mitigation provider to tune filtering policies in real time as the attack's vectors change, and to keep collateral drops of legitimate traffic to a minimum (no filter at this scale drops zero legitimate packets, so the tuning goal is to keep the loss below what the service notices).

Mitigation

  1. Cloud-Based DDoS Protection: The primary mitigation for large-scale volumetric attacks is to contract with a specialized DDoS mitigation provider like NSFOCUS, Akamai, or Cloudflare. These services have the global capacity and infrastructure to absorb and filter attacks of this magnitude.
  2. Hybrid DDoS Defense: A best-practice approach combines an on-premises DDoS mitigation appliance for smaller, state-exhaustion attacks with a cloud-based service for large volumetric attacks. The on-prem device can handle low-and-slow attacks, automatically triggering a 'swing' to the cloud provider when a certain volume threshold is breached.
  3. ISP Collaboration: Maintain a strong relationship with your upstream ISP. They can assist by blackholing traffic during an attack (remotely triggered blackhole, or RTBH) and may offer their own DDoS protection services. Note that RTBH drops all traffic to the blackholed prefix, including legitimate traffic, so it finishes the attacker's job for that prefix; it is a last resort to protect the rest of the network, not a substitute for scrubbing.
  4. Network Hardening: While not a defense against massive volumetric floods, hardening network devices and disabling unused services can help protect against state-exhaustion and application-layer DDoS attacks that often accompany them.

Timeline of Events

  1. October 21, 2025: A massive DDoS attack peaking at 843.4 Gbps targets a critical infrastructure operator.
  2. November 17, 2025: NSFOCUS publishes a report detailing the attack and its successful mitigation.
  3. November 18, 2025: This article is published.

MITRE ATT&CK Mitigations

Both of the following fall under M1037 (Filter Network Traffic), the mitigation ATT&CK lists for T1498:

  • Use a cloud-based DDoS mitigation service that can absorb and filter massive volumetric attacks before they reach the organization's network.
  • Work with upstream ISPs to filter malicious traffic as close to the source as possible.

D3FEND Defensive Countermeasures

For any critical infrastructure operator, relying solely on on-premises equipment to defend against DDoS attacks is no longer viable: the 843.4 Gbps volume of this attack would saturate the internet circuits of almost any organization. The practical countermeasure is to contract with a Cloud DDoS Scrubbing Provider like NSFOCUS, Akamai, or Cloudflare, and to do so proactively, with an 'always-on' or 'on-demand' service already in place. When a large attack is detected, inbound traffic is rerouted to the provider's global network of scrubbing centers, either by having the provider announce the affected prefix via BGP (which requires the operator to own a routable block of at least /24, the smallest prefix most carriers accept) or by pointing DNS records at the provider (which protects only hostname-addressed services and leaves the origin IP exposed if it is discovered). These centers have terabits of capacity to absorb the attack traffic, use traffic analytics to separate malicious packets from legitimate user traffic, and forward only the clean traffic back to the operator's data center over a GRE tunnel or a dedicated cross-connect; with GRE, the encapsulation overhead usually calls for an MTU/MSS adjustment on the return path. This is the industry-standard solution for mitigating large-scale volumetric attacks.

Effective DDoS defense requires robust Network Traffic Analysis. The critical infrastructure operator must have tools that analyze NetFlow, sFlow, or IPFIX data from its edge routers in real time. This allows the team to establish a clear baseline of normal traffic in terms of volume (Gbps), rate (pps), and protocol mix. When an attack begins, these tools provide immediate detection by alerting on the deviation from that baseline. The same analysis triggers the response: for an on-demand scrubbing service, the NTA tool can automatically initiate the BGP announcement that diverts traffic once a volume threshold is crossed. During the attack, the analysis helps the security team identify the attack vectors (e.g., UDP flood, NTP amplification) and work with the scrubbing provider to fine-tune the filtering rules.
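The detection-and-swing logic described in Detection & Response, in Mitigation item 2, and in the paragraph above, as an added example that is not NSFOCUS's or any vendor's code. It baselines constructed NetFlow/IPFIX-style records (sample data, not a capture; the victim address is a documentation address and the thresholds are hypothetical values), fires on the observables listed in the table (bandwidth, packet rate, UDP share, random high destination ports), and only hands off to cloud scrubbing when the volumetric indicator exceeds the circuit-sized threshold, so a small protocol anomaly stays on-prem.

```python
"""Flow-telemetry DDoS detection with an automatic swing to cloud scrubbing.

Added example (not NSFOCUS or vendor code). Flow records are constructed
in-line to mimic NetFlow/IPFIX exports; thresholds are hypothetical.
"""
import random
from dataclasses import dataclass
from statistics import mean, pstdev

SWING_THRESHOLD_BPS = 5_000_000_000   # hypothetical: divert above 5 Gbps
SIGMA = 5.0                           # alert at baseline + 5 standard deviations
EPHEMERAL_PORT = 1024                 # "random high port" cut-off
VICTIM = "192.0.2.10"                 # documentation address, not a real target


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    nbytes: int     # bytes and packets already summed by the exporter
    packets: int


def make_window(rng, proto, gbps, mpps, n_flows, random_dport, seconds):
    """Constructed flow export for one window (sample data, not a capture)."""
    total_bytes = int(gbps * 1e9 * seconds / 8)
    total_pkts = int(mpps * 1e6 * seconds)
    flows = []
    for _ in range(n_flows):
        src = ".".join(str(rng.randrange(1, 224)) for _ in range(4))
        dport = rng.randrange(EPHEMERAL_PORT, 65536) if random_dport else 443
        flows.append(Flow(src, VICTIM, proto, rng.randrange(EPHEMERAL_PORT, 65536),
                          dport, total_bytes // n_flows, total_pkts // n_flows))
    return flows


def window_stats(flows, seconds):
    """Reduce one export window to the metrics an NTA tool baselines."""
    total_bytes = sum(f.nbytes for f in flows)
    total_pkts = sum(f.packets for f in flows)
    udp = [f for f in flows if f.proto == 17]
    udp_pkts = sum(f.packets for f in udp)
    # Observable from the table: UDP aimed at random high destination ports
    # rather than at a service port the victim actually exposes.
    udp_high = sum(f.packets for f in udp if f.dport >= EPHEMERAL_PORT)
    return {
        "bps": total_bytes * 8 / seconds,
        "pps": total_pkts / seconds,
        "udp_share": sum(f.nbytes for f in udp) / max(total_bytes, 1),
        "udp_random_dport": udp_high / max(udp_pkts, 1),
        "sources": len({f.src for f in flows}),
    }


def build_baseline(history):
    """Per-metric (mean, stdev) from windows of known-normal traffic."""
    return {k: (mean(h[k] for h in history), pstdev(h[k] for h in history))
            for k in ("bps", "pps", "udp_share")}


def detect(stats, base):
    """Indicators that fired. A metric must exceed both the sigma band and
    1.5x the mean, so a flat baseline (stdev 0) does not alert on noise."""
    fired = [k for k, (mu, sd) in base.items()
             if stats[k] > mu + SIGMA * sd and stats[k] > 1.5 * mu]
    if "udp_share" in fired and stats["udp_random_dport"] > 0.9:
        fired.append("udp_flood_random_ports")
    return fired


def should_swing(stats, fired):
    """Only a volumetric indicator above the circuit threshold triggers the
    BGP announcement / DNS change that hands traffic to the scrubbing
    provider; a protocol anomaly at tens of Mbps is handled on-prem."""
    return "bps" in fired and stats["bps"] > SWING_THRESHOLD_BPS


def demo(seconds=60):
    rng = random.Random(7)
    # Normal: 600-650 Mbps of HTTPS (TCP/443) at 60 kpps from ~2,000 clients.
    history = [window_stats(make_window(rng, 6, 0.6 + 0.05 * rng.random(),
                                        0.06, 2000, False, seconds), seconds)
               for _ in range(24)]
    base = build_baseline(history)
    quiet = window_stats(make_window(rng, 6, 0.62, 0.06, 2000, False, seconds), seconds)
    # Attack window shaped like the report: UDP, ~800 Gbps, ~70 Mpps,
    # spoofed sources worldwide, random high destination ports.
    attack = window_stats(make_window(rng, 17, 800.0, 70.0, 50_000, True, seconds), seconds)
    fired = detect(attack, base)
    return {"quiet_fired": detect(quiet, base), "attack_fired": fired,
            "swing": should_swing(attack, fired), "attack": attack}


if __name__ == "__main__":
    r = demo()
    a = r["attack"]
    print(f"attack: {a['bps'] / 1e9:.0f} Gbps, {a['pps'] / 1e6:.1f} Mpps, "
          f"UDP share {a['udp_share']:.2f}, from {a['sources']} sources; "
          f"indicators {r['attack_fired']}; swing to scrubbing: {r['swing']}")
```

The two-part test in detect (sigma band and 1.5x mean) is deliberate: a production baseline that has been flat for a day has a standard deviation near zero, and a pure sigma test would then page on every minor fluctuation. The swing decision is kept separate from detection because an on-demand diversion reroutes every inbound packet and should be tied to the circuit's capacity, not to any anomaly.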

A critical, yet non-technical, countermeasure is a well-rehearsed Incident Response Plan specifically for DDoS attacks. This plan must be created before an attack occurs. It should define the roles and responsibilities of the security team, network team, and executive leadership. It must contain the exact technical procedures for activating the cloud scrubbing service, including provider contact numbers and where the portal credentials are kept (in a credential vault, not in the plan document itself, which is widely circulated). The plan should also include a communications strategy for notifying stakeholders, upstream ISPs, and, if necessary, the public. Regular testing of this plan through tabletop exercises and live drills is essential to ensure a smooth and rapid response when a real attack like this one occurs.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

DDoS, Cyberattack, Critical Infrastructure, NSFOCUS, UDP Flood, Threat Intelligence
