DDoS Records Keep Falling: 22+ Tbps Attacks and How to Harden the Edge

Cloudflare says it is now mitigating multi-terabit DDoS attacks that break records in weeks, not years, peaking past 22 Tbps. Here is what changed, who is exposed, and how to harden the network edge with layered Cisco defense, capacity planning, and managed monitoring that Uniqcli scopes, sources, and runs.

Uniqcli Team
June 5, 2026 · 7 min read

Key takeaways

  • Cloudflare has reported a fast climb in hyper-volumetric DDoS attacks, mitigating floods of 11.5 Tbps and then 22.2 Tbps (about 10.6 billion packets per second), with a record 31.4 Tbps cited in its late-2025/2026 threat reporting and HTTP floods topping 200 million requests per second.
  • The pace is the story. Records that used to stand for years now fall in weeks, driven by industrialized, botnet-powered attacks that any internet-facing agency, hospital, or enterprise can land in front of.
  • No single box absorbs a 20-plus-Tbps flood. Real defense is layered: upstream and cloud scrubbing, edge rate-limiting and ACLs, a hardened next-gen firewall posture, and identity-aware segmentation behind it.
  • Cisco Secure Firewall, Secure DDoS Edge Protection, ISE segmentation, Umbrella DNS-layer security, and ThousandEyes/Splunk visibility give you defense in depth without claiming any product makes you immune.
  • Uniqcli scopes the architecture, validates the bill of materials, handles TAA and contract-vehicle procurement, deploys the cutover, and can run monitoring and lifecycle so the defense stays current after go-live.

What happened: DDoS records are falling in weeks, not years

The numbers moved again. Cloudflare reports that it has been mitigating hyper-volumetric distributed denial-of-service attacks at a scale the industry has not seen before, blocking floods measured at 11.5 Tbps, then 22.2 Tbps at roughly 10.6 billion packets per second, with a record 31.4 Tbps cited in its late-2025 and 2026 threat reporting. On the application side, HTTP request floods have pushed past 200 million requests per second. These are not lab figures. They are live attacks that defenders absorbed in production.

The headline is not any one record. It is the cadence. Peaks that used to hold for a year or more are now beaten within weeks. That tells you the attacks are industrialized: large, rentable botnets, automated tooling, and abundant bandwidth that lets an attacker point a wall of traffic at a target with little effort. For background on the broader threat picture, the Cybersecurity and Infrastructure Security Agency advisories track active campaigns, and Cisco posts platform-specific guidance through its security advisories portal.

The point of a denial-of-service attack is simple. Make a service unreachable by drowning it in traffic or requests. When the volume crosses tens of terabits per second, the failure does not stay at the firewall. It can saturate the internet circuit itself, which means the link is congested before any on-premises device gets a vote.

Who is exposed and why it matters now

If a service answers on the public internet, it is reachable by this kind of attack. That covers patient portals and scheduling systems in healthcare, citizen-facing applications and benefits portals in state, local, and education environments, mission and logistics systems across federal and defense networks, and the e-commerce, VPN, and API endpoints that enterprises depend on. A volumetric flood does not need a software vulnerability or stolen credentials. It only needs your address and enough bandwidth, which is exactly what has become cheap and plentiful.

The operational cost lands fast. A saturated circuit takes down everything that shares it, not just the targeted application. Remote clinicians lose access to records. Constituents cannot reach services. Field users cannot reach the VPN. And denial-of-service is increasingly used as cover, a loud event that ties up the security team while a quieter intrusion runs elsewhere. We map that exposure for public-sector and regulated buyers on our security practice page and across the defense networking and managed operations work we deliver.

Why one box will not save you

There is a hard physics limit worth stating plainly. No single appliance on your premises absorbs a 22-Tbps flood, because the traffic overwhelms the circuit feeding the building long before it reaches the device. Buying a bigger firewall does not fix a congested pipe. This is why serious DDoS defense is layered, and why each layer has a different job at a different point in the path.

The model that holds up is defense in depth. Upstream, your transit providers and a cloud scrubbing service soak up and filter the bulk volumetric traffic far from your network. At your edge, routers and firewalls enforce rate limits, access control lists, and protocol hygiene to shed the junk that does arrive. Behind that, a hardened next-generation firewall handles stateful inspection and application-layer floods, while identity-aware segmentation contains the blast radius if something does get through. General best practice here is vendor-neutral, and frameworks like NIST SP 800-53 and the DISA STIGs describe the controls and hardened baselines that turn this from a slogan into a configuration.

Hardening the edge with Cisco

Cisco gives you most of these layers as a coordinated set rather than a drawer of unrelated tools. At the perimeter, Cisco Secure Firewall provides next-generation inspection, intrusion prevention, and rate controls, with FIPS-validated and STIG-compliant options for federal and DoD environments. For carrier-scale and provider edge deployments, Secure DDoS Edge Protection is designed to detect and mitigate attacks close to the source, before they concentrate downstream. The goal across both is to drop hostile traffic as early in the path as the architecture allows.

Behind the edge, segmentation limits how far a problem can spread. Cisco Identity Services Engine enforces identity-based access and software-defined segmentation so a flooded or compromised segment does not become a free path to everything else, an approach that maps directly to Zero Trust mandates. Cisco Umbrella adds DNS-layer security to blunt the command-and-control and resolution abuse that botnets rely on. None of this makes a network immune, and we will not claim it does. What it buys you is meaningful risk reduction: fewer ways in, smaller blast radius, and faster containment when something lands.

Capacity planning and visibility, not guesswork

You cannot defend a number you have never measured. Hardening the edge starts with honest capacity planning: what your circuits can actually carry, where the natural choke points sit, how much headroom your firewalls hold at full inspection, and which upstream or cloud scrubbing path absorbs an attack that exceeds your local capacity. The aim is a defense whose weakest link is a deliberate engineering choice, not a surprise discovered mid-incident.
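The capacity walk described above, as an added example (not Uniqcli or Cisco tooling): a short Python model that finds the first hop in the path to saturate, in bits or packets per second, and the largest flood the path carries. The hop capacities and drop fractions are constructed sample values; only the 22.2 Tbps to 10.6 billion pps ratio comes from the figures on this page.

```python
from dataclasses import dataclass

# Packet-size ratio taken from the page's figures: 22.2 Tbps at ~10.6 billion pps.
AVG_PACKET_BITS = 22.2e12 / 10.6e9   # about 2094 bits, roughly 262 bytes

@dataclass
class Hop:
    name: str
    max_bps: float        # bandwidth the hop can carry or clean
    max_pps: float        # packet rate the hop can process
    drop_fraction: float  # share of attack traffic filtered here (assumed)

def first_saturated(path, attack_bps, legit_bps, pkt_bits=AVG_PACKET_BITS):
    """Walk hops upstream to inside; return (hop, 'bps'|'pps', utilisation)
    for the first hop pushed past capacity, or None if the path holds.
    Simplification: legitimate traffic uses the same packet size."""
    for hop in path:
        offered_bps = attack_bps + legit_bps
        bps_util = offered_bps / hop.max_bps
        pps_util = (offered_bps / pkt_bits) / hop.max_pps
        if max(bps_util, pps_util) > 1.0:
            dim = "bps" if bps_util >= pps_util else "pps"
            return hop.name, dim, round(max(bps_util, pps_util), 2)
        attack_bps *= 1.0 - hop.drop_fraction  # only the residue moves on
    return None

def max_survivable_bps(path, legit_bps, pkt_bits=AVG_PACKET_BITS):
    """Binary-search the largest attack (bps) the whole path carries."""
    if first_saturated(path, 0.0, legit_bps, pkt_bits):
        return 0.0
    lo, hi = 0.0, 1e15
    for _ in range(60):
        mid = (lo + hi) / 2
        if first_saturated(path, mid, legit_bps, pkt_bits) is None:
            lo = mid
        else:
            hi = mid
    return lo

# Constructed sample path, not measurements from any real network.
SCRUB = Hop("cloud scrubbing", 50e12, 30e9, 0.999)
CIRCUIT = Hop("internet circuit", 10e9, 14.88e6, 0.0)
FIREWALL = Hop("edge firewall", 4e9, 2e6, 0.9)
DIRECT, SCRUBBED = [CIRCUIT, FIREWALL], [SCRUB, CIRCUIT, FIREWALL]

if __name__ == "__main__":
    for label, path in (("direct", DIRECT), ("scrubbed", SCRUBBED)):
        print(label, first_saturated(path, 22.2e12, 1e9),
              f"headroom {max_survivable_bps(path, 1e9) / 1e9:.0f} Gbps")
```

With these sample values, a 22.2 Tbps flood still saturates the 10 Gbps circuit after 99.9% scrubbing, and a flood of 64-byte packets trips the firewall's packet-rate limit while its bandwidth is only 75% used.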

Visibility is the other half. During a volumetric event, the first hard question is whether the problem is your network, your provider, or the wider internet. Cisco ThousandEyes shows the path between your users and your applications across networks you do not own, so you can localize an attack instead of guessing. Cisco Splunk correlates telemetry and flow data so the signal is not lost in noise, and feeds the analytics that separate a real flood from a traffic spike. We help teams stand up this kind of monitoring through our observability practice, and when you want a sized package rather than a parts list, you can start a government network quote and we will scope it against your real circuits and traffic.

How Uniqcli helps you scope, procure, deploy, and operate

Knowing the right architecture and standing it up under public-sector procurement rules are two different problems. As an authorized Cisco partner, Uniqcli closes that gap. We start with an assessment of your edge: circuit capacity, current firewall posture, segmentation gaps, and where DDoS resilience is thin. From there we design the layered defense, validate the bill of materials, and produce a quote you can actually buy from. Send drawings, an existing config, or a parts list through request a quote and we will turn it into a sourced, validated package.

Procurement is where public-sector projects often stall, so we handle TAA compliance, country-of-origin documentation, and CLIN structure as part of the work, and we source through the contract vehicles agencies already use, including GSA and NASA SEWP. Our procurement practice and deployment services cover staging, phased cutover, and turn-up so the change does not become its own outage. After go-live, managed operations and lifecycle services keep firewall rules, software, and SmartNet coverage current through Cisco Smart Net Total Care, because a DDoS posture that is not maintained slowly stops being a posture at all.

Cisco products involved

  • Cisco Secure Firewall
  • Cisco Secure DDoS Edge Protection
  • Cisco Identity Services Engine (ISE)
  • Cisco Umbrella
  • Cisco ThousandEyes
  • Cisco Splunk
  • Cisco Smart Net Total Care

Bottom line: The records will keep falling, because the economics now favor the attacker: cheap bandwidth, rentable botnets, and automation that resets the bar every few weeks. You cannot stop the internet from generating 20-plus-Tbps floods, but you can decide how much of one reaches you and how fast you recover. That means a layered edge, upstream and cloud scrubbing, a hardened Cisco Secure Firewall posture, identity-aware segmentation, and monitoring that tells you what is happening in real time. None of it promises immunity. All of it reduces risk and shortens the outage. If you want that defense scoped against your actual circuits, sourced on the right contract vehicle, deployed cleanly, and kept current, start a government network quote and we will build the plan with you.

Frequently asked questions

Can Cisco or Uniqcli guarantee we will never go down from a DDoS attack?

No, and you should be skeptical of anyone who promises that. At 20-plus Tbps, an attack can saturate the internet circuit feeding your building before any on-site device can act, which is why upstream and cloud scrubbing matter as much as the gear you own. What a layered Cisco design plus Uniqcli delivery does is reduce risk and shorten outages: drop hostile traffic earlier, contain the blast radius with segmentation, and give you the visibility to respond fast. The honest goal is resilience and faster recovery, not immunity.

We are a small agency or hospital, not a hyperscaler. Are these record-breaking attacks really our problem?

The headline peaks hit very large targets, but the floor has risen for everyone. Because botnets and attack tooling are rented and automated, an attacker does not need a reason or a vulnerability to point traffic at a smaller benefits portal, scheduling system, or VPN endpoint. A flood far below the record can still saturate a modest circuit and take down every service that shares it. The right response scales to your size: edge hardening, segmentation, an appropriately sized scrubbing path, and monitoring. We scope that to your environment rather than selling you hyperscaler capacity you do not need.

What is the difference between edge mitigation and cloud or upstream scrubbing, and do we need both?

They cover different parts of the path. Cloud and upstream scrubbing absorb and filter large volumetric traffic far from your network, so a multi-terabit flood never reaches your circuit. Edge mitigation on your routers and Cisco Secure Firewall enforces rate limits, access lists, and stateful and application-layer inspection on what does arrive. For volumetric DDoS you generally want both, because on-premises gear cannot outrun a saturated pipe, and scrubbing alone does not handle the application-layer and segmentation work behind your edge. We size the split based on your circuits, traffic, and risk tolerance.

How does Uniqcli help a public-sector buyer actually procure and deploy this?

We take it from assessment to operation. First we assess your edge capacity, firewall posture, and segmentation gaps, then design a layered defense and validate the bill of materials. We handle TAA compliance, country-of-origin documentation, and CLIN structure, and we source through vehicles agencies already use such as GSA and NASA SEWP. Then we stage and deploy with a phased cutover so the change is not its own outage, and we can run ongoing monitoring, lifecycle, and SmartNet coverage afterward. You can begin with a request a quote submission or a government network quote and we will build the scoped package.

Written & maintained by

Uniqcli Team

The Uniqcli Team is an authorized Cisco partner specializing in Catalyst wireless, switching, datacenter fabric, licensing, and managed services for U.S. federal, state, local, and education customers. We scope Cisco bills of materials, validate procurement paths (TAA, FIPS, contract vehicles), and deliver design, deployment, and managed operations.
