Qrator Labs Mitigated Record L7 DDoS Attack from 5.76M-Device Botnet

In early September, Qrator Labs detected and mitigated one of the most significant L7 DDoS attacks seen this year, carried out by what is now the largest known botnet. The attack, aimed at a government organisation, used 5.76 million compromised Internet of Things (IoT) devices and other internet-connected systems.
The botnet was first observed in late March 2025, when 1.33 million IP addresses took part in an attack on an online betting service. It then grew to 4.6 million by May and turned its focus to government infrastructure before reaching nearly six million in September 2025, a 333% increase in just six months.
The September DDoS attack, as per Qrator Labs’ blog post shared with Hackread.com, was carried out in two phases. The first wave used 2.8 million devices, followed an hour later by another three million. Qrator’s telemetry showed the top sources of malicious traffic were located in different parts of the world, including:
- Brazil: 1.41 million devices
- Argentina: 162,000 devices
- United States: 647,000 devices
- India: 408,000 devices, up 202% since May
- Vietnam: 661,000 devices, up 83% since May
According to Andrey Leskin, CTO at Qrator Labs, the problem is not just the size of the botnet but its power. He noted that when directed at unprotected resources, a network of this scale can generate tens of millions of requests every second, enough to overwhelm servers almost instantly. Even providers specialising in DDoS protection can struggle if multiple clients are hit at once, making these attacks a risk across entire service ecosystems.
This development comes as other record-breaking attacks have been observed in the same period. Cloudflare recently reported mitigating the largest volumetric DDoS attack ever recorded, peaking at 11.5 terabits per second. Although that incident lasted only 35 seconds, the scale shows the growing power of internet traffic floods now being used by attackers.
While the September attack relied on a record 5.76 million devices to flood its target with requests, a separate incident reported by Cloudflare was measured differently. That attack peaked at 11.5 terabits per second, the largest volumetric flood on record.
In other words, one case shows the scale of devices hijacked into a botnet, while the other highlights the sheer bandwidth attackers can generate. Both trends point to DDoS threats growing more severe in different ways.
HackRead