
Lesson from the Cloudflare outage: Don’t jump to conclusions about external threats    


COMMENTARY: A widespread Cloudflare service interruption Nov. 18 took down hundreds of websites for a few hours, causing significant disruption. Given today’s threats, initial speculation turned toward a successful, massive Distributed Denial-of-Service (DDoS) attack, possibly orchestrated by the notorious Aisuru strain of the Mirai botnet.

While this theory was logically compelling because of recent attacks by Aisuru on Microsoft Azure, official reports yesterday quickly confirmed that the incident was not the result of a botnet cyberattack, but rather an internal technical issue.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The suspicion that the outage was a reprisal attack was founded on Cloudflare’s extraordinary recent success in mitigating hyper-volumetric attacks. Cloudflare serves as a critical defender against modern botnets, and in the months leading up to the November 2025 outage, the company had successfully intercepted some of the largest DDoS assaults ever recorded. These results became very public.

Cloudflare had recently stopped multi-terabit-per-second attacks launched by variants of the Mirai botnet, which targets compromised Internet-of-Things (IoT) devices. Attacks recently blocked included staggering assaults measured at 5.6 terabits per second (Tbps) and 7.3 Tbps. The speed and scale of these attacks were dramatic; one major attack, although lasting only about 80 seconds, was driven by more than 13,000 compromised IoT devices.

DDoS attacks overall are rising dramatically, and Cloudflare has been mitigating a record number of these attacks throughout 2025. One of those high-profile incidents occurred in September 2025, when Cloudflare mitigated a 22.2 Tbps DDoS attack that reached 10.6 billion packets per second (Bpps).

The same Aisuru botnet family involved in that attack resurfaced this week with yesterday’s 15.7 Tbps attack on Microsoft Azure, which reached nearly 3.64 billion packets per second (Bpps), reinforcing the persistent, adaptive nature of today’s threat actors.

These figures highlight the intense ongoing conflict between Cloudflare’s automated defense systems and sophisticated botnet operators. Cloudflare's architecture was designed to distribute malicious traffic across its global network, neutralizing threats instantly and independently.

The continuous, successful thwarting of such immense Mirai-class assaults offers a clear motive for revenge, which makes a successful reprisal attack the logical first hypothesis when a widespread outage occurs.

Despite the compelling circumstantial evidence suggesting a cyberattack, official confirmation from Cloudflare quickly shifted the focus away from external threats. The company determined that the widespread disruption was caused by an internal issue.

Multiple media reports have confirmed that the incident was not the result of a DDoS, a cyberattack, or a reprisal attempt by Mirai or any other malicious actor. Instead, the evidence points toward an operational or maintenance-related outage. Many reports attributed the failure to a "latent bug" or similar technical problem residing within Cloudflare’s infrastructure.

When these outages and other security incidents become public, it’s important to remember that attribution remains extremely difficult, especially in the early hours. The security community wants answers immediately, yet it often takes days, weeks, or even months before all the evidence emerges and the digital dust settles.

The incident also shows that even the most advanced security platforms, while capable of stopping multi-terabit attacks, remain susceptible to complex technical flaws or configuration mistakes within their own vast operational networks.

Ted Miracco, chief executive officer, Approov Limited
