Cyber Incident Victim: Wynncraft
Date: Oct 2022
Location: United States of America
Summary
A large Minecraft server experienced a record-breaking 2.5 Tbps multi-vector DDoS attack involving UDP and TCP floods, lasting approximately two minutes and attempting to disrupt access for hundreds of thousands of players. Mitigated by Cloudflare, this marked the highest bitrate attack the company had ever recorded, reflecting broader trends of increasing multi-terabit assaults and resurgence in Mirai botnet activity impacting the gaming sector. The incident coincided with rising network-layer DDoS attacks globally, including a significant surge in BitTorrent protocol abuse where attackers spoof victim IPs to generate overwhelming traffic from file-sharing networks. While most attacks remain short-lived and under 500 Mbps, this event exemplified the growing scale and sophistication of threats targeting online infrastructure.
Description
On or around October 12, 2022, Wynncraft, one of the largest Minecraft servers, experienced a distributed denial-of-service (DDoS) attack mitigated by Cloudflare. The attack reached a record bitrate of 2.5 terabits per second (Tbps), making it the largest such attack Cloudflare had ever recorded and handled at that time. The incident lasted approximately two minutes and employed a multi-vector approach combining UDP and TCP flood packets. These techniques aimed to overwhelm the server’s infrastructure, disrupting access for hundreds of thousands of players attempting to connect to the Minecraft server. Cloudflare’s intervention successfully neutralized the attack, preventing extended downtime. The attack’s scale exceeded a 2017 nation-state-backed campaign disclosed by Google in 2020, though it remained below the all-time peak of 3.47 Tbps observed in November 2021.

The incident occurred amid a broader escalation in DDoS activity documented in Cloudflare’s Q3 2022 report. Multi-terabit attacks like the one against Wynncraft became more frequent during this period, though they represented only 0.1% of all mitigated attacks. The gaming industry emerged as a primary target for network-layer (L3/4) DDoS attacks, which nearly doubled year-over-year with a 97% increase in volume. This surge correlated with a 405% quarter-over-quarter resurgence in Mirai botnet activity, contributing to inflated attack volumes. Concurrently, HTTP-based DDoS attacks rose by 111% compared to the previous year, with Taiwan and Japan experiencing the most significant regional spikes. A separate trend involved the exploitation of BitTorrent protocols, where attackers spoofed victim IP addresses to generate unrequested traffic floods—a method that increased by over 1,200% quarter-over-quarter. Most attacks (97.3%) remained below 500 Mbps, typically lasting under 20 minutes, though prolonged incidents exceeding one hour saw an 8.6% increase. The Wynncraft attack exemplified the disruptive potential of short-duration, high-volume assaults on critical online services.
