GBHackers

Massive DDoS Attack Generates 2.45 Billion Requests Using 1.2 Million IP Addresses


A distributed denial-of-service attack targeted a major user-generated content platform, generating an astonishing 2.45 billion malicious requests in just 5 hours.

Security provider DataDome successfully intercepted the assault in real time, ensuring legitimate users experienced no disruption. Threat researchers analyzing the incident discovered that the operation relied on 1.2 million unique Internet Protocol addresses.

Instead of using traditional brute-force methods, the attackers distributed their traffic across this massive network. This approach exposed fundamental vulnerabilities in conventional security defenses that rely primarily on static thresholds to identify malicious activity.

Massive DDoS Attack Generates 2.45 Billion Requests

The sheer scale of the operation peaked at over two hundred thousand requests per second while maintaining a sustained average of roughly one hundred thirty-six thousand requests per second.

Rather than executing a constant barrage, the threat actors employed a wave pattern that cycled intensity to evade detection. Each compromised device averaged roughly one request every nine seconds.

Attack traffic observed (Source: DataDome)

This deliberate pacing meant no individual source ever triggered standard rate limits, allowing the broader operation to stay below typical detection thresholds. The calculated pauses between waves gave aggregate security counters time to reset.

During these lulls, the attackers actively rotated addresses, swapped user agents, and retuned their payloads. This adaptive cadence suggests a managed operation in which a human operator actively monitored detection signals and adjusted tactics on the fly.

To execute an attack of this magnitude, the threat actors leveraged an incredibly fragmented infrastructure spanning over sixteen thousand autonomous systems. Reaching this level of distribution requires extraordinary coordination and purpose-built resources.

The traffic distribution was notably flat, with the highest-contributing network accounting for only 3% of the total volume. The attackers deliberately blended their traffic by routing through mainstream cloud providers like Cloudflare, Amazon, and Google, alongside obscure networks favored for anonymization.

Providers such as 1337 Services GmbH and Church of Cyberology were utilized to minimize a traceable footprint.

By mixing traffic from standard hosting environments with privacy-oriented networks, the malicious operators created a complex web that made standard blocking completely ineffective, as reported by DataDome.

The adversary profile indicates a highly distributed but moderately sophisticated attacker who prioritized raw throughput over individual node stealth. Catching an operation of this complexity requires analyzing behavioral baselines rather than just aggregate traffic spikes.

Defenders identified the attack by combining server-side fingerprinting, threat intelligence, and deep behavioral analysis. They uncovered inconsistencies between the claimed browser environments and the actual network layer characteristics.

Furthermore, the automated tools used in the attack exhibited shifting identification signals within individual sessions, which is a clear hallmark of synthetic traffic.

By focusing on session sequence anomalies and evaluating the internal contradictions within the fabricated environments, security systems successfully mitigated the threat across all segments without impacting genuine users.
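A small detection sketch, added here as an illustration and not DataDome's code or data, showing why a static per-IP rate limit never fires against the pacing described above (one request every nine seconds per source) while a comparison against a behavioral baseline and a session-consistency check both surface the traffic. The log records, IP ranges, baseline values and thresholds are all constructed.

```python
from collections import defaultdict

# Constructed sample log records (not from the article): (timestamp_s, ip, session_id, user_agent).
# 300 bot sources each send one request every 9 seconds within a single minute, mirroring the
# per-device pacing the article describes, plus five real users; one bot session rotates its
# user agent mid-session.
def build_sample_log():
    log = []
    for i in range(300):
        for k in range(0, 60, 9):                      # 7 requests per minute per source
            ua = "Firefox/118" if (i == 7 and k >= 27) else "Chrome/120"
            log.append((k + (i % 5), f"10.0.{i // 256}.{i % 256}", f"bot-{i}", ua))
    for i in range(5):                                 # legitimate users
        log.append((i * 10, f"192.0.2.{i}", f"user-{i}", "Safari/17"))
    return log

def ips_over_rate_limit(log, window_s=60, limit=30):
    """Classic static threshold: flag an IP only if it exceeds `limit` requests in one window."""
    counts = defaultdict(int)
    for ts, ip, _, _ in log:
        counts[(ip, ts // window_s)] += 1
    return sorted({ip for (ip, _), n in counts.items() if n > limit})

def aggregate_vs_baseline(log, baseline_rpm, baseline_unique_ips, factor=5):
    """Behavioral baseline: compare this minute's total requests and distinct sources with the
    site's normal minute instead of judging each source in isolation."""
    rpm = len(log)
    unique = len({ip for _, ip, _, _ in log})
    return {"rpm": rpm, "unique_ips": unique,
            "alert": rpm > factor * baseline_rpm or unique > factor * baseline_unique_ips}

def sessions_with_shifting_ua(log):
    """Hallmark of synthetic traffic noted in the article: a single session whose
    identification signal (here the user agent) changes part-way through."""
    seen = defaultdict(set)
    for _, _, sid, ua in log:
        seen[sid].add(ua)
    return sorted(sid for sid, uas in seen.items() if len(uas) > 1)
```

Run against the constructed minute, the per-IP limiter flags nothing, the baseline check alerts on both volume and distinct sources, and the session check isolates the one session that swapped user agents.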
