Distributed Denial of Service (DDoS)<\/a> campaign targeted a large-scale user-generated content platform, unleashing over 2.45 billion malicious requests in just five hours.<\/p>\n Rather than relying on\u00a0brute-force<\/a><\/span> methods<\/a>, the attackers distributed traffic across 1.2 million unique IP addresses.<\/p>\n This structural shift exposed a fundamental weakness in traditional rate-limiting defenses.<\/p>\n By keeping individual IP request rates extremely low, the threat actors evaded standard detection systems while maintaining crippling pressure on the target.<\/p>\n The raw campaign metrics highlight a highly coordinated operation designed to fly under the radar of traditional static thresholds.<\/p>\n The attack peaked at 205,344 requests per second (RPS) and maintained a sustained average of approximately 136,000 RPS.<\/p>\n To avoid triggering per-IP rate limits, each source averaged just one request every nine seconds.<\/p>\n This low-frequency cadence meant that no single node in the botnet appeared malicious in isolation. Traffic analysis revealed a distinct wave-pattern rather than a constant flood.<\/p>\n The human operators, or their automated orchestration layers, actively cycled the attack intensity to test which request patterns could survive mitigation.<\/p>\n The tactical pauses between these waves allowed aggregate rate-limit counters to reset.<\/p>\n During these brief lulls, the attackers rotated IPs, swapped user agents, and returned payloads to sustain their assault without triggering structural alarms.<\/p>\n The botnet\u2019s infrastructure was highly fragmented, spanning 16,402 autonomous systems (ASNs)<\/a>, which represents an extraordinary level of coordination.<\/p>\n The distribution was remarkably flat, with the top contributing ASN accounting for only three percent of the total attack traffic.<\/p>\n This flat structure serves as an evasion signature, ensuring that blocking any single ASN would not meaningfully dent the campaign.<\/p>\n The threat actors deliberately mixed privacy-oriented infrastructure with legitimate cloud providers to mask their activity.<\/p>\n Anonymization-friendly ASNs, such as 1337 Services GmbH and the Church of Cyberology, were used alongside household names like Cloudflare, AWS<\/a>, and Google.<\/p>\n By routing traffic through these major cloud providers, the malicious requests easily blended into the massive volumes of legitimate cloud egress traffic.<\/p>\n The campaign reflects an adversary capable of managing a massive, globally dispersed botnet. However, their evasion techniques were only moderately sophisticated.<\/p>\n While the attackers forged headers, cookies, and URL parameters, they lacked advanced browser automation or JavaScript forgery capabilities.<\/p>\n Their client-side browser identification signals constantly shifted within individual sessions, displaying a hallmark of automated tooling unable to maintain a consistent identity.<\/p>\n DataDome\u2019s Galileo threat research team successfully identified<\/a> and blocked the attack in real-time by combining multiple layers of behavioral detection.<\/p>\n Since static rate limiting fails against dynamically tuned volumes, defenders relied on server-side fingerprinting to catch network-layer inconsistencies.<\/p>\n Behavioral analysis identified anomalous session sequences, and threat intelligence flagged IPs with negative reputations.<\/p>\n This incident underscores that as DDoS tactics evolve toward distributed evasion, detection must operate on behavioral baselines across time and sources rather than evaluating requests in isolation.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Massive 2.45B-Request DDoS Attack Used 1.2 Million IPs to Evade Rate Limits<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nMassive 2.45B-Request DDoS Attack<\/strong><\/h2>\n
![\"Attack](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhpt0VuT3DfpZfSYFmoNyEPvi66mxPfd2V-6ksQ8VvuigvMO0-i4HiWQB8D50R36GAKh5xiZ9zW7EDAAfoqBvbBYk_MW1wc1i05_5PdCDZ74HyuR9VwtlVTCxMyb0J5-5y3pkO1jhcMbhycziNx80cIQEC01zA_SKyQesdVtVrdZnWsRQwdaOBpU_h7GLE\/s1600\/Screenshot%25202026-05-06%2520200322%2520%25281%2529.webp?ssl=1\")
Detection and Mitigation Strategy<\/strong><\/h2>\n