A recent investigation by the Galileo threat research team at DataDome has uncovered a highly fragmented Distributed Denial of Service (DDoS) campaign notable for both its scale and its sophistication. In mid-April, over a span of just five hours, attackers sent 2.45 billion malicious requests to a prominent user-generated content platform, an average of roughly 136,000 requests per second across the whole window.
The research, shared with cybersecurity analysts, points to a shift in tactics: threat actors are increasingly adept at slipping past conventional controls. Rather than overwhelming the target from a small number of high-volume sources, the attackers used a "low and slow" strategy at the level of each source. In aggregate the attack peaked at 205,344 requests per second (RPS), yet it remained largely invisible to standard per-IP rate limiting, because no individual source ever sent enough to cross a threshold.
Bypassing Security Through Infrastructure Fragmentation
The sheer magnitude of the infrastructure involved is remarkable. The malicious traffic was dispersed across more than 1.2 million unique IP addresses belonging to 16,402 distinct autonomous systems (ASNs). By comparison, typical large-scale scraping attacks involve only a few hundred ASNs. Further analysis revealed a remarkably flat traffic distribution, with no single network contributing more than 3% of the overall activity.
DataDome's report notes that these numbers reflect a continuous, high-intensity flood of requests rather than isolated surges. The attackers used wave modulation to keep relentless pressure on the target, and even the quieter intervals of the assault still recorded tens of thousands of requests per second.
The largest contributing networks were HERN Labs AB (2.27%), Cloudflare, Inc. (1.88%), and DigitalOcean, LLC (1.69%). Because the mix included privacy-focused networks alongside widely used platforms such as Google and Amazon, the malicious requests blended in with the legitimate high-volume traffic those providers already carry. Traditional IP blocking proved ineffective: the volume from any individual source was never large enough to warrant action.
A Strategic DDoS Operation
The attackers orchestrated their approach carefully, using a "pulsed cadence" to stay under rate-limiting thresholds. Each source IP averaged about one request every nine seconds, far below typical per-IP limits; the figure follows from the totals above, since 2.45 billion requests spread over 1.2 million IPs across five hours works out to roughly 2,000 requests per IP, or one every nine seconds or so. Cadence here refers to the timing pattern and frequency of requests that the botnet's controller imposes on each source.
Jerome Segura, Vice President of Threat Research at DataDome, suggested that the operational coordination indicates that this was not a random attack but rather one carefully managed by either human operators or an advanced orchestration layer. This setup allowed the attackers to respond dynamically to detection signals and modify their behavior in real time.
Although the attackers manipulated HTTP headers, cookies, and TLS fingerprints to mimic standard web browsers, DataDome detected the traffic through behavioral analysis. Researchers observed irregularities in TLS handshakes and browser identification signals that did not agree with one another (such as a claimed browser whose TLS fingerprint does not match what that browser actually produces), which legitimate clients do not exhibit.
These findings underscore the need for security teams to evolve their detection methods. The emphasis has to shift toward behavioral models that evaluate traffic over extended periods and across the entire source population, rather than relying solely on static per-IP volume thresholds. Such adaptive strategies are what it takes to catch DDoS attacks built to stay under every individual threshold, and they are the concrete step organizations should take to strengthen their posture against campaigns of this scale.
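To make the fragmentation and cadence figures above concrete (one request per source roughly every nine seconds, traffic spread flat across thousands of ASNs) and to show what the population-level detection argued for here looks like in practice, the following is an added example and not DataDome's code. It builds synthetic traffic inline with that cadence and spread, runs a conventional per-IP sliding-window limiter over it (which never fires), and then scores the same traffic on aggregate volume and source-distribution features (which do flag it). The baseline figures (a normal peak of 50 RPS and 300 distinct ASNs), the IP and private-range ASN values, and the detection thresholds are assumptions for a hypothetical site, not values from the report.

```python
"""Why per-IP rate limits miss a flat, low-cadence flood, and what catches it.

Added example, not DataDome's code. Traffic is constructed, not captured.
"""
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    t: float   # seconds since the start of the observation window
    ip: str
    asn: int


def synthetic_flood(n_ips=3000, n_asns=500, duration_s=60.0, period_s=9.0, seed=7):
    """Constructed traffic (not real data): n_ips bots, each sending one request
    about every period_s seconds from a random phase, spread uniformly across
    n_asns networks. ASNs are drawn from the private range 64512+ (assumed)."""
    rng = random.Random(seed)
    events = []
    for i in range(n_ips):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # assumed addresses
        asn = 64512 + rng.randrange(n_asns)
        t = rng.uniform(0.0, period_s)
        while t < duration_s:
            events.append(Request(t, ip, asn))
            t += period_s + rng.uniform(-0.5, 0.5)   # small jitter, spacing never below 8.5 s
    events.sort(key=lambda r: r.t)
    return events


def per_ip_rate_limit(events, window_s=10.0, max_requests=5):
    """Conventional per-IP sliding-window limiter: returns every IP that exceeds
    max_requests inside any window_s-second window. With one request per ~9 s a
    source never has more than two requests in a 10 s window, so nothing trips."""
    recent = defaultdict(list)
    blocked = set()
    for r in events:
        hist = recent[r.ip]
        hist.append(r.t)
        while hist[0] <= r.t - window_s:
            hist.pop(0)
        if len(hist) > max_requests:
            blocked.add(r.ip)
    return blocked


def aggregate_rps(events, bucket_s=1.0):
    """Requests per second over the whole population, ignoring who sent them."""
    counts = Counter(int(r.t // bucket_s) for r in events)
    n_buckets = max(counts) + 1
    return [counts[i] / bucket_s for i in range(n_buckets)]


def asn_shares(events):
    """Fraction of all requests attributable to each ASN."""
    counts = Counter(r.asn for r in events)
    total = sum(counts.values())
    return {asn: c / total for asn, c in counts.items()}


def classify(events, baseline_peak_rps=50.0, baseline_asns=300):
    """Population-level verdict (thresholds assumed): flag a flat flood when the
    aggregate volume is far above baseline and the source distribution is both
    wider and flatter than normal, even though no single IP or ASN stands out."""
    peak = max(aggregate_rps(events))
    shares = asn_shares(events)
    top_share = max(shares.values())
    return {
        "peak_rps": peak,
        "distinct_asns": len(shares),
        "top_asn_share": top_share,
        "per_ip_blocked": len(per_ip_rate_limit(events)),
        "flat_flood": (peak > 3 * baseline_peak_rps
                       and top_share < 0.03          # article: no ASN above 3 %
                       and len(shares) > baseline_asns),
    }


if __name__ == "__main__":
    verdict = classify(synthetic_flood())
    for key, value in verdict.items():
        print(f"{key:>15}: {value}")
```

Run as a script, the per-IP limiter blocks zero addresses while the population features (a peak of a few hundred RPS against an assumed 50 RPS baseline, hundreds of distinct ASNs none of which exceeds 3% of traffic) mark the window as a flat flood. The three features in `classify` are deliberately cheap to compute from ordinary access logs; the point is not the particular thresholds but that they are evaluated over the whole source population and over a longer window than any single source's per-IP budget.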