
Massive 2.45 Billion-Request DDoS Attack Uses 1.2 Million IPs to Defeat Rate Limiting in “Low and Slow” Campaign

dark6 7 May 2026

Security researchers at DataDome have documented one of the largest and most sophisticated distributed denial-of-service attacks observed to date: a “low and slow” DDoS campaign that unleashed 2.45 billion malicious requests against a major user-generated content platform over just five hours, leveraging over 1.2 million unique IP addresses to defeat traditional rate-limiting defenses.

The Attack at a Glance

The attack targeted a large-scale user-generated content platform — the specific target was not publicly named — with an assault that combined extreme scale with deliberate restraint. Rather than flooding the target with a firehose of traffic from a small pool of sources, the attackers distributed their requests across 1.2 million unique IP addresses spanning 16,402 distinct Autonomous Systems (ASNs).

The result was a per-source request rate of just one request every nine seconds from each IP address — comfortably below most per-IP rate-limiting thresholds. Yet the cumulative impact was devastating: a peak of 205,344 requests per second and a sustained average of approximately 136,000 requests per second throughout the five-hour assault.

The “Low and Slow” Strategy

Traditional volumetric DDoS attacks are relatively straightforward to defend against: a small number of source IPs generate enormous volumes of traffic, which makes those sources easy to identify and block. Per-IP rate limiting, IP reputation blacklisting, and traffic volume anomaly detection are effective countermeasures against them.

The 2.45 billion-request attack represents a more sophisticated approach: distribute the same total volume of attack traffic across so many source IPs that no individual source ever triggers per-IP defenses, while still generating sufficient aggregate load to overwhelm the target’s capacity. This “low and slow” strategy at hyperscale is a direct counter to the most common DDoS mitigation architectures in production today.

Infrastructure Behind the Attack

The attack’s ability to source traffic from 1.2 million unique IP addresses across 16,402 ASNs suggests a sophisticated and large-scale botnet or a coordinated network of compromised residential and commercial devices. The geographic and network diversity of the source addresses would have defeated IP reputation-based defenses and made geographic blocking impractical without causing significant collateral damage to legitimate traffic.

  • Total requests: 2.45 billion over 5 hours
  • Peak request rate: 205,344 requests per second
  • Average request rate: ~136,000 requests per second
  • Unique source IPs: 1.2 million
  • ASNs spanned: 16,402
  • Per-source request rate: ~1 request per 9 seconds

Why Traditional Defenses Failed

The attack was specifically engineered to defeat the most commonly deployed DDoS mitigation controls:

  • Per-IP rate limiting: Defeated by distributing traffic across 1.2 million sources, each generating only ~1 request per 9 seconds
  • IP reputation blacklisting: Defeated by using fresh or residential IP addresses spread across thousands of networks
  • Geographic blocking: Defeated by the global distribution of source ASNs, making any regional block too blunt an instrument
  • Volume-based anomaly detection: The aggregate volume was clearly anomalous, but separating attack requests from legitimate ones was complicated by the sheer number of sources, none of which stood out individually

What Effective Defense Looks Like

DataDome’s analysis of the attack highlights the limitations of single-signal defenses and points toward the mitigation approaches that were ultimately effective:

  • Behavioral analysis: Identifying attack traffic by analyzing request patterns, timing distributions, and behavioral signatures rather than per-IP volume alone
  • Session-level fingerprinting: Detecting bot-generated traffic by examining browser fingerprints, TLS fingerprints, and HTTP/2 connection behavior, which differ between real users and automated clients
  • Real-time threat intelligence: Incorporating live threat intel feeds to identify known botnet infrastructure even when individual IPs appear clean
  • Machine learning-based anomaly detection: Models trained on large-scale traffic patterns can identify the statistical signature of distributed attacks even when no individual source is obviously malicious
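To make the contrast between the per-IP controls described above and the behavioral, timing-based signals concrete, here is an added example in Python; it is not code from the article or from DataDome, and the traffic it uses is synthetic and scaled down (4,000 scripted sources instead of 1.2 million, 60 seconds instead of five hours). The limiter threshold (60 requests per 10 s), the baseline values and the 0.15 coefficient-of-variation cutoff are assumptions chosen for the example.

```python
"""Toy model of why per-IP rate limiting misses a low-and-slow flood and what a
population-level view sees. All traffic is synthetic, constructed for this example."""
import random
from collections import defaultdict, deque
from statistics import mean, pstdev

WINDOW = 60.0  # seconds simulated (the real attack ran five hours)

def gen_traffic(n_legit=300, n_bots=4000, bot_interval=9.0, seed=7):
    """Time-ordered (timestamp, source, is_bot) tuples. Legit users are Poisson
    streams of 0.05-2 req/s; each bot paces ~1 request per 9 s, as in the attack."""
    rng, events = random.Random(seed), []
    for i in range(n_legit):
        rate, t = rng.uniform(0.05, 2.0), 0.0
        while (t := t + rng.expovariate(rate)) < WINDOW:
            events.append((t, f"legit-{i}", False))
    for i in range(n_bots):
        t = rng.uniform(0, bot_interval)
        while t < WINDOW:
            events.append((t, f"bot-{i}", True))
            t += bot_interval + rng.uniform(-0.5, 0.5)  # small jitter
    return sorted(events)

def per_ip_limiter(events, limit=60, window=10.0):
    """Sliding-window limiter: block any source with > limit requests in `window` s."""
    recent, blocked = defaultdict(deque), set()
    for t, src, _ in events:
        q = recent[src]
        q.append(t)
        while q[0] < t - window:
            q.popleft()
        if len(q) > limit:
            blocked.add(src)
    return blocked

def aggregate_signals(events, baseline_rps=300.0, baseline_sources=300):
    """Signals a per-IP counter never computes: rate and distinct-source growth versus
    baseline, plus sources whose inter-request gaps are near-constant (CV < 0.15)."""
    per_src = defaultdict(list)
    for t, src, _ in events:
        per_src[src].append(t)
    metronomic = 0  # sources pacing requests like a script, not a human
    for ts in per_src.values():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 3 and pstdev(gaps) / mean(gaps) < 0.15:
            metronomic += 1
    rps = len(events) / WINDOW
    return {"rps": rps, "rps_ratio": rps / baseline_rps, "sources": len(per_src),
            "source_ratio": len(per_src) / baseline_sources, "metronomic_sources": metronomic}
```

With the default parameters the limiter blocks none of the scripted sources, while the aggregate view shows the request rate at roughly 2.5x baseline, the distinct-source count at more than 10x baseline, and essentially every scripted source flagged by its metronomic pacing.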

The Growing Threat of Hyperscale Distributed Attacks

This attack reflects a broader trend in the DDoS landscape: attackers are investing in building or renting larger, more diverse botnets and developing more sophisticated distribution strategies specifically designed to evade defenses. The commoditization of large-scale botnet infrastructure — available for rent through DDoS-for-hire services — means that attack sophistication that was previously the exclusive domain of nation-state actors is now accessible to criminal groups and even individual threat actors.

For security and infrastructure teams, the message is clear: relying on per-IP rate limiting as a primary DDoS defense is no longer sufficient. Defense architectures must be built around behavioral signals, session-level analysis, and real-time threat intelligence to remain effective against the next generation of distributed attack campaigns.

Recommendations for Platform and Security Teams

  • Move beyond per-IP rate limiting as a primary DDoS defense strategy
  • Invest in behavioral and fingerprinting-based bot detection at the application layer
  • Ensure DDoS mitigation solutions are tested against distributed, low-rate-per-source attack scenarios
  • Work with CDN and DDoS mitigation providers that offer real-time threat intelligence integration
  • Conduct tabletop exercises simulating hyperscale distributed attacks to identify gaps in current defenses
