Massive 2.45B-Request DDoS Attack Used 1.2 Million IPs to Evade

Jennifer Sherman
May 7, 2026

Over 2.45 billion malicious requests bombarded a large-scale user-generated content platform in just five hours during a recent Distributed Denial of Service (DDoS) campaign.

Rather than relying on brute-force methods, the attackers distributed traffic across 1.2 million unique IP addresses.

This structural shift exposed a fundamental weakness in traditional rate-limiting defenses.

By keeping individual IP request rates extremely low, the threat actors evaded standard detection systems while maintaining crippling pressure on the target.

Massive 2.45B-Request DDoS Attack

The raw campaign metrics highlight a highly coordinated operation designed to fly under the radar of traditional static thresholds.

The attack peaked at 205,344 requests per second (RPS) and maintained a sustained average of approximately 136,000 RPS.

To avoid triggering per-IP rate limits, each source averaged just one request every nine seconds.

This low-frequency cadence meant that no single node in the botnet appeared malicious in isolation. Traffic analysis revealed a distinct wave pattern rather than a constant flood.

Attack traffic observed (Source: DataDome)

The human operators, or their automated orchestration layers, actively cycled the attack intensity to test which request patterns could survive mitigation.

The tactical pauses between these waves allowed aggregate rate-limit counters to reset.

During these brief lulls, the attackers rotated IPs, swapped user agents, and retuned payloads to sustain their assault without triggering structural alarms.

The botnet’s infrastructure was highly fragmented, spanning 16,402 autonomous systems (ASNs), which represents an extraordinary level of coordination.

The distribution was remarkably flat, with the top contributing ASN accounting for only three percent of the total attack traffic.

This flat structure serves as an evasion signature, ensuring that blocking any single ASN would not meaningfully dent the campaign.

The threat actors deliberately mixed privacy-oriented infrastructure with legitimate cloud providers to mask their activity.

Anonymization-friendly ASNs, such as 1337 Services GmbH and the Church of Cyberology, were used alongside household names like Cloudflare, AWS, and Google.

By routing traffic through these major cloud providers, the malicious requests easily blended into the massive volumes of legitimate cloud egress traffic.

Detection and Mitigation Strategy

The campaign reflects an adversary capable of managing a massive, globally dispersed botnet. However, their evasion techniques were only moderately sophisticated.

While the attackers forged headers, cookies, and URL parameters, they lacked advanced browser automation or JavaScript forgery capabilities.

Their client-side browser identification signals constantly shifted within individual sessions, displaying a hallmark of automated tooling unable to maintain a consistent identity.

DataDome’s Galileo threat research team identified and blocked the attack in real time by combining multiple layers of behavioral detection.

Since static rate limiting fails against dynamically tuned volumes, defenders relied on server-side fingerprinting to catch network-layer inconsistencies.

Behavioral analysis identified anomalous session sequences, and threat intelligence flagged IPs with negative reputations.

This incident underscores that as DDoS tactics evolve toward distributed evasion, detection must operate on behavioral baselines across time and sources rather than evaluating requests in isolation.
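The contrast between per-IP thresholds and cross-source behavioral checks can be seen on a small constructed log. This is an added example, not code from DataDome or the original article; the log format, field names, thresholds and traffic mix are assumptions chosen to mirror the one-request-every-nine-seconds cadence and the shifting client fingerprints described above.

```python
from collections import Counter, defaultdict

def build_sample(bots=300, users=20, seconds=60):
    """Constructed log of (ts, ip, session, fingerprint) tuples, not real traffic."""
    events = []
    for b in range(bots):                      # each bot: one request every 9 s
        for n, ts in enumerate(range(b % 9, seconds, 9)):
            # the client fingerprint changes on every request in the session
            events.append((ts, f"bot-{b}", f"sb-{b}", f"fp-{b}-{n}"))
    for u in range(users):                     # each user: one request every 2 s
        for ts in range(u % 2, seconds, 2):
            events.append((ts, f"user-{u}", f"su-{u}", f"fp-user-{u}"))
    return sorted(events)

def per_ip_over_limit(events, limit, window=60):
    """Static rule: IPs sending more than `limit` requests in one window."""
    counts = Counter((ip, ts // window) for ts, ip, _, _ in events)
    return {ip for (ip, _), c in counts.items() if c > limit}

def aggregate_spikes(events, baseline_rps, factor=3.0):
    """Cross-source rule: seconds where total RPS exceeds factor x baseline."""
    rps = Counter(ts for ts, *_ in events)
    return sorted(ts for ts, c in rps.items() if c > baseline_rps * factor)

def churning_sessions(events, max_fingerprints=2):
    """Sessions that present more than `max_fingerprints` distinct fingerprints."""
    seen = defaultdict(set)
    for _, _, session, fp in events:
        seen[session].add(fp)
    return {s for s, fps in seen.items() if len(fps) > max_fingerprints}

if __name__ == "__main__":
    log = build_sample()
    print("per-IP rule (limit 10/min):", sorted(per_ip_over_limit(log, 10))[:3], "...")
    print("seconds above 3x baseline:", len(aggregate_spikes(log, baseline_rps=10)))
    print("sessions with fingerprint churn:", len(churning_sessions(log)))
```

In this sample a per-IP limit of 10 requests per minute flags only the legitimate users and none of the bot addresses, while the aggregate and session-consistency checks isolate the bot traffic.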
