
How DataDome Instantly Blocked a 28M-Request Flash DDoS Attack For a $3B E-Commerce Leader

  • 20 million bot requests blocked in milliseconds
  • No revenue loss, disruption, or downtime
  • No performance degradation or infrastructure strain

On March 25, 2025, a global e-commerce platform that handled nearly $3 billion in transactions in 2024 was the target of a high-velocity Flash DDoS attack. Over the course of 1 minute and 50 seconds, attackers launched 27,959,684 bot requests aimed at overwhelming the site’s main web endpoint.

Flash DDoS attacks are designed to inundate infrastructure in seconds. Unlike traditional DDoS attacks that build over time, Flash DDoS strikes with near-instantaneous intensity—making speed of detection and mitigation critical. Because they spike within seconds, only defense systems that analyze and act in real time, like DataDome’s DDoS Protect, can effectively stop them.

Key metrics of the Flash DDoS attacks

  • 12,346 IP addresses, 2,035 user agents used in the attack.
  • 27,959,684 total requests generated by the attacker, distributed across 143 countries.
  • 2 million requests per second maximum velocity at peak.

Overview of Flash DDoS attacks

The graph below (Figure 1) represents the bot traffic handled throughout the 1-minute 50-second attack by our detection engine in 30-second intervals, reaching a peak of 2,000,000 requests per second in the middle of the attack. Without proper defenses, this could have taken down the platform’s website, leading to lost revenue, degraded user trust, and negative press.

Figure 1: Requests per second in Flash DDoS attack blocked by DDoS Protect

Distribution of the attacks

The attack was launched from 12,346 IPs, spanning hundreds of user agents and a wide range of networks. Requests were highly distributed across regions and infrastructure sources, with the most requests coming from Indonesia, the United States, Brazil, India, and Russia (Figure 2). This kind of distribution is a hallmark of sophisticated botnets that leverage proxy IPs, residential IPs, and cloud infrastructure to disguise malicious intent and bypass rate limits.

Figure 2: Geographical distribution of request origination based on analyzed fingerprints

How were the attacks detected & blocked?

The volume and nature of traffic from the attacking IP range were clear indicators of a bot-driven DDoS event. DataDome’s platform immediately recognized the threat and responded in milliseconds. DDoS Protect blocked 95% of the attack at the edge, while Bot Protect neutralized the remaining 5% at the application layer—resulting in 100% of malicious traffic being blocked before it could impact site performance.

Together, these layers detect and stop even the most evasive traffic—including the 20% of threats your CDN misses—in under 2 milliseconds.

Thanks to DataDome’s multi-layered AI detection approach, the system analyzed a mix of fingerprints, behavioral signals, and network reputation to detect the malicious traffic. Even if some indicators had been obfuscated or changed mid-attack, other signals ensured accurate detection without false positives.

  • 100% of the attack was blocked
  • No disruption to the application layer
  • No impact on legitimate users

Protect your enterprise against downtime with DataDome

Flash DDoS attacks can cost businesses up to $6,000 per minute in downtime. And with modern attackers using botnets and evasive tactics, legacy defenses are no longer enough.

DataDome’s DDoS Protect responds in milliseconds to mitigate cyberfraud threats and Layer 7 DDoS attacks before they escalate—keeping your site online, your revenue intact, and your customers happy.

Want to see how it works? Schedule a demo.
