DataDome

How DataDome Protected a Leading E-Learning Platform from a Massive DDoS Attack

In this article, we cover the details of a massive DDoS attack on a leading US e-learning platform. Due to the volume of the requests, DataDome’s anti-DDoS mechanism was triggered. This mechanism enables us to efficiently protect websites, mobile applications, and APIs against sudden traffic spikes.

Key Metrics

From 19:30 UTC on Mar 7 to 4:20 UTC on Mar 8, 2024, the e-learning platform’s home page was targeted by a massive DDoS attack. Around 380 million requests were handled by our bot detection engine before the anti-DDoS mode was triggered. Anti-DDoS handled the rest: over 1.7 billion requests.

  • 36,000 IP addresses each making 55k requests on average.
  • Over 2 billion total requests generated by the attacker.
  • 809k requests per minute maximum velocity at peak.

DDoS Attack Overview

The graph below (Figure 1) represents the bot traffic handled over the course of the attack by our anti-DDoS mechanism.

Figure 1: Number of bots blocked by our anti-DDoS mechanism during the attack.

As we can see, the volume of requests remained mostly steady throughout the duration of the attack, though there is a clear rise towards the peak (809k requests per minute) before it drops off.

Attack Indicators of Compromise (IoCs)

The attacker used different mobile browser user agents:

  • Mozilla/5.0 (Linux; Android 10; TECNO BC2 Build/QP1A.190711.020) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36
  • Mozilla/5.0 (Linux; Android 6.0; CPH1609) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.126 Mobile Safari/537.36 OPR/72.2.3767.68393
  • Mozilla/5.0 (Linux; Android 8.0.0; SM-A520F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Mobile Safari/537.36
  • Mozilla/5.0 (Linux; Android 12; RMX2161) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Mobile Safari/537.36

The attacker targeted the home page, which is common in DDoS attacks because most websites tend to protect it less. Additionally:

  • The attacker used a unique language signature: es-AR,es;q=0.8,en-US;q=0.5,en;q=0.3.
  • All bots had the same accept header: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8.
  • All bots had the same accept-encoding header: gzip, deflate, br.

The bot was based on an HTTP client (not a real/headless browser) and didn’t execute JS or properly support cookies.

How was the attack blocked?

The attack was blocked using a variety of suspicious signals:

  • Lack of JS execution: The attacker did not send any of the expected JS payloads.
  • Lack of DataDome session cookie: There was no DataDome cookie support, which we would expect real users to have.
  • Proxy detection: Many of the IPs involved in the attack came from known proxy IPs.
  • Abnormal IP address behavior: There were far too many requests per IP address.
  • Outlier detection: Our anti-DDoS mechanism detected a shift in the distribution of several metrics at the website level (number of distinct IPs without cookies, for example) and generated dynamic blocking patterns.
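
The outlier signal in the last bullet can be sketched as follows. This is an added example, not DataDome's code or algorithm: it counts distinct cookie-less IPs per minute, flags minutes that break from a baseline, and derives the dominant header tuple as a candidate blocking pattern. The record layout, the median + MAD threshold and the sample traffic are assumptions constructed for illustration; the three header values are the ones listed in the indicators above.

```python
from collections import Counter, defaultdict
from statistics import median

# Header values the write-up reports as identical across every bot in this attack.
IOC = ("es-AR,es;q=0.8,en-US;q=0.5,en;q=0.3",
       "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
       "gzip, deflate, br")
FIELDS = ("accept-language", "accept", "accept-encoding")

def cookieless_ips_per_minute(requests):
    """Map minute -> number of distinct client IPs that sent no cookie header."""
    seen = defaultdict(set)
    for r in requests:
        if "cookie" not in r["headers"]:
            seen[r["minute"]].add(r["ip"])
    return {m: len(ips) for m, ips in seen.items()}

def outlier_minutes(series, baseline, k=6.0):
    """Minutes outside the baseline whose value exceeds median + k * MAD (MAD floored at 1)."""
    base = [series.get(m, 0) for m in baseline]
    med = median(base)
    mad = max(median(abs(x - med) for x in base), 1)
    return sorted(m for m, v in series.items() if m not in baseline and v > med + k * mad)

def dominant_pattern(requests, minutes):
    """Most common header tuple among cookie-less requests in the flagged minutes, with its share."""
    tuples = Counter(tuple(r["headers"].get(f) for f in FIELDS)
                     for r in requests if r["minute"] in minutes and "cookie" not in r["headers"])
    pattern, hits = tuples.most_common(1)[0] if tuples else (None, 0)
    return pattern, hits / max(sum(tuples.values()), 1)

def build_sample():
    """Constructed traffic (not real logs): minutes 0-4 are normal, minutes 5-6 also carry the flood."""
    browser = dict(zip(FIELDS, ("en-US,en;q=0.9", "text/html", "gzip, deflate, br")))
    reqs = []
    for minute in range(7):
        for i in range(40):  # returning users that present a session cookie
            reqs.append({"minute": minute, "ip": f"198.51.100.{i}", "headers": {**browser, "cookie": "session=x"}})
        for i in range(2 + minute % 3):  # first-time visitors, no cookie yet
            reqs.append({"minute": minute, "ip": f"203.0.113.{i}", "headers": dict(browser)})
    for minute in (5, 6):
        for i in range(200):  # flood clients sending the IoC headers, 3 requests each
            reqs += [{"minute": minute, "ip": f"192.0.2.{i}", "headers": dict(zip(FIELDS, IOC))}] * 3
    return reqs

if __name__ == "__main__":
    traffic = build_sample()
    flagged = outlier_minutes(cookieless_ips_per_minute(traffic), baseline=range(5))
    print(flagged, dominant_pattern(traffic, flagged))
```

The constructed first-time visitors share the same accept-encoding value as the flood, so the derived pattern only becomes selective when all three headers and the missing cookie are taken together.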

Conclusion

DDoS attacks are the bane of most businesses that operate online; they are usually highly publicized and have instant negative impacts on revenue, brand reputation, and customer experience. DataDome’s powerful multi-layered ML detection engine looks at as many signals as possible, from fingerprints to reputation, to detect even the most sophisticated bots. Keeping up with bots’ evolving fingerprints, such as proxy usage, is key to fighting today’s main threats—and DataDome can handle it.

When our system detects a DDoS attack in progress, our anti-DDoS mechanisms enable protection to scale perfectly, no matter the number of requests the attacker sends. To get a better look at how DataDome stops DDoS attacks, schedule a demo today.
