How DataDome Stopped a 2.45B-Request DDoS Attack Against a High-Traffic Content Platform
In mid-April 2026, a DDoS attack targeting a large-scale user-generated content platform made more than 2.45 billion requests in just five hours but never triggered traditional rate limits.
Instead of overwhelming systems with brute force, the attack distributed traffic across more than 1.2 million unique IPs, exposing a structural weakness in how most defenses are designed.
Systems like these are a prime target for DDoS attacks: their scale means availability is business-critical, their data richness makes them attractive to scrapers and aggregators, and their reliance on user-generated content creates multiple exploitable surfaces that a distributed attack can hit simultaneously. Disrupting one can cascade across all, giving attackers the opportunity to extort payment, disrupt operations at scale, or use the outage as cover for other malicious activity.
DataDome blocked the attack in real time. The Galileo threat research team then analyzed what turned out to be one of the most technically sophisticated, infrastructure-diverse DDoS operations they had ever observed.
Key metrics of the DDoS attack
Key findings
- In mid-April, a DDoS campaign of over 2.45 billion malicious requests was launched against a large-scale user-generated content platform over a 5-hour window, peaking at 205,344 RPS with a sustained average of roughly 136,000 RPS.
- The botnet spanned 1.2 million unique IPs across 16,402 autonomous systems, one of the most sophisticated DDoS infrastructures DataDome has observed.
- Each source averaged roughly one request every nine seconds, staying well below any reasonable per-IP rate limit, meaning no single IP triggered detection.
- The adaptive cadence of the attack reflects a managed operation, where a human operator or orchestration layer actively tuned the campaign in response to detection signals.
- DataDome’s multi-layered detection, combining server-side fingerprinting, behavioral analysis, and threat intelligence, identified and helped mitigate the campaign across all attack segments.
Attack timeline and scale
The raw numbers are striking: more than 2.4 billion requests in a five-hour window, originating from over 1.2 million unique IP addresses, peaking at 205,344 requests per second. This was not a series of isolated bursts above a quiet baseline; it was a continuous high-intensity flood with wave modulation layered on top. Even the attack’s relative lulls ran at tens of thousands of requests per second.
Traffic analysis revealed a wave-pattern DDoS, in which the operator cycles intensity rather than committing to a constant rate. The opening stretch shows an initial probing burst followed by a rising, noisy baseline, the operator testing which request patterns survive mitigation while sub-peaks keep pressure on the target.
The pauses between waves serve a tactical purpose. They let aggregate rate-limit counters reset while the operator rotates IPs, swaps user agents, and retunes payloads. This pulsed, adaptive cadence is a hallmark of managed bot operations, where a human operator or an automated orchestration layer actively tunes the campaign in response to detection signals rather than running it open-loop. In effect, the attack was designed to stay below detection thresholds while maintaining sustained pressure at scale.

Attack traffic observed by DataDome’s bot protection across the 5-hour window
Defenses built on static thresholds struggle against this shape, not because the individual peaks are subtle (they are plainly anomalous), but because the attacker’s real advantage is structural. A rotating distribution of 1.2 million sources means no single IP ever trips a per-source limit, and the pauses between waves give infrastructure-level counters time to reset.
Catching a campaign like this requires detection that operates on behavioral baselines and treats the source, not the aggregate, as the unit of analysis. The signature lives in the pattern across time and across sources, not in the peak itself.
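As an added illustration (not DataDome's code), the example below runs a per-IP limiter and a cross-source grouping over the same constructed log, with bot sources paced at one request every nine seconds as in this campaign. The log, the fingerprint labels and both thresholds are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

WINDOW = 60              # seconds per counting window
PER_IP_LIMIT = 60        # assumed per-IP limit: requests per window
CLUSTER_MIN_IPS = 100    # assumed: distinct IPs sharing one fingerprint in a window

def make_log():
    """Constructed sample: 500 bot IPs at one request per 9 s sharing one
    server-side fingerprint, plus 40 human IPs loading pages in bursts of 12."""
    log = []
    for i in range(500):
        for t in range(i % 9, 300, 9):
            log.append((t, f"bot-{i}", "fp-constructed-A"))
    for i in range(40):
        for t in range(i, 300, 45):
            log.extend((t, f"user-{i}", f"fp-browser-{i % 4}") for _ in range(12))
    return log

def per_ip_violations(log):
    """Classic limiter: count requests per (IP, window), flag IPs over the limit."""
    counts = Counter((ip, t // WINDOW) for t, ip, _ in log)
    return {ip for (ip, _), n in counts.items() if n > PER_IP_LIMIT}

def fingerprint_clusters(log):
    """Cross-source view: fingerprints presented by many distinct IPs in a window,
    mapped to the number of windows in which that cluster appears."""
    members = defaultdict(set)
    for t, ip, fp in log:
        members[(fp, t // WINDOW)].add(ip)
    flagged = defaultdict(int)
    for (fp, _), ips in members.items():
        if len(ips) >= CLUSTER_MIN_IPS:
            flagged[fp] += 1
    return dict(flagged)

if __name__ == "__main__":
    log = make_log()
    print("per-IP violations:", per_ip_violations(log))
    print("fingerprint clusters:", fingerprint_clusters(log))
```

In this constructed log the human sources are the noisier ones per IP (up to 24 requests per window against 6 or 7 for a bot), so lowering the per-IP limit would reach real users before it reached the botnet.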
Infrastructure: designed to defy blocking
With over 16,000 unique autonomous systems in play, this botnet represents one of the most fragmented infrastructure profiles in recent DataDome research. For context, a typical large-scale scraping campaign might operate across a few hundred ASNs. Reaching five figures requires either extraordinary coordination or access to infrastructure designed from the ground up for this purpose.

The top contributing ASNs tell their own story:
| AS | Share |
| --- | --- |
| Stiftung Erneuerbare Freiheit | 3.00% |
| 1337 Services GmbH | 2.69% |
| HERN Labs AB | 2.27% |
| Cloudflare, Inc. | 1.88% |
| DigitalOcean, LLC | 1.69% |
| Amazon.com, Inc. | 1.44% |
| QuickPacket, LLC | 1.37% |
| Church of Cyberology | 1.21% |
| Google LLC | 1.19% |
Note how flat the distribution is: even the top contributor accounts for only 3% of traffic. That flatness is itself an infrastructure signature, since no single ASN block will meaningfully dent the attack.
The mix is also deliberate. Names like 1337 Services GmbH and Church of Cyberology are not mainstream hosting providers; they are privacy-oriented, anonymization-friendly ASNs known to researchers as the infrastructure of choice for actors seeking to minimize a traceable footprint. Stiftung Erneuerbare Freiheit (“Foundation for Renewable Freedom”) follows the same pattern.
Alongside these sit household names like Cloudflare, AWS, Google, and DigitalOcean, present as deliberate cover, since traffic from these ASNs blends into enormous volumes of legitimate cloud egress.
Adversary profile
The campaign reflects a highly distributed but moderately sophisticated attacker profile.
This actor operates a massive, globally dispersed botnet with over 1.2M distinct IPs spread across more than 16,000 autonomous systems, generating nearly 2.5B requests in just five hours.
Stealth is low: each IP averaged roughly one request every 9 seconds, a loud, high-frequency pattern that trades individual-node invisibility for raw throughput.
On the evasion side, the actor invested moderate effort into looking legitimate, forging headers, cookies, and URL parameters on top of basic TLS and server-fingerprint obfuscation, but showed no sign of advanced browser automation, fingerprint inconsistency, or JS forgery, capping their sophistication well below expert-tier tooling.
Adaptability shows in deep rotation of session geolocation, churn in browser and session environments, and IP-frequency variation. This suggests a decent rotation engine, but one without reactive tradecraft or mobile/residential proxies.

Network: The source IPs carry negative reputation scores accumulated from prior malicious activity across DataDome’s global network. Traffic is routed through infrastructure known for anonymization, with geolocation signals (IP origin, timezone, language) that frequently contradict one another, a pattern consistent with aggressive proxy rotation.
Server-side: The bots present themselves as standard browsers, but their actual fingerprints tell a different story. TLS handshake characteristics are inconsistent with the claimed browser environment, and HTTP headers and request parameters show signs of deliberate crafting rather than organic generation. The overall server-side fingerprint deviates significantly from what legitimate human traffic produces.
Client-side: Browser identification signals shift within individual sessions in ways no real user would produce. This instability is a hallmark of automated tooling cycling through spoofed browser profiles, unable to maintain a consistent identity across the full duration of a session.
Behavioral: The traffic exhibits request sequences that bear little resemblance to natural navigation patterns. Request volumes at the IP level reach extremes inconsistent with human browsing, and session-level context contains internal contradictions: synthetic artifacts of an automation layer generating session state rather than experiencing it.
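The cross-layer contradictions described above can be checked per session. The following is an added example, not DataDome's detection logic: the lookup tables, the `tls-*` labels, the field names and the two-layer threshold are all constructed assumptions.

```python
# Constructed reference tables: the labels are placeholders, not real fingerprint data.
TLS_FOR_UA = {"chrome": {"tls-chromium"}, "firefox": {"tls-gecko"}, "safari": {"tls-webkit"}}
GEO = {  # country -> (plausible timezones, plausible languages)
    "DE": ({"Europe/Berlin"}, {"de", "en"}),
    "US": ({"America/New_York", "America/Chicago"}, {"en", "es"}),
    "BR": ({"America/Sao_Paulo"}, {"pt"}),
}

def req(ua, tls, country, tz, lang):
    return {"ua": ua, "tls": tls, "country": country, "tz": tz, "lang": lang}

def contradictions(session):
    """Map each signal layer to the contradictions seen in one session's requests."""
    layers = {}
    def note(layer, reason):
        layers.setdefault(layer, set()).add(reason)
    for r in session:
        expected_tls = TLS_FOR_UA.get(r["ua"])
        if expected_tls and r["tls"] not in expected_tls:
            note("server", "ua_vs_tls")            # claimed browser vs TLS handshake
        zones, langs = GEO.get(r["country"], (set(), set()))
        if zones and r["tz"] not in zones:
            note("network", "ip_vs_timezone")
        if langs and r["lang"] not in langs:
            note("network", "ip_vs_language")
    if len({r["ua"] for r in session}) > 1:
        note("client", "ua_changes_in_session")    # identity drifts mid-session
    if len({r["country"] for r in session}) > 1:
        note("behavioral", "country_changes_in_session")
    return {layer: sorted(reasons) for layer, reasons in layers.items()}

def verdict(session, min_layers=2):
    """One contradicting layer is common for real users (travel, VPN); several are not."""
    return "suspicious" if len(contradictions(session)) >= min_layers else "pass"

# Constructed sessions.
HUMAN = [req("firefox", "tls-gecko", "DE", "Europe/Berlin", "de")] * 3
TRAVELLER = [req("chrome", "tls-chromium", "US", "Europe/Berlin", "de")] * 2
BOT = [req("chrome", "tls-script", "DE", "America/Sao_Paulo", "en"),
       req("safari", "tls-script", "BR", "Europe/Berlin", "pt")]

if __name__ == "__main__":
    for name, s in (("human", HUMAN), ("traveller", TRAVELLER), ("bot", BOT)):
        print(name, verdict(s), contradictions(s))
```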
How DataDome detected and stopped the DDoS attack
DataDome’s detection did not rely on any single signal. Server-side fingerprinting caught TLS and network-layer inconsistencies that survived application-layer spoofing. Behavioral analysis identified session sequence anomalies, IP frequency outliers, and internal contradictions within fabricated session environments. Threat intelligence (bad IP reputation ranked third among signals) flagged IPs accumulating behavioral anomalies in DataDome’s global network, including those operating from anonymization-friendly ASNs.
The wave-pattern structure of the attack, designed to exhaust aggregate rate-limit counters between pulses, was itself a behavioral signal. Legitimate traffic at this scale does not pulse.
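To make the pulsing concrete, here is an added example (not DataDome's implementation) that compares a static sustained-threshold rule with a detector that keeps a baseline learned only from unflagged minutes and counts pulses. The per-minute series, the limit and the multipliers are constructed assumptions.

```python
from statistics import median

STATIC_LIMIT = 100_000   # assumed static rule: RPS above this ...
SUSTAIN = 3              # ... for this many consecutive minutes
K = 5                    # assumed: anomalous if above K x the learned baseline
HISTORY = 10             # clean minutes kept as baseline memory

# Constructed per-minute average RPS: quiet traffic, then four 2-minute waves
# separated by 2-minute lulls that still run far above normal.
SERIES = ([2_000, 2_100, 1_900, 2_050, 1_950, 2_000]
          + [200_000, 190_000, 40_000, 35_000] * 4
          + [2_000, 2_100])

def static_rule(series):
    """Alert only when the limit is exceeded SUSTAIN minutes in a row;
    any lull resets the counter, which is what the pauses exploit."""
    run, alerts = 0, []
    for minute, rps in enumerate(series):
        run = run + 1 if rps > STATIC_LIMIT else 0
        if run >= SUSTAIN:
            alerts.append(minute)
    return alerts

def baseline_detector(series):
    """Flag minutes above K x the median of recent unflagged minutes, so attack
    traffic never feeds the baseline, and count pulses (sharp rises after a lull)."""
    clean, flagged, pulses, prev = [], [], 0, None
    for minute, rps in enumerate(series):
        base = median(clean[-HISTORY:]) if len(clean) >= 3 else None
        if base is not None and rps > K * base:
            flagged.append(minute)
            if prev is None or rps > 2 * prev:   # start of a new wave
                pulses += 1
            prev = rps
        else:
            clean.append(rps)
            prev = None
    return flagged, pulses

if __name__ == "__main__":
    print("static alerts:", static_rule(SERIES))
    print("baseline detector:", baseline_detector(SERIES))
```

The static rule stays silent because each wave ends one minute short of its sustain requirement, while the baseline detector flags every attack minute, lulls included, and reports four pulses.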
Key takeaways for defenders
Distribution, not just scale, is what made this attack significant: 16,402 ASNs and 1.2 million IPs mean IP blocking is insufficient by design. When individual sources are pacing themselves below per-IP rate limits, detection must operate at the behavioral and fingerprint level, reasoning about aggregate patterns rather than single-source volume.
Evasion sophistication creates its own signatures: The more layers an attacker adds to their impersonation stack, the more opportunities for internal inconsistency. A forged header that doesn’t match a TLS fingerprint that doesn’t match a session geolocation is more detectable, not less, than a simpler attack.
Wave-pattern campaigns require temporal baselines: Static rate limiting fails against attackers who tune volume dynamically. Detection systems need memory: the ability to identify patterns across time windows, not just within them.
Bottom line: As DDoS tactics evolve, this attack highlights a shift from brute force to evasion by design, using distribution and timing to bypass traditional defenses at scale. Attacks using this model are not limited to a single platform type and can be replicated across high-traffic environments. Effective detection requires identifying coordinated patterns across sources and time, rather than evaluating requests in isolation.
DataDome’s Galileo threat research team continuously analyzes attack campaigns across our global customer base. This post is based on observed attack data and threat marker analysis from DataDome’s detection infrastructure.