A sophisticated “low and slow” DDoS attack launched in mid-April 2026 delivered more than 2.45 billion malicious requests against a major user-generated content platform in just five hours and never once triggered a traditional rate limit.
Analyzed in detail by DataDome’s Galileo threat research team, the campaign is being described as one of the most technically fragmented and infrastructure-diverse DDoS operations ever recorded.
Most DDoS attacks rely on brute force: flood a target with massive volumes of traffic from a smaller pool of sources until systems buckle. This attack inverted that logic entirely.
Instead of concentrating fire, the botnet distributed 2.45 billion requests across more than 1.2 million unique IP addresses spanning 16,402 distinct Autonomous Systems (ASNs), a number so large that even major scraping campaigns, which typically operate across a few hundred ASNs, pale in comparison.
The peak attack velocity reached 205,344 requests per second (RPS), with a sustained average of roughly 136,000 RPS over the entire five-hour window.
Yet each source IP averaged only 1 request every 9 seconds, deliberately staying well below any reasonable per-IP rate-limit threshold, so no single node ever triggered a detection alert. This is the structural innovation that set the campaign apart: it was designed not to overwhelm, but to evade.
Traffic analysis by DataDome’s Galileo team revealed a deliberate wave-pattern structure, where the attacker cycled intensity in pulses rather than maintaining a flat rate.
The opening phase involved a probing burst to identify which request patterns survived mitigation, followed by a noisy rising baseline that kept sustained pressure on the target infrastructure.
The pauses between waves were tactical, not accidental. Each lull allowed aggregate rate-limit counters to reset while the attacker rotated IPs, swapped user agents, and retuned request payloads.
This pulsed, adaptive cadence, a hallmark of managed bot operations, indicates that either a human operator or an automated orchestration layer was actively modifying the campaign in real time based on detection feedback, rather than running the attack on a fixed script.
Static rate-limiting systems based on fixed thresholds fundamentally fail against this architecture. The individual peaks are plainly anomalous, but the attacker’s real advantage lies in structure: with 1.2 million rotating sources and timed pauses, no single metric ever crosses a blocking threshold.
The ASN distribution of this botnet is unlike anything in typical DDoS research. Spanning over 16,000 unique autonomous systems, it required either extraordinary coordination or access to infrastructure purpose-built for evasion.
For context, the largest unique-IP count previously observed in a single DDoS attack, in 2025, was approximately 2 million IPs across far fewer ASNs, and even that was considered extraordinary.
The top contributing ASNs reveal a deliberate mix. Privacy-focused, anonymization-friendly providers such as 1337 Services GmbH, Stiftung Erneuerbare Freiheit (“Foundation for Renewable Freedom”), and Church of Cyberology appeared prominently; these are networks well known to threat researchers as the infrastructure of choice for actors who want to minimize a traceable footprint.
Alongside these sat household names: Cloudflare, Amazon Web Services, Google, and DigitalOcean, included deliberately as cover, since traffic from these providers blends into enormous volumes of legitimate cloud egress.
Critically, the distribution was almost perfectly flat: even the top-contributing ASN accounted for only 3% of total traffic. That flatness is itself an infrastructure signature; no single ASN block, even if identified and blocked immediately, would meaningfully reduce the attack volume.
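The flatness described above can be measured rather than eyeballed. The following is an added example, not DataDome's code or data: it builds a constructed ASN histogram with the article's shape (top ASN at 3%, a long tail of 16,402 networks), compares it with a conventional few-ASN botnet profile, and shows why blocking the top contributors barely dents the flat one. The ASN labels and the tail shape are assumptions.

```python
import math

# Constructed request counts per ASN (not DataDome's data). The "flat" profile
# mirrors the article's description: top ASN ~3% of traffic, long tail of
# thousands of small contributors. ASN labels are placeholders.
def flat_profile(total=2_450_000_000, n_asns=16_402, top_share=0.03, n_top=5):
    counts = {}
    head = 0
    for i in range(n_top):
        share = top_share * (1 - 0.1 * i)          # 3.0%, 2.7%, 2.4%, ...
        counts[f"AS-TOP-{i}"] = int(total * share)
        head += counts[f"AS-TOP-{i}"]
    tail_each = (total - head) // (n_asns - n_top)  # spread the rest evenly
    for j in range(n_asns - n_top):
        counts[f"AS-TAIL-{j}"] = tail_each
    return counts

def concentrated_profile():
    """A conventional botnet shape: five ASNs, one of them carrying half the load."""
    return {"AS-A": 500, "AS-B": 200, "AS-C": 150, "AS-D": 100, "AS-E": 50}

def concentration_metrics(counts):
    """Concentration summary: top-ASN share, Herfindahl index (1/N flat .. 1 monopoly),
    and Shannon entropy normalized to 1.0 for a perfectly even spread."""
    total = sum(counts.values())
    shares = [c / total for c in counts.values()]
    hhi = sum(s * s for s in shares)
    entropy = -sum(s * math.log2(s) for s in shares if s > 0)
    max_entropy = math.log2(len(shares)) if len(shares) > 1 else 1.0
    return {
        "asns": len(shares),
        "top_share": max(shares),
        "hhi": hhi,
        "normalized_entropy": entropy / max_entropy,
    }

def residual_after_blocking(counts, k):
    """Fraction of attack volume that survives an immediate block of the k largest ASNs."""
    total = sum(counts.values())
    blocked = sum(sorted(counts.values(), reverse=True)[:k])
    return 1 - blocked / total

if __name__ == "__main__":
    for name, profile in (("flat", flat_profile()), ("concentrated", concentrated_profile())):
        m = concentration_metrics(profile)
        print(f"{name}: asns={m['asns']} top_share={m['top_share']:.3f} "
              f"hhi={m['hhi']:.4f} entropy={m['normalized_entropy']:.3f} "
              f"left_after_blocking_top10={residual_after_blocking(profile, 10):.3f}")
```

The useful operational number is the last one: with the flat profile, an instant block of the ten largest ASNs still leaves the large majority of the attack volume flowing, which is the article's point that ASN-level blocking cannot be the primary control here.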
DataDome’s analysis characterizes the threat actor as operating a highly distributed but moderately sophisticated botnet. The bots presented themselves as standard browsers, forging HTTP headers, cookies, URL parameters, and basic TLS fingerprints to mimic legitimate human traffic. However, the impersonation stack contained internal contradictions that proved to be its undoing.
TLS handshake characteristics were inconsistent with the claimed browser environments. Browser identification signals shifted within individual sessions in ways no real user would produce, a hallmark of automated tooling cycling through spoofed browser profiles while being unable to maintain a consistent identity across a session’s full duration.
Behavioral patterns showed request sequences that lacked any resemblance to natural human navigation, and IP geolocation signals frequently contradicted timezone and language headers, a pattern consistent with aggressive proxy rotation via anonymization infrastructure.
Notably, the actor showed no sign of advanced browser automation, JavaScript forgery, or mobile/residential proxy tradecraft, placing their sophistication firmly below expert-tier tooling, despite the massive scale of their infrastructure.
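The contradictions described in the preceding paragraphs (TLS stack disagreeing with the claimed browser, browser identity shifting mid-session, IP geolocation disagreeing with language and timezone headers) are each a simple cross-signal check once the signals sit side by side. The following added example is not DataDome's detection logic; it runs such checks over a handful of constructed session records. It assumes an upstream fingerprinter has already classified each TLS ClientHello into a client family (as JA3/JA4-style tooling does) and that a small, hypothetical country-to-locale table stands in for a real geo/locale database.

```python
from collections import defaultdict

# Constructed request records (not real traffic). Fields: session id, browser
# family claimed by the User-Agent, client family inferred from the TLS
# ClientHello by an assumed upstream fingerprinter, IP geolocation country,
# Accept-Language header, and client timezone offset in minutes from UTC.
REQUESTS = [
    ("s1", "chrome",  "chrome",  "DE", "de-DE,de;q=0.9", 120),  # internally consistent
    ("s1", "chrome",  "chrome",  "DE", "de-DE,de;q=0.9", 120),
    ("s2", "chrome",  "go-http", "US", "en-US,en;q=0.9", -240), # TLS stack is not a browser
    ("s3", "firefox", "firefox", "BR", "en-US",          540),  # geo vs language/timezone
    ("s4", "chrome",  "chrome",  "FR", "fr-FR",          60),
    ("s4", "safari",  "chrome",  "FR", "fr-FR",          60),   # identity shifts mid-session
]

# Hypothetical plausibility table; a deployment would use a maintained database.
# Timezone sets include standard and DST offsets.
COUNTRY_PROFILE = {
    "DE": {"langs": {"de"},       "tz": {60, 120}},
    "FR": {"langs": {"fr"},       "tz": {60, 120}},
    "BR": {"langs": {"pt"},       "tz": {-180, -120}},
    "US": {"langs": {"en", "es"}, "tz": {-240, -300, -360, -420, -480, -540, -600}},
}

def primary_language(accept_language):
    """'de-DE,de;q=0.9' -> 'de': the first listed language's base tag."""
    return accept_language.split(",")[0].strip().split("-")[0].lower()

def check_request(ua_family, tls_family, country, accept_language, tz_offset):
    """Per-request contradictions between layers of the presented identity."""
    reasons = []
    if ua_family != tls_family:
        reasons.append("tls_mismatch")
    profile = COUNTRY_PROFILE.get(country)
    if profile:
        if primary_language(accept_language) not in profile["langs"]:
            reasons.append("geo_language_mismatch")
        if tz_offset not in profile["tz"]:
            reasons.append("geo_timezone_mismatch")
    return reasons

def score_sessions(requests):
    """Aggregate per-request findings per session and add the session-level
    check for a browser identity that changes within one session."""
    sessions = defaultdict(list)
    for rec in requests:
        sessions[rec[0]].append(rec[1:])
    verdicts = {}
    for sid, recs in sessions.items():
        reasons = set()
        for rec in recs:
            reasons.update(check_request(*rec))
        if len({rec[0] for rec in recs}) > 1:
            reasons.add("browser_identity_shift")
        verdicts[sid] = sorted(reasons)
    return verdicts

if __name__ == "__main__":
    for sid, reasons in score_sessions(REQUESTS).items():
        print(sid, "clean" if not reasons else ", ".join(reasons))
```

Each check on its own is weak (a traveller legitimately produces a geo/timezone mismatch), which is why the verdict is a set of reasons per session rather than a single boolean; the article's point is that the more layers an impersonation stack forges, the more of these reasons accumulate at once.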
DataDome’s Galileo team stopped the campaign in real time using a multi-layered detection approach rather than any single signal. Server-side fingerprinting caught TLS and network-layer inconsistencies that survived application-layer spoofing. Behavioral analysis identified session sequence anomalies, IP frequency outliers, and internal contradictions within fabricated session environments.
Threat intelligence flagged IPs with negative reputation scores accumulated from prior malicious activity across DataDome’s global network, including those routing through anonymization-friendly ASNs.
The wave-pattern structure of the attack, designed specifically to exhaust aggregate rate-limit counters between pulses, was itself treated as a behavioral signal. Legitimate traffic at scale does not pulse in this manner.
Key Takeaways
This attack signals a broader evolution in DDoS tactics, moving away from brute-force attacks and toward evasion by design. Security teams defending high-traffic platforms should note three critical lessons:
- Distribution defeats IP blocking by design. With 16,402 ASNs and 1.2 million IPs in play, blocklists are structurally insufficient. Detection must operate at the behavioral and fingerprint level, reasoning about aggregate patterns rather than single-source volume.
- Evasion sophistication creates its own detectable signatures. Every additional layer of impersonation (forged headers, spoofed TLS, fabricated session data) introduces more opportunities for internal inconsistency. A forged header that doesn’t match a TLS fingerprint that doesn’t match session geolocation is paradoxically more detectable than a simpler attack.
- Wave-pattern campaigns require temporal baselines. Static thresholds fail against attackers who dynamically tune volume. Effective detection systems need memory: the ability to identify patterns across time windows, not just within them.
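The wave-pattern mechanics described earlier (per-IP rates under every threshold, lulls that let aggregate counters reset), the treatment of the pulse itself as a behavioral signal, and the last takeaway about temporal baselines all come down to one comparison, shown in the following added example. It is not DataDome's detector; it uses a constructed request-rate series with the article's shape and the same mean volume as a steady, legitimate-looking series, then runs both through a static fixed-window limiter and a simple trailing-baseline pulse detector. The thresholds, pulse period and amplitude are assumptions.

```python
import random
from statistics import mean

# Constructed aggregate request-rate series (requests per second, one sample
# per second). Not real traffic; the shape follows the article: a flat base
# plus attack pulses separated by lulls that let window counters reset.
def pulsed_series(seconds=600, base=30, pulse=200, period=60, duty=0.5):
    return [base + (pulse if (t % period) < period * duty else 0) for t in range(seconds)]

def steady_series(seconds=600, base=130, jitter=0.1, seed=42):
    """Legitimate-looking load with the same mean volume: noisy but never pulsed."""
    rng = random.Random(seed)  # fixed seed keeps the example deterministic
    return [base * (1 + rng.uniform(-jitter, jitter)) for _ in range(seconds)]

def per_ip_requests_per_window(interval_s, window_s):
    """Requests one bot contributes to a per-IP window when it sends 1 req/interval."""
    return window_s / interval_s

def fixed_window_trips(series, window, threshold):
    """Static aggregate limiter: count non-overlapping windows whose total exceeds threshold."""
    trips = 0
    for start in range(0, len(series), window):
        if sum(series[start:start + window]) > threshold:
            trips += 1
    return trips

def pulse_alternations(series, baseline_window=300, high=1.5, low=0.5):
    """Temporal detector with memory: the baseline is the trailing mean over
    baseline_window seconds, and we count swings between clearly-above and
    clearly-below it. Steady traffic stays in the band; pulses swing repeatedly."""
    swings, last_state = 0, None
    for t, x in enumerate(series):
        baseline = mean(series[max(0, t - baseline_window + 1):t + 1])
        state = "high" if x > high * baseline else "low" if x < low * baseline else None
        if state and last_state and state != last_state:
            swings += 1
        if state:
            last_state = state
    return swings

if __name__ == "__main__":
    pulsed, steady = pulsed_series(), steady_series()
    print("per-IP requests in a 60 s window at 1 req / 9 s:",
          round(per_ip_requests_per_window(9, 60), 2), "(limit 10 never trips)")
    for name, s in (("pulsed", pulsed), ("steady", steady)):
        print(f"{name}: mean={sum(s)/len(s):.1f} rps, "
              f"fixed-window trips={fixed_window_trips(s, 60, 10_000)}, "
              f"pulse swings={pulse_alternations(s)}")
```

Both series have the same mean and the same 60-second window totals, so the static limiter cannot tell them apart and, with the threshold tuned just above the pulse's window total, never fires for either. The trailing-baseline detector separates them cleanly because it compares each second against a memory of the last five minutes rather than against a fixed number.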
DDoS infrastructure continues to scale and fragment; Cloudflare alone reported blocking 20.5 million DDoS attacks in a single quarter of 2025. The threat landscape is shifting toward coordinated, evasion-first operations that require behavioral intelligence rather than volumetric defenses.
FAQ
Q1: What is a “low and slow” DDoS attack?
A low-and-slow DDoS attack distributes malicious requests across thousands of IPs at individually low rates to evade per-IP rate limits while maintaining sustained pressure on the target.
Q2: Why did traditional rate limiting fail to detect this attack?
Because each of the 1.2 million source IPs averaged only one request every nine seconds, no individual IP ever crossed a standard per-source detection threshold.
Q3: What role did privacy-focused ASNs play in this campaign?
Privacy-oriented ASNs like 1337 Services GmbH and Church of Cyberology provided anonymization-friendly routing that minimized the attacker’s traceable infrastructure footprint.
Q4: How can organizations defend against wave-pattern DDoS attacks?
Effective defense requires behavioral analysis across time windows, server-side fingerprinting, and threat intelligence integration, not static rate limits or simple IP blocklists.