Massive DDoS Campaign Demonstrates How Distributed Attacks Evade Traditional Rate Limits
A new large-scale Distributed Denial-of-Service (DDoS) campaign demonstrates how modern botnet operations are evolving beyond traditional volumetric attack models.
According to DataDome, attackers generated more than 2.45 billion malicious requests over approximately five hours using more than 1.2 million unique IP addresses. Instead of relying on high-volume traffic from a limited number of sources, the campaign distributed low-frequency requests across an enormous infrastructure footprint.
What Happened
The attack targeted a major user-generated content platform and peaked at approximately:
- 205,000+ requests per second (RPS)
- average sustained traffic of around 136,000 RPS
- activity spanning over 16,400 autonomous systems (ASNs)
The core evasion technique was extremely low request frequency per individual node. Each IP generated roughly one request every nine seconds on average.
This allowed the operation to:
- avoid triggering traditional per-IP rate limits
- blend malicious traffic into legitimate cloud traffic
- maintain pressure without obvious spikes from individual sources
The attackers also rotated:
- user agents
- cookies
- request headers
- traffic intensity patterns
Why It Matters
This campaign highlights the limitations of traditional DDoS defenses based primarily on:
- static rate thresholds
- IP blocking
- ASN reputation
- volume-only analysis
In highly distributed attacks, no single source appears aggressive enough to trigger automated blocking.
This shifts the focus from:
- “How much traffic is coming in?”
to:
- “How does the traffic behave over time?”
Potential Impact
This type of DDoS campaign may lead to:
- degraded performance
- latency spikes
- service disruption
- backend resource exhaustion
- difficulties separating legitimate and malicious traffic
Potentially affected environments include:
- SaaS platforms
- customer portals
- e-commerce environments
- public APIs
- cloud-native applications
How the Attack Was Detected
According to DataDome, mitigation relied on a combination of:
- behavioral analysis
- server-side fingerprinting
- session anomaly detection
- reputation intelligence
- client-side inconsistency analysis
Researchers noted that the attackers lacked fully realistic browser automation, which exposed behavioral inconsistencies during session analysis.
DIAMATIX Perspective
This incident demonstrates how DDoS campaigns are evolving beyond traditional volumetric flooding.
Instead of concentrated traffic bursts, defenders are now facing:
- distributed low-frequency traffic
- cloud blending
- adaptive pacing
- behavioral evasion techniques
Static rate limiting alone is no longer sufficient for modern internet-facing environments.
CISO Analysis
From an operational resilience perspective, this is an important shift.
The key questions are no longer only:
- Do we have DDoS protection?
But also:
- Can we distinguish distributed malicious behavior from legitimate cloud traffic?
- Do we maintain behavioral baselines for normal user activity?
- How quickly can we respond to gradually escalating attacks?
Detection increasingly depends on behavioral and session-level visibility rather than pure traffic volume.
What this means for your environment
- This type of attack relies on massively distributed low-frequency traffic that does not appear malicious at the individual IP level
- Detection depends on behavioral visibility and session analysis, not only traditional rate limiting
- Response requires adaptive mitigation and real-time monitoring, especially for public cloud and SaaS environments
👉 Would your environment detect this type of distributed low-rate DDoS activity?
👉 Do you have visibility into traffic behavior anomalies, not just traffic volume?
👉 Request a quick assessment of your DDoS detection and response readiness- Contact DIAMATIX
Sources
- DataDome Threat Research – Galileo Team Analysis
- DataDome Security Blog
- Industry DDoS Threat Intelligence Reports (May 2026)
This article is based on publicly available information and threat intelligence as of May 2026.
