Massive "Low and Slow" DDoS Attack Bypasses Traditional Defenses in Record-Breaking Campaign
In mid-April, cybercriminals executed one of the most fragmented and sophisticated DDoS attacks ever documented, targeting a major user-generated content platform with 2.45 billion malicious requests over just five hours. Researchers from DataDome’s Galileo threat team uncovered the campaign, which peaked at 205,344 requests per second (RPS) while evading standard rate-limiting defenses through a "low and slow" approach.
Unlike brute-force attacks, this campaign relied on infrastructure fragmentation, distributing traffic across 1.2 million unique IP addresses and 16,402 distinct Autonomous Systems (ASNs), far exceeding typical large-scale scraping operations. No single network contributed more than 3% of the total volume, making IP-based blocking ineffective. Key ASNs involved included HERN Labs AB (2.27%), Cloudflare (1.88%), DigitalOcean (1.69%), 1337 Services GmbH (2.69%), and Stiftung Erneuerbare Freiheit (3.0%), blending malicious traffic with legitimate sources like Google and Amazon.
The attackers employed a "pulsed cadence" strategy, averaging just one request per IP every nine seconds to avoid detection. Behavioral analysis revealed inconsistencies in TLS handshakes and browser fingerprints, suggesting a managed operation, either human-controlled or orchestrated by an adaptive botnet. Despite attempts to mimic real users, the bots exhibited patterns that static volume-based defenses failed to catch.
The incident underscores the need for behavioral analysis over time rather than reliance on traditional rate-limiting, as threat actors increasingly exploit fragmented infrastructure to bypass security measures.
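The contrast described above, as an added example that is not code from DataDome or the original report: a static per-IP limit sees nothing at one request every nine seconds, while grouping requests whose claimed browser contradicts their TLS fingerprint exposes one cluster spread over many IPs. The traffic, thresholds, field layout and fingerprint labels are all constructed assumptions.

```python
from collections import defaultdict

# Assumed values for illustration; none of them come from the report.
WINDOW = 60        # seconds of traffic examined
PER_IP_LIMIT = 30  # requests per IP per window a static limiter tolerates
MIN_IPS = 50       # distinct IPs sharing one inconsistent fingerprint

# Hypothetical map: TLS fingerprint label -> client family that produces it.
TLS_FAMILY = {"fp-chrome": "Chrome", "fp-firefox": "Firefox", "fp-gohttp": "Go-http"}

def build_sample():
    """Constructed traffic as (time, ip, ua_family, tls_fp) tuples."""
    reqs = []
    for i in range(200):  # bots: Chrome User-Agent over a non-browser TLS stack
        ip = f"198.51.100.{i}" if i < 100 else f"203.0.113.{i - 100}"
        for t in range(i % 9, WINDOW, 9):  # one request every nine seconds
            reqs.append((t, ip, "Chrome", "fp-gohttp"))
    for i in range(20):   # real users: User-Agent and TLS fingerprint agree
        for t in range(0, WINDOW, 6):
            reqs.append((t, f"192.0.2.{i}", "Firefox", "fp-firefox"))
    return reqs

def per_ip_rate_limit(reqs):
    """Static defense: return IPs exceeding PER_IP_LIMIT within the window."""
    counts = defaultdict(int)
    for _, ip, _, _ in reqs:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > PER_IP_LIMIT}

def fingerprint_clusters(reqs):
    """Behavioral view: group requests whose User-Agent family contradicts the
    TLS fingerprint, and keep groups spread across at least MIN_IPS addresses.
    Returns {(ua, tls_fp): (distinct_ips, total_requests)}."""
    ips, hits = defaultdict(set), defaultdict(int)
    for _, ip, ua, fp in reqs:
        if TLS_FAMILY.get(fp) != ua:
            ips[(ua, fp)].add(ip)
            hits[(ua, fp)] += 1
    return {k: (len(ips[k]), hits[k]) for k in ips if len(ips[k]) >= MIN_IPS}

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP limiter flagged:", per_ip_rate_limit(sample))
    print("fingerprint clusters:", fingerprint_clusters(sample))
```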
Source: https://hackread.com/low-and-slow-ddos-attack-hits-2-45-billion-5-hours/
DataDome cybersecurity rating report: https://www.rankiteo.com/company/datadome
"id": "DAT1778055829",
"linkid": "datadome",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"