Massive “Low and Slow” DDoS Attack Hits Platform With 2.45 Billion in 5 Hours
DataDome uncovers massive 2.45B-request DDoS attack using 1.2M IPs in 5 hours
Summary
Security researchers at DataDome's Galileo team detected a sophisticated "low and slow" DDoS campaign targeting a major user-generated content platform in mid-April 2026. The attack delivered 2.45 billion requests from 1.2 million unique IP addresses across 16,402 ASNs over five hours, peaking at 205,344 requests per second while evading traditional rate-limiting defenses through fragmented infrastructure and adaptive pacing. The attackers employed behavioral obfuscation tactics (forged HTTP headers, TLS fingerprints) and managed the campaign in real-time, requiring detection models based on temporal behavioral analysis rather than static volume thresholds.
Full text
DataDome researchers uncovered a massive low and slow DDoS attack that delivered 2.45 billion requests using 1.2 million IP addresses.

by Deeba Ahmed, May 6, 2026

A new report from the Galileo threat research team at DataDome has detailed one of the most fragmented DDoS (Distributed Denial of Service) campaigns ever recorded. In mid-April, within just five hours, cybercriminals launched 2.45 billion malicious requests at a major user-generated content platform.

This research, shared exclusively with Hackread.com, reflects a concerning change in how threat actors bypass traditional security: instead of trying to overwhelm defenses with brute force, the attackers used a sophisticated “low and slow” approach. According to researchers, the campaign peaked at 205,344 requests per second (RPS), yet it stayed entirely under the radar of standard rate-limiting defences.

Evading Defence via Infrastructure Fragmentation

The scale of infrastructure used in this attack is vast. The traffic was distributed across over 1.2 million unique IP addresses and spanned 16,402 distinct Autonomous Systems (ASNs). For comparison, even a large-scale scraping operation usually involves only a few hundred ASNs. Further investigation revealed a flat distribution of traffic: researchers noted that no single network accounted for more than 3% of the total volume.

“The raw numbers are striking: more than 2.4 billion requests in a five-hour window, originating from over 1.2 million unique IP addresses, peaking at 205,344 requests per second. This was not a series of isolated bursts above a quiet baseline; it was a continuous high-intensity flood with wave modulation layered on top. Even the attack’s relative lulls ran at tens of thousands of requests per second,” the blog post revealed.
Top contributing ASNs included:

- HERN Labs AB: 2.27%
- Cloudflare, Inc.: 1.88%
- DigitalOcean, LLC: 1.69%
- 1337 Services GmbH: 2.69%
- Stiftung Erneuerbare Freiheit: 3.00%

By mixing privacy-focused networks like 1337 Services and HERN Labs with popular names like Google, Amazon, and Cloudflare, the attackers ensured their traffic was disguised by high-volume legitimate traffic, making simple IP blocking almost useless: no single block carries enough weight to stop the flood.

A Managed Operation

The attackers used a “pulsed cadence” to avoid triggering rate limits. Each source IP averaged roughly one request every nine seconds, staying well below standard per-IP thresholds. (Cadence here means the specific timing, rhythm, and frequency of requests sent by the botnet.)

Jerome Segura, VP of Threat Research, suggested that the adaptive nature of the attack points to a managed operation: either a human operator or a highly tuned orchestration layer was watching for detection signals and adjusting the campaign in real time.

Although the attackers attempted to forge HTTP headers, cookies, and TLS fingerprints to appear as standard browsers, DataDome detected the campaign through behavioural analysis. Researchers noted that the bots exhibited inconsistent TLS handshakes and “unstable” browser identification signals that a real user would not produce.

They conclude that security teams must move toward detection models that analyse patterns across time, checking traffic behaviour over minutes or hours rather than relying on static volume limits, to prevent such threats.
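To make the detection argument concrete, the following is an added example (constructed here, not DataDome's code or data) that simulates sources each sending about one request every nine seconds, spread evenly across many ASNs, and contrasts what a per-IP rate limiter sees with what a time-windowed aggregate view (rate, distinct sources, top-ASN share) sees. The per-IP limit, window size and baseline rate are assumed values.

```python
# Constructed simulation (not DataDome's code or data): a "low and slow" flood where
# every source sends ~1 request / 9 s, spread evenly over many ASNs. Thresholds are assumed.
from collections import Counter, defaultdict, namedtuple

PER_IP_LIMIT_RPS = 1.0   # assumed per-IP rate limit
WINDOW = 60.0            # seconds per analysis window
Req = namedtuple("Req", "ts ip asn")

def make_low_and_slow(n_ips=2000, n_asns=100, period=9.0, duration=300.0):
    """Constructed traffic: each IP fires every `period` s; starts are staggered so the flood is flat."""
    reqs = []
    for i in range(n_ips):
        ip, asn = f"10.{(i >> 8) & 255}.{i & 255}.1", f"AS{i % n_asns}"
        t = i * period / n_ips
        while t < duration:
            reqs.append(Req(t, ip, asn))
            t += period
    return reqs

def per_ip_limiter_hits(reqs, limit_rps=PER_IP_LIMIT_RPS, window=WINDOW):
    """What a classic per-IP limiter sees: number of IPs exceeding the limit in any window."""
    buckets = defaultdict(Counter)
    for r in reqs:
        buckets[r.ip][int(r.ts // window)] += 1
    return sum(1 for c in buckets.values() if max(c.values()) > limit_rps * window)

def window_profile(reqs, window=WINDOW):
    """Aggregate, time-windowed view: RPS, distinct sources and top-ASN share per window."""
    per_win = defaultdict(list)
    for r in reqs:
        per_win[int(r.ts // window)].append(r)
    profile = {}
    for w, rs in sorted(per_win.items()):
        top_asn = Counter(r.asn for r in rs).most_common(1)[0][1]
        profile[w] = {"rps": len(rs) / window,
                      "sources": len({r.ip for r in rs}),
                      "top_asn_share": top_asn / len(rs)}
    return profile

def flag_low_and_slow(profile, baseline_rps, max_src_rps=PER_IP_LIMIT_RPS):
    """Flag windows where aggregate rate dwarfs the baseline while every source stays under the per-IP limit and no ASN dominates."""
    return [w for w, p in profile.items()
            if p["rps"] > 10 * baseline_rps
            and p["rps"] / p["sources"] < max_src_rps
            and p["top_asn_share"] < 0.05]
```

On the constructed traffic, `per_ip_limiter_hits` returns 0 (no source ever crosses the per-IP limit), while `flag_low_and_slow(window_profile(make_low_and_slow()), baseline_rps=5.0)` flags every one of the five 60-second windows.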
Indicators of Compromise
- mitre_attack — T1498.001