Massive “Low and Slow” DDoS Attack Hits Platform With 2.45 Billion in 5 Hours

The "low and slow" DDoS technique marks a strategic shift from brute‑force traffic spikes to sustained, low‑volume floods that blend into legitimate flows. By dispersing requests across more than a million IPs and thousands of autonomous systems, attackers achieve a scale previously seen only in massive scraping operations, yet each source stays under per‑IP thresholds. This fragmentation defeats classic rate‑limiting and IP‑blocking tools, forcing defenders to rethink how they define abnormal traffic.

Behavioral analytics have become the frontline defense against such campaigns. DataDome’s detection relied on subtle inconsistencies in TLS handshakes, cookie patterns, and browser fingerprints—signals that static volume metrics miss. Monitoring traffic over minutes or hours, rather than per‑second spikes, enables security teams to spot the rhythmic "pulsed cadence" that characterizes low‑and‑slow attacks. Emerging solutions incorporate machine‑learning models that profile normal user behavior and flag deviations, providing early warning before service degradation becomes noticeable.

For enterprises, especially platforms hosting user‑generated content, the implications are profound. Prolonged low‑intensity floods can erode performance, increase latency, and inflate cloud bandwidth costs, all while remaining invisible to conventional alerts. Organizations should integrate multi‑layered defenses: combine rate limiting with time‑window analytics, enforce strict TLS verification, and partner with CDN providers that offer granular bot‑management capabilities. As threat actors adopt AI‑driven orchestration to fine‑tune attack cadence in real time, continuous investment in adaptive, behavior‑based security will be essential to maintain availability and trust.