In January, our analysts observed an unusual attack pattern at a major European e-commerce provider. It was not a classic DDoS attack with massive traffic volumes. Instead, over several weeks, there was a subtle, recurring increase in load that noticeably slowed down the web shop on Mondays. 

This case is exemplary of a new generation of attacks in which infected end devices with legitimate browsers are used to deliberately exhaust server resources. There was no sudden peak and no alarm in the backbone. Rather, it was a quiet, systematic slowing down of a productive platform. 

A pattern that didn’t fit the business 

On normal days, the number of unique IP addresses remained stable at under 2,000, but on several Mondays, this figure regularly doubled to between 4,000 and 6,000.  

At first, this seemed like a harmless fluctuation in traffic. However, a review of business activities revealed a clear picture: there were no campaigns, no newsletters, no special offers, and no increased social media activity. 

In short, there was no legitimate reason for this recurring increase. 

What was particularly striking was the regularity. The effect occurred exclusively on Mondays, week after week, and disappeared completely on all other days. This temporal pattern alone was unusual enough to trigger a deeper analysis. 

Low traffic, big impact 

At first glance, the technical metrics seemed unremarkable. Neither the bandwidth nor the requests per second stood out.  

Only upon closer inspection did the actual problem become apparent. 

The load was distributed across a large number of sources, each of which was only minimally active. There were several characteristic features:  

• Only one to two requests per IP. 

• Many connections remained open for an unusually long time. 

• Hardly any simultaneous peaks, but rather a steady continuous load. 

• Hardly any fluctuations in the classic volume metrics. 

As such, this did not result in a classic attack, but rather a creeping consumption of resources. The CPU, memory, and connection handling of the origin servers were increasingly running at their limits. 

The measurable result was response times of less than 200 milliseconds, which rose to several seconds on the Mondays affected. For a web shop, this meant slow pages, abandoned shopping carts, and declining conversion rates, without any clear trigger. 

When protection systems see nothing 

What was particularly critical was that the existing bot management system classified the traffic as almost entirely legitimate. There were no conspicuous user agents, unusual request sequences, or suspicious protocol errors. The origin of the requests also appeared harmless. 

Most of the traffic came from Germany from typical end-customer networks of large consumer providers. Neither geo-blocking, ASN blocking, nor IP reputation filters provided any useful clues. 

Everything pointed to the fact that these were not classic server bots, but real, compromised end devices with full-fledged browsers. Each individual device behaved almost inconspicuously. It was only the sheer volume that made the attack effective. 

Low-and-slow with real clients 

The pattern matched a classic low-and-slow attack. There were many sources, low activity per source, technically clean protocol behavior, and a clear focus on open connections rather than bandwidth. 

Such attacks are particularly dangerous because they hide in the statistical noise of normal user activity. They do not trigger classic thresholds and almost completely bypass signature-based detection. 

Added to this was the strange time restriction to a single day of the week. It was not possible to clearly determine why the attack took place exclusively on Mondays. Possible reasons include: 

• Automated test runs of a botnet. 

• Training phases prior to larger campaigns. 

• Targeted stress tests of the infrastructure. 

• Preparatory reconnaissance. 

A simple test with a big impact 

After all classic analysis and filter mechanisms had been exhausted, only one option remained: the activation of a global CAPTCHA defense. 

The customer was initially hesitant. Their concern about a negative user experience was justified. Nevertheless, the measure was activated in a controlled test. 

The effect was evident within seconds: 

• A significant reduction in the load on the origin servers. 

• Normalization of response times. 

• Over 99 percent of suspicious requests were blocked. 

The web shop was running stably again, with no significant impact on real users. It was now clear that, despite coming from legitimate clients, these were automated processes. 

What this attack teaches us 

This incident highlights several key developments in modern attacks: 

1. It is not volume that matters, but precision. 

2. Real devices are increasingly becoming attack platforms. 

3. Classic bot management is not sufficient for clean traffic. 

4. Human-machine checks remain an effective tool. 

Low-and-slow attacks show how easily modern infrastructures can be slowed down below classic alarm thresholds without setting off any triggers. 

Modern defense instead of reactive emergency solutions 

In the security architecture used, CAPTCHA was the last available lever. Such attacks can be defended against much more elegantly on modern web application protection platforms. 

Instead of explicit CAPTCHAs, behavior-based methods are used, including JavaScript challenges in the background, headless browser detection, browser fingerprinting, and the correlation of sessions over longer periods of time. These mechanisms remain invisible to real users, but compromised clients fail reliably. 

New reality in the bot age 

Anyone who only pays attention to volume, signatures, and classic bots today overlooks precisely this type of attack. Modern defense requires a combination of behavioral analysis, human verification, and fine-grained traffic control. 

For IT decision-makers, this means one thing above all else: anomalies in the number of unique IPs are not a marginal phenomenon, but often the earliest warning sign of a silent but effective attack. 

If your web applications are also suffering from unexplained load peaks, increasing latencies, or suspicious access patterns, we would be happy to assist you in analyzing and securing your infrastructure. 

Contact us—before a silent anomaly turns into a real failure! 

Contact us now >>

DDoS attacks are often perceived as immediate disruptive actions. Servers become unavailable, websites crash, and services fail. But not every attack has this goal. A recent attack campaign shows that DDoS attacks are increasingly being used as a tool for preparation, analysis, and testing—quietly, persistently, and strategically. 

A recent attack, which initially appeared unspectacular, showed a familiar pattern at first glance: a significant increase in HTTP requests against several web shops, spread over several hours. What was striking, however, was its duration. The central attack began at midnight and lasted for around ten hours with a steady, sustained volume of requests.  

The peak value was more than 12 million requests per minute. After the initial peak, the volume settled at a consistently high level of around 8 million requests per minute. A total of just under 90 million requests were registered. 

Such figures are undoubtedly significant, especially for websites that usually only record moderate access numbers. Nevertheless, this was not a classic “burst” attack with extreme peaks, but rather a controlled, stable load over a long period of time. 

Target: small and specialized online shops 

The affected domains mainly belonged to small and medium-sized e-commerce providers. These included specialized web shops with niche offerings rather than global platforms, well-known marketplaces, and high-revenue industry giants. This is precisely why the scale of the attack was remarkable: even a few hundred thousand requests per minute are unusual for this type of website, let alone millions. 

Several dozen domains belonging to the same customer environment were targeted in parallel. The load was not distributed evenly, but clearly focused on individual domains, while others received only sporadic traffic. The most frequently attacked domain recorded a total of 75.7 million requests. At the same time, around 40 other domains belonging to the same customer were targeted with a significantly lower volume of around 150,000 requests per domain.  

A powerful, global botnet 

The origin of the traffic quickly revealed that this was not a simple IoT botnet. The IP addresses involved were distributed worldwide and originated largely from networks of well-known hosting, CDN, and telecommunications providers. Such large infrastructure with more than 85,000 unique IP addresses indicates considerable resources. Botnets like this do not arise spontaneously, though. They require either long-term preparation or the targeted use of paid infrastructure. 

Tor traffic as a revealing factor 

The proportion of requests from the Tor network was particularly interesting. During the peak period, around 1.3 million requests per minute were measured, with the total Tor-based volume amounting to around 6.6 million requests. Here, too, a consistent pattern emerged: one session per IP address. 

This traffic was completely blocked, but provided valuable clues about possible reconnaissance or testing activities, especially in the later phase of the attack. 

This pattern is unusual because Tor is hardly suitable for large-volume DDoS attacks due to limited exit node capacities. Its real added value lies in anonymization. The targeted use suggests that the attack was not aimed solely at overload, but may also have intended to explore, to test filter rules, observe reactions to anonymized traffic, or detect possible vulnerabilities at the application level.  

Conspicuous session structures 

Another detail reinforces this impression. In several cases, it was observed that individual IP addresses established only a single session, but sent tens of thousands of requests within it. Such behavior is atypical for normal users, but fits with automated analysis or testing processes. 

In combination with Tor access, this paints a picture that goes beyond a pure DDoS attack: The attack not only generated load, but also apparently provided the attackers with insights into session handling, rate limiting, and the interaction of various protection mechanisms. 

Timing as a strategic element 

The attack took place mainly at night, when legitimate data traffic is low. This time would be unfavorable for maximum economic damage. For testing, on the other hand, it is ideal. A low base load makes it easier to clearly observe reactions and draw conclusions about protective mechanisms. 

Added to this is the temporal context: the attack took place shortly before a busy sales period. In this environment, it seems reasonable to assume that smaller, less exposed targets were deliberately used to test the infrastructure and attack tools before potentially more lucrative targets were addressed. 

DDoS as a means of reconnaissance 

Overall, this may have been less of a classic sabotage attack and more of a kind of dress rehearsal. The combination of: 

• prolonged, moderate load;  
• globally distributed infrastructure;  
• targeted Tor traffic; and 
• conspicuous session patterns 

could indicate an attack with a focus on gathering information for observation and preparation purposes. 

What companies should learn from this 

This development has direct consequences for defense. Attacks that have been “successfully repelled” from a technical standpoint are not necessarily over. They may be part of a multi-stage campaign in which intelligence is gathered. 

The handling of anonymized traffic is particularly relevant here. Tor access should not only be blocked, but also analyzed in terms of time and context. A sudden increase in such requests can be a signal for further activities, especially when combined with other attack patterns. 

Conclusion 

This attack shows how complex modern DDoS campaigns have become. It is no longer just about volume or bandwidth. Attacks can be quiet, controlled, and analytical. For companies, this means reevaluating the impact of DDoS attacks. Not every attack is immediately aimed at causing damage. Some want to understand. And that is precisely where the real danger lies. 

If you want to review or specifically develop your protective mechanisms, you can draw on our experience from real attack scenarios. We support you in identifying risks at an early stage and effectively aligning defense strategies.

Contact us now >> 

Combining advanced cybersecurity solutions with local expertise for stronger protection and faster deployment.

Link11, a global IT provider of advanced cybersecurity solutions, announced a strategic partnership today with Panera, a well-established Israeli distributor and integrator of cybersecurity technologies. This collaboration aims to expand Link11’s market presence in Israel, strengthen customer relationships, and improve technical capabilities. 

Panera brings extensive market experience, technical expertise, and trusted relationships with key partners and customers. Panera has a strong local presence and a deep understanding of Israel’s cybersecurity landscape. The partnership delivers significant value for both organizations and customers seeking advanced network security, web application and API protection solutions.  

Together, Link11 and Panera are building a robust foundation for innovation, service quality, and long-term cyber resilience: 
 

• Technical expertise: Panera provides highly skilled technical resources that create ideal conditions for exceptional customer support. Its system engineers are fully trained to present, deploy, and support Link11’s solutions locally. This ensures seamless project delivery and a superior customer experience. 

• Local Presence and Market Insight: Panera’s extensive experience and in-depth knowledge of the Israeli cybersecurity market enable close alignment with local customer needs. This proximity enables Panera to provide solutions that address the unique challenges faced by Israeli organizations. 

• Collaborative Potential: Joint activities, such as events, workshops, and co-marketing initiatives, strengthen visibility and engagement within Israel’s dynamic cybersecurity ecosystem.  

“This partnership marks an important milestone for Link11,” said David Eliyahu, Link11’s International Channel Manager. “I’m looking forward to working closely with Panera to accelerate our partnership, especially regarding joint customer engagements and go-to-market execution in Israel. Together, we’ll create meaningful value, strengthen customer relationships, and drive innovation across the market.” 

As part of the collaboration, Link11 will provide Panera’s system engineers with dedicated technical training and enablement, ensuring they are fully proficient in representing and deploying Link11 solutions. The two companies are also developing a joint G2M plan that includes local events, partner campaigns, and initiatives with other technology vendors.  

“We are proud to join forces with Link11,” said Peri Naor, Panera’s CTO. “Our shared vision of innovation, trust, and technical excellence will empower organizations across Israel to strengthen their cybersecurity through cutting-edge technology and robust local support.” 

This partnership is a significant step in Link11’s growth strategy. It strengthens the company’s partner ecosystem and lays the foundation for long-term success, scalability, and greater visibility in one of the world’s leading cybersecurity markets.