In our latest Cyber Insight report, we analyze a politically motivated DDoS attack on a defense contractor. This was a Layer 7 attack, rather than a classic volumetric flood at the network level: it involved targeted pressure on the application layer. Each request must be evaluated by the WAF, involving rate limiting, session tracking, and fingerprinting. This consumes processing time on the defense side, not just bandwidth.
73 IP addresses, three million sessions – this is not an IoT botnet
Traditional volumetric DDoS attacks rely on broad distribution: thousands of compromised endpoints, such as routers, cameras and NAS systems, send requests simultaneously.
However, this attack was different. Its load was distributed across a small number of IP addresses, some of which were operating at an enormous session rate. One IP address alone generated 17 million requests. Just 73 IP addresses collectively opened over three million parallel sessions.

Such loads exceed the processing power of an IoT device. This suggests rented cloud resources were the culprit: high computing power, a small number of IP addresses, and the request rate per node pushed to its maximum.
Analysis of the ASN of the attacking IP addresses confirmed what we had already suspected: a large proportion of the traffic — over 50 million requests — can be traced back to cloud infrastructures. These include well-known hyperscalers and major CDN providers. This suggests that the attacker may have compromised cloud instances or booked them directly, perhaps via anonymous payment methods or stolen accounts.
It also raises the question: Who has access to these resources, and how?
Geopolitical Context: Who is capable of this, and why?
The attack occurred amid the ongoing conflict between Israel and Iran. This suggests that the perpetrator was politically motivated, even if a direct attribution is not possible.
However, the analysis is complicated by the fact that the Iranian government severely restricted internet access during the conflict. This means that the perpetrators must be either state-affiliated actors operating outside Iran, or proxy groups acting on behalf of the state and possessing the necessary infrastructure access. Both scenarios require a certain level of organizational maturity.
Cloud capacity is inexpensive, can be booked anonymously and offers significant technical power. Setting up a comparable IoT botnet would be far more complex, and such a botnet would also be easier to block. Various scenarios are therefore conceivable.
Attack Technique: Simple, but Scalable
At first, the user agents of the attacking clients appeared diverse, with different browser strings and versions. However, upon closer analysis, a clear pattern emerged. These were algorithmically generated strings in which only the browser identifier’s version number had been incremented. Therefore, this is not a genuine botnet diversity profile, but rather a simple script. While it is sufficient to bypass superficial user-agent filters, it does not withstand deeper behavioral analysis.
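One way to surface this pattern in WAF or access logs, as an added example that is not part of the report: collapse every version token to a placeholder, group strings by the resulting template, and flag a template whose strings differ in a single version field that counts up without gaps. The sample user-agent strings are constructed and the minimum run length is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of User-Agent strings as they might appear in a WAF or access
# log (not data from the report). The first group mimics the pattern described above:
# one template whose browser version number is incremented by a script. The remaining
# strings are unrelated, genuine-looking clients used as control data.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    f"Chrome/{v}.0.0.0 Safari/537.36"
    for v in range(100, 125)
] + [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/17.1 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0",
]

# Matches any dotted or underscored numeric token such as 118.0.0.0 or 10_15_7.
VERSION = re.compile(r"\d+(?:[._]\d+)*")


def template_of(ua):
    """Replace every numeric token with '#', so strings that differ only in
    version numbers collapse onto the same template."""
    return VERSION.sub("#", ua)


def synthetic_templates(uas, min_versions=10):
    """Return templates whose strings differ in exactly one numeric token and whose
    major versions at that position form a contiguous run of at least min_versions
    values (threshold is an assumption). A real client population shows a few
    versions with gaps; an incrementing script produces one unbroken sequence."""
    by_template = defaultdict(list)
    for ua in uas:
        by_template[template_of(ua)].append(tuple(VERSION.findall(ua)))
    flagged = {}
    for tpl, tokens in by_template.items():
        varying = [i for i in range(len(tokens[0])) if len({t[i] for t in tokens}) > 1]
        if len(varying) != 1:
            continue
        majors = sorted({int(t[varying[0]].split(".")[0]) for t in tokens})
        if len(majors) >= min_versions and majors[-1] - majors[0] == len(majors) - 1:
            flagged[tpl] = (majors[0], majors[-1])
    return flagged
```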
The dynamics of the attack’s progression were also interesting. After the initial peak of around nine million requests per minute, the volume gradually levelled off. The number of active IP addresses and open sessions varied greatly, ranging from under 50 to over 1,300 within short timeframes. This suggests that the attacker was actively managing resources. Botnet nodes were turned on and off, possibly to control costs or vary the attack signature.

Once it became clear after an hour that the target infrastructure was holding up, the attacker gradually reduced resources and eventually ceased the attack. Nowadays, DDoS attacks are also a cost-benefit calculation for the attacker.
What does this mean for defenders?
This attack highlights a significant change in the threat landscape. Cloud resources are not only democratizing innovation, but also attack capabilities. Now, anyone with the necessary budget and basic knowledge can launch an attack of this magnitude without their own hardware.
What is certain is that an attacker capable of orchestrating over 50 million requests from Western cloud segments has achieved operational maturity. Defending against such attacks requires more than simple rate limiting. Behavior-based analysis, ASN reputation data, and the ability to correlate sessions at Layer 7 are needed, rather than simply blocking individual IP addresses.
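An added illustration, not from the report, of the Layer 7 correlation described above: per-source request counts are aggregated by ASN and by concentration across sources, which separates the signature of a few high-rate cloud nodes from that of a broad, low-rate IoT botnet. The IP addresses, ASN numbers, hosting-ASN list and thresholds are constructed assumptions standing in for a real ASN database and reputation feed.

```python
from collections import Counter

# Constructed sample (not from the report): request counts per source over one
# observation window. Three hypothetical cloud nodes carry almost all of the load;
# forty hypothetical residential clients send a trickle each.
REQUESTS = {f"198.51.100.{i}": 2_000_000 for i in range(1, 4)}
REQUESTS.update({f"203.0.113.{i}": 300 for i in range(1, 41)})
# Hypothetical IP-to-ASN mapping; a real deployment would query an ASN/GeoIP database.
ASN_OF = {ip: (64500 if ip.startswith("198.51.100.") else 64502) for ip in REQUESTS}
# Hypothetical reputation list of hosting and CDN ASNs.
CLOUD_ASNS = {64500, 64501}


def asn_shares(requests, asn_of):
    """Fraction of all requests attributable to each ASN (0 = unknown ASN)."""
    total = sum(requests.values())
    by_asn = Counter()
    for ip, n in requests.items():
        by_asn[asn_of.get(ip, 0)] += n
    return {asn: n / total for asn, n in by_asn.items()}


def top_share(requests, k):
    """Fraction of requests sent by the k busiest sources."""
    counts = sorted(requests.values(), reverse=True)
    return sum(counts[:k]) / sum(counts)


def profile(requests, asn_of, cloud_asns, k=5, concentration=0.9, cloud_share=0.5):
    """Label the source population. A handful of sources carrying most of the load
    from hosting ASNs matches the rented-cloud pattern; many low-rate sources with a
    flat distribution match a classic IoT botnet. Thresholds are assumptions."""
    shares = asn_shares(requests, asn_of)
    from_cloud = sum(s for asn, s in shares.items() if asn in cloud_asns)
    concentrated = top_share(requests, k) >= concentration
    if concentrated and from_cloud >= cloud_share:
        label = "cloud-concentrated"
    elif concentrated:
        label = "concentrated-other"
    else:
        label = "distributed"
    return {
        "label": label,
        "sources": len(requests),
        "top_k_share": round(top_share(requests, k), 4),
        "cloud_share": round(from_cloud, 4),
        "peak_per_source": max(requests.values()),
    }
```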

Those who consider DDoS protection solely at the network level are unprepared for attacks of this kind. The threat has shifted from bandwidth to application logic, and from IoT botnets to cloud-native attack infrastructures. The next attack of this magnitude won’t originate from a basement. It will originate from an ‘Availability Zone’ in Frankfurt, London, or New York.
Is your application layer ready to withstand cyberattacks of this magnitude? Work with one of our experts to review your critical web services and assets. Get in touch anytime to arrange a more in-depth discussion.
Lisa Fröhlich