When DDoS Attacks aren’t the Main Event  

DDoS attacks are often perceived as immediate disruptive actions. Servers become unavailable, websites crash, and services fail. But not every attack has this goal. A recent attack campaign shows that DDoS attacks are increasingly being used as a tool for preparation, analysis, and testing—quietly, persistently, and strategically. 

A recent attack that initially appeared unspectacular showed a familiar pattern: a significant increase in HTTP requests against several web shops, spread over several hours. What was striking was its duration. The central attack began at midnight and lasted around ten hours with a steady, sustained volume of requests.

The peak value was more than 12 million requests per hour. After the initial peak, the volume settled at a consistently high level of around 8 million requests per hour, and just under 90 million requests were registered in total, which is what a roughly ten-hour run at that rate adds up to.

Such figures are undoubtedly significant, especially for websites that usually only record moderate access numbers. Nevertheless, this was not a classic “burst” attack with extreme peaks, but rather a controlled, stable load over a long period of time. 

Target: small and specialized online shops 

The affected domains belonged mainly to small and medium-sized e-commerce providers: specialized web shops with niche offerings, not global platforms, well-known marketplaces, or high-revenue industry giants. That is precisely why the scale of the attack was remarkable: even a few hundred thousand requests per hour are unusual for this type of website, let alone millions.

Several dozen domains belonging to the same customer environment were targeted in parallel. The load was not distributed evenly, but clearly focused on individual domains, while others received only sporadic traffic. The most frequently attacked domain recorded a total of 75.7 million requests. At the same time, around 40 other domains belonging to the same customer were targeted with a significantly lower volume of around 150,000 requests per domain.  

A powerful, global botnet 

The origin of the traffic quickly showed that this was not a simple IoT botnet. The IP addresses involved were distributed worldwide and came largely from the networks of well-known hosting, CDN, and telecommunications providers. Infrastructure of this size, more than 85,000 unique IP addresses, indicates considerable resources: botnets like this do not arise spontaneously but require either long-term preparation or the targeted use of paid infrastructure.

Tor traffic as a revealing factor 

The proportion of requests from the Tor network was particularly interesting. During the peak period, around 1.3 million requests per hour were measured, and the total Tor-based volume amounted to around 6.6 million requests. Here, too, a consistent pattern emerged: one session per IP address.

This traffic was completely blocked, but provided valuable clues about possible reconnaissance or testing activities, especially in the later phase of the attack. 

This pattern is unusual because Tor is hardly suitable for large-volume DDoS attacks: exit node capacity is limited. Its real value to an attacker lies in anonymization. Its targeted use therefore suggests that the attack was not aimed solely at overload but was also meant to explore: to test filter rules, observe how the defenses react to anonymized traffic, or look for vulnerabilities at the application level.

Conspicuous session structures 

Another detail reinforces this impression. In several cases, it was observed that individual IP addresses established only a single session, but sent tens of thousands of requests within it. Such behavior is atypical for normal users, but fits with automated analysis or testing processes. 

In combination with Tor access, this paints a picture that goes beyond a pure DDoS attack: The attack not only generated load, but also apparently provided the attackers with insights into session handling, rate limiting, and the interaction of various protection mechanisms. 
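The two indicators described in the last two sections, Tor exit addresses with one session each and individual IPs that send tens of thousands of requests inside a single session, can be pulled out of ordinary web-server access logs. The script below is an added example, not code from the original article or from the protection service it describes. It assumes a combined-log-style line with the session cookie appended as a final quoted field (LINE_RE, an assumption; adapt it to the real format), a Tor exit list that is loaded from somewhere (TOR_EXITS here is a constructed stand-in), and constructed sample traffic generated by make_sample_log(), so it runs offline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-style line with the session cookie value appended as a final
# quoted field. The format and every line fed to it are constructed for this
# example; adapt LINE_RE to the real log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<session>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed stand-in for a Tor exit-node list (in practice, load the
# published exit list and refresh it regularly).
TOR_EXITS = {"198.51.100.7"}


def parse_line(line):
    """Return (ip, minute_bucket, session) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    minute = datetime.strptime(m["ts"], TS_FMT).strftime("%Y-%m-%d %H:%M")
    return m["ip"], minute, m["session"]


def analyze(lines, tor_exit_ips, heavy_session_threshold=10_000):
    """Aggregate session structure, per-minute rate and Tor share from log lines.

    Flags IPs that used exactly one session cookie yet sent more than
    heavy_session_threshold requests inside it (the pattern described in the
    text), and reports how the Tor exit addresses behaved.
    """
    sessions_per_ip = defaultdict(set)
    requests_per_ip = Counter()
    requests_per_minute = Counter()
    tor_requests = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash mid-incident
        ip, minute, session = parsed
        sessions_per_ip[ip].add(session)
        requests_per_ip[ip] += 1
        requests_per_minute[minute] += 1
        if ip in tor_exit_ips:
            tor_requests += 1
    heavy = sorted(
        ip for ip, n in requests_per_ip.items()
        if len(sessions_per_ip[ip]) == 1 and n > heavy_session_threshold
    )
    tor_ips = [ip for ip in requests_per_ip if ip in tor_exit_ips]
    return {
        "total_requests": sum(requests_per_ip.values()),
        "peak_per_minute": max(requests_per_minute.values(), default=0),
        "single_session_heavy_ips": heavy,
        "tor_requests": tor_requests,
        "tor_ips": len(tor_ips),
        "tor_ips_single_session": sum(
            1 for ip in tor_ips if len(sessions_per_ip[ip]) == 1
        ),
    }


def make_sample_log():
    """Constructed traffic: a scripted client, one Tor exit, one ordinary shopper."""
    start = datetime(2025, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, second, session, path="/shop/cart"):
        ts = (start + timedelta(seconds=second)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "{session}"')

    for i in range(12_000):          # one session, 12,000 requests in 10 minutes
        add("203.0.113.10", i // 20, "sess=a1")
    for i in range(300):             # Tor exit: one session, 300 requests
        add("198.51.100.7", i, "sess=t1", "/shop/search?q=test")
    for i in range(40):              # shopper: 40 requests across 4 sessions
        add("192.0.2.22", i * 30, f"sess=u{i % 4}")
    return lines


if __name__ == "__main__":
    for key, value in analyze(make_sample_log(), TOR_EXITS).items():
        print(f"{key}: {value}")
```

On the constructed sample the scripted client is the only IP flagged as single-session and heavy; the Tor exit is not heavy but shows the one-session-per-IP shape. The threshold of 10,000 is a starting point taken from the "tens of thousands" in the text; on a real shop it should be set against that shop's own per-session distribution, and the per-minute counter is what you would chart over the whole night to see the sustained plateau rather than a burst.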

Timing as a strategic element 

The attack took place mainly at night, when legitimate traffic is low. That timing is a poor choice for maximizing economic damage, but ideal for testing: a low base load makes it easier to observe reactions clearly and draw conclusions about the protective mechanisms in place.

Added to this is the temporal context: the attack took place shortly before a busy sales period. In this environment, it seems reasonable to assume that smaller, less exposed targets were deliberately used to test the infrastructure and attack tools before potentially more lucrative targets were addressed. 

DDoS as a means of reconnaissance 

Overall, this may have been less a classic sabotage attack than a kind of dress rehearsal. The combination of:

  • prolonged, moderate load;  
  • globally distributed infrastructure;  
  • targeted Tor traffic; and 
  • conspicuous session patterns 

could indicate an attack with a focus on gathering information for observation and preparation purposes. 

What companies should learn from this 

This development has direct consequences for defense. Attacks that have been “successfully repelled” from a technical standpoint are not necessarily over. They may be part of a multi-stage campaign in which intelligence is gathered. 

The handling of anonymized traffic is particularly relevant here. Tor access should not only be blocked, but also analyzed in terms of time and context. A sudden increase in such requests can be a signal for further activities, especially when combined with other attack patterns. 
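Analyzing Tor traffic "in terms of time and context" means two things in practice: compare the Tor request rate with what is normal for that hour of day (the night-time baseline is much lower than the daytime one), and record whether the rest of the traffic surged at the same time. The function below is an added example, not code from the original article or the service it describes. It assumes that requests have already been tagged as Tor per minute (for instance by matching against an exit list) and that a per-hour baseline exists from previous quiet days; BASELINE and CURRENT are constructed values, not measurements from the incident.

```python
from statistics import median

# Constructed baseline: for each hour of day, Tor and total requests per
# minute observed on seven previous quiet days. Night hours carry little
# traffic; daytime hours carry normal shoppers, while the Tor share stays tiny.
BASELINE = {
    hour: {"tor": [2, 3, 1, 2, 4, 3, 2], "total": [400, 380, 420, 390, 410, 405, 395]}
    for hour in range(24)
}
for hour in range(9, 21):
    BASELINE[hour] = {
        "tor": [4, 5, 3, 6, 4, 5, 4],
        "total": [3000, 3200, 2900, 3100, 3050, 3150, 2950],
    }

# Constructed per-minute samples: (HH:MM label, tor_rpm, total_rpm).
CURRENT = [
    ("00:10", 3, 410),       # quiet night minute
    ("00:11", 80, 9000),     # Tor spike while total volume also surges
    ("00:12", 120, 12000),
    ("02:40", 60, 420),      # Tor spike with no volume surge: probing, not flooding
    ("14:05", 5, 3100),      # daytime, nothing unusual
    ("14:06", 40, 3200),     # daytime Tor spike, volume itself normal
]


def tor_spike_alerts(samples, baseline, factor=5.0, min_tor_rpm=20):
    """Flag minutes whose Tor request rate exceeds `factor` times the median
    for that hour of day and at least min_tor_rpm in absolute terms.

    Each alert records whether total volume spiked in the same minute, so a
    Tor burst riding inside an apparent DDoS can be told apart from a quiet
    Tor-only burst that looks more like reconnaissance of the filters.
    """
    alerts = []
    for label, tor_rpm, total_rpm in samples:
        hour = int(label.split(":")[0])
        tor_base = median(baseline[hour]["tor"])
        total_base = median(baseline[hour]["total"])
        if tor_rpm >= min_tor_rpm and tor_rpm > factor * tor_base:
            alerts.append({
                "minute": label,
                "tor_rpm": tor_rpm,
                "tor_baseline": tor_base,
                "volume_spike": total_rpm > factor * total_base,
            })
    return alerts


if __name__ == "__main__":
    for alert in tor_spike_alerts(CURRENT, BASELINE):
        kind = "Tor inside volume attack" if alert["volume_spike"] else "Tor-only burst"
        print(f'{alert["minute"]}  tor={alert["tor_rpm"]:>4} '
              f'(baseline {alert["tor_baseline"]})  {kind}')
```

On the constructed data, 00:11 and 00:12 are Tor bursts inside a volume surge, while 02:40 and 14:06 are Tor-only bursts against otherwise normal traffic; the second kind is the one the article says is easy to dismiss once the requests are blocked, and the one worth correlating with the rest of the night's events. Using the same hour's median rather than a single global baseline is what keeps the daytime minute 14:06 from being drowned out and the night-time minute 02:40 from being missed.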

Conclusion 

This attack shows how complex modern DDoS campaigns have become. It is no longer just about volume or bandwidth. Attacks can be quiet, controlled, and analytical. For companies, this means reevaluating the impact of DDoS attacks. Not every attack is immediately aimed at causing damage. Some want to understand. And that is precisely where the real danger lies. 

If you want to review or specifically develop your protective mechanisms, you can draw on our experience from real attack scenarios. We support you in identifying risks at an early stage and effectively aligning defense strategies.
