Over the last month, a leading e-commerce marketplace with over 90 million users was targeted by two Flash DDoS attacks. These attacks lasted 2 minutes on average and had a combined total of over 60 million bot requests.
A Flash DDoS attack is an ultra-short, high-intensity distributed denial-of-service (DDoS) attack designed to overwhelm online services in mere moments. Unlike traditional DDoS attacks, which often sustain high traffic over longer periods, Flash DDoS attacks strike suddenly, peaking within seconds and disappearing almost as quickly as they begin. Only DDoS defense systems, like DataDome, that operate in milliseconds are prepared to detect and mitigate these Flash DDoS attacks due to the sheer speed at which the requests flood in.
Due to the volume of bot requests and their low quality—reaching 640,000 requests per second at peak—DDoS Protect was triggered. DataDome’s DDoS Protect protects businesses’ websites, mobile applications, and APIs against sudden bot-driven traffic spikes. Our multi-layered machine learning engine analyzes a vast range of signals—fingerprints, behavioral patterns, and network reputation—to detect and block even the most sophisticated attack traffic in real time. Unlike basic bot mitigation tools, our systems adapt instantly, keeping up with new and evolving threats.
DDoS Protect reacted in less than 2 milliseconds to the rising traffic volume. The attack was blocked at the edge before it could cause any harm or disruption to our customer or their millions of users.
Key metrics of the Flash DDoS attacks
For 2 minutes total—on January 13, 2025, from 2H04 to 2H06 UTC—the e-commerce giant was targeted by the first attack that included 32,543,807 requests from bots. The scale of the attack could have taken down their servers (and their website) if not for the protection provided by DataDome.
IP addresses, 523 user agents, and 879 autonomous systems used in the attack.
overall total requests generated by the attacker, distributed across 107 countries.
requests per second maximum velocity at peak.
For 2 minutes—on February 9, from 11H09 to 11H11 UTC—the e-commerce giant was targeted again by 33,628,148 requests from bots.
IP addresses were used in the attack.
overall total requests generated by the attacker.
requests per second maximum velocity at peak.
Overview of Flash DDoS attacks
The graph below (Figure 1) represents the bot traffic handled throughout the first 2-minute attack by our detection engine in 30-second intervals—reaching a peak of 620,000 requests per second in the middle of the attack.
Figure 1: Number of requests per second blocked by DDoS Protect during the 1st flash attack
The graph below (Figure 2) represents the bot traffic handled throughout the second 2-minute attack by our detection engine in 30-second intervals—reaching a peak of 640,000 requests per second in the middle of the attack.
Figure 2: Number of requests per second blocked by DDoS Protect during the 2nd flash attack
Distribution of the attacks
We can see that at any given time, the attacker used thousands of IPs and hundreds of user agents and autonomous systems to orchestrate these attacks. These were highly distributed attacks that spanned requests coming from 107 different countries (Figure 3). We can also see that the countries where the most requests originated from were Indonesia, the United States, Germany, Russia, and Turkey.
Figure 3: Countries where the most requests originated based on analyzed fingerprints
How were the attacks detected & blocked?
The requests coming from a specific range of IPs were immediately identified in milliseconds as malicious bot traffic. However, once the volume of these requests began to spike, it was a clear indication that the objective was a Flash DDoS attack.
Thanks to our multi-layered detection approach, the attack was detected using analysis of a wide spectrum of signals. Even if the attacker morphed part of its attack (for example, fingerprint or behavior), it would have likely been caught using other signals and approaches.
DDoS Protect neutralized the attack in milliseconds, automatically detecting and mitigating the surge in traffic at the network edge—before it could even reach the application layer. While other vendors struggle with delays, false positives, or downtime, our platform ensured uninterrupted service, keeping legitimate users online without rate-limiting or degradation. No downtime. No disruption. Just business as usual.
Protect your enterprise against downtime with DataDome
DDoS attacks are no longer just a nuisance—they’re a growing threat that can cripple online businesses in seconds, costing as much as $6,000 per minute of downtime. Modern attacks are more advanced, leveraging botnets, proxy networks, and AI-driven evasion tactics to bypass traditional defenses. The result can mean disrupted operations, lost revenue, and damage to brand trust and reputation—and it can happen in a matter of minutes.
When an attack is detected, DDoS Protect automatically blocks it, no matter how many requests flood your servers. Your business stays online, your customers remain unaffected, and your security team gains peace of mind.
Schedule a demo today to see how DataDome keeps your business protected.
*** This is a Security Bloggers Network syndicated blog from DataDome authored by Florent Pajot. Read the original post at: https://datadome.co/threat-research/how-datadome-defended-a-marketplace-with-90-million-users-flash-ddos-attacks/