How we “slept through” the most powerful DDoS attack ever launched against us and nobody noticed


Just a week ago, I bragged on social media about how, after a long time, we had been hit by another major DDoS attack (traffic peaked at 32 Gbps in 5-minute averages). Well, we almost missed the record holder. Or rather, we slept through it, because we didn't even notice.

We have faced very strong attacks before, but only since switching to 100 Gbps lines have we been able to measure them accurately. We currently have three 100 Gbps routes into Hluboká, so 3x 100 Gbps to the internet, and even more via other providers. On the evening of 23 March, the strongest DDoS attack in our history began. In no time at all, traffic jumped to over 38 Gbps (5-minute average).

And what happened on our side? The DDoS protection evaluated the sensor data within seconds (this takes between 1.5 and 3.5 seconds) and started handling the situation like any ordinary DDoS attack, of which we receive hundreds every day. It throttled the incoming traffic and began filtering out the problem traffic.

Customer support was helping customers with administration and answering questions on the community site, and the technicians were finishing up their last tasks for the day. No disruption anywhere, no one complained, as if nothing was happening.

It was only the next day, during a routine check of the DDoS protection traffic, that a technician noticed a "pretty strong" attack. In the meantime, only one alert had come in by SMS and email saying that a strong attack was underway.

An attack of up to 44.5 Gbps

All attacks above 10 Gbps are reported to the technicians by SMS, so it is not entirely true that nobody knew about it. However, the text message does not say how strong the attack is. In recent years attacks of this strength have become quite common, so these messages arrive regularly. The technicians just make sure the attack is not limiting customer services and do not deal with it further. There is no need.

Whether an attack is impacting customer services is monitored by other systems, which would raise a different alert. Nothing came.

Most of the stronger attacks are composed of several smaller ones. Different parts of the network are attacked in different ways. If we add up all the malicious traffic that was coming at us at the time, it reached 44.5 Gbps at peak.

This was its strongest phase. As you can see, the attacker tried again after a while, but no longer had that much capacity at their disposal. With attacks this strong, some of the traffic often gets dropped along the way. Not everyone has 3x 100 Gbps connectivity like we do 🙂

The following graph also shows the strength of the attack in packets per second. For most protection systems, the packet rate is a bigger challenge than the total bandwidth.
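To show how the alerting described above fits together (5-minute averages per component, concurrent components added up into one total, one SMS once the total crosses 10 Gbps, and a separate packet-rate figure), here is an added Python example. It is not WEDOS's own code; the sensor readings, the component names and the once-a-minute reporting interval are constructed assumptions.

```python
from collections import defaultdict

SMS_THRESHOLD_BPS = 10e9   # the post: attacks above 10 Gbps page the technicians by SMS
WINDOW_S = 300             # the post quotes traffic as 5-minute averages

# Constructed per-minute readings (timestamp_s, component, bits/s, packets/s); values are made up.
SAMPLES = [
    (0,   "udp-flood/A", 20e9, 2.0e6),
    (60,  "udp-flood/A", 36e9, 3.2e6),
    (60,  "syn-flood/B",  6e9, 9.0e6),
    (120, "udp-flood/A", 38e9, 3.4e6),
    (120, "syn-flood/B",  8e9, 12.0e6),
    (180, "udp-flood/A", 30e9, 2.7e6),
    (180, "syn-flood/B",  4e9, 6.0e6),
    (240, "udp-flood/A", 12e9, 1.1e6),
    (300, "udp-flood/A",  2e9, 0.2e6),
]

def window_averages(samples, ts):
    """Per-component 5-minute (bps, pps) means over readings in (ts - WINDOW_S, ts]; a missing minute counts as zero."""
    slots = WINDOW_S // 60  # assumption: sensors report once a minute
    acc = defaultdict(lambda: [0.0, 0.0])
    for t, comp, bps, pps in samples:
        if ts - WINDOW_S < t <= ts:
            acc[comp][0] += bps
            acc[comp][1] += pps
    return {c: (b / slots, p / slots) for c, (b, p) in acc.items()}

def attack_timeline(samples):
    """[(ts, total_bps, total_pps)] per minute: all concurrent components added up."""
    rows = []
    for ts in sorted({s[0] for s in samples}):
        per_comp = window_averages(samples, ts).values()
        rows.append((ts, sum(b for b, _ in per_comp), sum(p for _, p in per_comp)))
    return rows

def sms_alerts(timeline, threshold=SMS_THRESHOLD_BPS):
    """One SMS per attack: fire on the first minute over threshold, re-arm only after a full window below it."""
    alerts, armed, below_since = [], True, None
    for ts, total_bps, _ in timeline:
        if total_bps > threshold:
            below_since = None
            if armed:
                alerts.append((ts, round(total_bps / 1e9, 1)))
                armed = False
        elif below_since is None:
            below_since = ts
        elif ts - below_since >= WINDOW_S:
            armed = True
    return alerts
```

With the constructed readings the bandwidth total peaks at 30.8 Gbps while the packet rate peaks at 7.88 Mpps, mostly from the smaller SYN component, which is the point the post makes about packet rate being the harder figure.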

DDoS protection for peaceful sleep

In 2014, we went through three very difficult months because of DDoS attacks. Back then we said we never wanted to go through anything like that again, so we set about building our own DDoS protection. We invested millions of crowns and an enormous amount of time. Our goal was DDoS protection that would let us sleep soundly.

Of course, there were other difficult moments. New forms of attack emerged, and we ran into the limits of branded hardware and of our suppliers. But over the years we have gained experience, improved many things and invested millions, and the current state is that we can sleep through a 44.5 Gbps attack.

What’s next for DDoS protection?

We cherish our DDoS protection and are rightly proud of it. We try to keep it sufficiently oversized and we are constantly looking for new technologies. It consists of many very powerful servers spread across the network (some of them at our connectivity suppliers). What it needs is strong computing power and plenty of memory.

As it happens, we improved our protection again tonight, but we will write about that next time.

We have another big improvement planned for this year. The WEDOS AnyCast service is in the pipeline, so that content hosted with us can be reached quickly and securely from around the world. We will deploy our servers at selected locations (so-called POPs) around the world, through which your international visitors will connect directly to us. The installation will also include servers dedicated to, for example, CDN.

Of course, we will also put in servers for better detection and filtering. That takes us a step further: we get a better overview of the attacks and more effective filtering, and if someone launches a really extreme attack, only the POP gets hit. Here in the Czech Republic you won't even notice.

The question, of course, is how things will play out in the rest of the world.

Conclusion

Sometimes you write to us saying that you want to know more about our protection and that you would like special settings. This is also in the pipeline: first, we will publish more information, and second, we want to add additional services.