WAF report from WEDOS Global Protection for May 2023


In May, we continued to build our WEDOS Global infrastructure. We’ve also moved forward with the WEDOS Zone service, allowing you to use only our anycast DNS. WEDOS Global Protection also experienced the largest L7 DDoS onslaught since we have been measuring and recording attacks in detail.

WEDOS Global

WEDOS Global is the name of our infrastructure that runs the global network of the same name. The entire WEDOS Global infrastructure currently has over 1500 physical servers and connectivity of over 2.5 Tbps. At the end of May, we had servers in 24 locations in 19 countries on 5 continents. The other 2 sites are in the process of completion.

If you want to learn more about WEDOS Global, listen to the lecture from Kubernetes Community Days Czech & Slovak 2023 in Bratislava, where two of our colleagues who are working on the development of the service gave a lecture “WEDOS Global – global Kubernetes infrastructure, its development and maintenance”.

New WEDOS Global point in Istanbul

On Tuesday 02.05.2023 at 14:04 we launched a new WEDOS Global site in Turkey with 45 physical servers and 100 Gbps connectivity. This site is very important as it will be in charge of operations for the Middle East and part of Africa. It will be accessed by more than 400 million internet users in the region. Istanbul is already 24. WEDOS Global location.

New WEDOS Global connections

In April, we announced our connection to the Bulgarian Internet eXchange (BIX.bg) through our point in Sofia, Bulgaria. This was an important step that confirmed that we are on the right track. Even the results exceeded our expectations.

As part of WEDOS Global’s strengthening in the region, we also joined Balkan-IX. While BIX.bg will provide us with great availability and response especially in Bulgaria, Balkan-IX will improve its response and availability throughout the region.

WEDOS Global is constantly expanding. We are working hard to add more sites and are also negotiating with fifteen IXP (Internet Exchange Points) operators, mostly European.

What is an IXP (Internet Exchange Point)?

An IXP (Internet Exchange Point) is a physical place where different networks are connected. Network operators can connect and exchange data. This reduces latency and increases the speed of data transfer between their networks. It’s basically the crossroads of the local internet.

This takes WEDOS Global to a new level. We have already reached the top 10 in Europe and we know it will be even better.


The following statistics are from the proxy servers at each point that handle requests cleared of L3/L4 DDoS attacks.

What are L3/L4 attacks?

DDoS attacks at the L3 and L4 layer target the network and transport layers and use a variety of techniques to overwhelm target servers or devices.

Network layer (L3) – provides routing of data between different networks using logical addresses (IP).

Transport layer (L4) – provides reliable and controlled data transfer between endpoints using protocols such as TCP or UDP.

They are also purged of all requests that come from servers on our blacklists.

How does WEDOS use blacklists?

WEDOS uses a number of blacklists that we create ourselves or obtain from third parties.

Most IP addresses are on automatically generated blacklists, which are created by algorithms based on real-time traffic analysis. The IP address here can be units of minutes or even hours.

We also have standard blacklists that are created by our cyber security experts in response to attacks or from log analysis. We also use third-party paid blacklists (Udger, AbuseIPdb).

Furthermore, some of the requirements that we use to monitor the availability and performance of individual points are not included in the overview so as not to bias the statistics.

At the end of May, the number of WEDOS Global Protection protected domains had grown to 3,034. These are mostly domains that have been added by support due to attacks or they are demanding sites that are greatly helped by automatic caching on the proxy server (basically a CDN). There are 804 users outside of us using WEDOS Global Protection.

In May, a total of 2,679,570,211 requests (+43.35%) were recorded out of 8,101,233 (+1.96%) unique IP addresses that were directed to protected domains. On average, the proxy servers handled 86,437,749 requests per day.

Daily chart of accesses to WEDOS Global for May, adjusted from L3/L4.

The increase can be attributed to the increasing number of protected domains, but also to the longer L7 DDoS attacks, which have gained significantly in popularity in recent years. To eliminate them, we need to see them in operation, because from the outside they look like legitimate approaches. Which is no problem for us 🙂

What is an L7 DDoS attack?

L7 A DDoS attack is a type of cyber attack on a website or application that uses common internet requests such as GET and POST. The goal is to slow down or make a web page or an API inaccessible.

Attacks on L7 are difficult to detect and distinguish from normal traffic because they use the same protocols and methods as legitimate users. Special tools and techniques and a thorough analysis of network traffic are needed to eliminate them.

In May, we were debugging and improving the protection, so unfortunately we don’t have exact statistics on how much was captured by which protection method, such as request limiting, connection limiting, etc. However, these are hundreds of millions of requests.

The WAF blocked 12 489 704 requests.

What is a Web Application Firewall (WAF)?

A WAF (Web Application Firewall) is a protection on our reverse proxies that is placed between the attacker and your website. It scans each request in real time, looking for specific signs of an attack or security hole exploitation. If it encounters a suspicious request, it can redirect it to a test (redirect, captcha) or block it.

The most powerful DDoS attacks

In May, we have seen increased attack activity through services offering anonymous VPNs. Mostly it was vulnerability scanning and SQLi attacks. For now, we’re dealing with this on an individual basis, but in the future, we’ll have to permanently put services that offer free VPNs or some form of free trial period on the list of potentially dangerous ones. Accesses from them will always be tested to ensure that they are not robots. So they will not be blocked, but the visitor will have to wait for a JavaScript redirect or in some cases fill in a simple captcha.

But now to the strongest L7 DDoS attacks in May, which reached the proxy server.

1st attack on WEDOS.com – peak 1.65M requests per minute

Our websites are usually under attack regularly, but this time it was a bit more complicated because we were unifying all websites under one domain and not everything was finalized yet. The attackers seemed to have sensed an opportunity and launched a strong attack, which they gradually scaled up. The attack lasted for 4 hours and 53.8M requests from 11,154 IP addresses were sent to the proxy server during that time. At peak, it was 1,657,083 requests per minute.

Whenever there is a very strong attack, a captcha is triggered on the points where it comes from as a precaution. We have this for all protected domains and the idea is to prevent the customer’s webserver from “choking”. It is not always one kind of attack. There may be others with different objectives.

In addition, there are various limits on requests, connection attempts, etc. according to other rules.

If all of this fails for some reason, we have a backup plan where the identified attacking IP addresses are simply thrown on a blacklist until the problem is resolved.

Something didn’t work quite right here (due to the grouping of sites). However, as it is our website and not the customer’s, we do not deal with any slowdown or shorter outage. The priority is to find out why the problem occurred, collect the data and resolve everything. Of course, if it is customer administration or something else that will limit our customers, we will not “play”.

What was interesting was that the attackers seemed to take our scrutiny as a sign that we had a problem and were doing well. We had several people active, so while the technicians were checking if the webserver was running, the developers were looking for and fixing the problem, the analysts were going through the logs and seeing what was going where.

To be on the safe side, roughly 2 thousand attacking IP addresses were put on the blacklist one by one. And then the attackers revealed their cards and launched more attacks from completely new ranges. It’s possible that they just invited someone new to help out who doesn’t normally attack, look for vulnerabilities, etc. So after midnight we were mainly collecting data.

Then it was decided that it was time to go to bed and they started protecting themselves.

2nd attack on WEDOS.com – peak 1.31M requests per minute

A few days later, the attackers tried again, a little earlier. The attack took just over 2 hours, but it was only 36,401,597 requests from 4,740 IP addresses. Peak at the beginning of 1,318,016 requests per minute. It took a while for the protection to kick in.

3rd attack on the gaming web – peak 948K requests per minute

A rather interesting attack took place earlier this month on a game server website. Attacks between communities are nothing new, but they are usually primitive. This one looked pretty decent, the only thing missing from a professional performance was synchronization. It lasted less than 6 minutes. 2 029 781 requests from 2 273 IPs is not a small number. Peak 948 0140 requests per minute.


Anyone can use WEDOS Global Protection to load faster and protect their websites. The service can be used without the need to move hardware or change web hosting providers. Simply point the domain to the WEDOS Global DNS and add the domain to the WEDOS Global Protection administration.