L7 DDoS Botnet Hijacks 5.76M Devices to Power Massive Cyberattacks

On September 1, 2025, Qrator.AntiDDoS thwarted what is believed to be the largest Layer 7 distributed denial-of-service (L7 DDoS) botnet attack ever recorded.

Targeting a government sector organization, the assault involved a staggering 5.76 million unique IP addresses and unfolded in two distinct waves.

Approximately 2.8 million compromised endpoints initiated the first surge of HTTP flood requests, overwhelming web applications within minutes, before a second wave of roughly 3 million additional devices joined an hour later to sustain the onslaught.

Qrator’s mitigation systems blocked every malicious IP, preserving service availability without interruption.

Botnet Growth and Geographic Distribution

Qrator Labs has been monitoring this botnet’s evolution since its initial appearance on March 26, 2025.

The inaugural incident targeted an online betting firm, leveraging 1.33 million IPs predominantly from Brazil, Argentina, Russia, Iraq, and Mexico, to generate an estimated tens of millions of HTTP requests per second.

By the time of the second strike on May 16, the botnet had more than tripled in size to 4.6 million devices. The May attack again focused on a government-sector entity, with malicious traffic mainly emanating from Brazil, the United States, Vietnam, India, and Argentina.

Over the ensuing three months, from May to September, the botnet expanded by 25%, but growth rates varied dramatically by region.

Vietnam saw an 83% increase in participating endpoints, while India experienced a remarkable 202% surge.

In the September operation, Brazil remained the most significant contributor with 1.41 million IPs, followed by Vietnam (661,000), the United States (647,000), India (408,000), and Argentina (162,000). These five countries together accounted for nearly 47% of the attack traffic.

Advanced Techniques and Attack Vector

This botnet employs adaptive behavior to evade conventional mitigation measures. Each compromised device runs a lightweight HTTP flood agent capable of dynamically adjusting request headers, referrer fields, and user-agent strings.

The botnet controller orchestrates multi-stage attacks, alternating high-volume bursts with sustained low-and-slow traffic to exhaust server resources and defeat rate-limiting defenses.

The September attack’s two-stage approach exemplified this tactic: an initial high-intensity flood to trigger auto-scaling and then a protracted flood to exhaust provisioned resources.

Qrator CTO Andrey Leskin emphasized the botnet’s destructive potential: “When targeting unprotected or poorly protected resources, a DDoS botnet of this scale can generate tens of millions of requests per second, overwhelming servers within minutes. What’s more, not every DDoS protection provider is capable of withstanding such a massive attack, which means the availability of all their clients’ resources could be at risk simultaneously.”

Implications for Defenders

The rapid growth and geographic diversification of this botnet underscore the need for multi-layered DDoS defense strategies. Mitigation platforms must integrate real-time traffic analytics, behavioral anomaly detection, and automated mitigation playbooks to neutralize adaptive threats.
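As an added illustration (not Qrator's detection logic, and not taken from the incident), the sketch below shows two behavioral signals that still work when every source stays under a per-IP rate limit: header churn per source and a surge in unique sources per window. The record layout, thresholds, function names, and sample data are all assumptions constructed for this example.

```python
from collections import defaultdict

def build_sample():
    """Constructed records (epoch_s, ip, user_agent, referer); RFC 5737 test addresses."""
    recs = [(t, f"192.0.2.{i}", "Mozilla/5.0 (stable)", "https://example.test/")
            for t in range(0, 300, 20) for i in (1, 2, 3)]        # steady baseline clients
    recs += [(180 + 10 * k, f"198.51.100.{i}", f"agent-{(i + k) % 7}",
              f"https://ref{k}.example.test/")
             for i in range(1, 41) for k in range(4)]              # wave: 40 new sources
    return recs

def bucket(ts, window):
    """Start of the fixed window that contains timestamp ts."""
    return ts - ts % window

def max_requests_per_ip(records, window=60):
    """Highest per-IP request count in any window: all a per-IP rate limit sees."""
    counts = defaultdict(int)
    for ts, ip, _, _ in records:
        counts[(bucket(ts, window), ip)] += 1
    return max(counts.values())

def header_churn(records, window=60, max_variants=2):
    """Map window -> IPs that sent more than max_variants (UA, Referer) pairs in it."""
    seen = defaultdict(set)
    for ts, ip, ua, ref in records:
        seen[(bucket(ts, window), ip)].add((ua, ref))
    flagged = defaultdict(set)
    for (win, ip), variants in seen.items():
        if len(variants) > max_variants:
            flagged[win].add(ip)
    return dict(flagged)

def source_surges(records, window=60, factor=5.0, warmup=2):
    """List (window, unique_ips, baseline) where unique sources exceed factor x baseline."""
    ips = defaultdict(set)
    for ts, ip, _, _ in records:
        ips[bucket(ts, window)].add(ip)
    surges, history = [], []
    for win in sorted(ips):
        count = len(ips[win])
        if len(history) >= warmup:
            baseline = sum(history) / len(history)
            if count > factor * baseline:
                surges.append((win, count, baseline))
                continue          # keep surge windows out of the baseline
        history.append(count)
    return surges
```

On the constructed sample no source exceeds 4 requests per minute, so a per-IP limit would not fire, while both aggregate checks flag the window starting at 180 seconds.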

Organizations should also enforce stringent web application firewall rules and leverage Anycast routing to distribute traffic across globally dispersed scrubbing centers.

As the botnet continues to expand, Qrator Labs advises critical infrastructure operators to conduct regular stress tests of their DDoS defenses and maintain robust incident response plans.

Only through proactive, adaptive defenses can enterprises hope to withstand the next generation of large-scale L7 DDoS attacks.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
