A wave of cyberattacks hitting Vietnam: 27 billion DDoS requests at peak

Vietnamese businesses are facing a new generation of DDoS attacks, where AI-coordinated botnets can sustain pressure at millions of requests per second for hours without slowing down. On the morning of April 26, a large-scale attack campaign targeted VNETWORK's infrastructure directly, peaking at 1.23 million requests per second and generating over 27 billion requests across 10 consecutive hours. This article breaks down how the attack unfolded, how the VNIS system responded, and what every organization operating in the digital space should take away from it.

1.23 million requests per second: Tracing a targeted attack campaign

According to VNETWORK's expert team, the attack was organized with two tightly linked phases that reveal clear signs of deliberate planning rather than opportunistic activity.

Total requests during the holiday attack exceeded 27.2 billion

During the reconnaissance phase on April 24, peak bandwidth reached only 5.58 Gbps, but the system recorded an anomalous density of 76 million HTTP 302 redirect responses within a single peak minute. This was the result of an active filtering mechanism that forced suspicious connections through a Challenge Page for identity verification. The unusually high redirect frequency indicated both the massive scale of the botnet and the severe load requirements it would place on any defense system running continuously.

VNIS security solution from VNETWORK blocks AI Botnet attacking from 10 countries

The main strike on April 26 peaked at 1.23 million requests per second and sustained between 400,000 and 500,000 requests per second for several hours. A total of 27.2 billion requests and 10.7 TB of data originated from dozens of countries including Indonesia, Vietnam, the United States, China, Turkey, and Mexico.

Domestic IPs with high attack traffic targeting VNETWORK's systems

A significant portion of the attacking IPs belonged to Vietnamese ISPs and cloud service providers. This indicates that many devices and servers inside the country had already been infected with botnet malware and were being mobilized into the attack campaign without their owners' knowledge.

Fighting AI with AI: VNETWORK blocks 99.8% of malicious traffic at the edge

VNETWORK's SOC team and experts monitoring and providing 24/7 support

Throughout the entire incident, VNETWORK deployed its VNIS solution, which blocked over 99.8% of malicious traffic at the network edge using HTTP 403 responses. As a result, origin servers remained completely unaffected, error response rates (502, 503) were held near zero, and customer services continued operating without disruption.

Unlike traditional rule-based models that AI botnets can easily bypass, VNIS applies a real-time behavioral analysis engine built around WAF technology. Rather than relying on simple signature matching, the system detects anomalies at the session level and through TLS fingerprint analysis. AI Smart Load Balancing across a Multi-CDN network distributed the pressure of 27.2 billion requests without creating a single point of failure. Simultaneously, an AI-powered IP reputation scoring mechanism cut detection and response time from hours down to 5 minutes, allowing malicious addresses to be blocked before the botnet could rotate its tactics.

Nguyen Kim Tho, Head of Solutions at VNETWORK, commented: "Once attackers started using AI to coordinate botnets, static defense systems had no way to keep up. That is why VNIS was built with AI at its core — using AI to counter AI at every layer: behavioral analysis, load distribution, and deep-packet filtering. The attack we just handled represents only a fraction of our system's capacity, which is built across more than 2,300 PoPs spanning 146 countries with over 2,600 Tbps of DDoS mitigation capability."

No business is out of reach: Vietnam's DDoS landscape in 2025

According to Vietnam's latest Cyber Attack Report, the past year recorded a historic high of 512,438 DDoS incidents. Nearly half of those (234,918 attacks) involved AI assistance, with peak intensity reaching 1.89 Tbps. These figures make clear that DDoS is no longer a risk confined to Fintech, Gaming, or e-Commerce. It is now a direct and immediate threat to every organization with a digital presence.

The April 30 holiday DDoS attack targeting VNETWORK was covered by several leading Vietnamese news organizations:

FAQ - Frequently asked questions about AI-powered DDoS attacks

1. How does an AI-powered DDoS attack differ from a conventional DDoS attack?

Conventional DDoS attacks use botnets with fixed, predictable behavior that can be blocked with static rules. AI-powered DDoS attacks use botnets that adapt their tactics in real time, simulate legitimate user behavior, and continuously rotate IP addresses, so traditional rule-based defenses cannot keep pace with them.

2. Why did VNETWORK's infrastructure stay online throughout a 10-hour attack?

VNETWORK's VNIS platform integrates AI Smart Load Balancing across a global Multi-CDN network, real-time AI-based IP reputation scoring, and session-level behavioral analysis. Over 99.8% of malicious traffic was blocked at the edge with HTTP 403 responses, keeping origin servers fully protected and maintaining uninterrupted service for 2,000 enterprise customers throughout the entire event.

3. Do small businesses need to worry about AI-powered DDoS attacks?

Yes. Current attack trends show no organization is exempt based on size or sector. Many DDoS campaigns specifically target small and mid-sized businesses precisely because their defenses tend to be thinner, while the resulting revenue loss and reputational damage are just as real regardless of company scale.

4. What should you do immediately if your infrastructure is under a DDoS attack?

Activate a dedicated Anti-DDoS solution if one is already in place. If not, contact a provider immediately for emergency support. In parallel, collect system logs, identify IPs generating abnormal traffic, and keep your technical team monitoring continuously until the situation is fully under control.
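
One way to do the log triage described in the answer above, as an added example that is not VNETWORK's or VNIS's code. It assumes access logs in common/combined log format; the function names, the 60-requests-per-minute threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined/common log format: ip, ident, user, [timestamp], "request", status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def build_sample():
    """Constructed log lines: documentation-range IPs, invented timestamps."""
    fmt = '{ip} - - [01/Jan/2024:08:{m:02d}:{s:02d} +0700] "GET /login HTTP/1.1" {st} 512'
    lines = []
    for s in range(60):  # noisy client: challenged (302), then blocked (403)
        lines.append(fmt.format(ip="203.0.113.7", m=0, s=s, st=302))
        lines.append(fmt.format(ip="203.0.113.7", m=0, s=s, st=403))
    for i in range(90):  # second noisy client, blocked outright
        lines.append(fmt.format(ip="198.51.100.23", m=1, s=i % 60, st=403))
    for m in range(3):   # ordinary clients
        lines.append(fmt.format(ip="192.0.2.10", m=m, s=5, st=200))
        lines.append(fmt.format(ip="192.0.2.11", m=m, s=9, st=200))
    lines.append(fmt.format(ip="192.0.2.11", m=2, s=30, st=503))
    lines.append("truncated or malformed line")
    return lines

def triage(lines, per_minute_threshold=60):
    """Flag IPs whose busiest minute exceeds the threshold; tally key statuses."""
    per_ip_minute = defaultdict(Counter)  # ip -> {minute bucket: request count}
    statuses = Counter()
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:        # never let one bad line abort triage mid-incident
            skipped += 1
            continue
        minute = m["ts"][:17]  # "01/Jan/2024:08:00" (drop seconds and zone)
        per_ip_minute[m["ip"]][minute] += 1
        statuses[int(m["status"])] += 1
    peaks = {ip: max(c.values()) for ip, c in per_ip_minute.items()}
    flagged = sorted((ip for ip in peaks if peaks[ip] > per_minute_threshold),
                     key=lambda ip: -peaks[ip])
    return {
        "total": sum(statuses.values()), "skipped": skipped,
        "flagged": flagged, "peaks": peaks,
        "challenged_302": statuses[302], "blocked_403": statuses[403],
        "origin_errors": statuses[502] + statuses[503],  # origin impact signal
    }

if __name__ == "__main__":
    report = triage(build_sample())
    print(report["flagged"], report["blocked_403"], report["origin_errors"])
```

A per-IP rate misses botnets that rotate addresses and spread load thinly, so treat the flagged list as a starting point to hand to the Anti-DDoS provider rather than a complete blocklist.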

5. How can you tell whether your infrastructure has been infected with botnet malware and used to attack others?

Warning signs include abnormally high outbound traffic, unexplained CPU and bandwidth spikes, connections to unfamiliar IP addresses, and system logs showing large volumes of outbound requests during unusual hours.
