Full story
On November 9th, 2025, at about 8:00 am, alerts began to be received regarding the detection of attacks on the SMB’s customer IP address.
The system identified an attack that included several vectors of attack, with a capacity of 450 Gbps of traffic that was blocked by FlowSec’s system.
The attacks lasted for more than 3 hours, with an increase in the peak volume of the attack to about 8 GB, 16 GB, and up to 23.4 GB, while the Packet Per Second traffic reached from about 800K up to 3.2M PPS.
The attack protocols were UDP, ICMP, and TCP (SYN, ACK) on the following ports: 0, 80, 443.
The system detected the attack and created signatures that were sent to the ISP’s routers. During the detection of the attacks and the creation of signatures, email alerts were sent to the customer and their ISP for each signature.
Loss prevention for the customer – the customer estimation for loss prevention is about $1.5M for 3 hours.
To resolve the issue, we sent the attack signatures to the routers of this ISP, which successfully blocked the malicious traffic and cleaned the pipe leading to the attacked SMB customer.
At the end of the attacks and after the traffic returned to normal levels, the signatures were removed from the ISP’s routers according to system settings.
During the attack, the customer was working as usual and serving its customers.
