Mitigating an 88M Request DDoS with FlareStack

How we automated the defense of a coordinated L7 flood targeting our infrastructure on May 26, 2026.

The Storm: Coordinated Double-Strike

Attack Window: Night of May 26, 2026

Our infrastructure faced a symmetric Layer 7 DDoS attack targeting both our main and backup domains simultaneously. The total request volume hit an astounding 88.18 Million requests.

Main Domain Metrics

  • Total Volume: 63.38 Million requests
  • Cloudflare Mitigated: 32.95M (52.0%)
  • Leaked to Origin: 29.98M (47.3%)
  • Peak Traffic: 7.0M at 22:30 on May 26

Backup Domain Metrics

  • Total Volume: 24.8 Million requests
  • Cloudflare Mitigated: 9.05M (36.5%)
  • Leaked to Origin: 15.71M (63.3%)
  • Peak Traffic: 5.1M at 00:00 on May 27

Why Standard "Under Attack" Mode Failed

Turning on Cloudflare's "I'm Under Attack" Mode was our first response, but it couldn't stop the flood:

  1. Residential Proxy Rotation: The botnet rotated through thousands of residential IPs, staying below individual rate-limiting thresholds.
  2. Challenge Bypass: Advanced headless browser tools solved or bypassed JS challenges, bleeding 45.69 Million requests directly through the edge filters to our origin.

Step 1: Vercel Origin Lockdown

With the WAF challenges bypassed, the attackers also targeted our Vercel deployment URLs directly in an attempt to skip Cloudflare completely. We executed an immediate lockdown:

  • Cloudflare IP Enforce: Blocked all non-Cloudflare traffic at the Vercel level, allowing ONLY requests routed through Cloudflare's official IP ranges.
  • Neutralized Bypass: Direct backend flood attempts were rejected immediately with a 403 Forbidden status, shielding database connections.

Step 2: Real-Time Threat Sync (FlareStack)

Manually managing firewall rules during an active L7 flood is impossible. We deployed FlareStack to automate the edge defense:

  1. Log Parsing: Real-time extraction of abusing IP addresses based on threat signature matches.
  2. Automated WAF Sync: Pushed the malicious IPs instantly to Cloudflare WAF custom lists without human intervention.
  3. Edge Blocks: Safely blocked exactly 4,090 attacking IPs at the edge, reducing origin load back to zero.
Traffic spike and mitigation metrics on Main Domain
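
The log-parsing and list-building steps above, as an added example (not FlareStack's code and not from the original post): the signatures, allowlist range, log format and function names are assumptions, and the sample log lines are constructed. Matching is by signature rather than request rate, because each rotating proxy IP stayed below per-IP rate limits.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical threat signatures; real ones come from the attack traffic you observe.
SIGNATURES = {
    "headless-ua": re.compile(r"HeadlessChrome|python-requests", re.I),
    "cache-bust": re.compile(r'"GET /\?[a-z0-9]{8,} '),
}
# Networks that must never reach a block list (constructed example range).
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
CLIENT = re.compile(r"^(\S+) ")

# Constructed sample access-log lines: client IP, request line, status, user agent.
SAMPLE_LOG = '''\
203.0.113.7 "GET /?k3j9x0q2ab HTTP/1.1" 200 "Mozilla/5.0 HeadlessChrome/120.0"
203.0.113.7 "GET /?zz81mq0p4c HTTP/1.1" 200 "Mozilla/5.0 HeadlessChrome/120.0"
192.0.2.44 "GET /?p0o9i8u7y6 HTTP/1.1" 200 "Mozilla/5.0 Chrome/120.0"
192.0.2.44 "GET /pricing HTTP/1.1" 200 "Mozilla/5.0 Chrome/120.0"
198.51.100.5 "GET /health HTTP/1.1" 200 "python-requests/2.31"
198.51.100.5 "GET /health HTTP/1.1" 200 "python-requests/2.31"
not-an-ip "GET /?aaaaaaaaaa HTTP/1.1" 200 "HeadlessChrome"
192.0.2.90 "GET /docs HTTP/1.1" 200 "Mozilla/5.0 Firefox/125.0"
'''

def extract_block_candidates(log_text, min_hits=2):
    """Return {ip: signature names} for IPs with at least min_hits matching lines."""
    hits, names = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = CLIENT.match(line)
        matched = [n for n, rx in SIGNATURES.items() if rx.search(line)]
        if not m or not matched:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed client field: never forward it to the WAF
        if any(ip in net for net in ALLOWLIST):
            continue  # our own monitoring must not block itself
        hits[str(ip)] += 1
        names[str(ip)].update(matched)
    return {ip: sorted(names[ip]) for ip, n in hits.items() if n >= min_hits}

def to_list_items(candidates):
    """Shape candidates as ip + comment entries (assumed custom-list item shape)."""
    return [{"ip": ip, "comment": "sig:" + ",".join(sigs)}
            for ip, sigs in sorted(candidates.items())]
```

Keeping the matched signature names in each entry's comment lets a later review trace why an address was blocked and expire it when the signature is retired.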

Key Takeaways

Symmetric Hardening

Staging and backup environments are prime targets. If routing exists, it must be protected with the same WAF rules as production.

Edge Automation

Automation is the only way to scale defenses. FlareStack turned an active, multi-million L7 request attack into a hands-off, auto-mitigated event.