Surge in Hacktivist DDoS: Keymous+ and DieNet Activity Analysis
Has anyone else noticed the spike in noise on their edge sensors following the recent geopolitical developments? Radware released a report this morning detailing a massive wave of retaliatory DDoS attacks after the 'Epic Fury' and 'Roaring Lion' campaigns.
According to the data, 149 attacks hit 110 organizations across 16 countries. What caught my eye is that this isn't just a disorganized swarm; two groups—Keymous+ and DieNet—are responsible for nearly 70% of the malicious traffic between Feb 28 and March 2.
While volumetric attacks are nothing new, the coordination here is notable. We've started seeing patterns indicating HTTP floods trying to exhaust server resources rather than just bandwidth pipe saturation.
I've pushed some updated rate-limiting rules to our NGINX reverse proxies to mitigate the immediate risk. If you're seeing similar traffic, you might want to enforce stricter burst limits in your config:
```nginx
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

server {
    location / {
        limit_req zone=one burst=20 nodelay;
    }
}
```
For those analyzing logs, look for high-frequency requests from single IPs that might be slipping under standard WAF thresholds. You can use this quick awk snippet to isolate top talkers:
```bash
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -n 10
```
Are you guys seeing specific payload signatures, or is this mostly brute-force volume in your environment?
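The awk one-liner in the post above only gives lifetime totals per IP. As an added example (not code from the original post or from Radware), here is a small Python log analyser that does the same count and also finds clients whose request rate within any one-second sliding window exceeds a threshold, which is the behaviour the `limit_req rate=10r/s burst=20` setting actually keys on. It assumes NGINX's default `combined` log format; the log lines, IPs and paths are constructed for illustration.

```python
"""Top talkers and per-second bursts in an NGINX access log (added example).

Assumes the default 'combined' log_format:
  $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
The sample log below is constructed; the addresses come from documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = m["req"].split(" ")
    path = parts[1] if len(parts) > 1 else ""
    return {"ip": m["ip"], "ts": ts, "path": path,
            "status": int(m["status"]), "ua": m["ua"]}


def count_by_ip(lines):
    """Same result as the awk pipeline: total requests per source IP, highest first."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["ip"]] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def flag_bursts(lines, window_s=1, threshold=10):
    """Return {ip: peak} for IPs that exceed `threshold` requests inside any
    `window_s`-second sliding window. Run this over real traffic before tightening
    limit_req so the threshold does not also catch legitimate bursty clients."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and (rec["ts"] - q[0]).total_seconds() >= window_s:
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _line(ip, t, path="/api/login", status=200, ua="Mozilla/5.0"):
    # Constructed log line in combined format.
    return f'{ip} - - [{t}] "POST {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: one client fires 15 requests in the same second,
# another sends three requests one second apart.
SAMPLE_LOG = (
    [_line("203.0.113.7", "02/Mar/2026:10:15:01 +0000") for _ in range(15)]
    + [_line("198.51.100.4", f"02/Mar/2026:10:15:0{s} +0000", "/") for s in range(1, 4)]
)

if __name__ == "__main__":
    for ip, n in count_by_ip(SAMPLE_LOG):
        print(f"{n:6d} {ip}")
    print("burst offenders:", flag_bursts(SAMPLE_LOG))
```

Feed it `open("/var/log/nginx/access.log")` instead of `SAMPLE_LOG` to run it on a real file; lines that do not match the regex (a custom `log_format`, for instance) are skipped rather than crashing the pass.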
We've seen a mix of both. While the volumetric attacks are loud, we noticed DieNet specifically targeting API endpoints with malformed JSON payloads to trigger 500 errors. It’s an attempt to saturate the application thread pool rather than the network card.
If you're using AWS WAF, I recommend deploying a rate-based rule specifically on your API gateway paths immediately.
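The malformed-JSON-to-500 pattern described in the reply above works because an unhandled parse error inside a request handler typically becomes a 500 and a full stack trace in the logs, on top of tying up a worker. As an added example (not code from the thread or from AWS), here is a framework-free pair of handlers: the first lets the exception escape, the second bounds body size and nesting depth, answers bad input with 4xx before any expensive work, and counts rejections per client so a rate rule can kick in. The size and depth limits and the `user` field are assumptions chosen for the illustration.

```python
"""Vulnerable vs hardened JSON handling for an API endpoint (added example).

Each handler takes the raw request body and returns an HTTP status code, standing in
for whatever framework you run. Limits below are assumptions for the example.
"""
import json
from collections import defaultdict

MAX_BODY_BYTES = 16 * 1024   # assumption: this API only ever needs small documents
MAX_JSON_DEPTH = 20          # assumption: legitimate clients never nest this deep


def expensive_lookup(user):
    # Stand-in for the DB/auth work that should never run on unvalidated input.
    return user


def vulnerable_handler(body: bytes) -> int:
    data = json.loads(body)          # malformed body -> exception -> 500 from the framework
    expensive_lookup(data["user"])   # missing field -> KeyError -> another 500
    return 200


def json_depth(obj):
    """Nesting depth of a decoded JSON value (0 for scalars)."""
    if isinstance(obj, dict):
        return 1 + max((json_depth(v) for v in obj.values()), default=0)
    if isinstance(obj, list):
        return 1 + max((json_depth(v) for v in obj), default=0)
    return 0


class HardenedHandler:
    def __init__(self, max_bad_per_client=5):
        self.bad_requests = defaultdict(int)   # client_ip -> rejected requests
        self.max_bad = max_bad_per_client

    def _reject(self, client_ip, status):
        self.bad_requests[client_ip] += 1
        return status

    def handle(self, client_ip: str, body: bytes) -> int:
        # Cheapest checks first; a 4xx tells the proxy/WAF this is client error, not an outage.
        if self.bad_requests[client_ip] >= self.max_bad:
            return 429
        if len(body) > MAX_BODY_BYTES:
            return self._reject(client_ip, 413)
        try:
            data = json.loads(body)
        except (ValueError, RecursionError):   # JSONDecodeError and bad UTF-8 are ValueErrors
            return self._reject(client_ip, 400)
        if (not isinstance(data, dict) or "user" not in data
                or json_depth(data) > MAX_JSON_DEPTH):
            return self._reject(client_ip, 400)
        expensive_lookup(data["user"])
        return 200


if __name__ == "__main__":
    h = HardenedHandler(max_bad_per_client=3)
    for body in [b'{"user": "alice"}', b'{"user": ', b'[' * 30 + b']' * 30, b'{"user": ', b'{"user": ']:
        print(h.handle("203.0.113.7", body))   # constructed client address
```

The per-client counter is deliberately in-process and minimal; in production the same signal (repeated 4xx from one source on API paths) is what a WAF rate-based rule scoped to those paths would act on.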
Good catch on the User-Agent strings. We actually pivoted to fingerprinting based on TLS fingerprinting (JA3) because these groups often rotate user agents but keep the same SSL stacks.
I wrote a quick Python script to pull JA3 hashes from Zeek logs and cross-reference them against known botnet signatures. It's been significantly more effective than just looking at IP reputation for this campaign.
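As an added example of the approach the reply above describes (this is not the poster's script), here is a Python reader for Zeek's `ssl.log` that uses the `#fields` header to locate the `ja3` column (present when the ja3 package is loaded), matches hashes against a watchlist, and also reports how many distinct source IPs share each JA3, since a fingerprint suddenly shared by many fresh addresses is worth a look even before it is on any list. The sample log, the client addresses and the watchlist hashes are constructed for illustration and are not real indicators.

```python
"""Extract JA3 hashes from a Zeek ssl.log and cross-reference a watchlist (added example).

Zeek logs are tab-separated with a '#fields' header naming the columns, so the parser
does not depend on column order. Real ssl.log files carry more columns than the
constructed sample below; the hashes in WATCHLIST are placeholders, not real IoCs.
"""
from collections import Counter, defaultdict


def _row(*cols):
    return "\t".join(cols)


# Constructed sample log. Only the columns this example needs are included.
SAMPLE_SSL_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "server_name", "ja3", "ja3s"),
    _row("1740700001.1", "C1", "203.0.113.7", "51000", "192.0.2.10", "443", "api.example",
         "0123456789abcdef0123456789abcdef", "-"),
    _row("1740700002.2", "C2", "203.0.113.8", "51001", "192.0.2.10", "443", "api.example",
         "0123456789abcdef0123456789abcdef", "-"),
    _row("1740700003.3", "C3", "198.51.100.4", "51002", "192.0.2.10", "443", "www.example",
         "fedcba9876543210fedcba9876543210", "-"),
    _row("1740700004.4", "C4", "203.0.113.7", "51003", "192.0.2.10", "443", "api.example",
         "0123456789abcdef0123456789abcdef", "-"),
    _row("1740700005.5", "C5", "198.51.100.9", "51004", "192.0.2.10", "443", "www.example",
         "-", "-"),
    "#close\t2026-03-02-10-15-00",
])

# Placeholder watchlist: JA3 -> label. Replace with your own feed.
WATCHLIST = {"0123456789abcdef0123456789abcdef": "constructed-bot-stack-A"}


def parse_zeek_log(text):
    """Yield one dict per data row, keyed by the names in the '#fields' header.
    Unset fields ('-' by default) become None."""
    fields = None
    unset = "-"
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#unset_field"):
            unset = line.split("\t")[1]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue   # malformed or truncated row; skip rather than misalign columns
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def match_ja3(text, watchlist):
    """Return {ja3: Counter(source_ip -> connections)} for hashes on the watchlist."""
    hits = defaultdict(Counter)
    for rec in parse_zeek_log(text):
        ja3 = rec.get("ja3")
        if ja3 and ja3 in watchlist:
            hits[ja3][rec["id.orig_h"]] += 1
    return hits


def ja3_prevalence(text):
    """Return {ja3: number of distinct source IPs} across the log."""
    ips = defaultdict(set)
    for rec in parse_zeek_log(text):
        if rec.get("ja3"):
            ips[rec["ja3"]].add(rec["id.orig_h"])
    return {h: len(s) for h, s in ips.items()}


if __name__ == "__main__":
    for ja3, by_ip in match_ja3(SAMPLE_SSL_LOG, WATCHLIST).items():
        print(WATCHLIST[ja3], ja3, dict(by_ip))
    print(ja3_prevalence(SAMPLE_SSL_LOG))
```

To run it against a live sensor, pass `open("/path/to/ssl.log").read()` (or iterate a rotated file) in place of `SAMPLE_SSL_LOG`; the `#fields` handling means the same code works whatever extra columns your Zeek build adds.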