July 14, 2025
Every month we see an article about record-breaking DDoS attacks being mitigated by one WAF vendor or another, and this is useful work.
However, most online attacks are not DDoS. In fact, they depend on the target site being available.
Credential stealing, account takeover attempts, card testing, and SMS pumping abuse all fit this profile, and in our experience WAFs are generally quite bad at detecting anything except the most naive of these attacks.
One reason for this is the ready availability of residential proxy services.
These services pool tens of millions of IPs and resell them. Where they get the IPs varies widely, from payments to ISPs to router malware, "free" proxy services that resell users' bandwidth, or install-to-earn apps. These apps are often injected by desktop or mobile malware, or included by disreputable app developers to monetize users' traffic.
In all cases, the end result is the same: criminals attempting to abuse online services gain a simple way to abuse millions to tens of millions of IPs.
In our experience, scaled attacks by individual attackers can use millions to tens of millions of IPs, with request-per-IP rates as low as one request per day per IP.
Because these IPs are often in use by real people at the same time (e.g. a person with proxy malware on their desktop is also browsing the web), WAFs cannot reliably distinguish them.
For example, a recent scaled attack on an hCaptcha customer used nearly 9 million IPs within 24 hours, but made only one or two requests per IP.
The customer's WAF (provided by a top 3 security CDN) marked less than 10% of this traffic as suspicious, but hCaptcha detected ~100% of the requests as malicious.
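To make that mismatch concrete, here is an added Python example (not hCaptcha's code, nor any WAF vendor's). It builds a small constructed request log in the shape the post describes, a few real users on stable IPs beside a few hundred distinct IPs making one failed login each, and shows that a per-IP rate threshold flags nothing while two signals aggregated over the whole population do. The thresholds, the account names and the use of the RFC 5737 documentation address blocks are assumptions made for illustration.

```python
from collections import Counter, defaultdict

DAY = 24 * 3600  # seconds in the observation window


def build_sample_events():
    """Constructed request log as a list of (t_seconds, src_ip, account, outcome).

    Synthetic data written for this example, not a real capture. IPs come from
    the RFC 5737 documentation blocks; account names are placeholders.
    """
    events = []
    # Five legitimate users, each from one stable IP, eight logins across the
    # day, one of them a mistyped password.
    for u in range(5):
        ip = f"192.0.2.{u + 1}"
        for k in range(8):
            outcome = "fail" if k == 3 else "ok"
            events.append((k * 3 * 3600, ip, f"user{u}", outcome))
    # Distributed, low-rate traffic against one account: 200 distinct source
    # IPs, a single failed login each, spread evenly across the same day.
    for n in range(200):
        ip = f"198.51.100.{n + 1}"
        events.append((n * (DAY // 200), ip, "target-account", "fail"))
    return sorted(events)


EVENTS = build_sample_events()


def per_ip_rate_flags(events, max_per_hour=20):
    """WAF-style per-source check: flag any IP exceeding a requests-per-hour
    budget (threshold assumed). With one or two requests per IP per day no IP
    comes near the limit, so this returns an empty set for the sample log."""
    per_ip_hour = defaultdict(int)
    for t, ip, _, _ in events:
        per_ip_hour[(ip, t // 3600)] += 1
    return {ip for (ip, _), n in per_ip_hour.items() if n > max_per_hour}


def account_fanin_flags(events, max_distinct_failing_ips=10):
    """Aggregate by target instead of source: count distinct IPs with failed
    logins per account. Legitimate accounts see one or two; a campaign spread
    over a proxy pool shows up as a large fan-in (threshold assumed)."""
    failing_ips = defaultdict(set)
    for _, ip, account, outcome in events:
        if outcome == "fail":
            failing_ips[account].add(ip)
    return {a: len(ips) for a, ips in failing_ips.items()
            if len(ips) > max_distinct_failing_ips}


def singleton_ip_share(events):
    """Population-level signal: the share of requests from IPs seen only once
    in the window. Organic traffic has repeat visitors; traffic spread thinly
    over a large pool is dominated by one-request IPs. In practice this is
    compared against a baseline learned from normal days."""
    seen = Counter(ip for _, ip, _, _ in events)
    singles = sum(1 for _, ip, _, _ in events if seen[ip] == 1)
    return singles / len(events)


if __name__ == "__main__":
    print("per-IP rate flags:", per_ip_rate_flags(EVENTS) or "none")
    print("accounts with large failing-IP fan-in:", account_fanin_flags(EVENTS))
    print(f"share of requests from single-use IPs: {singleton_ip_share(EVENTS):.2f}")
```

On the sample log the per-IP check stays silent, the per-account fan-in reports 200 distinct failing IPs against one account, and five in six requests come from single-use IPs. The aggregate signals identify the campaign rather than a blockable source; because the same addresses are shared with real users, the response belongs at the account or session layer (step-up challenge, lockout on the targeted account) rather than in an IP blocklist.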
If you work on an online service subject to these kinds of attacks and would like to hear more, reach out to us.
hCaptcha Enterprise is the choice of category leaders in every industry, and we'd like to help you too.