evorxa

Anatomy of a Layer-7 flood, blocked at the edge

A walk through 41 Gbps of garbage that never reached the origin, broken down by ASN and by the rule that stopped it.

May 14, 2026

At 03:14 UTC the edge started absorbing a sustained POST flood targeting a single endpoint on a customer zone. Here is what we saw.

Shape of the attack

The traffic concentrated on two ASNs and a handful of residential ranges fronting the same C2.

asn AS14618  ec2/aws       8.2 Gbps
asn AS16276  ovh           5.9 Gbps
ip  198.51.100.0/24         11k rps

What stopped it

A block-list policy with two ASN rules and one IP range rule. The rule push to all edge nodes took 3.1 seconds.
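
The policy above, evaluated over request records and tallied per rule. This is an added example, not the edge's own rule engine; it goes slightly beyond the post by unwrapping IPv4-mapped IPv6 sources so they cannot slip past the IPv4 range rule. The prefix-to-ASN table, the sample records and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Policy as the post describes it: two ASN rules and one IP-range rule.
BLOCKED_ASNS = {14618, 16276}
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed prefix-to-ASN table on documentation ranges (not real
# announcements); a real edge would build this from BGP or an ASN feed.
PREFIX_TO_ASN = {
    ipaddress.ip_network("192.0.2.0/24"): 14618,
    ipaddress.ip_network("203.0.113.0/24"): 64500,    # documentation ASN
    ipaddress.ip_network("203.0.113.128/25"): 16276,  # more specific wins
}

def normalize(src):
    """Parse a source address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(src)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def lookup_asn(addr):
    """Longest-prefix match in PREFIX_TO_ASN; None when nothing covers addr."""
    hits = [net for net in PREFIX_TO_ASN if addr in net]
    return PREFIX_TO_ASN[max(hits, key=lambda n: n.prefixlen)] if hits else None

def match_rule(src):
    """Return the label of the rule that blocks src, or None if allowed."""
    addr = normalize(src)
    for net in BLOCKED_NETS:
        if addr in net:
            return f"ip {net}"
    asn = lookup_asn(addr)
    return f"asn AS{asn}" if asn in BLOCKED_ASNS else None

def breakdown(requests):
    """Tally (src, bytes) records into bytes blocked per rule and bytes passed."""
    totals = Counter()
    for src, size in requests:
        totals[match_rule(src) or "passed"] += size
    return dict(totals)

# Constructed sample records: (source address, request bytes).
SAMPLE = [("192.0.2.10", 900), ("192.0.2.11", 900), ("203.0.113.200", 1200),
          ("203.0.113.5", 400), ("198.51.100.7", 700),
          ("::ffff:198.51.100.9", 700), ("2001:db8::1", 300)]

if __name__ == "__main__":
    for rule, size in sorted(breakdown(SAMPLE).items()):
        print(f"{rule:22} {size} bytes")
```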