Introduction
On Saturday, September 13, 2025, a major Distributed Denial-of-Service (DDoS) attack targeted a European payment processing platform, prompting response and mitigation efforts by the F5 Security Operations Center (SOC). Several phases of the attack unfolded in high-intensity waves, employing multiple DDoS techniques and achieving traffic volumes previously unseen by F5’s defenders. These events were successfully mitigated without any significant service disruption reported by the targeted organization.
The Initial Attack Waves
The initial phase of the attack occurred between 17:21 and 17:32 UTC. Two destination IPs within the organization’s network were targeted simultaneously. The attackers used a Push-Acknowledgment (PSH-ACK) flood, which is a volumetric attack designed to overwhelm the network with high-bandwidth traffic, leveraging TCP segments with a size of 1420 bytes. This was a small deviation from this attacker's observed behavior in previous attacks of sending segments sized at 1440 bytes.
While many may be familiar with the TCP three-way handshake, the usual way TCP connections are established, there is nothing stopping attackers from sending TCP segments with any number of TCP flags set and ignoring the usual way of doing things. SYN floods are a common tactic: an attacker sends a SYN, the target sends a SYN-ACK back, and the attacker ignores it. This consumes resources both in terms of bandwidth and computationally on the target, as each SYN takes up a spot in a limited-size connection table, which can be overwhelmed (although, in practice, mitigations for this are in place on almost every target). SYN segments are expected to be very small, and rogue SYN segments with larger than expected sizes would stand out from normal traffic.
Attackers therefore frequently resort to other types of segments, such as PSH-ACK. In normal operations, PSH-ACK segments will be quite large, since they normally are expected to contain data, and TCP attempts to send as much data in each segment as possible. Typically, the Maximum Transmission Unit is 1500 bytes. The IP header uses 20 bytes of this, and the TCP header uses somewhere between 20 and 60 more bytes depending on which optional fields are set, leading to a maximum segment size (MSS) between 1420 and 1460 bytes. This is the amount of non-header data that can be present in a TCP segment. The size of PSH-ACK segments, at least for typical traffic, does not vary hugely, so this becomes one of many places where DDoS detection can take place. By modifying the size of PSH-ACK segments sent, the attacker may have been attempting to confuse automated detections.
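A sketch of the size-based detection point described above, as an added example that is not F5's detection logic or code from the original article: it compares the PSH-ACK size distribution in an observation window against a baseline and also reports SYN segments that carry data. The packet tuples, thresholds and function names are constructed for illustration, and sizes are assumed to be TCP payload bytes.

```python
from collections import Counter

MTU, IP_HEADER = 1500, 20  # figures used in the text (IPv4 header without options)

def mss_range():
    """MSS bounds for a 20..60 byte TCP header: (1420, 1460)."""
    return MTU - IP_HEADER - 60, MTU - IP_HEADER - 20

def size_distribution(packets, flags):
    """Relative frequency of each size among packets whose flag set is exactly `flags`."""
    sizes = Counter(s for f, s in packets if frozenset(f) == frozenset(flags))
    total = sum(sizes.values())
    return {s: n / total for s, n in sizes.items()} if total else {}

def drift(baseline, window):
    """Total variation distance between two distributions (0 = identical, 1 = disjoint)."""
    keys = set(baseline) | set(window)
    return 0.5 * sum(abs(baseline.get(k, 0.0) - window.get(k, 0.0)) for k in keys)

def findings(baseline_pkts, window_pkts, max_syn_size=0, drift_limit=0.5):
    """Return a list of anomalies for one observation window (thresholds are assumptions)."""
    out = []
    # SYN segments are expected to be empty; any payload stands out.
    big_syn = [s for f, s in window_pkts if frozenset(f) == {"SYN"} and s > max_syn_size]
    if big_syn:
        out.append(f"{len(big_syn)} SYN segments carry payload (max {max(big_syn)} bytes)")
    # PSH-ACK sizes are compared as a whole distribution, not against one fixed size.
    base = size_distribution(baseline_pkts, {"PSH", "ACK"})
    cur = size_distribution(window_pkts, {"PSH", "ACK"})
    if base and cur and drift(base, cur) > drift_limit:
        mode = max(cur, key=cur.get)
        out.append(f"PSH-ACK size drift {drift(base, cur):.2f}; dominant size {mode} bytes")
    return out

# Constructed samples of (flags, payload bytes); not captured traffic.
BASELINE = ([({"PSH", "ACK"}, 1448)] * 60 + [({"PSH", "ACK"}, 512)] * 25 +
            [({"PSH", "ACK"}, 137)] * 15 + [({"SYN"}, 0)] * 10)
WINDOW = BASELINE + [({"PSH", "ACK"}, 1420)] * 900 + [({"SYN"}, 1200)] * 3

if __name__ == "__main__":
    print(mss_range())
    for line in findings(BASELINE, WINDOW):
        print(line)
```

Because the comparison is over the whole distribution rather than one hard-coded size, the same finding is produced whether the dominant size in the window is 1420 or 1440 bytes.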
The first wave peaked at 419 Gbps (Gigabits per second) and 38 Mpps (Million packets per second) against one of the IP addresses. A concurrent attack on the second IP reached the same bit-rate and packet-rate, resulting in a combined total throughput exceeding 800 Gbps.
After subsiding briefly, the attackers shifted their approach at 17:25 UTC, deploying a smaller SYN flood targeting one of the IPs, which reached 12 Mpps before dissipating within two minutes.
The most intense stage of this initial assault began at 17:30 UTC, when the attackers escalated the PSH-ACK flood to reach a peak of 1.8 Tbps (Terabits per second) and 158 Mpps. This surge lasted approximately two minutes before the attack ceased entirely by 17:32 UTC.
F5 was able to mitigate this attack with no impact to this customer's network and no collateral impact to any other customers.
Defenses and Mitigation Measures
Mitigation defenses had already been activated prior to this incident, as the targeted IP addresses had a history of previous DDoS activity. Traffic Management Systems (TMS) were configured to effectively counter the ongoing threats. SOC confirmed that the countermeasures were successful, and the organization reported normal operations throughout the event, with Border Gateway Protocol (BGP) sessions remaining stable.
The Second Attack
Following a brief respite, the second wave of activity began at 18:33 UTC, persisting until 18:38 UTC. This phase introduced a combination of repeated PSH-ACK floods and a subsequent flood of Acknowledgment (ACK) packets. The attackers reverted to their standard PSH-ACK packet size of 1440 bytes but introduced smaller ACK packets, measuring merely 49-50 bytes each. This variably sized traffic was designed to maximize packet rates and overwhelm network resources.
During this wave, the attack reached a 550 Mpps packet-rate, a particularly high value that underscored the shift in strategy toward overwhelming packet-based processing capabilities rather than saturating available bandwidth. To counter this, SOC activated additional measures, including “zombie” and SYN authentication countermeasures, which effectively intercepted and dropped the attack traffic. These automated defensive mechanisms demonstrate adaptability on the part of the SOC to respond to changing attacker behavior.
Each segment of the second attack wave lasted approximately two minutes before subsiding, and by 18:38 UTC, the attack had fully ceased.
Analysis of Attacker Tactics
This coordinated DDoS campaign demonstrated a high degree of sophistication and adaptability on the part of the attackers. The use of volumetric PSH-ACK floods, first with unique packet sizes and later with standard-sized packets, indicates an effort to evade detection and bypass existing mitigation measures. The adoption of small ACK packets in the second wave to drive up packet rates (a shift from a bandwidth-focused attack approach to resource exhaustion) highlighted the attackers' ability to evolve their methods in real time.
Conclusion
The events of September 13, 2025, showcase the evolving threat landscape and the importance of robust and adaptable mitigation strategies against large-scale DDoS attacks. Through the utilization of preemptive defenses and real-time mitigation tools, the targeted organization experienced no disruption to its services. Despite the record-breaking scale of the attack, the continued operational stability of the network with no impact to this customer and no collateral impact to others underscored the effectiveness of the countermeasures employed.
This incident serves as a reminder for organizations that handle large volumes of sensitive or financial transactions to invest in comprehensive DDoS defense mechanisms. Attackers are deploying increasingly complex and potent techniques, and maintaining a proactive defense is essential to safeguarding network availability and customer trust.


