
How to Detect and Mitigate Hit and Run DDoS Attacks

By Stav David
October 22, 2025

Most DDoS attacks are short in duration. According to Cloudflare, 92% of layer 3/4 attacks and 75% of HTTP DDoS attacks in Q2 2025 ended within 10 minutes. A subset of these are Hit and Run DDoS attacks, which are gaining popularity among cybercriminals, possibly because they are relatively low cost and easier to execute.

Characterized by short bursts of high-volume traffic, Hit and Run attacks last 5-6 minutes or less, and are relatively hard to detect and mitigate, since they often end before conventional DDoS defenses are triggered.

Hit and Run attacks can also challenge automatic DDoS protections. This is because such protections frequently rely on measuring the baseline of traffic and triggering the protection when the request count exceeds the baseline. When the malicious traffic stays under the radar and is not classified as malicious traffic, it distorts the legitimate traffic’s baseline measurements. As a result, the overall traffic baseline increases, and the automatic protection might not be triggered.

Defending against Hit and Run Attacks

Hit and Run DDoS attacks therefore demand specialized automatic mechanisms that trigger quickly enough to act before the attack ends.

Dedicated rate limiting rules

Standard WAF and DDoS mitigation rules that are effective against many DDoS attacks are simply not triggered fast enough to address hit and run attacks.

Recently, we implemented a multi-layered rate-limiting system for a gaming company, specifically to address hit-and-run application-layer DDoS attacks (see case study here).

In addition to the ‘standard’ block-mode rate-limiting rules, a managed-challenge set of rules with a lower threshold is applied to suspicious requests. The JavaScript challenge is fulfilled by legitimate users’ browsers, separating out bots that are unable to handle such a challenge. This enables mitigation of hit and run attacks early enough, while the higher block threshold is still accumulating.

These configurations are regularly fine-tuned based on the number of false positives detected each month.
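The two-tier idea above, as an added example that is not the article's or the case study's configuration: a sliding-window counter per client with a low challenge threshold and a high block threshold, run over constructed traffic containing a 40-second burst and a 5-minute burst. All thresholds, request rates and timings are invented for illustration.

```python
from collections import deque

# Constructed traffic: per-second request counts from one client over 10 minutes.
# ~12 req/s of legitimate-looking background, plus a 40 s burst at t=120 and a
# 5-minute burst at t=300, both adding 400 req/s (values invented for illustration).
def constructed_traffic():
    counts = []
    for t in range(600):
        n = 10 + (t % 5)  # deterministic jitter around 12 req/s
        if 120 <= t < 160 or 300 <= t < 600:
            n += 400
        counts.append(n)
    return counts


class TwoTierRateLimiter:
    """Sliding-window request counter with two thresholds over the same window:
    a low 'challenge' threshold (managed/JS challenge) and a high 'block' one."""

    def __init__(self, window_s=60, challenge_limit=2000, block_limit=20000):
        self.window_s = window_s
        self.challenge_limit = challenge_limit
        self.block_limit = block_limit
        self.events = deque()  # (second, request count) buckets inside the window
        self.total = 0

    def observe(self, t, n):
        """Record n requests seen at second t; return 'block', 'challenge' or 'allow'."""
        self.events.append((t, n))
        self.total += n
        # Evict buckets older than the window so total covers exactly the last window_s seconds.
        while self.events and self.events[0][0] <= t - self.window_s:
            _, old = self.events.popleft()
            self.total -= old
        if self.total >= self.block_limit:
            return "block"
        if self.total >= self.challenge_limit:
            return "challenge"
        return "allow"


def first_trigger_times(counts, limiter):
    """Return the first second at which each tier fired (None if it never did),
    so the reaction time of the challenge tier can be compared with the block tier."""
    first = {"challenge": None, "block": None}
    for t, n in enumerate(counts):
        action = limiter.observe(t, n)
        if action != "allow" and first[action] is None:
            first[action] = t
    return first
```

On this traffic the challenge tier reacts 3 seconds into the first burst, while the block tier needs about 48 seconds of sustained traffic and therefore never fires for the 40-second burst at all.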

Blocking unnecessary services

Another protection method, which is a best practice against all types of DDoS attacks, is blocking unused protocols on specific endpoints and enabling TCP challenges.

Every open port or enabled protocol represents a potential target for attackers, so minimizing these significantly reduces risk. Regular audits can ensure that each service is reachable only on its intended port, protocol, and HTTP method.