Post-mortem: DDoS Attack on Unipage on May 9, 2025

In this post, we explain transparently what happened, how we responded, what the impact was, and which measures we are taking to further strengthen our infrastructure.


What is a DDoS attack?

A DDoS attack disrupts websites and servers by overwhelming network services in an attempt to exhaust the resources of an application. Attackers flood a website with unwanted traffic, causing performance to degrade or the site to go entirely offline. These attacks are increasingly common: in Q1 2025, as many DDoS attacks were recorded as in the entirety of 2024 (source).


FAQ


How did we respond?

Our infrastructure is protected by a robust firewall (Cloudflare), which performed exactly as intended: 98% of the attack was automatically mitigated. The remaining 2% reached our infrastructure and required manual intervention from our cloud specialists.

Our immediate mitigation was activating “Under Attack Mode” across the platform. This instantly absorbed 100% of the attack and restored webshop availability. However, this came with a trade-off: certain application features stopped functioning temporarily (such as receiving payments and printing tickets).

Next, we initiated several measures to restore full functionality:

  • Permanently blocking specific high-risk countries
  • Allowing other countries access only after solving a Cloudflare challenge
  • Blocking suspicious behavioural patterns
  • Placing certain pages in “extra protection” mode

By 17:03, the attack was fully mitigated and the platform was able to resume normal operation.

Throughout the remainder of the weekend, attackers attempted additional disruptions, all of which were successfully blocked thanks to the newly implemented protections.


DDoS attack as seen from our firewall



On May 9, 2025, Unipage had to fend off a large-scale DDoS attack targeted at one of our customers. In this post, we outline exactly what occurred, how we reacted, the impact it had, and what we’re doing to reinforce our systems going forward.


What happened?

At around 16:28 local time, we detected a sudden surge in traffic to a single shop running on our infrastructure. Within minutes, we received more than 30 million requests, primarily originating from distributed IP addresses across the globe. The attack had a clear objective: overwhelm and break our infrastructure.
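As an added illustration (not Unipage's own tooling and not code from this post), the sketch below shows one way to spot a surge aimed at a single shop and to tell many distributed sources apart from one noisy client, which matters because per-IP limits alone miss a distributed flood. The hostnames, IP addresses, thresholds and all names in the code are constructed assumptions.

```python
from collections import Counter, defaultdict, deque

class ShopSurgeDetector:
    """Sliding-window request counter per shop hostname (limits are assumptions)."""

    def __init__(self, window=60, max_requests=100, min_distinct_ips=50):
        self.window = window                      # seconds
        self.max_requests = max_requests          # per shop, per window
        self.min_distinct_ips = min_distinct_ips  # at or above this = distributed
        self.events = defaultdict(deque)          # shop -> (ts, ip) in arrival order
        self.ip_counts = defaultdict(Counter)     # shop -> requests per IP in window

    def observe(self, ts, shop, ip):
        """Record one request and return the verdict for its shop."""
        events, counts = self.events[shop], self.ip_counts[shop]
        events.append((ts, ip))
        counts[ip] += 1
        while events[0][0] <= ts - self.window:   # expire requests outside the window
            _, old_ip = events.popleft()
            counts[old_ip] -= 1
            if counts[old_ip] == 0:
                del counts[old_ip]
        if len(events) <= self.max_requests:
            return "ok"
        # Too many requests: one noisy client, or many sources at once?
        if len(counts) >= self.min_distinct_ips:
            return "distributed-surge"
        return "single-source-surge"

def classify_stream(requests, **limits):
    """Return {shop: worst verdict seen} for (ts, shop, ip) tuples in time order."""
    detector = ShopSurgeDetector(**limits)
    severity = {"ok": 0, "single-source-surge": 1, "distributed-surge": 2}
    worst = {}
    for ts, shop, ip in requests:
        verdict = detector.observe(ts, shop, ip)
        if severity[verdict] >= severity[worst.get(shop, "ok")]:
            worst[shop] = verdict
    return worst

def constructed_sample():
    """Constructed traffic: three hypothetical shops over 30 seconds."""
    reqs = []
    for i in range(300):
        ts = i / 10                                                   # 10 req/s
        reqs.append((ts, "shop-a.example", f"203.0.113.{i % 200}"))  # 200 sources
        reqs.append((ts, "shop-c.example", "198.51.100.7"))          # one source
        if i % 15 == 0:
            reqs.append((ts, "shop-b.example", "192.0.2.10"))        # normal trade
    return reqs
```

A verdict of "distributed-surge" for one hostname is the signal to challenge or isolate that shop alone, while "single-source-surge" can be handled with an ordinary per-client rate limit.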


Example challenge page



What are we doing to prevent this in the future?

We’ve learned several important lessons from this incident and are implementing improvements:

  • We can now isolate individual webshops when necessary, without impacting the entire platform
  • Intelligent rules are in place to flag and stop suspicious browsing behaviour
  • Printing of kiosk & app tickets can no longer be disrupted by this type of attack
  • We are exploring offline payment options for our POS systems with CCV and Worldline
  • The attack has been reported to both the Belgian and European cybersecurity centres
  • We have upgraded our Cloudflare SLA from 98% to 100% automated mitigation, ensuring future attacks are fully absorbed without manual intervention

Additionally, we are inviting a team of security experts to conduct a proactive, full-system audit to help prevent potential future incidents.


Finally

We encourage you to check the Unipage status page whenever you have doubts. It is a third-party system that transparently monitors our platform, and during incidents it is always the first place where updates will be posted.

