Record 14.2M RPS DDoS targets Turkish luxury retailer launch

A Turkish luxury retail platform suffered a record breaking application layer DDoS attack peaking at 14.2 million requests per second during its fall and winter 2025 collection launch, an incident that maps to ATT&CK technique T1499 (Endpoint Denial of Service) and highlights business risk from event timed disruption. Imperva reports that over 8,200 unique IP addresses drove traffic volumes more than 800 percent above baseline for roughly an hour, with requests masquerading as Chrome clients and basic bots instead of the site’s normal Safari heavy profile. Attack traffic originated globally, including Germany, the United States, Russia and Singapore, in contrast to the retailer’s predominantly domestic Turkish customer base. The campaign focused on Layer 7 floods that mimicked legitimate browsing behavior, making it harder to distinguish real customers from bots during a known high traffic window. By aligning the attack with the collection launch, adversaries maximized the potential for revenue loss, abandoned carts and reputational damage if shoppers perceived the site as unstable or unreliable. Imperva’s adaptive threshold technology analyzed historical traffic patterns to automatically adjust mitigation thresholds, helping sustain availability and avoid excessive false positives even as volumes surged. For retailers and other consumer facing brands, this event illustrates how predictable promotional calendars translate directly into attractive DDoS windows for adversaries, including extortion driven actors and competitors. Every minute of downtime or degraded performance during a major launch or sales event can have immediate revenue impact and longer term effects on customer loyalty, and regulators may scrutinize resilience practices in critical sectors like financial services or regulated e commerce markets. The broader trend shows steadily increasing DDoS scale and sophistication across retail, banking, beverage and education sectors over the past three years. Mitigation requires proactive capacity planning and layered defenses rather than last minute tuning during a live incident. Organizations should front critical web properties with cloud based DDoS protection that combines volumetric scrubbing and application aware filtering, and regularly simulate event day loads while testing mitigation policies. Security and marketing teams should coordinate on launch calendars so that high value events are covered by enhanced monitoring and response readiness, and logs from mitigation providers should feed back into risk assessments and tabletop exercises. Finally, defenders should align playbooks to handle DDoS extortion attempts and understand when to escalate to law enforcement or sector specific information sharing communities.