[{"data":1,"prerenderedAt":238},["ShallowReactive",2],{"blog-stories/bot-attack-overnight":3},{"id":4,"title":5,"body":6,"category":218,"date":219,"dateModified":220,"description":221,"draft":222,"extension":223,"faq":224,"featured":222,"headerVariant":218,"image":224,"keywords":224,"meta":225,"navigation":226,"ogDescription":227,"ogTitle":224,"path":228,"readTime":224,"schemaOrg":229,"schemaType":230,"seo":231,"sitemap":232,"stem":233,"tags":234,"twitterCard":236,"__hash__":237},"blog/blog/stories/bot-attack-overnight.md","How a Bot Attack Overnight Crashed an Ed-Tech Platform's Servers",{"type":7,"value":8,"toc":212},"minimark",[9,16,19,24,44,47,53,57,91,114,118,129,132,153,175,204],[10,11,12],"tldr",{},[13,14,15],"p",{},"An ed-tech platform woke up to find its entire system crashed after bots hammered the API with millions of requests overnight. Without rate limiting, proper monitoring, or DDoS protection, the servers buckled under the load. The company lost 8 hours of uptime and learned expensive lessons about building resilient systems.",[13,17,18],{},"At 3:17 AM, the lead engineer's phone exploded with alerts. By the time he fumbled awake and checked the dashboard, everything was red. The servers had been down for over four hours, and nobody on the team knew it until student complaints started rolling in.",[20,21,23],"h2",{"id":22},"the-night-everything-went-down","The Night Everything Went Down",[25,26,27,32,36,40],"stat-grid",{},[28,29],"stat-card",{"label":30,"number":31},"Requests received","14M",[28,33],{"label":34,"number":35},"Total downtime","8 hrs",[28,37],{"label":38,"number":39},"Affected users","2,400",[28,41],{"label":42,"number":43},"Lost revenue","$4,200",[13,45,46],{},"The attack started at 11:23 PM. A botnet had discovered the platform's API and started hammering it relentlessly. The system, designed to handle maybe 100 requests per second on a busy day, was suddenly getting 50,000+ requests per second.",[48,49,50],"story-block",{},[13,51,52],{},"\"Why didn't the alerts wake anyone up sooner? Because the monitoring service was hosted on the same server that went down. The team was monitoring their system with their own system. Classic mistake.\"",[20,54,56],{"id":55},"the-attack-timeline","The Attack Timeline",[58,59,60,67,73,79,85],"timeline",{},[61,62,64],"timeline-item",{"time":63},"11:23 PM - Attack Begins",[13,65,66],{},"First bot requests hit the API. Traffic starts climbing rapidly.",[61,68,70],{"time":69},"11:47 PM - Database Overload",[13,71,72],{},"Connection pool exhausted. Database starts rejecting new connections.",[61,74,76],{"time":75},"12:02 AM - Complete Outage",[13,77,78],{},"Server process crashes. Automatic restart fails due to database state.",[61,80,82],{"time":81},"3:17 AM - First Alert",[13,83,84],{},"External student complains via email. The lead engineer finally wakes up.",[61,86,88],{"time":87},"8:00 AM - Full Recovery",[13,89,90],{},"All systems stable after blocking IPs and restarting services.",[92,93,95],"warning-box",{"title":94},"Why the Platform Was Vulnerable",[96,97,98,102,105,108,111],"ul",{},[99,100,101],"li",{},"No rate limiting on any API endpoints",[99,103,104],{},"No bot detection or CAPTCHA challenges",[99,106,107],{},"Monitoring hosted on same infrastructure being monitored",[99,109,110],{},"No DDoS protection or CDN in front of the servers",[99,112,113],{},"No auto-scaling or circuit breakers",[20,115,117],{"id":116},"what-the-team-implemented-immediately","What the Team Implemented Immediately",[119,120,125],"pre",{"className":121,"code":123,"language":124},[122],"language-text","# nginx rate limiting\nlimit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;\n\nlocation /api/ {\n    limit_req zone=api burst=20 nodelay;\n    limit_req_status 429;\n}\n","text",[126,127,123],"code",{"__ignoreMap":128},"",[13,130,131],{},"The team set up external monitoring (UptimeRobot, Better Uptime) and put Cloudflare in front of everything. Cloudflare's bot detection and DDoS protection became the first line of defense.",[133,134,136],"lesson-box",{"title":135},"Key Lessons Learned",[96,137,138,141,144,147,150],{},[99,139,140],{},"Always use external monitoring services - never self-host your only alerting",[99,142,143],{},"Rate limiting isn't optional - it's essential for every public API",[99,145,146],{},"Put a CDN/DDoS protection service in front from day one",[99,148,149],{},"Design for graceful degradation - better to serve 429s than crash",[99,151,152],{},"Test your disaster recovery plan before you need it",[154,155,156,163,169],"faq-section",{},[157,158,160],"faq-item",{"question":159},"How can I tell if I'm being targeted by bots?",[13,161,162],{},"Look for sudden traffic spikes, requests at unusual hours, high volume from single IP ranges, requests with suspicious user agents, or many requests to specific endpoints.",[157,164,166],{"question":165},"Is rate limiting enough to prevent bot attacks?",[13,167,168],{},"Rate limiting is essential but not sufficient alone. You'll want a layered approach: rate limiting, bot detection, DDoS protection services, and monitoring.",[157,170,172],{"question":171},"Should I use a CDN even for small projects?",[13,173,174],{},"Yes. Services like Cloudflare offer free tiers that provide basic DDoS protection and bot filtering. There's no reason not to use one.",[176,177,178,184,189,194,199],"related-articles",{},[179,180],"related-card",{"description":181,"href":182,"title":183},"How an exposed AWS credential led to a cryptocurrency mining operation on my account. The shocking bill, the investigati","/blog/stories/aws-bill-crypto","The $12,000 AWS Bill That Changed Everything",[179,185],{"description":186,"href":187,"title":188},"When I discovered multiple vulnerabilities in my app, the developer community helped me understand and fix them. A story","/blog/stories/community-helped","How the Dev Community Helped Me Fix a Security Mess",[179,190],{"description":191,"href":192,"title":193},"A competitor publicly disclosed a security vulnerability in a project management SaaS product. The embarrassment, the sc","/blog/stories/competitor-found-flaw","When a Competitor Found a Project Management SaaS's Security Flaw",[179,195],{"description":196,"href":197,"title":198},"A stranger found a health-tech startup's admin panel at /admin with no authentication. They could see all patient data, ","/blog/stories/admin-panel-found","When Someone Found a Health-Tech Startup's Unprotected Admin Panel",[179,200],{"description":201,"href":202,"title":203},"In early 2025, AI-assisted attackers compromised 50,000 FortiGate firewalls in weeks. Here's what happened and why it ma","/blog/stories/ai-assisted-fortigate-attack","How Attackers Used AI to Breach 50,000 FortiGate Firewalls",[205,206,209],"cta-box",{"href":207,"label":208},"/","Check Your Vibe Now",[13,210,211],{},"Scan your vibe coded projects for missing rate limits and exposed endpoints.",{"title":128,"searchDepth":213,"depth":213,"links":214},2,[215,216,217],{"id":22,"depth":213,"text":23},{"id":55,"depth":213,"text":56},{"id":116,"depth":213,"text":117},"stories","2026-01-15","2026-03-16","How automated bots overwhelmed an ed-tech platform's unprepared servers in the middle of the night. The chaos of waking up to a crashed system and how the team built resilience.",false,"md",null,{},true,"How automated bots overwhelmed an ed-tech platform's unprepared servers overnight.","/blog/stories/bot-attack-overnight","[object Object]","BlogPosting",{"title":5,"description":221},{"loc":228},"blog/stories/bot-attack-overnight",[235],"Security Story","summary_large_image","CUUZHp_sMHEZIrijId7fwlAywjujNnP_-NKmWNEA3pA",1775843936746]