How to Pull Off a Near Undetectable DDoS Attack Using DNS

Simon Wijckmans

BSidesSF 2025 — Here Be Dragons · Day 2 · Main

Simon Wijckmans, founder of c/side (formerly Csides), demonstrated how an attacker could build a nearly undetectable DDoS botnet using nothing but malicious JavaScript running in legitimate human browsers — no malware installation required, no suspicious IP addresses, no IoT devices. The attack exploits the structural neglect of client-side security and would defeat virtually every existing DDoS mitigation technique. The defense, frustratingly, must also begin on the client side.

AI review

Wijckmans identified a genuinely uncomfortable threat model — Layer 7 DDoS from legitimate human browsers, with residential IPs, no installed malware, full TLS, CAPTCHA-passing by design — and walked the math of why current defenses are structurally inadequate against it. The expired S3 bucket angle is criminally underappreciated and I want to see more of it.
