Post-mortem: DDoS Attack on Unipage on May 9, 2025

In this post, we explain transparently what happened, how we responded, what the impact was, and which measures we are taking to further strengthen our infrastructure.

What is a DDoS attack?

A DDoS attack disrupts websites and servers by overwhelming network services in an attempt to exhaust the resources of an application. Attackers flood a website with unwanted traffic, causing performance to degrade or the site to go entirely offline. These attacks are increasingly common in Q1 2025, as many DDoS attacks were recorded as in the entirety of 2024 (source).

FAQ

Here are some frequently asked questions.

Was my shop targeted?

If your shop was targeted, we contacted you personally.

Why was the POS impacted?

The POS was affected when processing payments. Payments are routed through our infrastructure, which is why the attack had an impact there. We are working closely with Worldline and CCV to make offline payments possible in the future. Mollie payment terminals currently require a cloud infrastructure, so no short-term changes are expected on that front.

When I visit the admin page, I’m asked whether I’m a robot, why?

This is normal. The admin page is currently under enhanced protection to ensure that no further disruptions can occur.

When I visit the shop, I’m completely blocked, why?

This can happen if you’re travelling in a country that we currently block. Please email [email protected] with the name of your shop and the country you’re staying in, and we’ll look into granting an exception.

Was there a data breach?

No, no customer data, order data, or any other information was leaked. The attack was solely intended to overwhelm and disable the infrastructure.

Where can I check the system status?

You can do so by clicking “Status” in the navigation bar at the top of this page, or by visiting status.unipage.be.

How did we respond?

Our infrastructure is protected by a robust firewall (Cloudflare), which performed exactly as intended: 98% of the attack was automatically mitigated. The remaining 2% reached our infrastructure and required manual intervention from our cloud specialists.

Our immediate mitigation was activating “Under Attack Mode” across the platform. This instantly absorbed 100% of the attack and restored webshop availability. However, this came with a trade-off: certain application features stopped functioning temporarily (such as receiving payments and printing tickets).

Next, we initiated several measures to restore full functionality:

  • Permanently blocking specific high-risk countries

  • Allowing other countries access only after solving a Cloudflare challenge

  • Blocking suspicious behavioural patterns

  • Placing certain pages in “extra protection” mode

By 17:03, the attack was fully mitigated and the platform was able to resume normal operation.

Throughout the remainder of the weekend, attackers attempted additional disruptions, all of which were successfully blocked thanks to the newly implemented protections.

DDoS attack as seen from our firewall
DDoS attack as seen from our firewall

On May 9, 2025, Unipage had to fend off a large-scale DDoS attack targeted at one of our customers. In this post, we outline exactly what occurred, how we reacted, the impact it had, and what we’re doing to reinforce our systems going forward.

What happened?

At around 16:28 local time, we detected a sudden surge in traffic to a single shop running on our infrastructure. Within minutes, we received more than 30 million requests, primarily originating from distributed IP addresses across the globe. The attack had a clear objective: overwhelm and break our infrastructure.

Example challenge page
Example challenge page

What are we doing to prevent this in the future?

We’ve learned several important lessons from this incident and are implementing improvements:

  • We can now isolate individual webshops when necessary, without impacting the entire platform

  • Intelligent rules are in place to flag and stop suspicious browsing behaviour

  • Printing of kiosk & app tickets can no longer be disrupted by this type of attack

  • We are exploring offline payment options for our POS systems with CCV and Worldline

  • The attack has been reported to both the Belgian and European cybersecurity centres

  • We have upgraded our Cloudflare SLA from 98% to 100% automated mitigation, ensuring future attacks are fully absorbed without manual intervention

Additionally, we are inviting a team of security experts to conduct a proactive, full-system audit to help prevent potential future incidents.

Finally

We encourage you to check the Unipage status page whenever you have doubts, this is a third-party system that transparently monitors our platform. During incidents, it is always the first place where updates will be posted.

Interesse in een demo?

Wij contacteren u binnen de 24u voor een demo