Not sure about the parent commenter, but a few of the small SaaS companies I've worked with were regularly targeted by carding and credential stuffing attacks. I don't know whether the attackers ever realised much direct benefit from targeting them, I always thought they were just soft targets for validating credit card or credential lists.
But if you don't have any DDoS protection set up, either of these attacks will essentially be L7 DDoS attacks when deployed at scale.
Those are completely different things though. If someone is trying to validate credentials/cards using your service, they're not trying to DoS it. Those types are usually using only a few IPs and are easy to detect/block (or even tarpit and help others) at app/proxy level. (Multiple failures for different usernames - block for some time)
You need DDoS protection when someone does not want your service to stay up.
Well no, cred stuffing often results in termination or suspension of service by the merchant accounts used by the victim. This denies them the ability to sell their goods and services - generally this denies end users the ability to use the victim's service just as effectively as a volumetric attack.
Further, cred stuffing is often automated by a botnet.
The two things are distinct, but have similar means and end results - they aren't completely different.
And a common thread is that they originate traffic from sleazy IPs: having a service like Cloudflare block those will protect against a ton of internet background noise with very little downside for most businesses, so it’s unsurprising that so many sites do so.
There's a LOT of compromised instances on GCP and AWS. Attackers crawl for leaked credentials and access keys which they use to spawn more instances, run cryptominers on them, crawl for more keys, etc. They set these up in ways that are difficult for account owners to notice right away, such as by launching the instances in regions the account owner doesn't normally use or setting up large numbers of IAM accounts and roles to retain access if the new instances get purged. (Ask me how I know.)
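The persistence pattern described in that comment (instances launched in regions the owner never uses, plus a pile of freshly created IAM users and roles) is exactly what a periodic audit script should flag. The block below is an added example written for this page, not code from any commenter or from AWS. It runs over a constructed inventory; the boto3 calls named in the comments are an assumption about where the real data would come from, and the region allow-list and IAM baseline are placeholders you would replace with your own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory (not pulled from a real account). Assumption: in practice
# you would fill these lists from boto3 -- ec2.describe_regions() plus
# ec2.describe_instances() in every region, and iam.list_users()/iam.list_roles().


@dataclass(frozen=True)
class Instance:
    instance_id: str
    region: str
    state: str
    launched: datetime


@dataclass(frozen=True)
class Principal:  # an IAM user or role
    kind: str
    name: str
    created: datetime


def instances_outside_allowed_regions(instances, allowed_regions):
    """Anything running in a region the account does not normally use is suspect."""
    return [i for i in instances if i.state == "running" and i.region not in allowed_regions]


def unknown_principals(principals, baseline_names):
    """Principals absent from a known-good baseline (e.g. the last reviewed IaC state)."""
    return [p for p in principals if p.name not in baseline_names]


def creation_bursts(principals, window=timedelta(minutes=10), min_count=5):
    """Many users/roles created within minutes of each other is the persistence
    pattern from the comment. Groups principals by creation time and returns
    every group of at least min_count created within `window` of the first one."""
    ordered = sorted(principals, key=lambda p: p.created)
    bursts, i = [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1].created - ordered[i].created <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append(ordered[i:j + 1])
        i = j + 1
    return bursts


def sample_inventory():
    """Constructed data: a small, legitimate footprint in two regions, then eight
    miners and a dozen backdoor principals created in one 3-minute burst."""
    allowed = {"us-east-1", "us-west-2"}  # placeholder allow-list
    t = datetime(2024, 3, 1, 3, 0, 0)     # when the attacker got in (constructed)
    instances = [
        Instance("i-0a1", "us-east-1", "running", datetime(2023, 6, 1)),
        Instance("i-0a2", "us-west-2", "running", datetime(2023, 6, 1)),
        Instance("i-0a3", "us-west-2", "stopped", datetime(2023, 6, 1)),
    ]
    for n in range(8):  # spun up in regions the team never touches
        region = "ap-south-1" if n < 4 else "eu-north-1"
        instances.append(Instance(f"i-0bad{n}", region, "running", t + timedelta(minutes=n)))
    principals = [
        Principal("user", "alice", datetime(2022, 1, 10)),
        Principal("user", "bob", datetime(2022, 1, 11)),
        Principal("role", "ci-deploy", datetime(2022, 5, 20)),
    ]
    for n in range(12):  # innocuous-looking names, created seconds apart
        kind = "role" if n % 2 else "user"
        principals.append(Principal(kind, f"svc-backup-{n:02d}", t + timedelta(seconds=15 * n)))
    baseline = {"alice", "bob", "ci-deploy"}  # placeholder known-good set
    return allowed, instances, principals, baseline


if __name__ == "__main__":
    allowed, instances, principals, baseline = sample_inventory()
    for i in instances_outside_allowed_regions(instances, allowed):
        print("instance in unexpected region:", i.instance_id, i.region)
    for p in unknown_principals(principals, baseline):
        print("principal not in baseline:", p.kind, p.name)
    for burst in creation_bursts(principals):
        print(f"{len(burst)} principals created within 10 minutes, first: {burst[0].name}")
```

The three checks are deliberately independent: the region check catches compute you did not launch even if the attacker reused an existing role, the baseline diff catches principals regardless of when they were made, and the burst check catches the "create lots of access at once" behaviour even when the names look like yours. Run all three on a schedule from an account the application credentials cannot touch, so a compromised key cannot also silence the audit.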
I suspect a lot of the malicious traffic coming out of Africa is not direct attacks from cybercriminals but residential machines that have also been compromised to send malicious traffic. The only difference between that and cloud providers is that you cannot afford to block all of Amazon or Google. They have a level of economic privilege that the entire continent of Africa lacks.
The events I witnessed were all from rather large botnets. If it was just a few IPs then those particular companies might not have even noticed. Attacks like that aren’t always easy to solve with simple tools like, say, fail2ban.
Regardless of whether or not it’s the intention of the attackers to disrupt the service, that’s the effect it can have, and it’s something DDoS protection services will usually mitigate, especially the services that incorporate WAF functionality (which I think is pretty much all of them?…).
For small SaaS companies they are definitely not easy to detect and the card fees alone until you detect might make you not make payroll that month or go out of business.
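The disagreement above comes down to two different traffic shapes: the "multiple failures for different usernames from one IP, block for a while" rule from the earlier comment, versus the botnet case where every source fails only once so that rule never fires. The following is an added example written for this page (not code from any commenter, fail2ban, or a WAF vendor) that runs both detectors over constructed auth-log lines. The log format, thresholds and sample traffic are all assumptions made up for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical auth-log line format, constructed for this example:
#   "<ISO-8601 timestamp> <client ip> <username> <ok|fail>"


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    ts, ip, user, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), ip, user, result == "ok")


def per_ip_blocks(events, window=timedelta(minutes=5), max_users=5):
    """Rule from the thread: one IP failing logins for several *different*
    usernames inside a window gets a temporary block.
    Returns {ip: block_until}; a proxy would push these to its deny list."""
    recent = defaultdict(deque)  # ip -> deque of (ts, user) failures in window
    blocks = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ok:
            continue
        q = recent[e.ip]
        q.append((e.ts, e.user))
        while q and e.ts - q[0][0] > window:  # expire failures older than window
            q.popleft()
        if len({u for _, u in q}) >= max_users and e.ip not in blocks:
            blocks[e.ip] = e.ts + window
    return blocks


def distributed_alerts(events, window=timedelta(minutes=5), min_fails=20, min_ratio=0.5):
    """Botnet case: each bot fails once, so per_ip_blocks never fires. Bucket
    all events into fixed windows and alert on the site-wide failure count and
    ratio; the distinct-IP count tells you whether source blocking is even feasible."""
    if not events:
        return []
    events = sorted(events, key=lambda ev: ev.ts)
    start = events[0].ts
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.ts - start) // window].append(e)
    alerts = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        fails = [e for e in evs if not e.ok]
        ratio = len(fails) / len(evs)
        if len(fails) >= min_fails and ratio >= min_ratio:
            alerts.append({"start": start + idx * window, "fails": len(fails),
                           "ratio": round(ratio, 2), "fail_ips": len({e.ip for e in fails})})
    return alerts


def build_sample_events():
    """Constructed traffic: legitimate logins, one scanner walking a username
    list from a single IP, then a 40-bot stuffing burst ten minutes later."""
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    lines = []
    legit = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
    for i, user in enumerate(legit):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.{i + 1} {user} ok")
    lines.append(f"{(t0 + timedelta(seconds=12)).isoformat()} 10.0.0.3 carol fail")  # a typo'd password
    for i in range(20):  # one IP, twenty usernames, all failures
        lines.append(f"{(t0 + timedelta(seconds=30 + 3 * i)).isoformat()} 203.0.113.5 u{i:03d} fail")
    for i in range(1, 41):  # forty bots, one attempt each
        lines.append(f"{(t0 + timedelta(minutes=10, seconds=i)).isoformat()} 198.51.100.{i} v{i:03d} fail")
    return [parse_line(l) for l in lines]


if __name__ == "__main__":
    evs = build_sample_events()
    print("per-IP blocks:", per_ip_blocks(evs))
    for a in distributed_alerts(evs):
        print("window alert:", a)
```

On the sample data the per-IP rule blocks only 203.0.113.5 and never touches the forty bot addresses, while the window detector fires on both bursts and reports 2 versus 40 distinct failing IPs. That second number is the practical signal: a handful of sources is a deny-list entry, forty or more means you are looking at rate limiting, challenges, or an upstream filtering service rather than anything fail2ban-shaped.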
Wow, why? Extortion? Competition? Collateral damage?