Best Practices for Managing Kubernetes in Web DDoS-Attacked Environments – Part 1


In today's cloud‑native era, distinguishing between genuine user growth and malicious Web DDoS surges is critical. When auto-scaling lies, failing to diagnose false demand in Kubernetes during a Web DDoS attack would be a disaster. Kubernetes auto‑scaling may interpret both as demand, but only one represents business success. The other, an advanced Layer‑7 DDoS flood, can bankrupt resources, degrade performance, and mislead operations.

This blog explains why scaling ≠ security, how Radware's Kubernetes WAAP (KWAAP) plus Web-DDoS defense provides layered mitigation, and why Activity Tracking is the missing puzzle piece. In other words, it explains why Kubernetes needs WebDDoS and WAAP together.

The Problem: Kubernetes Scales, Attackers Fake Scale

Horizontal and Vertical Pod Auto-scalers (HPA/VPA) react to spikes in CPU, memory, or custom metrics. When attackers launch massive HTTP(S) floods that mimic legitimate requests, Kubernetes keeps scaling—without realizing it's fueling an attack. This results in inflated infrastructure bills, service latency, and even outages.

As Radware has shown in real‑world mega‑campaigns, Web DDoS can sustain millions of requests per second for days.

What is Web DDoS (Layer‑7 DDoS)?

Unlike volumetric network floods, Web DDoS targets application logic. Attackers rotate IPs, headers, and user‑agents to evade filters—appearing like normal users. Campaigns have reached the trillion‑request scale, as seen in Radware's mitigation of a 1.4T campaign. These attacks drain CPU cycles, overwhelm APIs, and blur the line between growth and assault.

Radware KWAAP + WebDDoS: Smarter, Kubernetes‑Native Protection

Radware's KWAAP integrates natively with CRDs, RBAC, and DevOps pipelines—delivering low‑latency, multi‑layer defenses inside Kubernetes. When paired with WebDDoS mitigation, the system generates granular, real‑time signatures to block bad traffic while letting business traffic flow. This ensures auto-scalers only respond to authentic demand, not attack noise. For example, API‑first defenses secure modern workloads that attackers frequently target.

Activity Tracking + WebDDoS: Double Defense

Activity Tracking (AT) in KWAAP monitors per‑actor request rates (e.g., by host header or device fingerprint).

When thresholds are exceeded, AT triggers WebDDoS sampling.

The Layer‑7 engine builds attack‑specific signatures in real-time, which enforcers then apply across ingress points.

This lifecycle—detect, block, adapt, cool‑down—ensures attacks are contained without breaking real scaling. Radware explains this synergy in detail in its Activity Tracking notes.
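
The threshold-then-cool-down lifecycle above, as an added Python example (not KWAAP code or configuration): a per-actor sliding-window counter that returns "sample" while an actor exceeds its rate threshold and holds it in "cooldown" before release. The window, threshold and cool-down values and the actor names are assumptions.

```python
from collections import defaultdict, deque

# All values below are assumptions for illustration, not KWAAP defaults.
WINDOW_S = 10      # sliding window length in seconds
THRESHOLD = 50     # requests per window per actor before sampling starts
COOLDOWN_S = 30    # quiet time required before an actor is released


class ActivityTracker:
    """Per-actor sliding-window counter with a cool-down before release."""

    def __init__(self):
        self.hits = defaultdict(deque)   # actor -> timestamps inside the window
        self.flagged = {}                # actor -> last time it was over threshold

    def observe(self, actor, ts):
        """Record one request; return 'pass', 'sample' or 'cooldown'."""
        q = self.hits[actor]
        q.append(ts)
        while q and q[0] <= ts - WINDOW_S:   # drop timestamps outside the window
            q.popleft()
        if len(q) > THRESHOLD:
            self.flagged[actor] = ts         # detect: refreshed while the actor is hot
            return "sample"
        last = self.flagged.get(actor)
        if last is not None:
            if ts - last < COOLDOWN_S:
                return "cooldown"            # rate has dropped, rule not yet expired
            del self.flagged[actor]          # cool-down elapsed: release the actor
        return "pass"


def replay(events):
    """Feed (timestamp, actor) pairs through a tracker; return final state per actor."""
    tracker, state = ActivityTracker(), {}
    for ts, actor in events:
        state[actor] = tracker.observe(actor, ts)
    return state


# Constructed traffic: fingerprint fp-A sends 100 requests in 5 s, fp-B browses slowly.
SAMPLE = sorted(
    [(i * 0.05, "fp-A") for i in range(100)] + [(i * 2.0, "fp-B") for i in range(10)]
)
```

Keying the counter on a device fingerprint or host header rather than source IP matters here because, as noted earlier, attackers rotate IPs.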

Scaling vs. Attack: A Playbook for SRE & Security Teams

When Kubernetes clusters experience sudden surges, teams need to quickly decide: Is this a real business demand or a Web DDoS attack? The following playbook provides a structured response framework:

(Customers with Web DDoS protection already have a huge advantage — most of the heavy lifting is automated. But they still need the playbook.)

  • Baseline & Compare Traffic Metrics
    • Continuously monitor ingress RPS (raw) vs. cleaned RPS (post-mitigation).
    • A widening delta (high ingress, much lower cleaned) indicates malicious noise filtered out.
    • Integrate this visibility into dashboards so SREs can distinguish scale vs. attack immediately.
  • Inspect Traffic Quality in Real Time
    • Look beyond volumes: analyse HTTP headers, methods, cookies, and user-agents.
    • High repetition, malformed headers, or abnormal HTTP verbs (e.g., excessive OPTIONS or HEAD requests) often reveal automation.
    • Use Radware WebDDoS signatures to flag suspicious patterns while allowing genuine browsers and apps through.
  • Correlate Infrastructure and Security Signals
    • Align application latency, error budgets (e.g., 5xx ratios), and CPU/memory metrics with security telemetry.
    • Example: if latency spikes but cleaned RPS remains steady, it may indicate bot pressure instead of organic growth.
    • SREs should coordinate with SOC teams so infra health and security defence are viewed as one system.
  • Mitigate at Layer 7, Not Just with Pods
    • Blindly scaling pods only buys attackers more surface area.
    • Instead, enable real-time WebDDoS signatures and Activity Tracking thresholds to throttle malicious actors at the ingress.
    • Consider applying graduated actions (log → challenge → block) to minimize false positives during scale events.
  • Stabilize and Roll Back Safely
    • When RPS stabilizes and malicious traffic subsides, gradually relax defences.
    • Avoid abrupt signature removals—use a cool-down period so enforcers can expire rules without re-exposing the cluster.
    • Feed lessons learned into runbooks for continuous improvement (e.g., new header patterns, updated AT thresholds).
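
The first four playbook steps combined into one triage function, as an added Python example (not Radware code): it compares ingress and cleaned RPS, checks verb and user-agent repetition in sampled requests, correlates latency with cleaned demand, and maps the evidence to a graduated action. Metric names, thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Thresholds are assumptions for this example; tune them against your own baseline.
DELTA_ALERT = 0.40       # share of ingress RPS removed by mitigation
ODD_VERB_ALERT = 0.30    # share of OPTIONS/HEAD among sampled requests
UA_REPEAT_ALERT = 0.60   # share held by the single most common user-agent
LATENCY_FACTOR = 2.0     # p95 latency relative to baseline

# Graduated response indexed by number of signals: log -> challenge -> block.
RESPONSES = [("organic growth", "scale"), ("needs review", "log"),
             ("suspected Web DDoS", "challenge"), ("suspected Web DDoS", "block"),
             ("suspected Web DDoS", "block")]


def triage(m, baseline, sampled):
    """Classify a surge from one metrics snapshot plus sampled request metadata."""
    delta = 1 - m["cleaned_rps"] / m["ingress_rps"]       # filtered-out share
    growth = m["cleaned_rps"] / baseline["cleaned_rps"]   # change in real demand
    verbs = Counter(r["method"] for r in sampled)
    odd_verbs = (verbs["OPTIONS"] + verbs["HEAD"]) / len(sampled)
    ua_top = Counter(r["ua"] for r in sampled).most_common(1)[0][1] / len(sampled)
    slow = m["p95_ms"] >= LATENCY_FACTOR * baseline["p95_ms"]
    signals = [
        delta >= DELTA_ALERT,          # widening ingress vs. cleaned gap
        odd_verbs >= ODD_VERB_ALERT,   # abnormal verb mix
        ua_top >= UA_REPEAT_ALERT,     # high header repetition
        slow and growth < 1.2,         # latency up while cleaned RPS stays steady
    ]
    verdict, action = RESPONSES[sum(signals)]
    return {"verdict": verdict, "action": action, "delta": round(delta, 2)}


# Constructed snapshots and request samples (not real telemetry).
BASELINE = {"cleaned_rps": 1000, "p95_ms": 120}
ATTACK = {"ingress_rps": 9000, "cleaned_rps": 1100, "p95_ms": 400}
LAUNCH = {"ingress_rps": 3100, "cleaned_rps": 3000, "p95_ms": 150}
ATTACK_REQS = [{"method": "HEAD", "ua": "client/1.0"}] * 70 + [
    {"method": "GET", "ua": f"browser/{i}"} for i in range(30)]
LAUNCH_REQS = [{"method": "GET", "ua": f"browser/{i % 8}"} for i in range(100)]
```

With these samples, `triage(ATTACK, BASELINE, ATTACK_REQS)` recommends blocking at the ingress, while `triage(LAUNCH, BASELINE, LAUNCH_REQS)` lets the auto-scaler proceed.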

The Numbers Behind Web DDoS Growth

Radware threat intel shows a 550% YoY surge in Web DDoS activity in 2024, with Q2‑2025 marking the highest spike on record. Attacks are longer, larger, and increasingly API‑focused. Examples include the six‑day, 14.7M RPS campaign and the H1 2024 DDoS Threat Review.

Conclusion: Protecting Real Growth

Kubernetes scaling is for business, not bots. Without intelligent L7 filtering, auto-scalers expand clusters for attackers. By combining KWAAP, WebDDoS and Activity Tracking, Radware ensures scaling reflects legitimate growth. The result: reduced costs, clean demand signals, and resilient applications. For deeper insights, explore Radware's Threat Intelligence Center. To learn more about Radware's Web Application Firewall (WAF) solutions and Web DDoS features, please visit Radware's official site.

Nithin Rudraswamy

Nithin is currently a Software Team Leader for KWAF (Kubernetes WAF), with prior experience as a Product Manager and Engineering Manager, specializing in content and router security. His technical expertise spans multiple layers, from application development to low-level device drivers, including modifications to operating systems such as embedded Linux.
