by Bender 107 days ago
What you are describing is a DDoS and most major websites pay for services to defend against such things. To overwhelm CDNs and DDoS scrubbing centers, assuming the site is using them, would require overwhelming the CDN and DDoS scrubbing centers, and the numbers would depend on what resources these companies have and how fat the bandwidth pipes are. About 30% of people using these services report they get overwhelmed at times.

You specifically asked about "how many users", I assume customers. Customers are rarely the ones performing a DDoS unless servers are improperly configured, causing a company to DDoS itself from its own customers. This is never intentional and is usually short-lived, usually because the company launched an event they did not properly plan and scale for or an engineer flubbed an update. Once the event is over or the planned change was reverted the DDoS will likely cease and some people will be fired and/or they will better plan next time maybe.

If you mean all the customers one day decided to revolt and they all agreed to commit felonies then it is unlikely they could achieve a full sustained outage for long as their identity and IP addresses are already well known. Customers do have the advantage of being able to attack authenticated and thus going deeper into the stack increasing load. If anonymous attackers can do much the company may need to rewrite everything. It would make for some good bodycam videos and I will enjoy all of them with snacks. Bonus if they manage to get reviewed by Donut Operator.

For actual DDoS attacks, official detailed numbers will never be public as this would tell attackers how much more they need to spend to achieve 100%. It will vary by company, DDoS CDNs and scrubbing sites used, website infrastructure, how well applications are coded and a number of other factors.

1 comments

Thanks.

> If you mean all the customers one day decided to revolt and they all agreed to commit felonies then it is unlikely they could achieve a full sustained outage for long as their identity and IP addresses are already well known.

If you feel like saying more, I'm wondering what actions a platform could take to stop an attack like this by their customers, and especially how easy or difficult it would be to stop without impacting business as usual (like say business with customers who weren't part of the attack?)

If customers were being malicious the normal process would be to

- block them by their IP, accepting that if they are behind a SNAT or CG-NAT legit customers may be blocked for a while. Adjust procedure based on whatever attack tools and resources are being utilized.

- have internal meeting with head of legal, all the C-levels, head of customer support

- send cease and desist emails from the legal department and/or cancel their accounts or just:

- coordinate with the FBI, provide logs and specific customer information to FBI or whichever agencies are appropriate for the customers' physical locations on file.

- get a cup of coffee and maybe put some Kava in it to stay awake but also chill. Work on other tasks until the FBI wants more logs or whatever.

- maybe guess why customers are being buttholes and if the company actually did something to deserve it. Maybe update CV. Go for a walk with head on a swivel in case angry customers are in parking lot. Sit on thinking chair (toilet).

Hire a qualified CISO.
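
Added example, not part of the thread and not any poster's code: a sketch of the IP-versus-account decision from the list above, using the fact that abusive customers are authenticated. It goes one step beyond the comment by blocking an IP only when no uninvolved account shares it. The log records, the threshold and the SHARED_EGRESS list of NAT egress ranges are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (account, source IP, requests seen in the window).
SAMPLE = [
    ("acct-101", "198.51.100.7", 9000),
    ("acct-102", "203.0.113.20", 8500),
    ("acct-200", "203.0.113.20", 12),    # normal customer behind the same NAT
    ("acct-103", "192.0.2.9", 7000),
    ("acct-201", "198.51.100.99", 30),
]

# Assumption: ranges the operator already knows to be SNAT / CG-NAT egress.
SHARED_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]


def plan_blocks(records, shared_egress, threshold=1000):
    """Decide where an IP block is safe and where only account action is.

    Returns (accounts, block_ips, spared):
      accounts  - accounts whose total request count reached the threshold
      block_ips - IPs used only by those accounts and not known NAT egress
      spared    - shared IPs left unblocked, mapped to the uninvolved
                  accounts seen on them (empty list for known NAT egress)
    """
    totals = defaultdict(int)
    accounts_by_ip = defaultdict(set)
    for account, ip, count in records:
        totals[account] += count
        accounts_by_ip[ip].add(account)

    accounts = {a for a, n in totals.items() if n >= threshold}
    block_ips, spared = set(), {}
    for ip, seen in accounts_by_ip.items():
        if not seen & accounts:
            continue  # no flagged account used this address
        bystanders = seen - accounts
        addr = ipaddress.ip_address(ip)
        if bystanders or any(addr in net for net in shared_egress):
            # An IP block here would also hit customers who are not involved,
            # so rely on the account-level action for this address.
            spared[ip] = sorted(bystanders)
        else:
            block_ips.add(ip)
    return accounts, block_ips, spared


if __name__ == "__main__":
    print(plan_blocks(SAMPLE, SHARED_EGRESS))
```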