Back in March, our small team was hit by a sneaky and little-known attack: negative SEO.
Negative SEO is when someone tries to sabotage your site’s ranking by artificially generating harmful traffic or signals. The goal is to trick Google into thinking your site is shady, spammy, or low-quality - leading to a sharp drop in visibility.
How We Discovered the Attack
One day, we were checking the analytics for https://intlayer.org and noticed we were getting 10x more traffic than usual. I thought: awesome news!
But the next day, traffic kept spiking. We started to doubt it. Maybe a big account shared our site? I checked Google, X, Reddit… nothing.
Looking closer, we saw that all requests were coming from two locations in the US. And they were hitting random pages every 2 to 10 seconds, non-stop day and night.
Unexplained spike in users on March 4, 2025: actual 337 vs expected 15 (+2,146.7%).
Second traffic spike on March 19, 2025: actual 284 vs expected 28 (+914.3%).
Each spike showed a +2146% or +914% increase compared to expected traffic. And it didn’t feel like organic buzz.
At first, we suspected a DDoS, but it was too regular, too "clean". Most importantly, the requests looked like they were coming from a bot mimicking Googlebot behavior.
That’s when we started thinking: is someone trying to get us penalized by Google? Putting all the signs together, it strongly looked like a negative SEO attempt.
What do you think? Does this look like the kind of attack you've seen before?
Why Would Someone Do This?
Good question. We're a small team building Intlayer, a multilingual internationalization library for React, Next.js, Vue.js, Vite, Nuxt and soon Angular.
Maybe we're starting to rank well? Maybe a competitor didn’t like seeing us appear on some search queries? We don’t know.
Even though the IPs came from the US, it's totally possible to rent servers there, so nothing can be confirmed for sure.
But one thing is clear: someone wanted to hurt our visibility.
How We Handled It
We enabled a filtering option in our firewall to block requests based on specific criteria. Thanks to that, we were able to:
- identify abnormal traffic,
- block suspicious IPs,
- and automatically filter sketchy access.
Traffic stabilized. Since then, we’ve set up simple alerts so we won’t be caught off guard again.
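As an added example (not from the original post and not Intlayer's actual firewall rule), the pattern described above, a few source IPs hitting a different page every 2 to 10 seconds around the clock, can be flagged straight from web server access logs. The log format (combined), the thresholds, the function names and the sample IPs and log lines below are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "([^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(lines):
    """Yield (ip, timestamp, path, user_agent) from combined-format log lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, ts, path, ua = m.groups()
            yield ip, datetime.strptime(ts, TS_FMT), path, ua

def flag_paced_clients(lines, min_gap=2, max_gap=10, min_requests=20, min_ratio=0.9):
    """Flag IPs whose request gaps sit almost entirely in [min_gap, max_gap]
    seconds while they walk many distinct pages (thresholds are assumptions)."""
    by_ip = defaultdict(list)
    for ip, ts, path, ua in parse(lines):
        by_ip[ip].append((ts, path, ua))
    flagged = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_requests:
            continue
        hits.sort(key=lambda h: h[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        in_band = sum(min_gap <= g <= max_gap for g in gaps) / len(gaps)
        distinct = len({h[1] for h in hits})
        if in_band >= min_ratio and distinct >= len(hits) // 2:
            # The User-Agent is only a claim, so record it without trusting it.
            flagged[ip] = {"requests": len(hits), "in_band_ratio": round(in_band, 2),
                           "distinct_paths": distinct,
                           "claims_googlebot": any("Googlebot" in h[2] for h in hits)}
    return flagged

def build_sample():
    """Constructed log lines: one paced crawler and one ordinary visitor."""
    fmt = '{} - - [{}] "GET {} HTTP/1.1" 200 512 "-" "{}"'
    bot_ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    lines, t = [], datetime(2025, 3, 4, tzinfo=timezone.utc)
    for i in range(30):  # gaps cycle through 2, 5, 8 seconds; new page each time
        lines.append(fmt.format("192.0.2.10", t.strftime(TS_FMT), f"/doc/page-{i}", bot_ua))
        t += timedelta(seconds=2 + (i * 3) % 9)
    t = datetime(2025, 3, 4, tzinfo=timezone.utc)
    for i in range(25):  # irregular gaps, three pages revisited
        lines.append(fmt.format("198.51.100.7", t.strftime(TS_FMT), f"/p{i % 3}", "Mozilla/5.0"))
        t += timedelta(seconds=[1, 45, 300, 3, 90][i % 5])
    return lines
```

Calling `flag_paced_clients(build_sample())` flags only the paced client. For any flagged IP that claims to be Googlebot, confirm the claim with the reverse-then-forward DNS check Google documents before deciding to block it.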
TL;DR
- This wasn’t a DDoS, it was a targeted negative SEO attack.
- We stopped it by enabling advanced filtering on our firewall.
If this helps anyone: keep an eye on your analytics. A sudden traffic spike with no clear reason isn't always good news.
Has anyone else dealt with something similar?
What do you use to protect yourself against this kind of attack? Any tools or tips to recommend?
Aurélia
https://intlayer.org