DDoS Attacks Against Financial Institutes Resurge in June 2021


According to the latest report published by Radware's Threat Research team, the volume of DDoS attacks grew by 30% in Q1 2021. Beyond sheer volume, technology evolution brings new means of launching DDoS attacks: the techniques are becoming more sophisticated while the volumes keep increasing. For attackers, no business is too big or too small.

Over the last month there has been a wave of attacks aimed specifically at financial institutions around the globe. One of the latest victims was a global European bank that was hit by a multi-vector attack.

The bank, ranked among the top 15 banks in Europe with over a trillion dollars in assets, operates data centers all over the globe. During the second week of June 2021 it was hit by three large bursts of traffic, repeated persistently. In total, the attack delivered over 200 gigabytes of traffic (see Fig. 1).

Fig. 1: Recurring bursts

The first attack started in the evening and peaked at 80 Gbps within seconds (see Fig. 2). As soon as the attack began, Radware's Emergency Response Team (ERT) got involved to ensure complete and immediate mitigation.

Fig. 2: The first attack peaking at over 80 Gbps

An hour later the attackers launched the second and third attacks, which peaked at 45 Gbps and 24 Gbps respectively (see Fig. 3 and Fig. 4).

Fig. 3: The second attack peaking at over 45 Gbps

Fig. 4: The third attack peaking at over 24 Gbps

The Attack Vectors and the Radware Defense

All three attacks were multi-vector attacks, combining the following vectors (listed by the signature names under which they were detected):

  1. Network flood ipv4 UDP-FRAG
  2. Network flood ipv4 UDP
  3. DOSS-tcp-zero-seq
  4. Network flood ipv4 ICMP
  5. DOSS-ip-proto-oddness
  6. ICMP-BlackNurse-Attack
  7. TCP handshake violation. First packet not SYN
  8. DOSS-IP-GGP-Protocol-Flood
  9. DOSS-DNS-Ref-L4-Above-3000
  10. Memcached-Server-Reflected


Amplification DDoS Attacks Using Exposed MemCached Servers

The last vector abuses memcached servers, which are meant for internal caching and should never be exposed to the internet. Memcached has no native authentication, and when a server is reachable on its UDP port (11211 by default), anyone can send it a small request with a spoofed source address and have the much larger response delivered to the victim. That amplification, multiplied across many exposed servers, can overwhelm a victim's resources; it is the technique behind the massive DDoS attack on GitHub in 2018.

When the attack on the bank started, Radware's behavioral detection technology kicked in immediately. It analyzes the traffic and accurately separates legitimate from malicious flows, so it took only seconds to generate signatures that blocked the attack. In parallel, all traffic carrying protocol anomalies, such as packets with an invalid IP header length or a port value of zero, was blocked automatically.
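The following is an added example, written for this page and not code from the post or from Radware, of what the anomaly filtering described above and the vector list in the previous section look like in practice: a toy scrubber that tags a packet with the vector it matches (invalid IP header length, port zero, GGP or other odd IP protocols, UDP fragments, a TCP packet on a 4-tuple that never saw a SYN, TCP sequence zero, ICMP type 3/code 3 as used by BlackNurse, responses from UDP 11211 for memcached reflection, oversized DNS responses) and drops clean-looking packets only once a single source exceeds a per-interval rate, which is how the plain UDP and ICMP floods are caught. The packets are constructed inline. The reading of "DNS-Ref-L4-Above-3000" as DNS replies longer than 3000 bytes and the per-source flood threshold are assumptions, not Radware's definitions.

```python
from collections import Counter
from dataclasses import dataclass

# Protocol facts: memcached serves UDP 11211, DNS uses 53, IP protocol 3 is GGP,
# ICMP type 3 / code 3 ("port unreachable") is what a BlackNurse flood sends.
MEMCACHED_PORT, DNS_PORT = 11211, 53
PROTO_ICMP, PROTO_GGP, PROTO_TCP, PROTO_UDP = 1, 3, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
# Assumed readings of two signature names in the post (not Radware's definitions):
DNS_REFLECTION_MIN_LEN = 3000   # "DNS-Ref-L4-Above-3000": DNS replies longer than 3000 bytes
FLOOD_PKTS_PER_SRC = 1000       # clean packets one source may send per interval before "flood"

@dataclass
class Packet:
    """Constructed packet summary: just the header fields a scrubber inspects."""
    src: str
    dst: str
    proto: int
    ihl: int = 5            # IP header length in 32-bit words; 5..15 is valid
    fragment: bool = False  # MF bit set or non-zero fragment offset
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    seq: int = 1
    icmp_type: int = 8
    icmp_code: int = 0
    length: int = 64        # IP total length in bytes

def classify(pkt, syn_seen):
    """Return the anomaly tags one packet triggers; syn_seen is the set of
    (src, dst, sport, dport) tuples whose SYN was already observed."""
    tags = []
    if not 5 <= pkt.ihl <= 15:
        tags.append("invalid-ip-header-length")
    if pkt.proto == PROTO_GGP:
        tags.append("ip-ggp-protocol-flood")
    elif pkt.proto not in (PROTO_ICMP, PROTO_TCP, PROTO_UDP):
        tags.append("ip-proto-oddness")
    if pkt.proto in (PROTO_TCP, PROTO_UDP) and 0 in (pkt.sport, pkt.dport):
        tags.append("port-zero")
    if pkt.proto == PROTO_UDP:
        if pkt.fragment:
            tags.append("udp-frag")
        if pkt.sport == MEMCACHED_PORT:
            tags.append("memcached-server-reflected")
        if pkt.sport == DNS_PORT and pkt.length > DNS_REFLECTION_MIN_LEN:
            tags.append("dns-ref-l4-above-3000")
    if pkt.proto == PROTO_TCP:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if pkt.tcp_flags & TCP_SYN and not pkt.tcp_flags & TCP_ACK:
            syn_seen.add(key)          # handshake opened; later ACKs are fine
        elif key not in syn_seen:
            tags.append("tcp-handshake-violation-first-packet-not-syn")
        if pkt.seq == 0:
            tags.append("tcp-zero-seq")
    if pkt.proto == PROTO_ICMP and (pkt.icmp_type, pkt.icmp_code) == (3, 3):
        tags.append("icmp-blacknurse")
    return tags

def scrub(packets, flood_threshold=FLOOD_PKTS_PER_SRC):
    """Split one interval's packets into (passed, dropped, Counter of reasons).
    Anomalous packets drop outright; clean ones drop once their source exceeds
    flood_threshold, which is how the plain UDP/ICMP floods are caught."""
    syn_seen, per_src = set(), Counter()
    passed, dropped, reasons = [], [], Counter()
    for pkt in packets:
        tags = classify(pkt, syn_seen)
        per_src[pkt.src] += 1
        if not tags and per_src[pkt.src] > flood_threshold:
            tags = [{PROTO_UDP: "udp-flood", PROTO_ICMP: "icmp-flood"}.get(pkt.proto, "flood")]
        (dropped if tags else passed).append(pkt)
        reasons.update(tags)
    return passed, dropped, reasons

def sample_interval():
    """Constructed traffic: three legitimate packets, one packet per listed
    anomaly, and 60 clean UDP packets from a single flooding source."""
    bank, user, bot = "203.0.113.10", "198.51.100.7", "192.0.2.1"
    tcp, udp = dict(proto=PROTO_TCP, dport=443), dict(proto=PROTO_UDP, dport=80)
    legit = [
        Packet(user, bank, sport=40000, tcp_flags=TCP_SYN, seq=12345, **tcp),
        Packet(user, bank, sport=40000, tcp_flags=TCP_ACK, seq=12346, **tcp),
        Packet(bank, user, proto=PROTO_UDP, sport=DNS_PORT, dport=5353, length=120),
    ]
    anomalies = [
        Packet(bot, bank, ihl=3, sport=1234, **udp),                      # bad IP header length
        Packet(bot, bank, proto=PROTO_GGP),                               # GGP protocol flood
        Packet(bot, bank, proto=253),                                     # odd IP protocol
        Packet(bot, bank, sport=0, **udp),                                # port zero
        Packet(bot, bank, fragment=True, sport=1234, **udp),              # UDP fragment
        Packet(bot, bank, sport=MEMCACHED_PORT, length=1400, **udp),      # memcached reflection
        Packet(bot, bank, sport=DNS_PORT, length=3500, **udp),            # large DNS reflection
        Packet(bot, bank, sport=5555, tcp_flags=TCP_ACK, seq=999, **tcp), # ACK with no SYN
        Packet(bot, bank, sport=5556, tcp_flags=TCP_SYN, seq=0, **tcp),   # TCP seq zero
        Packet(bot, bank, proto=PROTO_ICMP, icmp_type=3, icmp_code=3),    # BlackNurse
    ]
    flood = [Packet("192.0.2.99", bank, sport=20000, length=1400, **udp) for _ in range(60)]
    return legit + anomalies + flood
```

Running `scrub(sample_interval(), flood_threshold=50)` passes the three legitimate packets and the first 50 packets from the flooding source, and drops the other 20 with one reason each: the ten listed anomalies plus ten `udp-flood` drops once the source crosses the threshold. The per-source rate check is deliberately the last test, so a packet that already carries a protocol anomaly is attributed to that vector rather than to the flood, which is what you want when building per-vector statistics for a report like the one above.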

All of the bank's data centers are protected by Radware's always-on cloud service. In such a setup, all traffic is constantly diverted to one of Radware's 14 scrubbing centers worldwide; once scrubbed, the clean traffic continues to its original destination.


Mitigated, As If It Never Happened

Under attacks of this kind, one thing is crucial on the bank's side: protecting the SLA and the user experience by ensuring there is no impact on the network at all.

While this persistent, high-volume attack unfolded, the bank's network suffered no impact whatsoever. Every legitimate user trying to reach the bank during the attack could do so, and not even a one-second outage was reported.

How to Choose the Right Security Vendor

Last year 86% of enterprises were affected by a DDoS attack (Radware annual security report). Now more than ever there is no room for mistakes when choosing a security technology and approach. Enterprises should make sure the selected vendor is actually capable of defending their network against the bursts and multi-vector attacks that have become so common.

Top Three Questions to Ask Your Vendor

  • Can the vendor ensure business continuity under attack?
  • How soon after an attack starts will a contact from the emergency response team be available for support?
  • What happens if the attack volume exceeds a certain threshold?

Organizations should make sure they are prepared now, rather than finding out otherwise under the worst possible circumstances.


5 COMMENTS

  1. Your article has brought a ton of valuable data for me; a debt of gratitude is in order for the extraordinary sharing. I will regularly circle back to your next posts, so kindly continue to give such helpful data.

  2. Security is the main issue in online financial and accounting transactions! From this point of perspective I could say nice post. Thanks, it is very interesting and essential for us to know more about such topics. Keep up the good writing.
