Multinational Bank Thwarts DDoS Attack to Repair Productivity Losses and Rescue Reputation
On a Friday evening after typical closing time, a multinational bank based in Africa had to resort to enabling geo-blocking on their network to stop a merciless DDoS attack. The bank had been enduring the attack for most of the day, placing both their ISPs under extreme strain. Neither of the two ISPs had any proper DDoS mitigation capabilities.
The attacks suffered were suspected to be part of the campaign that had been ongoing in Sub-Saharan Africa for several months. A group with access to a substantial botnet claiming to be Fancy Bear had been targeting the financial sector in various countries at the end of 2019.
Due to the geo-blocking, the banking customers were now cut off from the rest of the world. The attack was volumetric in nature and was targeted at their web services infrastructure. The network would have eventually come down under the pressure and all bank activity would have stopped.
The productivity hit would be costly, and the bank’s reputation was in jeopardy. They needed immediate help to stop the attack and put DDoS identification and mitigation measures in place to stop future attacks.
Once they realized they were under attack, the bank’s NetOps and SecOps staff researched DDoS Mitigation options and were directed to the Arbor Cloud™ DDoS Mitigation Service by a mutual partner. The NETSCOUT® Arbor team jumped on to a conference call with the customer and informed the customer about the Arbor Cloud Emergency Provisioning Service. Furthermore, the NETSCOUT Arbor team established that the customer had a /24 IPv4 prefix, which would make invoking traffic redirection to Arbor Cloud using Border Gateway Protocol (BGP), a valid mitigation strategy.
In parallel to the emergency provisioning of the Arbor Cloud DDoS mitigation service, the next step was for the customer to repurpose a decommissioned server in order for the NETSCOUT Arbor team to get a virtual AED installed and configured. A demo or purchased physical appliance would be days away at best. At 8am Saturday the team started again and worked through to Sunday. The team received the server and installed and configured ESXi, and the virtual AED. The AED was installed in front of the CPE (router) as the customer was running NAT on the device. 27 hours later, we had the customer back online with a working virtual AED.
Most of Sunday was spent with the Arbor Security Operations Center (SOC) team getting the signaling and GRE tunnel configured. In the following days, we ran several successful tests in terms of auto signaling to Arbor Cloud. With cloud signaling configured for the AED and Arbor Cloud, the customer was now able to leverage intelligent, automated signaling to request an upstream Arbor Cloud mitigation. Once the attack traffic had been eliminated, clean traffic was returned to the network and the network was back up and running.
The customer did suffer some reputation and financial loss from being offline for two days but with the help of Arbor Cloud, the damage was minimized.
Once the attack was mitigated and the bank returned to business as usual, we worked with them on a properly scaled, day-to-day solution that they can rely on to continue the identification and mitigation of DDoS threat traffic, without impact on the remaining network or organizational productivity.
To our knowledge, they have experienced very little downtime and they rely on this solution so much that they purchased two AED appliances, one for their primary network and a second for their Data Center. That was followed up with another two AEDs for their sites in another African country, alongside NETSCOUT Professional Services doing in-country training and installation.