DDoS Attacks Against Financial Institutes Resurge in June 2021


According to the latest report published by Radware’s Threat Research team, the volume of DDoS attacks grew by 30% in Q1 of 2021. Beyond the sheer volume, evolving technology brings new means of launching DDoS attacks: the techniques are becoming more sophisticated as the volumes increase. For cyber attackers, no business is too big or too small.

Over the last month, there has been a wave of attacks targeting financial institutions all around the globe. One of the latest victims was a global European bank that was hit by a multi-vector attack.

The bank, ranked as one of the top 15 banks in Europe with over a trillion dollars in assets, has data centers all over the globe. During the second week of June 2021, it became the victim of three large bursts of traffic, which repeated persistently. In total, this attack reached over 200 gigabytes of volume (see Fig. 1).

Fig. 1: recurring bursts

The first attack started around the evening and peaked at 80 Gbps within seconds (see Fig. 2). As the attack began, Radware’s ERT team immediately got involved to ensure complete and immediate mitigation.

Fig. 2: the first attack peaking at over 80 Gbps

An hour later, the attackers launched the second and third attacks, which peaked at 45 Gbps and 24 Gbps respectively (see Fig. 3 and Fig. 4).

Fig. 3: The second attack peaking at over 45 Gbps

Fig. 4: The third attack peaking at over 24 Gbps

The Attack Vectors and the Radware Defense

All three attacks were multi-vector attacks, including the following:

  1. Network flood ipv4 UDP-FRAG
  2. Network flood ipv4 UDP
  3. DOSS-tcp-zero-seq
  4. Network flood ipv4 ICMP
  5. DOSS-ip-proto-oddness
  6. ICMP-BlackNurse-Attack
  7. TCP handshake violation. First packet not SYN
  8. DOSS-IP-GGP-Protocol-Flood
  9. DOSS-DNS-Ref-L4-Above-3000
  10. Memcached-Server-Reflected


Amplification DDoS Attacks Using Exposed MemCached Servers

The last vector targets Memcached servers, which are used for internal caching and are not meant to be exposed to the internet. When exposed, they can be abused to launch amplified attacks that potentially overwhelm a victim’s resources. This technique was used to launch the massive DDoS attack on GitHub in 2018. The fact that the servers have no native authentication makes it easier to launch amplified attacks against victims.

When the attack on the bank started, Radware’s behavioral detection technology immediately kicked in. It analyzes the traffic and accurately differentiates legitimate from malicious traffic. As a result, it took only seconds to generate signatures that blocked the attack. In parallel, all traffic containing anomalies, such as packets with an invalid IP header length or a port value set to zero, was automatically blocked.
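As an added illustration of how the vectors listed above and the anomaly checks in this paragraph translate into detection logic (example code, not Radware’s own), the following classifier labels constructed sample packets with the same categories the post names. Field names, the packet dictionaries and the addresses are assumptions for the example; the protocol numbers and the Memcached port are IANA-assigned values.

```python
from typing import Dict, List, Set
PROTO_ICMP, PROTO_GGP, PROTO_TCP, PROTO_UDP = 1, 3, 6, 17  # IANA protocol numbers
MEMCACHED_PORT = 11211                                      # memcached default port
TCP_SYN = 0x02

def classify(pkt: Dict, syn_seen: Set[tuple]) -> List[str]:
    """Return the anomaly labels for one packet; syn_seen holds flows whose SYN was already observed."""
    labels: List[str] = []
    proto = pkt["proto"]
    if pkt.get("ihl", 5) < 5:                        # IPv4 IHL must be >= 5 words
        labels.append("invalid-ip-header-length")
    if pkt.get("sport") == 0 or pkt.get("dport") == 0:
        labels.append("port-zero")
    if proto == PROTO_GGP:                           # GGP (protocol 3) has no legitimate use here
        labels.append("ip-ggp-protocol-flood")
    if proto == PROTO_UDP:
        if pkt.get("frag_offset", 0) > 0 or pkt.get("more_frags", False):
            labels.append("udp-frag")
        if pkt.get("sport") == MEMCACHED_PORT:       # reply from an exposed memcached server
            labels.append("memcached-server-reflected")
    if proto == PROTO_ICMP and (pkt.get("type"), pkt.get("code")) == (3, 3):
        labels.append("icmp-blacknurse")             # port-unreachable flood
    if proto == PROTO_TCP:
        if pkt.get("seq") == 0:
            labels.append("tcp-zero-seq")
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt.get("flags", 0) & TCP_SYN:
            syn_seen.add(flow)
        elif flow not in syn_seen:                   # handshake violation: first packet not SYN
            labels.append("tcp-first-packet-not-syn")
    return labels

def detect(packets: List[Dict]) -> Dict[str, int]:
    """Count anomaly labels over a packet stream, in arrival order."""
    counts: Dict[str, int] = {}
    syn_seen: Set[tuple] = set()
    for pkt in packets:
        for label in classify(pkt, syn_seen):
            counts[label] = counts.get(label, 0) + 1
    return counts

def mk(**f) -> Dict: return {"src": "203.0.113.7", "dst": "198.51.100.1", **f}  # constructed packet
SAMPLE = [  # constructed stream: one clean handshake, then one packet per vector
    mk(proto=PROTO_TCP, sport=40000, dport=443, flags=TCP_SYN, seq=1000),
    mk(proto=PROTO_TCP, sport=40000, dport=443, flags=0x10, seq=1001),
    mk(proto=PROTO_TCP, sport=40001, dport=443, flags=0x10, seq=0),
    mk(proto=PROTO_UDP, sport=MEMCACHED_PORT, dport=0, frag_offset=8),
    mk(proto=PROTO_ICMP, type=3, code=3, ihl=4),
    mk(proto=PROTO_GGP),
]
```

Running detect(SAMPLE) yields one hit per vector and no hits for the clean handshake; in production the same checks would be fed from a capture or flow exporter and used to generate blocking signatures rather than counts.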

All the bank’s data centers are protected by Radware’s always-on cloud services. In such a setup, all traffic is constantly diverted to one of Radware’s 14 scrubbing centers around the globe. After the traffic is scrubbed and clean, it continues to its original destination.


Mitigated, As If It Never Happened

Under such attacks, one thing is crucial on the bank’s side: protecting the SLA and the user experience by ensuring absolutely no impact on the network.

While such a persistent and high-volume attack unfolded on the bank, no impact whatsoever was caused to the network. All legitimate users trying to access the network during the attack could do so, and no outages were reported even for one second.

How to Choose the Right Security Vendor

Last year, 86% of enterprises were affected by a DDoS attack (Radware annual security report); now more than ever, there is no room for mistakes when choosing a security technology and approach. Enterprises should make sure that the selected vendor is indeed capable of defending their network from the bursts and multi-vector attacks that have become so common.

Top Three Questions to Ask Your Vendor

  • Can the vendor ensure business continuity under attack?
  • How long into an attack will a contact from the emergency response team be available for support?
  • What happens if the attack volume exceeds a certain threshold?

Organizations should make sure they are prepared now, rather than finding out under the worst circumstances that they are not.


Eva Abergel

Eva is a Product Marketing Manager in Radware’s network security group. Her domain of expertise is data center protection, where she leads positioning, messaging and product launches. Prior to joining Radware, Eva led a Product Marketing and Sales Enablement team at Elmo Motion Control - a global robotics company - and worked as an engineer at Intel. Eva holds a B.Sc. degree in Mechatronics Engineering from Ariel University and an Entrepreneurship Development certificate from the York Entrepreneurship Development Institute of Canada.
