Strengthening DDoS Resilience for a Dutch Retail Bank

How proactive testing uncovered critical risks and protected customer trust

The Company

This Dutch Retail Bank is a rapidly growing digital-first financial institution operating primarily online. Headquartered in the Netherlands, the bank also serves customers across multiple European regulatory regions. With a growing customer base and internet-based service delivery at its core, maintaining availability, security and trust is essential to its reputation.

The bank operates several data centres, each supported by a common internet service provider (ISP) that also delivers a managed DDoS mitigation service.

The Challenge

As part of standard operational best practice, the bank wanted to assess the resilience of each data centre during an extended maintenance window. This included validating each data centre's ability to withstand a range of Distributed Denial of Service (DDoS) attack types while continuing to deliver uninterrupted online services to customers.

Given the significant ongoing investment in managed DDoS mitigation under a long-term contract, the bank needed assurance that the solution was configured correctly and performing as expected under real attack conditions. Any failure could expose the organisation to operational disruption and reputational risk in a highly regulated and trust-sensitive sector.


The Solution

A structured DDoS testing programme was carried out to evaluate the bank’s on-premises, LAN-based traffic pass-through mitigation system, supported by the service provider’s cloud-based flood protection. The managed service provider was notified in advance of a simulated attack but was not given specific attack parameters.

Testing was conducted using a VMware image deployed in each data centre to replicate common internet-facing services. Traffic was generated from multiple geographically distributed test nodes and routed over the public internet to each data centre, with tests targeting one site at a time to ensure customer services remained available during the maintenance window.

A series of attack scenarios was executed, including UDP-based, TCP-based, HTTPS GET and TCP SYN attacks. This approach allowed detailed observation of alerting behaviour, mitigation effectiveness and response consistency across protocols and locations.

The Results

The testing programme revealed several critical misconfigurations within the managed DDoS mitigation setup. Early tests showed a lack of alerting visibility, while later scenarios demonstrated that mitigation relied heavily on simple IP-blocking strategies that could be bypassed by changes in attack geography.

Further testing highlighted inconsistent protocol-based blocking and limitations in real-time mitigation reporting. In some scenarios, lower-volume follow-up attacks were able to pass through unmitigated, despite alerts being generated for earlier traffic patterns.

While some mitigation responses performed well, particularly during TCP SYN testing, the overall programme exposed weaknesses that would not have been identified without live simulation.

Following the tests, clear recommendations were made to address service provider configuration issues and to enhance internal monitoring of early-stage attack indicators. These insights enabled the bank to strengthen its defensive posture, reduce reputational risk and gain greater confidence in its ability to protect customer-facing services.

  • Identification of critical misconfigurations in managed DDoS mitigation
  • Improved understanding of real-world attack behaviour and system limitations
  • Actionable recommendations to strengthen data centre resilience
  • Reduced operational and reputational risk in a highly regulated sector
  • Greater confidence in the bank’s ability to maintain service availability under attack
