DDoS testing exposes critical misconfiguration error in MSP mitigation set-up

Enhancing data centre resilience and reputation in the financial sector

Introduction

Our client, a new retail bank, has rapidly emerged as a prominent player in the industry, with a growing customer base and operating principally over the internet. Primarily based in the Netherlands, the bank also operates in many other European regulatory areas. The bank has several data centres, each served by a common ISP that also provides a managed DDoS mitigation solution.

As a standard operational procedure, the bank aimed to assess the performance of each data centre within an extended maintenance period. This evaluation encompassed testing the data centres’ capacity to fend off various DDoS attack types and confirming their ability to maintain seamless service delivery to internet-based customers within the configuration the bank had adopted.


The Challenge

With a significant monthly sum being spent on mitigation as part of a long-term contract, a DDoS test programme was critical to validate this investment, and the bank partnered with Babble for this work.


The Solution

The tested mitigation solution was an on-premise, LAN-based, traffic pass-through system backed by flood protection in the service provider’s cloud. The managed service provider was informed in advance that a simulated attack would take place, without receiving specific attack parameters. Testing used a VMware image at each data centre to replicate common internet services, with traffic routed across the internet from multiple test nodes to each data centre.

Babble’s engineers initiated the testing programme with a UDP-based attack, which revealed an initial issue: no mitigation alerts were being sent to the customer. After resolving this issue with the service provider, testing moved on to a TCP-based pattern.

It soon became evident that the service provider had been relying on a simple IP blocking strategy, as probes indicated that the targeted traffic was otherwise going unnoticed. Moving the agents to a different geolocation allowed the attack traffic to bypass the mitigation equipment.

HTTPS GET tests showed that the on-premise devices struggled to determine whether to block or allow the traffic and could not consistently report their mitigation status in real time. Although the device created an IP-based blacklist, the service provider’s SOC could not clear it upon request.

The final tests with TCP SYNs showed good mitigation and alerting, but the last test, with a UDP payload, displayed inconsistent protocol-based blocking that did not flag the originating IP addresses as suspicious for other forms of traffic. This allowed a lower-volume HTTP attack from the same agents to pass without mitigation, although alerts were generated for the UDP component.
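The gap described above, purely per-protocol blocking that never carries a source’s reputation across protocols, is illustrated by the following added example, which is not code from Babble, the bank or the service provider. It runs two detection policies over a constructed set of flow records; the thresholds, hold time and IP addresses are assumptions chosen for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds since the start of the observation window
    src: str      # source IP (constructed sample value)
    proto: str    # "udp" or "http"
    pps: int      # packets per second attributed to src in this interval


# Per-protocol volume thresholds and hold time: assumed values for the example.
THRESHOLDS = {"udp": 5000, "http": 500}
HOLD_SECONDS = 600

# Constructed flow records: two agents flood UDP at t=0, then send a much
# lower-volume HTTP attack at t=120; 198.51.100.5 is a legitimate customer.
SAMPLE_FLOWS = [
    Flow(0, "203.0.113.10", "udp", 12000),
    Flow(0, "203.0.113.11", "udp", 11000),
    Flow(0, "198.51.100.5", "http", 20),
    Flow(120, "203.0.113.10", "http", 200),
    Flow(120, "203.0.113.11", "http", 180),
    Flow(120, "198.51.100.5", "http", 25),
]


def protocol_only(flows):
    """Judge every flow in isolation against its own protocol threshold
    (the behaviour observed in the test)."""
    return {(f.ts, f.src, f.proto): f.pps >= THRESHOLDS[f.proto] for f in flows}


def cross_protocol(flows, hold=HOLD_SECONDS):
    """Once a source exceeds the threshold on any protocol, flag all of its
    traffic until the hold expires, so a lower-volume follow-up on another
    protocol from the same source is still caught."""
    suspicious_until = {}  # src -> timestamp until which the source is flagged
    verdicts = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.pps >= THRESHOLDS[f.proto]:
            suspicious_until[f.src] = f.ts + hold
        verdicts[(f.ts, f.src, f.proto)] = f.ts < suspicious_until.get(f.src, -1)
    return verdicts


def missed_by_protocol_only(flows):
    """Flows the cross-protocol policy flags but the per-protocol policy passes."""
    per_proto, cross = protocol_only(flows), cross_protocol(flows)
    return {k for k, flagged in cross.items() if flagged and not per_proto[k]}
```

Running `missed_by_protocol_only(SAMPLE_FLOWS)` returns exactly the two HTTP flows from the flood agents, while the legitimate customer is never flagged by either policy.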

Whilst the data centre under test, which hosts the banking sites, experienced slowdowns or unavailability due to the traffic volumes, the testing was designed to target one data centre at a time, ensuring that customer service remained available during the maintenance window.

Financial institution customers naturally expect competence, safety, and security. The risks of reputational damage are a significant concern if the impact of a Denial of Service on operations becomes public knowledge.

Following the tests, Babble made several recommendations regarding the bank’s service provider and advised further internal monitoring of key statistics that could provide early insight into the initial ramping of an attack.
