Inside a DDoS attack against a bank: What happened and how it was stopped

Home/Uncategorized/Inside a DDoS attack against a bank: What happened and how it was stopped
endpoint security

22-11-2022, DDoS attacks can happen to anyone with an online website or service. Infosec Skills author John Wagnon explains how one bank managed to stop a distributed denial-of-service attack in its tracks.

Targeting a bank with a DDoS attack

Distributed denial-of-service attacks are often used to disrupt websites. Learn how one bank got attacked and what they did to stop it in this Cyber Work Applied episode featuring Infosec Skills author John Wagnon.


Inside a DDoS attack against a bank | Free Cyber Work Applied series

Cyber Work listeners get free cybersecurity training resources. Click below to check out the free courses and other materials.

DDoS attack walkthrough

The edited transcript of the DDoS attack walkthrough video is provided below, separated into each step John covers in the video.

What is a DDoS attack?

(0:00- 0:30) Attackers are constantly looking for victims to exploit. And many times, they use an attack method called a distributed denial-of-service, or DDoS attack. The purpose of an attack like this is to overwhelm the victim’s website so that it can’t possibly keep up with all the traffic from the attack, and then it just finally stops working. My name is John, and I’m going to tell you a real-life story about how a bank got DDoS attacked and how the attack was stopped.

Generating 20 Gbps with a botnet

(0:31- 0:43) Attackers used a botnet, which is a collection of infected computers and other internet-connected devices, to launch an attack that generated over 20 gigabits per second of volume against this bank’s website.

Leveraging vulnerable NTP servers

(0:44- 1:23) The attackers used vulnerable network time protocol, or NTP servers, in this attack. They would send very small requests to the NTP server, but the servers responded with very large responses.

The attackers would spoof the IP address so that it looked like the bank’s website sent the request. Then the response, which is very large, was sent from the NTP server back to the bank’s website.

Specifically, the attackers used a monlist command, which contains the last 600 entries within that NTP server’s memory. So, while the request size was very small, the response size was very large against this bank’s website.

Leveraging DNS-vulnerable servers

(1:24- 1:43) And just like NTP, they also use the domain name system (or DNS) vulnerable servers to amplify attacks as well against the bank’s website. Specifically, they utilized the DNSSEC Extension to amplify the attack, and they also use the “Any” flag in the DNS attack to send large responses to the victim.

Other amplification protocols

(1:44- 1:51) Other protocols, like connectionless LDAP, or CLDAP, were also used to amplify attacks.

Utilizing IPsec tunnels

(1:52- 2:39) While these flood attacks were happening, the attacker also launched a creative attack that utilized IPsec tunnels. IPsec tunnels are used for secure communication between two connecting endpoints on the internet.

There are two different phases that are used to set up an IPsec tunnel. Phase 1 is used to set up management details of how the tunnel is going to be used. Phase 2 is effectively a tunnel inside that tunnel where the secure communication flows.

So, attackers used the Phase 1 data to communicate with this bank’s website, but then they never fully completed the Phase 2 tunnel. What that did is it left the bank’s website holding onto resources, consuming resources and waiting for the Phase 2 tunnel to complete. Overall, this attack generated over 20 gigabits per second of volume against this bank.

Steps to mitigate the attack

(2:40- 3:39) Several steps were taken to mitigate this attack. The first step was to close the UDP ports for the attack traffic. They also used known good white lists for known good traffic. A firewall that has the ability to allow or deny certain port numbers was configured to block the specific ports used by this attack.

And many of the protocols that were used don’t need to be allowed through the company firewall at that point, so it was acceptable to keep them closed. But others needed to be closed for the duration of the attack and then reopened once the attack was over, like DNS, for example.

After that, the IPsec flood was mitigated by checking to see if Phase 1 was opened by any IP address, but phase two was not completed. And then that offending IP address was blocked. Then, a known list of offenders was compiled as these IP addresses were being blocked and this allowed the bank to prevent future attacks by those known bad actors.

Impact of the DDoS attack

(3:40- 4:10) In all, the attack was stopped, and the bank was able to provide services to its customers. During the attack, the customer experience slowed down a little bit, but it never fully stopped.

So, you can see these types of DDoS attacks are serious business. Anyone with an online website or service can be targeted by these types of actors. So it’s important to understand how different types of DDoS attacks work and how you can mitigate them.

Check out my OWASP Top 10 courses in Infosec Skills for more information on common attacks and how you can protect against them.