Akamai says it thwarted a major distributed denial-of-service (DDoS) attack aimed at a US bank that peaked at 55.1 million packets per second earlier this month.
The network traffic flood hit on September 5 against the unnamed finance giant Akamai describes as “one of the biggest and most influential US financial institutions.”
While it only lasted less than two minutes, it managed to spike to 633.7 gigabits per second with criminals using ACK, PUSH, RESET, and SYN flood attack vectors, according to the cloud services company’s Craig Sparling and Sandeep Rath.
Despite the tsunami of packets launched at the bank’s primary web landing page in an attempt to disrupt online banking, “there was no collateral damage or service degradation,” Sparling and Rath said just before the weekend.
This is the third such “largest-ever” successful DDoS mitigation Akamai has claimed, but it’s worth noting that these all have qualifiers. A year ago, Akamai nipped a record-breaking DDoS attack against one of its European customers. That one peaked at 704.8 Mpps, and was the second such attempt against the same Eastern European organization, which Akamai declined to name or even specify the industry due to safety concerns.
More recently, in February 2023, Akamai said it blocked the largest DDoS attack against one of its Asia-Pacific customers. This network flood hit 900.1 Gbps and 158.2 Mpps at its peak.
This most recent attack marks the largest yet against a US financial firm, we’re told.
For the record: in February Cloudflare claimed to have blocked the single largest ever DDoS event on record that soared to more than 71 million requests-per-second.
But, of course, records are made to be broken and there is undoubtedly a botnet waiting in the wings to set a new network tsunami surge.
DDoS against banks on the upswing
Akamai’s researchers told The Register that they don’t know which cybercrime gang or botnet is behind this latest DDoS incident. They did note, however, that such traffic floods intended to take out banking websites and business are on the upswing.
Historically, only between 10 and 15 percent of these types of attacks have targeted banking customers. Typically, tech firms, gaming companies, media/entertainment and internet/telecom providers bear the brunt of these security events.
“However, since 2021, there has been a distinct and noticeable surge in the number of DDoS attacks” aimed at financial institutions, according to Sparling and Rath.
“In fact, over the past four quarters, more than 30 percent of the DDoS attacks have been aimed at financial services companies,” they added.
Meanwhile, DDoS floods have become easier and cheaper for criminals to pull off, requiring less technical know-how with the advent of DDoS-as-a-service and botnets for hire. Cloudflare has previously said that these types of services can be purchased for as little as $30 a month.
Because of this, they have also become popular “cyberattack smokescreens” for so-called triple extortion ransomware attacks, Akamai says.
Triple extortion is an evolution of old-fashioned ransomware in which malware is dropped on victims’ machines, encrypts files with ransom demands for decryption. Next up: double extortion, in which the crooks steal data before encrypting it and threaten to leak the information if the victims don’t pay up.
With triple extortion: criminals exfiltrate sensitive data, encrypt it via ransomware, and then threaten the business with DDoS, which puts even more pressure on the organization to pay the ransom.
“Financial institutions are a key pillar of an economy, and targeting such businesses often has a larger impact on the overall economy,” Sparling and Rath said. ®