On a Friday evening, after normal closing time, a multinational bank had to resort to geo-blocking at its network edge to stop a relentless DDoS attack. The bank had been enduring the attack for most of the day, placing both of its ISPs under extreme strain. Neither ISP had any proper DDoS mitigation capability.
The attack was suspected to be part of a campaign that had been ongoing in Sub-Saharan Africa for several months. A group with access to a substantial botnet, and claiming to be "Fancy Bear", had been targeting the financial sector in various countries at the end of 2019.
Geo-blocking stopped the flood, but it also cut the bank's customers off from the rest of the world. The attack was volumetric in nature and was aimed at the bank's web services infrastructure. The productivity hit would be costly, and the bank's reputation was in jeopardy. They needed immediate help to stop the attack and to put DDoS identification and mitigation measures in place against future attacks.
The TigerLogic team immediately held a deep-dive technical session with the relevant teams at the bank. The goal was to understand the architecture of the IT environment and the security requirements well enough to recommend a best-fit solution and a best-practice deployment architecture.
After the session, we briefed the bank on the Arbor Cloud Emergency Provisioning Service and established that the bank held its own /24 IPv4 prefix. A /24 is the smallest IPv4 prefix that transit providers generally accept in the global routing table, so the prefix could be announced from Arbor Cloud's scrubbing centres and clean traffic returned to the bank. That made traffic redirection to Arbor Cloud using the Border Gateway Protocol (BGP) a valid mitigation strategy.
Our team started work at 8am on Saturday and continued through to Sunday evening. The team received a server, installed and configured ESXi, and deployed the virtual AED (Arbor Edge Defense) on it. 27 hours after starting, we had the customer back online behind a working virtual AED.
In the following days, we ran several successful tests. With cloud signaling configured between the AED and Arbor Cloud, the bank could rely on automated signaling: when the on-premise AED detects an attack it cannot absorb locally, it requests an upstream Arbor Cloud mitigation without waiting for a manual call.
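To make the two mechanisms above concrete, here is an added example in Python. It is not TigerLogic's or Arbor's code and does not reproduce the AED's actual signaling algorithm, which this case study does not describe. It models the two points the write-up depends on: the BGP diversion precondition (a prefix no longer than /24 for IPv4, or /48 for IPv6, so that it can be re-announced from a scrubbing centre), and a threshold-based trigger with hysteresis and a minimum hold time that stands in for the AED's cloud signaling decision. The prefix `203.0.113.0/24`, the thresholds, the sample interval and the traffic samples are all constructed for illustration.

```python
"""Simplified model of on-premise to cloud DDoS signaling.

Added example, not vendor code. Assumptions (not from the case study):
  - prefix lengths accepted for diversion: /24 (IPv4), /48 (IPv6);
  - a mitigation request is raised after N consecutive samples over a
    trigger rate, and released after N consecutive samples under a lower
    release rate, but never before a minimum hold time has elapsed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

MAX_IPV4_PREFIXLEN = 24   # longest IPv4 prefix generally carried in the DFZ
MAX_IPV6_PREFIXLEN = 48   # longest IPv6 prefix generally carried in the DFZ


def diversion_eligible(prefix: str) -> bool:
    """True if the prefix can be announced on its own for BGP diversion.

    A /25 or longer IPv4 prefix would be filtered by most transit networks,
    so the scrubbing centre could not attract the traffic for it.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    limit = MAX_IPV4_PREFIXLEN if net.version == 4 else MAX_IPV6_PREFIXLEN
    return net.prefixlen <= limit


@dataclass
class CloudSignaler:
    """Hysteresis-based trigger that decides when to ask for cloud scrubbing."""
    trigger_bps: float            # sustained inbound rate that raises a request
    release_bps: float            # rate below which the request may be released
    sustain_samples: int = 3      # consecutive samples needed either way
    min_hold_s: int = 600         # keep the diversion up at least this long
    active: bool = False
    _over: int = 0
    _under: int = 0
    _requested_at: Optional[float] = None

    def observe(self, ts: float, bps: float) -> Optional[str]:
        """Feed one (timestamp, bits-per-second) sample; return an event or None."""
        if not self.active:
            self._over = self._over + 1 if bps >= self.trigger_bps else 0
            if self._over >= self.sustain_samples:
                self.active, self._over, self._requested_at = True, 0, ts
                return "REQUEST_MITIGATION"
            return None
        # Diversion is active: traffic seen here is already scrubbed, so the
        # rate drops quickly; the hold time stops us flapping the announcement.
        self._under = self._under + 1 if bps <= self.release_bps else 0
        held_long_enough = ts - self._requested_at >= self.min_hold_s
        if self._under >= self.sustain_samples and held_long_enough:
            self.active, self._under = False, 0
            return "RELEASE_MITIGATION"
        return None


def run(samples: List[Tuple[float, float]], signaler: CloudSignaler):
    """Replay samples through the signaler and collect the emitted events."""
    events = []
    for ts, bps in samples:
        ev = signaler.observe(ts, bps)
        if ev:
            events.append((ts, ev))
    return events


# Constructed traffic trace: 60 s samples on a 1 Gbps link. A flood starts at
# t=120; after the diversion the on-premise link only sees clean traffic.
SAMPLES = [(0, 100e6), (60, 150e6), (120, 900e6), (180, 950e6),
           (240, 1200e6), (300, 1300e6)] + [(t, 100e6) for t in range(360, 901, 60)]

BANK_PREFIX = "203.0.113.0/24"   # constructed; the real prefix is not on the page


def demo():
    """Check the prefix, then replay the trace; returns the signaling events."""
    if not diversion_eligible(BANK_PREFIX):
        raise ValueError(f"{BANK_PREFIX} cannot be announced on its own for diversion")
    return run(SAMPLES, CloudSignaler(trigger_bps=800e6, release_bps=200e6))


if __name__ == "__main__":
    for ts, ev in demo():
        print(f"t={ts:>4}s  {ev}")
```

Running the script prints a request at t=240 (three consecutive samples at or above 800 Mbps) and a release at t=840, the first sample at which both the quiet-traffic condition and the 600 s hold time are satisfied. The hold time matters in practice: releasing the announcement too early invites route flapping and, if the botnet is still active, a second round of saturation before the diversion can be re-established.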
Once the attack was mitigated and the bank had returned to business as usual, we worked with them on a properly scaled, day-to-day solution they can rely on for continued identification and mitigation of DDoS traffic, without impact on the rest of the network or on organisational productivity.
To our knowledge, they have experienced very little downtime since, and they rely on the solution enough to have purchased two AED appliances, one for their primary network and a second for their data centre. That was followed by another two AEDs for their sites in another African country, with TigerLogic Professional Services providing in-country installation and training.