Clavister Blog Staff

You can bank on GeoIP blocking to help stop DDoS attacks


Online banking services at the major UK bank, Lloyds, were intermittently disrupted over a two-day period recently. At various times, different sets of customers were unable to access their accounts. However, no sensitive data was accessed, and no funds were stolen. On the scale of damaging cyberattacks, it didn’t appear to be too problematic.

But the outward calm masked frenetic activity behind the scenes, in Lloyds’ IT security team, as the service interruptions were due to a massive distributed denial of service (DDoS) attack, part of a broader campaign by a sophisticated gang of cybercriminals. Halifax and Bank of Scotland were also targeted. By flooding the banks’ computer systems with masses of fake traffic, the criminals hoped to force systems offline, causing huge disruption. From there, they might have demanded a ransom in bitcoins in return for stopping the attack, or might have used the confusion as an opportunity to find other routes into the network, stealing data or even funds. DDoS attacks, far from being the mindless acts of digital vandalism that they have been assumed to be in the past, can actually be part of highly sophisticated heists.

But, in this case, the criminals came away with nothing. How, then, was Lloyds able to keep disruption to a minimum?

IT security experts at the bank deployed a remarkably simple strategy to defend against this DDoS attack – geo-blocking. Essentially, they proactively identified where the fake traffic was originating from, and then automatically blocked all traffic from those geographical regions from touching the bank’s network. As the cybercriminals understood what was happening and moved to different servers, so too did Lloyds’ defence systems. As a side effect, legitimate traffic from the bank’s customers in the geographical areas being blocked was, of course, also barred from entering the network – meaning that for a short while those customers were unable to access their accounts.

After a while, the perpetrators of the attack gave up – because they only had a very limited number of compromised servers from which to launch such an attack. Hijacking IP addresses for sending out malware or spam is a costly and time-consuming process – cybercriminals can’t carry on doing it indefinitely. In this case, it was more profitable for them to call a halt to that particular DDoS attack and direct their efforts elsewhere.

And now that Lloyds’ IT security team know precisely which compromised IP addresses targeted them, they can automatically block traffic from those IP addresses from now onwards.  They have automatically reduced their risk of falling victim to future cyberattacks, because criminals are forced by scarcity to use the same servers for multiple attacks.

As we’ve blogged previously, GeoIP is a feature in our next-generation firewalls. So if a DDoS attack begins, you can immediately analyse where the traffic is coming from using a real-time ‘heat map’ showing where traffic arriving at the firewall or gateway originates. You can then form a strategy for mitigating the attack, blocking the traffic using the GeoIP capability, supported by other DDoS mitigation techniques including bandwidth management, appropriate load balancing and intelligent network segmentation.
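As an added illustration of the workflow described above (build a heat map of where traffic originates, geo-block the countries whose volume spikes against a quiet baseline, protect the core customer base from collateral blocking, and keep the individual attacking addresses for a persistent per-IP blocklist), here is a small Python sketch. It is not Clavister’s or Lloyds’ code; the GeoIP table, log format, sample traffic and thresholds are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for a GeoIP database (assumption): documentation
# prefixes mapped to made-up country codes. A real deployment would use
# the firewall's own GeoIP lookup instead of this table.
GEOIP_NETS = [
    (ipaddress.ip_network("203.0.113.0/24"), "AA"),
    (ipaddress.ip_network("198.51.100.0/24"), "BB"),
    (ipaddress.ip_network("192.0.2.0/24"), "CC"),
]

def country_of(ip: str) -> str:
    """Map a source address to a country code ('??' if not in the table)."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP_NETS if addr in net), "??")

def heat_map(log_lines):
    """Requests per source country: the 'heat map' view of arriving traffic.
    Constructed log format: '<timestamp> <src_ip> <method> <path>'."""
    return Counter(country_of(line.split()[1]) for line in log_lines)

def geo_blocklist(baseline, current, ratio=10.0, min_hits=100, protected=()):
    """Countries whose volume is at least `ratio` x the quiet-window baseline.
    `protected` names countries that are never geo-blocked (core customer
    base), which limits the collateral blocking of legitimate users."""
    return {cc for cc, n in current.items()
            if n >= min_hits and n / max(baseline.get(cc, 0), 1) >= ratio
            and cc not in protected}

def attacking_ips(log_lines, blocked_countries):
    """Individual sources seen from geo-blocked countries, kept for a
    persistent per-IP blocklist once the broad geo-block is lifted."""
    return {line.split()[1] for line in log_lines
            if country_of(line.split()[1]) in blocked_countries}

def make_window(per_country):
    """Constructed sample traffic: per_country = {cc: (prefix, hosts, hits)}."""
    lines = []
    for prefix, hosts, hits in per_country.values():
        for i in range(hits):
            lines.append(f"2017-01-12T09:00:{i % 60:02d} {prefix}.{i % hosts + 1} GET /login")
    return lines

QUIET = make_window({"AA": ("203.0.113", 50, 200), "BB": ("198.51.100", 20, 60), "CC": ("192.0.2", 5, 8)})
FLOOD = make_window({"AA": ("203.0.113", 50, 210), "BB": ("198.51.100", 20, 55), "CC": ("192.0.2", 5, 900)})

if __name__ == "__main__":
    blocked = geo_blocklist(heat_map(QUIET), heat_map(FLOOD), protected={"AA"})
    print("heat map:", dict(heat_map(FLOOD)), "geo-block:", blocked)
    print("per-IP blocklist:", sorted(attacking_ips(FLOOD, blocked)))
```

Re-running `geo_blocklist` on each new window is what lets the block set follow the attack as it shifts to other source networks, while the protected set and the per-country baseline keep the response from blocking more than necessary.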

As Lloyds’ successful defence against the sustained DDoS attack shows, GeoIP gives you protection you can bank on.