The Akamai Blog

Brobot: Alive and Well in 2014

2013 was an absolute nightmare for many US banks, as they were targeted with massive DDoS attacks by the QCF as part of their Operation Ababil attacks. At Akamai we observed up to 20 banks being attacked in some weeks in 2013, and Akamai successfully protected our banking customers from these large attacks.
Fortunately, the QCF has been silent since the posting on July 23, and there have been only isolated and unrelated DDoS attacks on the banks since last summer.

But Brobot, the botnet of choice for the Operation Ababil attacks, is still out there and continues to present a major risk to the industry. And the bad news is that Akamai has recently seen it used in an attack against one of our banking customers.

The attack, shown below in Akamai's Luna Control Center, peaked at over 10,000 requests per minute against the bank. Over 800,000 requests were received over roughly a two-hour period.

We observed and tracked the IP addresses of the servers used in this attack, and the majority came from some of the same infected web servers that were used in the attacks last year: Brobot servers were back in action. To be clear, it was not the QCF that was back in action; it was another attacker using some of the Brobot botnet servers.

Figure: Brobot Used to Attack a U.S. Bank

Because our bank customer still had these IP addresses on the Kona Site Defender blacklist, the attack did not impact their website, and it was business as usual for their customers. A quick look at the Compuware banking benchmark for this time shows 100% availability, and no performance impact during the attack for this bank.

Figure: Home Page Performance During the Attack

Lessons Learned:

  • Brobot is still active, and available to attackers. This presents an ongoing risk to banks and other companies.
  • Information sharing is crucial. This attack was blocked because the IP addresses of the Brobot servers were identified and shared among the banks during the attacks last year, and this bank had that blacklist in place.
  • An always-on defense is key. Kona is an always-on defense, and immediately started blocking this attack, with no impact to the customers.

Keep your guard up, your blacklists in place, and continue to share intel!
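
The correlation described above (attack sources checked against the IP list shared during last year's attacks, plus the per-minute request peak) can be reproduced from access logs. The following is an added example, not Akamai's code: the log format, the addresses (documentation ranges) and the blocklist entries are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data (documentation-range addresses, not real indicators).
SHARED_BLOCKLIST = ["192.0.2.0/28", "198.51.100.77", "203.0.113.5"]
ACCESS_LOG = """\
192.0.2.3 - - [10/Feb/2014:14:01:02 +0000] "GET / HTTP/1.1" 403 0
192.0.2.3 - - [10/Feb/2014:14:01:09 +0000] "GET / HTTP/1.1" 403 0
198.51.100.77 - - [10/Feb/2014:14:01:40 +0000] "GET /login HTTP/1.1" 403 0
203.0.113.200 - - [10/Feb/2014:14:01:55 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.77 - - [10/Feb/2014:14:02:01 +0000] "GET /login HTTP/1.1" 403 0
not a log line
203.0.113.9 - - [10/Feb/2014:14:02:30 +0000] "GET /rates HTTP/1.1" 200 812
"""
LINE_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")

def load_blocklist(entries):
    """Parse single IPs and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def analyze(log_text, blocklist):
    """Return the peak requests/minute and the share of traffic from listed IPs."""
    per_minute, listed_ips, all_ips = Counter(), set(), set()
    total = listed_requests = skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            ip = ipaddress.ip_address(m.group(1))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except (AttributeError, ValueError):
            skipped += 1  # malformed line: count it and move on
            continue
        total += 1
        all_ips.add(ip)
        minute = ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M")
        per_minute[minute] += 1
        if any(ip in net for net in blocklist):
            listed_requests += 1
            listed_ips.add(ip)
    peak_minute, peak = per_minute.most_common(1)[0] if per_minute else (None, 0)
    return {"peak_minute": peak_minute, "peak_rpm": peak, "requests": total,
            "listed_requests": listed_requests, "sources": len(all_ips),
            "listed_sources": len(listed_ips), "skipped": skipped}

if __name__ == "__main__":
    print(analyze(ACCESS_LOG, load_blocklist(SHARED_BLOCKLIST)))
```

A high ratio of `listed_requests` to `requests` during a spike indicates that the shared list is still covering the infrastructure in use; a low ratio means new sources need to be identified and shared.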