ARBOR INSIGHT
Defending Against the
“It looks like they are
testing…by having a rela-
tively sophisticated denial of
service program that actually
adapts to the defensive
architecture of the banks.”
 ichael Chertoff, Fmr Secretary
M
Homeland Security
DDoS Resources
The following enterprise White Papers
offer additional information on how
DDoS attacks work, as well as methods
of mitigating these attacks. They are
available at www.arbornetworks.com/
research/resources.
• Why Firewalls and IPS Fall Short on
DDoS Protection (registration required)
• Layered Intelligent DDoS Mitigation
Systems
• The Risk vs. Cost of Enterprise
DDoS Protection
“Triple Crown” Financial
Services DDoS Attacks
Beginning in October 2012, major banking institutions were
targeted by a powerful new multi-vector DDoS attack, previously
identified as “Operation Ababil,” and producing devastating
effects. These attacks have continued and evolved, with the
most recent producing a more complex methodology, as well
as broader attack focus, and have therefore been identified and
characterized by the Arbor Security Engineering and Research
Team (ASERT) as the “Triple Crown” DDoS attacks.
These “Triple Crown” attacks take DDoS to a new level of sophistication by utilizing
three attack strategies designed to block online availability to accounts, resources,
and critical functionality. These coordinated, multi-vector attacks initially targeted key
financial institutions such as Bank of America, JP Morgan Chase and Wells Fargo.
However, the most recent attacks have broadened their scope to include smaller
financial institutions—such as regional banks and credit unions, ISPs and MSSPs,
as well as targets in Europe.
The Triple Crown attacks also challenged the protection offered by typical carriers/
MSSPs. During these attacks, MSSP network scrubbing center resources have been
strained when high-bandwidth servers employing a wide array of files and PHP-based
tools attacked multiple customers simultaneously. Capacity models need to be
re-evaluated, as larger multi-vector, multi-customer attacks have become a reality.
As networks evolve to become more multi-faceted in terms of access, content and sophis-
tication, so to have the attacks evolved with a focus on disrupting availability and gaining
access to data. Therefore, multi-vector DDoS attacks are indicators that the attacks against
the networks will become exponentially more sophisticated and multi-dimensional in size
and scope. This Arbor Insight will discuss how you can best protect your business from
the growing threat of multi-vector DDoS attacks targeting your business.
What is Triple Crown?
What is exceptional about these attacks is not the techniques used, but the strategic
combination of the attack in a concerted effort. This unique methodology makes the
Triple Crown DDoS attack both powerful and difficult to defend against.
The Triple Crown DDoS attacks utilized the following three attack vectors, simultaneously:
• GET and POST application layer attacks on HTTP and HTTPS
• DNS query application layer attack
• Volumetric attacks on UDP, TCP Syn floods, ICMP and other IP protocols

The Arbor Solution
Through its extensive network of sensors
and data feeds, Arbor has real-time visibility
into over 70% of global Internet traffic.
This gives Arbor unmatched insight into
emerging threats—information used to
develop defenses to new, emerging threats.
The best way for enterprises, data
centers and cloud operators to have
optimal protection against DDoS attacks
is through a combination of on-premise
and in-cloud protection. Cloud Signaling™
functionality offers this comprehensive
protection, enabling Pravail APS to auto-
matically alert the upstream provider to
growing attacks that threaten availability.
By combining a powerful but easily
implemented on-premise Intelligent DDoS
threat mitigation system with multiple
upstream options, Pravail APS gives your
IT team the capability to help thwart Triple
Crown attacks and many other DDoS
threats that arise moving forward.
Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300
Europe
T +44 207 127 8147
Asia Pacific
T +65 6299 0695
www.arbornetworks.com
ARBOR INSIGHT
As these attacks continue to evolve, so do the tools used to launch them. The
attacks have evolved to take advantage of vulnerabilities in PHP web applications on
Wordpress sites. Through the use of pre-infected bots and their associated botnets,
attacks against organizations utilizing Joomla and other PHP-based applications are
compromising systems and blocking access to organizations’ websites. This wave of
attacks shows a more sophisticated attack methodology capable of targeting devices
with significantly more upstream bandwidth. In doing so, attackers achieve a higher
volumetric “packet per second” attack rate per individual source. What makes these
attacks most dangerous is the time-consuming and costly nature of both attack
identification and mitigation.
How to Protect Your Availability—and More
On-premise enterprise solutions based on stateful traffic inspection alone could not
effectively defend against DDoS attacks like Triple Crown. Firewalls/IPS state tables
would have been overwhelmed and do not offer effective protection against the speed
and complexity of such a multi-vector threat. All organizations affected by Triple Crown
had deployed firewalls/IPS in depth.
Triple Crown also exposed that typical carrier/MSSPs coverage has limitations.
Network scrubbing center resources were strained when multiple customers within
the same vertical were attacked simultaneously by high-bandwidth servers employing
a wide array of files and PHP-based tools. MSSP capacity models need to be
re-evaluated as larger multi-vector, multi-customer attacks have become a reality.
Today’s sophisticated, multi-vector DDoS attacks require a combination of cloud-based
mitigation from an MSSP for protection against volumetric attacks, and on-premise
protection against attacks targeting existing infrastructure (firewalls/IPS) and the
application layer. Only with this layered protection is the enterprise fully protected
from modern DDoS attacks.
Pravail® APS with ATLAS® Provides Just That
The Pravail Availability Protection System (APS) empowers enterprise IT teams by
automatically detecting and blocking complex state-exhausting and application layer
DDoS attacks—before services are degraded.
An out-of-the-box solution easily installed in front of the firewall, Pravail APS’ Web
GUI gives enterprise IT teams better control in addressing threats to availability, with
additional fallback plans and resolution techniques when attacks cannot be readily
identified and mitigated.
Pravail APS appliances are provisioned with the latest defenses to new threats and
updated IP location data—all in real time—through Arbor’s update service, the ATLAS
Intelligence Feed (AIF). Arbor enjoys a close relationship with leading ISPs around
the world—90% of Tier 1 service providers use Arbor solutions.
© 2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How
Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are
all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.
AI/TRIPLECROWN/EN/0413