Case Study

Bank of New York Mellon, Crownpeak, Amazon Web Services

In 2016 Bank of New York Mellon engaged Crownpeak and RedWolf to help test and harden their cyber defenses.


The Problem

Bank of New York Mellon is considered a Systemically Important Financial Institution, or SIFI: a bank so large that, should anything happened to them or their firm fail, it would cause a significant disruption to world financial markets or even a financial crisis. They’re one of the largest holders of financial assets in the world, operating in hundreds of worldwide markets with dozens of websites under their umbrella.

Testing and improving the cybersecurity of such a large-scale enterprise is therefore critical—but isn’t something that can be done with any off-the-shelf solution.

The Solution

Bank of New York Mellon engaged Crownpeak, their website hosting and management provider, who in turn engaged one of their partners, RedWolf, one of the world’s most trusted cloud-attack simulation firms, to help test and harden their cyber defenses.

Crownpeak and RedWolf took a two-step approach:
1. Baseline: Crownpeak and RedWolf needed to know at what point Bank of New York Mellon’s cyber threat mitigation processes would activate. How much unknown traffic would need to hit the sites before it was established as a potential threat? A baseline was established using simple HTTP GET requests.

2. HULK test: This is where RedWolf’s expertise came to the forefront. An HTTP Unbearable Load King, or HULK test, is the tip of the spear for a DDoS test, and RedWolf’s HULK test obfuscates sources, simulates forgery, transforms URLs—all the things a real DDoS attack does.

During the test attack, 200 concurrent attack vectors were used, at a rate of 200,000 requests sent per second on average (and more than 1 million at its peak). Almost 100Gb of SSL traffic was sent per second, with data sent at a rate of 2.5-3.5Gb per second and data returned at a rate of 35-40Gb. These are significant numbers that accurately simulate an extreme DDoS attack.

As the test attack begins, data showed the back-end CPU usage ramping up, and in short order, the security infrastructure responds, dedicating additional servers to handle the loads. As the networks packet deliveries spike, additional server instances—around 30—come online to handle them.

Initial results show that although the system handled the load well at the start of the test, as the test ramped up users began to experience delays and timeouts. Crownpeak knew that to truly defend itself, Bank of New York Mellon would have to harden its security infrastructure.

Crownpeak works closely with Amazon Web Services (AWS) on cybersecurity, and knows the ins-and-outs of AWS various features, including AWS Lambda responsive web servers and AWS Web Application Firewall (WAF), which adds a layer of security for software-as-a-service (SaaS) applications.

Crownpeak built a hardened structure using these tools to more effectively route DDoS attack packets, analyzing and responding to them in real time, accepting or denying each request as it comes thro

Read how Crownpeak used RedWolf to test and harden defenses and handled over 1 million HTTPS requests/sec.

The Benefit

A second test with these improvements in place proved their effectiveness. The same HULK test was run, and an additional WAF Overload test was added to try and overwhelm the new security measures.

The AWS WAF solution blocked about 9 million requests per minute, before they even reached the back end. Most importantly from a security perspective, during the second test the responsive server pool threshold was never triggered, even though more than 100 times more data was pushed to the system than the first test.

In all 175 of the 200 attack vectors were neutralized on the front end, and 47 million illegitimate requests were denied per minutes—all while allowing 20 million legitimate requests through with no delays.

With the new, hardened infrastructure proven, Bank of New York Mellon—and its clients—can rest assured that their assets are safe from any DDoS attack.

The Problem

Complex testing requirements

The Solution

An AWS-based overload test

The Benefit

Confidence in Cyber Security