BNY Mellon logo
Financial Services 30+
How does one of the largest banks in the world prepare for the possibility of a massive DDoS attack?

Globally the number of DDoS attacks grew 25 percent in 2015 and will increase 2.6-fold to 17 million by 2020. (Source: Cisco)

How Crownpeak’s Solution Helped BNY Mellon


Distributed denial of service (DDoS) attacks, a technique used by cyber criminals to overwhelm servers with so many requests that it compromises a website (or multiple websites’) availability, are an ongoing concern for enterprise companies.

In the case of a systemically important financial institution (SIFI), the disruption such an attack causes can be significant, not just to the organization and its customers, but to financial markets around the world.

About BNY Mellon

BNY is the largest holder of assets under custody and/or administration worldwide.

  • $29.5 trillion assets under custody and/or administration
  • $1.7 trillion assets under management
  • 100 markets worldwide

Over 30 BNY Mellon websites are hosted and managed using Crownpeak Digital Experience Management (DXM).

The challenge

As a SIFI, BNY Mellon is committed to being best in class when it comes to cyber defense and threat protection. That starts with making sure it’s prepared to absorb a DDoS attack of the highest magnitude.

To test the resiliency of the network infrastructure, BNY Mellon worked with Crownpeak to design a sophisticated DDoS-resilient platform and then test it by launching a massive DDoS attack.

The solution

Crownpeak leveraged Amazon Web Services’ new technology to enhance the threat protection strategy that was already in place. 

The goal was to measure how far the servers could be pushed and whether they would be able to scale to the level needed in order to deal with largest attacks taking place in the world today.

To mount as realistic an attack as possible, BNY Mellon also engaged RedWolf, a company that specializes in real-world DDoS testing using a set of diverse attack techniques, including Layer 3/4 volumetric attacks, as well as more sophisticated Layer 7 attacks using HULK (HTTP Unbearable Load King) and other techniques. 

The first step was to establish a baseline for the approximate volume of traffic that would need to be put into the front end before the new mitigation strategy would be activated.

The actual testing took a couple of days and employed a trio of very aggressive attempts to breach the infrastructure:

  • An HTTP GET test to demonstrate we could counter attacks where a site is inundated with traffic designed to take it down
  • A HULK test (enhanced by RedWolf with techniques such as obfuscating the source client, forging HTTP referral headers and URL transformation) to show whether the security architecture could hold out against a range of more sophisticated assaults designed to sneak in past defenses to go about their nasty business.
  • A WAF Overload test to see if AWS’ new Web Application Firewall technology could be specifically overwhelmed by exploits and attacks.

The Numbers

  • 200 concurrent attack vectors were launched to test what the most advanced adversaries are capable of carrying out.
  • At its peak, 100 million requests a minute and over 1 million requests a second were sent to servers, with no impact to the end user experience.
  • The system was able to recognize legitimate traffic so real users still experienced perfectly good response times, free of timeouts.
  • Nearly 50 million requests a minute were filtered out, while 20 million requests from legitimate traffic sources were permitted through with no backlogs.

Some of the Tactics Employed:

  • Used Amazon CloudFront log analysis to blacklist IP addresses that were originating disproportionately high levels of traffic.
  • Built rule set within AWS WAF to detect SQL injection attacks and cross-site scripting attacks (XSS).
  • Discarded large URLS and URIs.

The results

Crownpeak successfully demonstrated and validated that the BNY Mellon websites (hosted on Crownpeak) are capable of intercepting a catastrophic DDoS threat without any negative impact on the infrastructure or user experience.

As a result, Crownpeak is proud to now offer “Advanced Web Hosting”, a cyber defense product that offers protection against both Layer 3/4 and Layer 7 attacks, the most malicious DDoS threat, and which provides collective defense for all Advanced Web Hosting subscribers by pooling threat analysis and response tactics.  


The outcome of the Crownpeak BNY Mellon DDoS test was so well-received, this case study was presented in greater detail at AWS re:Invent 2016 and is available for viewing.