How Akamai Defended an Indian Bank Against Record-Breaking DDoS Attacks
In May 2026, a major Indian public sector bank was targeted by sophisticated, multi-vector DDoS attacks peaking at 1.78 Tbps and 171 Mpps. The attackers aimed to overwhelm network bandwidth and compute resources by targeting a critical login endpoint using globally distributed infrastructure. The attacks were successfully mitigated at the edge using preconfigured protections and continuous traffic profiling, resulting in no service disruption.
What Happened
In May 2026, a major Indian bank was hit by massive cyberattacks designed to knock its online services offline. The attackers sent a record-breaking amount of junk internet traffic to overwhelm the bank's login systems. Because the bank used specialized cloud defense services, the malicious traffic was blocked before it could reach the bank's actual network. As a result, customers were able to log in and use their banking apps without any interruptions. Organizations should ensure they have robust, always-on protections in place to handle large-scale disruptions.
Key Takeaways
- An Indian public sector bank faced record-breaking multi-vector DDoS attacks peaking at 1.78 Tbps and 171 Mpps in May 2026.
- The attacks specifically targeted a critical login endpoint used by multiple banking applications to maximize disruption.
- Attackers utilized globally distributed infrastructure, with a significant portion of the malicious traffic originating from Brazil.
- The attacks were successfully mitigated at the network edge with zero downtime or false positives using proactive, always-on cloud defenses.
Affected Systems
- Critical login endpoints
- Network perimeter infrastructure
- Banking applications
Attack Chain
Attackers conducted extensive reconnaissance to identify a critical login endpoint used by multiple banking applications. They then launched coordinated, multi-vector DDoS waves using globally distributed infrastructure to exhaust bandwidth and compute resources. The attacks peaked at 1.78 Tbps and 171 Mpps, rapidly switching vectors to create operational complexity. The malicious traffic was absorbed and filtered at the network edge by cloud-based DDoS mitigation services before reaching the target infrastructure.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article discusses high-level DDoS mitigation strategies and traffic profiling but does not provide specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: None. DDoS attacks target network infrastructure and bandwidth, which lie outside the scope of endpoint detection and response tools.
- Network Visibility: High. Volumetric and protocol-level DDoS attacks are highly visible at the network edge through flow logs, bandwidth monitoring, and WAF/DDoS protection telemetry.
- Detection Difficulty: Easy. The sheer volume of traffic (Tbps/Mpps) makes the attack highly anomalous and easy to detect; the primary challenge is mitigation rather than detection.
Required Log Sources
- NetFlow/sFlow logs
- WAF logs
- DNS query logs
- Edge router telemetry
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for sudden, massive spikes in inbound traffic volume or packet rates targeting specific authentication or login endpoints. | WAF logs, NetFlow | Impact | Low |
Control Gaps
- Lack of edge-based DDoS scrubbing
- Insufficient bandwidth capacity to absorb Tbps-scale attacks
Key Behavioral Indicators
- Unprecedented spikes in bandwidth utilization (Tbps)
- Massive increases in packets per second (Mpps)
- High concentration of traffic from unexpected geographic regions
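As an added example covering both the hunting hypothesis above and the behavioral indicators just listed (not code from the Akamai write-up or from the bank), the Python below runs a baseline-and-spike check over constructed NetFlow-style per-minute summaries for a hypothetical login endpoint and, when a spike fires, reports the dominant source country if one region carries most of the packets. The endpoint name, thresholds, country codes and flow records are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (minute, dst_endpoint, src_country, bytes, packets).
# Minutes 0-4 are quiet baseline; minute 5 adds a large flood, mostly from one region.
FLOWS = [
    (0, "login.example-bank.test", "IN", 40_000_000, 50_000),
    (1, "login.example-bank.test", "IN", 42_000_000, 52_000),
    (2, "login.example-bank.test", "IN", 39_000_000, 48_000),
    (3, "login.example-bank.test", "IN", 41_000_000, 51_000),
    (4, "login.example-bank.test", "IN", 40_000_000, 49_000),
    (5, "login.example-bank.test", "IN", 41_000_000, 50_000),
    (5, "login.example-bank.test", "BR", 3_000_000_000, 4_000_000),
    (5, "login.example-bank.test", "US", 500_000_000, 700_000),
]


def per_minute(flows, endpoint):
    """Aggregate bytes, packets and per-country packet counts per minute for one endpoint."""
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0, "by_country": defaultdict(int)})
    for minute, dst, country, nbytes, pkts in flows:
        if dst != endpoint:
            continue
        buckets[minute]["bytes"] += nbytes
        buckets[minute]["packets"] += pkts
        buckets[minute]["by_country"][country] += pkts
    return dict(sorted(buckets.items()))


def find_spikes(flows, endpoint, baseline_minutes=5, z=4.0, geo_share=0.6):
    """Flag minutes whose bytes or packets exceed baseline mean + z * stdev.

    A floor of 5% of the mean stands in for stdev on very flat baselines so a
    tiny natural wobble cannot make the threshold trivially low (assumed tuning).
    """
    buckets = per_minute(flows, endpoint)
    minutes = list(buckets)
    alerts = []
    for i, m in enumerate(minutes):
        if i < baseline_minutes:
            continue  # not enough history yet
        base = [buckets[x] for x in minutes[i - baseline_minutes:i]]
        cur = buckets[m]
        for metric in ("bytes", "packets"):
            vals = [b[metric] for b in base]
            mu, sd = mean(vals), pstdev(vals)
            if cur[metric] > mu + z * max(sd, mu * 0.05):
                top, top_pkts = max(cur["by_country"].items(), key=lambda kv: kv[1])
                concentrated = top_pkts / cur["packets"] >= geo_share
                alerts.append({"minute": m, "metric": metric, "value": cur[metric],
                               "baseline_mean": mu, "top_country": top if concentrated else None})
    return alerts
```

Real deployments would feed this from exported flow records per minute and tune `z`, the baseline window and `geo_share` to the endpoint's normal traffic, rather than using the constructed values here.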
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Review and update DDoS mitigation playbooks to ensure rapid routing to scrubbing centers during volumetric attacks.
Infrastructure Hardening
- Evaluate whether your current DDoS mitigation provider can absorb multi-Tbps attacks.
- Consider implementing always-on DDoS protection for critical endpoints rather than relying solely on on-demand routing.
- Ensure DNS infrastructure is protected against volumetric and resource exhaustion attacks.
User Protection
- N/A
Security Awareness
- Educate leadership on the operational impact of multi-vector DDoS attacks and the necessity of edge-based mitigation investments.
MITRE ATT&CK Mapping
- T1498 - Network Denial of Service
- T1498.001 - Direct Network Flood
- T1499 - Endpoint Denial of Service