On May 3, 2026, and May 13, 2026, one of India’s leading public sector banks faced sophisticated, multi-vector distributed denial-of-service (DDoS) attacks designed to overwhelm both network bandwidth and perimeter infrastructure. Through extensive reconnaissance, the attackers identified a critical login endpoint used by multiple banking applications. A successful attack would have disrupted customer access, preventing users from logging in and using the applications.
At its peak, the May 3 attack reached 1.72 Tbps and nearly 23 million packets per second (Mpps) — enough traffic to saturate the bandwidth and compute resources of many perimeter defenses (Figure 1). It was the biggest DDoS attack in the bank’s history — until the one that struck on May 13. That second attack peaked at 1.78 Tbps and nearly 171 million packets per second (Figure 2).
Fig. 1: The multiwave attack on May 3, 2026, peaked at 1.72 Tbps
Fig. 2: The largest wave of the multiwave attack on May 13, 2026, peaked at 1.78 Tbps
Despite the massive scale and complexity of the campaigns, the attacks never reached the bank’s infrastructure, and the bank’s customers experienced no service disruption related to the attacks. Instead, Akamai neutralized the attacks at the network edge through a combination of always-on platform capacity, customized preconfigured protections, and deep operational collaboration between the bank and Akamai’s global Security Operations Command Center (SOCC).
According to the bank’s Chief Security Officer, “Akamai helped us seamlessly mitigate the largest DDoS attacks in our bank's history. Despite the sheer scale of the incidents, no malicious traffic reached our environment, and our customers experienced no disruption.”
The two incidents highlight a growing reality in cybersecurity: Resilience no longer depends on mitigation capacity alone. Organizations also need security partnerships that are capable of continuously adapting defenses to evolving threats before attacks occur.
The coordinated, globally distributed attacks
Both attacks targeted multiple services simultaneously and leveraged globally distributed infrastructure to maximize operational pressure. Moreover, the majority of malicious traffic concentrated in Akamai’s Brazil scrubbing centers, while the remaining traffic distributed across Akamai’s globally distributed cloud of scrubbing locations (Figures 3 and 4). For both attacks, nearly 29% of attack traffic originated outside the primary mitigation regions, reinforcing the highly distributed nature of the campaigns.
Fig. 3: Attack percentages across the top 10 Akamai scrubbing locations where traffic was observed during the May 3, 2026, attack
Fig. 4: Attack percentages across the top 10 Akamai scrubbing locations where traffic was observed during the May 13, 2026, attack
Rather than relying on a single flood vector, the attackers launched coordinated waves using multiple techniques and targets intended to exhaust both bandwidth and compute resources. The level of orchestration reflects how modern DDoS attacks continue to evolve: Attackers increasingly combine volumetric scale with rapid vector switching and distributed infrastructure to create operational complexity alongside traffic saturation.
The attack windows lasted only minutes. Attackers found no value in persisting the attack because Akamai mitigated the traffic almost instantaneously at the edge. Importantly, Akamai did not need to deploy or “spin up” additional mitigation infrastructure during the attacks. Existing platform capacity and pre-established controls customized for the bank’s needs absorbed and filtered the traffic immediately.
Mitigating with always-on protection and proactive fortification and posture management
Akamai Prolexic, a cloud-based DDoS mitigation service, handled the bulk of the DDoS mitigation effort, absorbing malicious traffic at scale across the Akamai network edge before it could impact the bank’s infrastructure. But platform scale alone did not determine the outcome.
The Akamai SOCC had worked closely with the bank to progressively strengthen its security posture over time. Key activities and preparation that proved critical during the attack included:
- Continuous analysis
- Traffic profiling
- Proactive fortification and posture management
Akamai SOCC security architects invested significant time:
- Understanding the bank’s normal traffic patterns
- Correlating activity across services
- Designing preconfigured DDoS protection policies tailored specifically to the bank’s environment
Akamai implemented these protections using the Prolexic Network Cloud Firewall and its proprietary DDoS mitigation profiles. The controls allowed Akamai to immediately identify and block malicious traffic without affecting legitimate users. The combination of automated platform protections and human-led operational expertise created a highly effective system-human defense model.
Out-of-the-box protections mitigated the majority of attack vectors automatically, while the Akamai SOCC monitored traffic behavior and refined protections to handle highly targeted or evolving vectors in real time. Equally important, Akamai observed no false positives while these protections operated during the attacks.
In other words, the controls blocked aggressively and accurately. That outcome reinforces the precision of the analysis and tuning performed in advance by the Akamai SOCC team.
“Through the expertise and close partnership of the Akamai SOCC, we’ve been able to withstand wave after wave of evolving cyberthreats without disrupting banking services. Their continuous consultation, proactive guidance, and always-on support have helped strengthen our resilience and given us confidence in our ability to handle even the largest attacks,” said the bank’s Chief Security Officer.
DNS security played a critical role
Beyond Prolexic mitigation, Akamai’s broader security stack contributed to the bank’s resilience during the incidents. Akamai Secure Internet Access supported the bank’s DNS security posture through continuous tuning and optimization designed to improve traffic visibility and classification accuracy.
That work helped the platform distinguish legitimate banking activity from malicious traffic during the attacks, enabling Akamai to block harmful requests while preserving uninterrupted access for customers. This layered approach matters because modern DDoS defense increasingly depends on visibility and precision across multiple control points — not simply raw mitigation capacity.
Why public sector and financial institutions remain prime targets
Financial institutions continue to rank among the most targeted sectors for DDoS attacks because availability directly impacts customer trust, operational continuity, and market confidence. Banks now support massive digital ecosystems spanning customer portals, APIs, mobile applications, payment infrastructure, and third-party integrations. Attackers understand that disrupting those services can create immediate operational and reputational consequences.
At the same time, attack tooling continues to mature rapidly. Adversaries can now leverage AI-driven botnets, distributed attack infrastructure, and increasingly automated attack coordination at relatively low cost. The result is more attacks capable of combining:
- Massive traffic volume
- Multi-vector attack coordination
- Distributed global infrastructure
- Rapid attack adaptation
- Persistent attack waves designed to exhaust defenders
The two attacks that targeted the bank in India perfectly illustrate how the above attack elements can quickly converge into a campaign capable of overwhelming traditional perimeter architectures.
As the web evolves from human-centric to agentic, and attackers use AI to automate vector switching, Akamai counters by shifting defense to the edge. Using real-time intelligence, Akamai stops machine-speed attacks before they reach the core cloud.
Continuous protection changes the outcome
One of the most important lessons from these attacks is that resilience begins long before the first malicious packet arrives. Organizations that rely on reactive mitigation models often struggle when attacks evolve rapidly or combine multiple vectors simultaneously. In contrast, continuous protection models allow defenders to establish tuned controls, validate traffic behavior, and refine mitigation strategies before an incident occurs.
That preparation shaped the outcome here. Despite facing the largest DDoS attacks in the bank’s history:
- No attack traffic reached the bank’s infrastructure
- No disruption affected banking services
- No false positives impacted legitimate users
The combination of Akamai’s platform capacity, always-on Prolexic protections, proactively tuned ACLs, and continuous collaboration with the Akamai SOCC enabled the bank to maintain uninterrupted service throughout the attacks.
Resilience at the speed of modern attacks
Modern DDoS attacks continue to increase in scale, coordination, and sophistication. Organizations can no longer assume that attacks will arrive as isolated volumetric floods or follow predictable patterns. Instead, they must prepare for campaigns that simultaneously test infrastructure capacity, operational coordination, and defensive adaptability.
These incidents demonstrate what modern cyber resilience looks like in practice: mitigation at planetary scale paired with continuous protection, proactive tuning, and experienced operational collaboration. In a threat landscape defined by speed and complexity, that combination increasingly determines whether organizations experience disruption or continuity.
Learn more
Connect with Akamai’s security experts to assess your risk, respond to active threats, and deploy the world’s most powerful edge defense.
Tags
