Botnet Attack Anatomy: 4,507 Requests from 20 Countries
In December 2024, AnnuityAxis's production servers experienced a coordinated botnet vulnerability scan — 4,507 malicious requests from 20 countries across 3 hours. This is a detailed technical breakdown of what happened, what it cost, and how we defended against it.
What Is a Botnet Attack?
A botnet is a network of compromised computers ("bots") controlled by an attacker. Botnet operators rent access to these networks to launch coordinated attacks against websites, looking for security vulnerabilities like outdated PHP files, WordPress admin panels, SQL injection points, and file upload exploits.
The Attack Pattern
The attack targeted common vulnerability paths: WordPress admin URLs, PHP scripts, database admin tools, file upload endpoints, and known CVEs in popular web software. The requests came from cloud infrastructure across multiple countries, making simple IP blocking ineffective.
Defense Strategies
Effective defenses include blocking requests for file types the site does not serve (PHP, ASP, CGI), rate limiting by IP and user agent, blocking known malicious cloud IP ranges while preserving access for legitimate crawlers, and automated detection that blocks an IP once it exceeds a threshold of malicious requests.
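The threshold-based automatic blocking described above, as an added example that is not code from the original post: it runs over constructed access-log lines, counts requests for file types the site never serves and for admin-panel paths as probes, flags an IP once it reaches the threshold inside a sliding window, and exempts crawler addresses that were verified out of band. The probe list, paths, addresses and threshold are assumptions for a hypothetical site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format line: client IP, timestamp, request line, status, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Hypothetical site that serves no dynamic-script files: a request for any of
# these extensions or admin-panel prefixes can only be a vulnerability probe.
PROBE_EXTENSIONS = (".php", ".asp", ".aspx", ".cgi")
PROBE_PREFIXES = ("/wp-admin", "/wp-login", "/phpmyadmin", "/cgi-bin")

def is_probe(path: str) -> bool:
    """True when the path (query string ignored) is one the site never serves."""
    bare = path.split("?", 1)[0].lower()
    return bare.endswith(PROBE_EXTENSIONS) or bare.startswith(PROBE_PREFIXES)

def ips_to_block(log_lines, threshold=3, window_seconds=300, exempt_ips=frozenset()):
    """IPs that sent >= `threshold` probe requests inside any `window_seconds` span.
    Lines are assumed chronological. `exempt_ips` are crawler addresses verified out
    of band (e.g. reverse DNS); a spoofable user agent string alone earns no exemption."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of probe hits still inside the window
    blocked = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in exempt_ips or not is_probe(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # slide the window forward, dropping old hits
            hits.popleft()
        if len(hits) >= threshold:
            blocked.add(m["ip"])
    return blocked

# Constructed sample traffic using RFC 5737 test addresses, not the incident's real log.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Dec/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2024:10:00:02 +0000] "GET /products HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [14/Dec/2024:10:00:03 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [14/Dec/2024:10:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '203.0.113.10 - - [14/Dec/2024:10:00:05 +0000] "GET /upload.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2024:10:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]
print(sorted(ips_to_block(SAMPLE_LOG)))  # ['203.0.113.10']
```

Only the address that sent three probes within the window is flagged; a single stray hit on a probe path from an otherwise normal client is not enough, which keeps false positives down.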
Lessons for Fintech Platforms
Fintech platforms are attractive targets because they may handle financial data. Even platforms with no user-side vulnerabilities face constant probing. Defense in depth, aggressive bot blocking, and monitoring are essential for any financial technology platform.