Analytics // Security Monitoring
1/11/2013
06:50 PM
Connect Directly
RSS
E-Mail
50%
50%

Monitoring Bank DDoS Attacks Tough Task For Third Parties

While data is not readily available on the attacks hitting financial institutions, defenders dealing with the incidents say that the attacks are effective and costly

The distributed denial-of-service attacks hitting financial institutions continue to concern many security experts, but looking for evidence of the attacks serves up a meager helping of data points that belies the seriousness of the problem, say infrastructure and security experts.

Website monitoring firm Netcraft, for example, has documented downtime at major banks lasting hours during the past few weeks, but no crippling outages. Internet monitoring provider Renesys has also seen few signs of the attacks. Perhaps the most convincing data comes from Web-outage complaint portal Sitedown.co, which has collected hundreds of bank-outage reports in the past month. Yet there is no way to confirm the reports are true.

While the lack of external evidence has led some commentators to downplay the attacks, the problem is that the organizations that have the most data are not talking about the issues publicly, says Earl Zmijewski, vice president and general manager at Renesys.

"The people who know definitely are the banks, ... and Internet service providers will certainly know when things are not good," he says. "Otherwise, it is very hard unless you are doing very specific monitoring all the way down to the application level ... to the point of being viewed as a nuisance."

Despite last year's vigorous debate on the merits of information-sharing, very little information about the attacks is being passed to the public. The financial institutions are silent on the outages, except when customers are dramatically impacted, and then e-mail alerts are sent out to customers. And Internet-service providers will generally not discuss specific attacks.

Much of the information on the attacks is a mixture of classified and nonclassified data, says Bryan Sartin, director of Verizon's RISK team. Moreover, clients are worried that, if they speak up, they will become more intensely targeted. Verizon, which handles a large portion of Internet traffic, agreed to an extensive, but general, discussion of the attacks, but only about operations that had been made public.

"Internet-service providers, we are the battleground where these things take place," Sartin says. "There are a lot of facts and a lot of detail and a lot of perspective that, of course, we have, having such a significant percentage of the day's IP traffic, but speaking to those in any specifics -- I'm sorry, I can't."

In September, massive floods of data began hitting the online systems of major U.S. financial institutions following a statement calling for denial-of-service attacks. The statement -- made by a self-styled hacktivist group the Cyber Fighters of Izz ad-din Al Qassam -- called for volunteers to continue the attacks until a video that offended many Muslims was taken down. Yet the real attack did not come from the home systems of cyberprotesters, but from hundreds, or perhaps thousands, of content-management systems that had been compromised to form botnets.

Earlier this week, content-delivery network Incapsula detailed its analysis of a compromised server, finding an encoded PHP script designed to take part in an attack and consume the compromised server's processing power and bandwidth to do so.

The attacks, so far, have come in three waves, each kicked off with a Pastebin announcement by the Al-Qassam Cyberfighters. The latest announcement, posted on Jan. 8, promised to keep the attacks going for more than a year. The attacks have had limited visible impact, causing some U.S. banks to become inaccessible for hours: Bank of America had availability issues on Dec. 28, Wells Fargo on Dec. 19 and 20, as well as Jan. 3, and HSBC on Jan. 4, according to Netcraft data.

Such outages, even if they appear minor, are indicators that something significant is going on, says Mike Prettejohn, director of Netcraft. "The best hosting companies are flawless, where one failed request a month might move you down in the list of top-10 hosting companies," he says. "A decent bank would not want to be worse than that."

[Distributed denial-of-service attacks get bigger and combine application-layer exploits, requiring defenders to be more agile. See Evolving DDoS Attacks Force Defenders To Adapt.]

In fact, the attacks are serious and problematic, says Carl Herberger, vice president of security solutions for application-delivery firm Radware. The company has helped banks mitigate the attacks, but confidentiality agreements prevent the firm from talking about specifics, he says.

The attacks typically ramp up quickly as the attackers determine what level and mix of malicious network traffic will hinder a bank's accessibility. The average attack lasts about 20 days, Herberger says.

While there are typically seven different vectors through which the attackers attempt to hobble banks' networks, three techniques are the most effective. The top of the list are encrypted GET floods, which overwhelm the hardware that decrypts secure sockets layer (SSL) data, he says.

"Very few professionals have been able to handle the volumetric encrypted traffic, so unless you have dealt with it before, you will not be prepared," Herberger says.

The second effective technique is the much-reported Brobot botnet, which uses the large-bandwidth capacity of compromised content management servers to send traffic floods of 30 Gbps or more, overwhelming key pieces of network hardware. Finally, recursive DNS attacks are able to overwhelm critical domain-name system resolution, making the servers hard to reach for consumers.

In one operation, the recipe of attacks is quite similar, but there have been changes between the three major campaigns, Herberger says.

"Our technology needs to get better," he says. "IP-limiting and rate-limiting filters are no longer enough."

Herberger and other security experts interviewed for this article had no evidence whether the attacks were sponsored by nation-states -- much less Iran -- but Herberger said that any link would not be technical but based on human intelligence and likely classified.

Dan Holden, director of the security engineering response team at network-protection firm Arbor, argues that security professionals should be concerned about the tenacity of the attackers. The length of the campaign, and the threats to continue the attacks for more than a year, suggest some level of investment, he says. Moreover, the analysis by Incapsula that suggests that a botnet-for-hire is being used in the attacks, further strengthens arguments that the attackers are being funded.

"Given the fact that they have already been able to do it for months, given the [Incapsula] story about the server in the U.K. ... the question is whether this is hacktivism, or is it something else," Holden says. "At this point, we don't know, but I would believe that these attacks are being funded at some level."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
1/18/2013 | 2:34:29 PM
re: Monitoring Bank DDoS Attacks Tough Task For Third Parties
Want to Reduce Application Security
Risk? Build more Secure Software! Over the years IGÇÖve seen a variety of
approaches to this problem and have helped many customers on their path toward
more secure applications and reduced risk. ItGÇÖs interesting that you can
categorize most approaches into these three areas: Find and Fix, Protect in
Place, Secure at the Source.

While each of these approaches
plays an essential role in reducing application risk, you can get the greatest
long term impact by securing applications at the source. In this approach you
are targeting the development process itself, in an attempt to fix the systemic
issues which are leading to vulnerabilities in the first place. Discovery and
detection then become a backstop to catch anything that slips through the
cracks of a properly designed and implemented system.-á

To better understand what
I mean, hereGÇÖs a great article to read: http://blog.securityinnovation....
Hope you find it useful!
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
1/14/2013 | 10:45:59 PM
re: Monitoring Bank DDoS Attacks Tough Task For Third Parties
With banks and ISPs keeping the details hush-hush on these DDoS attacks, the true significance of these attacks really can't be widely understood.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Bryan Yurcan
50%
50%
Bryan Yurcan,
User Rank: Apprentice
1/14/2013 | 3:56:27 PM
re: Monitoring Bank DDoS Attacks Tough Task For Third Parties
Information sharing is definitely paramount to combating these ongoing attacks.-á
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

CVE-2014-0897
Published: 2014-08-29
The Configuration Patterns component in IBM Flex System Manager (FSM) 1.2.0.x, 1.2.1.x, 1.3.0.x, and 1.3.1.x uses a weak algorithm in an encryption step during Chassis Management Module (CMM) account creation, which makes it easier for remote authenticated users to defeat cryptographic protection me...

CVE-2014-3024
Published: 2014-08-29
Cross-site request forgery (CSRF) vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.12 and 7.5 through 7.5.0.6 and Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk allows remote authenticated users to hijack the authentication of arbitr...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.