4/4/2013
03:32 PM

Laws Can't Save Banks From DDoS Attacks

A threat information-sharing bill wouldn't do much to help banks defend themselves against distributed denial of services (DDoS) attacks.

The co-author of the Cyber Intelligence Sharing and Protection Act (CISPA) ought to know better.

Rep. Mike Rogers (R-Mich.), who is also chairman of the House Intelligence Committee, told NBC News on Wednesday that the Operation Ababil bank disruption campaign run by al-Qassam Cyber Fighters could be stopped, if only private businesses had unfettered access to top-flight U.S. government threat intelligence. Currently the federal government is "trying to share cyber threat information with these banks to help them get ahead of these attacks," Rogers said. "Unfortunately, a series of policy and legal barriers is impeding that cooperation, as well as slowing down cooperation within the private sector and making it less effective."

The problem with that reasoning is that the bank disruptions -- often publicized in advance by attackers -- overwhelm targeted networks through sheer quantities of packets. They don't employ attacks of a stealthy or unknown nature that banks might have difficulty spotting if only they had access to better attack data.

[ Downtime for bank websites has doubled, an all-time high, says website monitor. Read Banks Hit Downtime Milestone In DDoS Attacks. ]

Said Rico Valdez, a senior threat researcher at Bit9: "Threat intelligence ... for more targeted attacks -- where adversaries are trying to penetrate your systems, get in, steal data, intelligence -- can be very, very useful. But in the world of DDoS attacks, there's just not a ton that can be done there."

Valdez continued: "Some intelligence can help you -- it's good to know the attack techniques being used, that might help you put in place better mitigation technologies. But most of the [DDoS] attacks these days are sheer packets-per-second attacks, designed to overwhelm your infrastructure so that you can't service any requests. In that type of scenario, with threat intelligence, it's ... not going to effectively help your mitigations."

A spokeswoman for Rep. Rogers, contacted by phone and email, didn't immediately respond to our requests for comment. But in Rogers' comments to NBC, the Congressman also suggested that banks simply can't blunt the full fury of a nation state's DDoS disruption campaign. "These banks are among the best in the country when it comes to cyber security, but even they are having trouble keeping up with attacks that have the sophistication and the level of resources that a nation-state entity like Iran can devote to them," he said.

In fact, multiple security experts I've spoken with contend that banks are combating the DDoS attacks quite well via layered defenses, DDoS scrubbing services from third-party providers, and dedicated DDoS mitigation defenses running on premises or in the cloud. In some cases, banks can also use content delivery networks that spread instances of their sites across different geographical regions, helping minimize the effects of a DDoS-generated disruption in any one of those areas.

As a result, bank officials say that even in the face of massive DDoS attacks, their websites are for the most part remaining online, or going offline just briefly. Still, during the DDoS disruptions more customers than normal might not be able to reach their websites, perhaps as a side effect of scrubbing or other DDoS defenses that might be temporarily blocking their PC, network segment or geographic region. "Typically what customers see [from DDoS attacks] is slow responses ... especially with these banking sites," said Bit9's Valdez. "So it's not like [attackers] are taking down the servers. The servers are still there, they're running, they're happy. But they're effectively preventing them from responding to legitimate requests, because they're just eating up all their cycles."

That's just a DDoS attack fact of life. "Everyone is vulnerable, to some extent," he said. "The reality is you've got a pipe attached to your system, and there's only so much that can go through that pipe, and when attackers are filling it up with junk, you can't get the rest through." Scrubbing services can route the traffic down an even bigger pipe and let only the good stuff through, but that approach requires large pipes -- typically operated by service providers -- and isn't foolproof.

"There is always the possibility with anything like that, when you're getting into a blocking or scrubbing type of mode for that technology, to occasionally cause disruption to legitimate service," said Chris Novak, managing principal of the RISK Team for Verizon Enterprise Solutions. "However ... talking to entities in financial services and others, we haven't received feedback that it's affected in any meaningful way the organizations we're working with."

That isn't to say that threat intelligence might not help banks defend themselves better against some types of attacks. "In my view it is the peer-to-peer sharing that is most helpful here," said Doug Johnson, VP of risk management policy for the American Bankers Association, an industry trade group, by email. "We on the private side are the recipients of and actively share the threat signatures. Our ability to get the ISPs to act on those signatures by shutting down sites would be enhanced with the greater liability protections within CISPA."


In other words, banks still see room to improve threat mitigation, and some type of cyber-threat intelligence legislation or White House voluntary executive order might help them take the gloves off, at least for some types of attacks. The CISPA legislation that Rep. Rogers co-authored passed in the U.S. House of Representatives last year but then died in the Senate amid strong opposition from privacy rights groups and the Obama Administration. Rogers reintroduced it earlier this year.

But given the technical limits to which DDoS attacks can be mitigated, U.S. banks are arguably defending themselves to the best extent possible, and no Congressionally delivered intelligence would improve on those efforts.


Comments
Tony_Gam (User Rank: Apprentice), 4/17/2013 | 4:21:20 PM
re: Laws Can't Save Banks From DDoS Attacks
I didn't see too many folks howling that the sheer volume of traffic was taking them down (a la the recent open DNS mess); rather it was the SSL terminators that were burdened with handshakes, and the web apps receiving gobs of garbage logins/searches that ruined everyone's day. I'm totally open to the idea that I may be wrong, or that my position in the layered architecture prevented me from seeing the relevant border router data, but as a web session intelligence guy, I just haven't seen the clogged pipe assertion supported by the data.

I do disagree with the idea there's not much you can do to thwart a HULK-style DDoS attack. If we'd given banks the generic heads up that they should take steps to detect and temporarily deflect requests from IPs that (1) made 10 or more requests per second, (2) changed their UA string in at least 60% of those requests and (3) focused 80% or more of those requests on a single resource, we could have taken a serious bite out of this thing. The "zero day" for HULK was back in March. I'm not saying government is necessarily the right choice for an intel clearinghouse, but if we'd collectively taken steps to inoculate last Spring, things would have turned out differently.
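As an added example (not Tony_Gam's code or anything from the article), the three thresholds in the comment above applied to constructed access-log lines; the log format, the per-IP "UA changed since previous request" measure and the one-second peak-rate window are assumptions:

```python
from collections import Counter, defaultdict

# Constructed sample log lines (not from the article): "epoch_second ip path user_agent"
SAMPLE_LOG = [
    # 10.0.0.7: 12 requests in one second, rotating UA, all hitting /login
    *[f"1365200000 10.0.0.7 /login UA-{i % 4}" for i in range(12)],
    # 10.0.0.9: fast but stable client (same UA, varied paths) -> should not be flagged
    *[f"1365200000 10.0.0.9 /api/item/{i} Mozilla/5.0" for i in range(11)],
    # 192.0.2.5: ordinary browsing, one request per second
    "1365200000 192.0.2.5 /index Mozilla/5.0",
    "1365200001 192.0.2.5 /about Mozilla/5.0",
    "1365200002 192.0.2.5 /login Mozilla/5.0",
]

def parse(line):
    ts, ip, path, ua = line.split(" ", 3)  # UA may contain spaces, so split at most 3 times
    return int(ts), ip, path, ua

def per_ip_stats(lines):
    """Return {ip: (peak_rps, ua_change_fraction, top_resource_fraction)}."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, path, ua = parse(line)
        by_ip[ip].append((ts, path, ua))
    stats = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r[0])  # stable sort keeps log order within a second
        # (1) peak requests per second: largest one-second bucket for this IP
        peak_rps = max(Counter(ts for ts, _, _ in reqs).values())
        # (2) share of requests whose UA differs from this IP's previous request
        changes = sum(1 for a, b in zip(reqs, reqs[1:]) if a[2] != b[2])
        ua_change = changes / len(reqs) if len(reqs) > 1 else 0.0
        # (3) share of requests aimed at the single most requested resource
        top_share = Counter(p for _, p, _ in reqs).most_common(1)[0][1] / len(reqs)
        stats[ip] = (peak_rps, ua_change, top_share)
    return stats

def flag_hulk_like(lines, min_rps=10, min_ua_change=0.6, min_focus=0.8):
    """IPs meeting all three heuristics at once: candidates for temporary deflection."""
    return sorted(ip for ip, (rps, uac, focus) in per_ip_stats(lines).items()
                  if rps >= min_rps and uac >= min_ua_change and focus >= min_focus)

if __name__ == "__main__":
    for ip, s in per_ip_stats(SAMPLE_LOG).items():
        print(ip, "peak_rps=%d ua_change=%.2f focus=%.2f" % s)
    print("flagged:", flag_hulk_like(SAMPLE_LOG))
```

Requiring all three conditions is what keeps the fast-but-consistent client (10.0.0.9) off the deflection list; rate alone would catch it.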
dennisearlbaker (User Rank: Apprentice), 4/5/2013 | 8:37:08 PM
re: Laws Can't Save Banks From DDoS Attacks
I'm still waiting for the citizens to be protected from the corruption of the banks, and that's the priority.