4/4/2013 03:32 PM
Laws Can't Save Banks From DDoS Attacks

A threat information-sharing bill wouldn't do much to help banks defend themselves against distributed denial of services (DDoS) attacks.

The co-author of the Cyber Intelligence Sharing and Protection Act (CISPA) ought to know better.

Rep. Mike Rogers (R-Mich.), who is also chairman of the House Intelligence Committee, told NBC News on Wednesday that the Operation Ababil bank disruption campaign run by al-Qassam Cyber Fighters could be stopped, if only private businesses had unfettered access to top-flight U.S. government threat intelligence. Currently the federal government is "trying to share cyber threat information with these banks to help them get ahead of these attacks," Rogers said. "Unfortunately, a series of policy and legal barriers is impeding that cooperation, as well as slowing down cooperation within the private sector and making it less effective."

The problem with that reasoning is that the bank disruptions -- often publicized in advance by the attackers -- overwhelm targeted networks through sheer volume of packets. They don't rely on stealthy or previously unknown techniques that banks could only spot with better attack data.


Said Rico Valdez, a senior threat researcher at Bit9: "Threat intelligence ... for more targeted attacks -- where adversaries are trying to penetrate your systems, get in, steal data, intelligence -- can be very, very useful. But in the world of DDoS attacks, there's just not a ton that can be done there."

Valdez continued: "Some intelligence can help you -- it's good to know the attack techniques being used, that might help you put in place better mitigation technologies. But most of the [DDoS] attacks these days are sheer packets-per-second attacks, designed to overwhelm your infrastructure so that you can't service any requests. In that type of scenario, with threat intelligence, it's ... not going to effectively help your mitigations."

A spokeswoman for Rep. Rogers, contacted by phone and email, didn't immediately respond to our requests for comment. But in Rogers' comments to NBC, the Congressman also suggested that banks simply can't blunt the full fury of a nation state's DDoS disruption campaign. "These banks are among the best in the country when it comes to cyber security, but even they are having trouble keeping up with attacks that have the sophistication and the level of resources that a nation-state entity like Iran can devote to them," he said.

In fact, multiple security experts I've spoken with contend that banks are combating the DDoS attacks quite well via layered defenses, DDoS scrubbing services from third-party providers, and dedicated DDoS mitigation defenses running on premises or in the cloud. In some cases, banks can also use content delivery networks that spread instances of their sites across different geographical regions, helping minimize the effects of a DDoS-generated disruption in any one of those areas.

As a result, bank officials say that even in the face of massive DDoS attacks, their websites are for the most part remaining online, or going offline just briefly. Still, during the DDoS disruptions more customers than normal might not be able to reach their websites, perhaps as a side effect of scrubbing or other DDoS defenses that might be temporarily blocking their PC, network segment or geographic region. "Typically what customers see [from DDoS attacks] is slow responses ... especially with these banking sites," said Bit9's Valdez. "So it's not like [attackers] are taking down the servers. The servers are still there, they're running, they're happy. But they're effectively preventing them from responding to legitimate requests, because they're just eating up all their cycles."

That's just a DDoS attack fact of life. "Everyone is vulnerable, to some extent," he said. "The reality is you've got a pipe attached to your system, and there's only so much that can go through that pipe, and when attackers are filling it up with junk, you can't get the rest through." Scrubbing services can route the traffic down an even bigger pipe and let only the good stuff through, but that approach requires large pipes -- typically operated by service providers -- and isn't foolproof.

"There is always the possibility with anything like that, when you're getting into a blocking or scrubbing type of mode for that technology, to occasionally cause disruption to legitimate service," said Chris Novak, managing principal of the RISK Team for Verizon Enterprise Solutions. "However ... talking to entities in financial services and others, we haven't received feedback that it's affected in any meaningful way the organizations we're working with."

That isn't to say that threat intelligence might not help banks defend themselves better against some types of attacks. "In my view it is the peer-to-peer sharing that is most helpful here," said Doug Johnson, VP of risk management policy for the American Bankers Association, an industry trade group, by email. "We on the private side are the recipients of and actively share the threat signatures. Our ability to get the ISPs to act on those signatures by shutting down sites would be enhanced with the greater liability protections within CISPA."


In other words, banks still see room to improve threat mitigation, and some type of cyber-threat intelligence legislation or White House voluntary executive order might help them take the gloves off, at least for some types of attacks. The CISPA legislation that Rep. Rogers co-authored passed in the U.S. House of Representatives last year but then died in the Senate amid strong opposition from privacy rights groups and the Obama Administration. Rogers reintroduced it earlier this year.

But given the technical limits to which DDoS attacks can be mitigated, U.S. banks are arguably defending themselves to the best extent possible, and no Congressionally delivered intelligence would improve on those efforts.


Comments
Tony_Gam, User Rank: Apprentice
4/17/2013 | 4:21:20 PM
re: Laws Can't Save Banks From DDoS Attacks
I didn't see too many folks howling that the sheer volume of traffic was taking them down (a la the recent open DNS mess); rather, it was the SSL terminators that were burdened with handshakes, and the web apps receiving gobs of garbage logins/searches, that ruined everyone's day. I'm totally open to the idea that I may be wrong, or that my position in the layered architecture prevented me from seeing the relevant border router data, but as a web session intelligence guy, I just haven't seen the clogged pipe assertion supported by the data.

I do disagree with the idea that there's not much you can do to thwart a HULK-style DDoS attack. If we'd given banks the generic heads up that they should take steps to detect and temporarily deflect requests from IPs that (1) made 10 or more requests per second, (2) changed their UA string in at least 60% of those requests and (3) focused 80% or more of those requests on a single resource, we could have taken a serious bite out of this thing. The "zero day" for HULK was back in March - I'm not saying government is necessarily the right choice for an intel clearinghouse, but if we'd collectively taken steps to inoculate last Spring, things would have turned out differently.
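The three-part heuristic Tony_Gam describes, as an added detection example run over constructed sample log lines; this is not code from the commenter or from Dark Reading, and the combined log format, the thresholds as defaults, and the helper names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined log format; groups: source IP, timestamp, request path, User-Agent.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, path-without-query, user_agent), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, ua = m.groups()
    return ip, ts, path.split("?", 1)[0], ua   # HULK-style noise lives in the query string

def flag_sources(lines, min_rps=10, ua_change_ratio=0.6, single_path_ratio=0.8):
    """Map each source IP to the first one-second window in which it met all three rules:
    >= min_rps requests, User-Agent changed (vs. the previous request) on >= ua_change_ratio
    of them, and >= single_path_ratio of them aimed at one path."""
    window = defaultdict(list)            # (ip, second) -> [(path, ua)] in arrival order
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, path, ua = rec
            window[(ip, ts)].append((path, ua))
    flagged = {}
    for (ip, ts), reqs in sorted(window.items()):
        n = len(reqs)
        if n < min_rps or ip in flagged:
            continue
        ua_changes = sum(reqs[i][1] != reqs[i - 1][1] for i in range(1, n))
        top_path_hits = Counter(p for p, _ in reqs).most_common(1)[0][1]
        if ua_changes / n >= ua_change_ratio and top_path_hits / n >= single_path_ratio:
            flagged[ip] = ts
    return flagged

# Constructed sample traffic (not real logs): 203.0.113.5 behaves like a HULK-style flooder,
# 192.0.2.9 is a browser fetching a page's assets quickly, 198.51.100.7 is an ordinary user.
UAS = ["Mozilla/5.0 (Windows NT 6.1)", "Mozilla/5.0 (X11; Linux)",
       "Opera/9.80 (Macintosh)", "Mozilla/4.0 (compatible; MSIE 8.0)"]

def _line(ip, sec, path, ua):
    return f'{ip} - - [17/Apr/2013:16:21:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = (
    [_line("203.0.113.5", 0, f"/login?{i}={i * 7}", UAS[i % 4]) for i in range(12)]
    + [_line("192.0.2.9", 0, f"/static/asset{i}.js", UAS[0]) for i in range(12)]
    + [_line("198.51.100.7", 1, p, UAS[1]) for p in ("/", "/login", "/account")]
)

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))   # {'203.0.113.5': '17/Apr/2013:16:21:00 +0000'}
```

Only the source that satisfies all three rules at once is flagged; the fast-but-legitimate asset fetcher fails the User-Agent and single-path tests and is left alone.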
dennisearlbaker, User Rank: Apprentice
4/5/2013 | 8:37:08 PM
re: Laws Can't Save Banks From DDoS Attacks
I'm still waiting for the citizens to be protected from the corruption of the banks, and that's the priority.