Bank DDoS Attacks Employ Web Servers As Weapons

Researchers at Incapsula discovered a scheme by attackers to use a website as a bot in a DDoS attack

The recent wave of distributed denial-of-service (DDoS) attacks against U.S. banks is yet another entry on the list of examples of DDoS being used as a tool for protest.

But the latest spate of attacks attributed to the hacker group Izz ad-Din al-Qassam used an increasingly popular tactic: turning a compromised Web server into a weapon.

"Web servers have become the weapon of choice for DDoS attacks," says Marc Gaffan, co-founder and vice president of new business and marketing at Incapsula. "They have significantly more computing and networking capacity than a home PC and can cause havoc when used to launch DDoS attacks. This is becoming more and more prevalent with cloud computing environments where spinning up new servers from hacked IT administrator accounts can be done in an instant."

This is more common in the hosting provider space than the enterprise space, notes Stephen Gates, security evangelist at Corero Network Security. This is likely due to the available computing power and bandwidth at the attackers' disposal when it comes to hosting providers, he says.

In the case of Izz ad-Din al-Qassam's campaign, Incapsula discovered that one of its customers had been compromised in an attempt to use it as a launch pad for attacks.

"This client, a small and seemingly harmless general interest UK website, was suddenly a focal point of a rapidly increasing number of security events," blogged Ronen Atias, senior security researcher at Incapsula. "The cause? Numerous requests with encoded PHP code payload."

"A closer look revealed that these intercepted requests were attempts to operate a backdoor and use the website as a bot - an unwilling foot soldier in a DDOS army," Atias continued. "The backdoor was instructed to launch HTTP and UDP flood attacks against several U.S. banks, including PNC, HSBC and Fifth Third Bank."

The backdoor was controlled using an API that leveraged the server’s PHP environment to inject dynamic attack code that allowed the attacker to adapt quickly to any changes in the website's security.
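A defender-side check for the kind of request Atias describes, as an added example that is not Incapsula's detection logic or code from the article: it peels base64 layers off form parameters and flags values that decode to PHP code. The article says only that the payload was "encoded"; base64, the token list, the parameter names and the sample bodies are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode

# Heuristic (assumption of this example): PHP open tags or calls that
# typically show up in injected code and rarely in ordinary form values.
PHP_TOKENS = re.compile(
    rb"<\?php|\b(?:eval|assert|system|exec|passthru|shell_exec|fsockopen|"
    rb"curl_exec|base64_decode|gzinflate|set_time_limit)\s*\(", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_layers(value, max_depth=3):
    """Yield the raw value, then each successive base64 decoding of it."""
    data = value.encode("utf-8", "replace")
    yield data
    for _ in range(max_depth):
        try:
            text = data.decode("ascii").strip()
            if not B64_RUN.fullmatch(text):
                return
            data = base64.b64decode(text, validate=True)
        except ValueError:  # non-ASCII bytes or invalid base64: stop peeling
            return
        yield data

def inspect_body(body):
    """Return [(parameter, matched token)] for a form-encoded request body."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for layer in decode_layers(value):
            match = PHP_TOKENS.search(layer)
            if match:
                findings.append((name, match.group(0).decode()))
                break
    return findings

# Constructed sample bodies; the "code" is an inert placeholder.
_INERT = b"set_time_limit(0); /* constructed sample, no attack logic */"
_B64 = base64.b64encode(_INERT).decode()
SAMPLES = {
    "encoded": urlencode({"cmd": _B64}),
    "double": urlencode({"d": base64.b64encode(_B64.encode()).decode()}),
    "form": urlencode({"name": "Alice", "comment": "Great article, thanks!"}),
    "image": urlencode({"avatar": base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(24)).decode()}),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, inspect_body(body))
```

A hit on a site that has no reason to accept code in request parameters is worth treating as a sign that a backdoor may already be installed, not only as a blocked probe.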

Since the commands were blocked by Incapsula, the attack was mitigated before it started. While it is unclear how the Web server was initially compromised, an analysis after the fact showed the server had a particularly weak administration password: "admin."

"Using weak passwords is one of the most common causes of websites being hacked," Gaffan explains. "The paradox is that while we are constantly being educated to strengthen our password in our personal lives -- email, bank account, and social media -- server administrators who think that their servers don't contain anything valuable are negligent in selecting their passwords."

"What they don't realize," he adds, "is that computing resources that have access to loads of bandwidth like Web servers can be used as fire power to launch attacks against other entities. So it's not just about what you have on your server worth stealing, it's also about what your server can be used for."

Tracing the attack backward, Incapsula researchers followed the trail back to a Turkish Web design company. According to Atias, the website was used as a botnet command-and-control for the attack. The site was most likely also compromised and being used to provide an additional buffer between the true target and the actual attacker, he speculates.

Increasingly, attackers are using blended approaches of network- and application-layer DDoS attacks to hit companies, Gates says. On the horizon are potential attacks that use mobile devices, though this approach has its limitations.

"Since most mobile devices have limited upload speeds, mobile devices, at least in the beginning, could be used primarily to launch the low and slow application-layer DDoS attacks instead of volumetric, flooding types of attacks in order to stay under the radar of wireless providers," he says.

"Organizations must have a DDoS defense plan in place as well as technology specifically built to combat these attacks," Gates adds. "Depending on an organization's budget, they may opt for one solution over another. Ideally a multipronged approach blending on-premise and ISP solutions is the most effective way to combat against this growing threat. If an organization only can use one technology, then on-premise is the way to go as it covers the broadest range of attacks, including traditional network-based attacks as well as today’s increasing application layer, low and slow attacks."

User Rank: Strategist
1/23/2013 | 11:14:37 PM
re: Bank DDoS Attacks Employ Web Servers As Weapons
The interesting type of DDoS are the low-and-slow type of attacks that exhaust server resources.

Kelly Jackson Higgins, Senior Editor
Dark Reading
User Rank: Apprentice
1/16/2013 | 11:17:13 AM
re: Bank DDoS Attacks Employ Web Servers As Weapons
The article uses the term webserver, when I believe they mean website.

While it might be a small point, it still needs clarification.
I felt it necessary to point this out as many of our customers ask why hackers want their website. This is one reason why. Thank you for bringing this to the attention of the public.