06:30 PM

Bank DDoS Attacks Employ Web Servers As Weapons

Researchers at Incapsula discovered a scheme by attackers to use a website as a bot in a DDoS attack

The recent wave of distributed denial-of-service (DDoS) attacks against U.S. banks is yet another entry on the list of examples of DDoS being used as a tool for protest.

But the latest spate of attacks attributed to the hacker group Izz ad-Din al-Qassam used an increasingly popular tactic: turning a compromised Web server into a weapon.

"Web servers have become the weapon of choice for DDoS attacks," says Marc Gaffan, co-founder and vice president of new business and marketing at Incapsula. "They have significantly more computing and networking capacity than a home PC and can cause havoc when used to launch DDoS attacks. This is becoming more and more prevalent with cloud computing environments where spinning up new servers from hacked IT administrator accounts can be done in an instant."

This is more common in the hosting provider space than the enterprise space, notes Stephen Gates, security evangelist at Corero Network Security. This is likely due to the available computing power and bandwidth at the attackers' disposal when it comes to hosting providers, he says.

In the case of Izz ad-Din al-Qassam's campaign, Incapsula discovered that one of its customers had been compromised in an attempt to use them as a launch pad for attacks.

"This client, a small and seemingly harmless general interest UK website, was suddenly a focal point of a rapidly increasing number of security events," blogged Ronen Atias, senior security researcher at Incapsula. "The cause? Numerous requests with encoded PHP code payload."

"A closer look revealed that these intercepted requests were attempts to operate a backdoor and use the website as a bot - an unwilling foot soldier in a DDOS army," Atias continued. "The backdoor was instructed to launch HTTP and UDP flood attacks against several U.S. banks, including PNC, HSBC and Fifth Third Bank."

The backdoor was controlled using an API that leveraged the server’s PHP environment to inject dynamic attack code that allowed the attacker to adapt quickly to any changes in the website's security.
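A defender-side sketch of how the "requests with encoded PHP code payload" described above could be flagged in POST bodies. This is an added example, not Incapsula's detection logic. The article does not name the encoding, so base64 is assumed, and the token list, function names and sample requests are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote

# Tokens suggesting a decoded value is PHP source rather than form data.
# Assumed list for this example; tune it against your own traffic.
PHP_TOKENS = re.compile(
    rb"<\?php|\b(?:eval|assert|system|exec|passthru|shell_exec|fsockopen|"
    rb"curl_exec|base64_decode|set_time_limit)\s*\(", re.I)
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def decode_candidate(value):
    """Return decoded bytes if value looks like base64, else None."""
    value = value.strip().replace(" ", "+")  # an unescaped '+' arrives as a space
    if not B64_VALUE.match(value) or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def suspicious_params(body):
    """Names of form fields whose base64 value decodes to PHP-like code."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        decoded = decode_candidate(value)
        if decoded and PHP_TOKENS.search(decoded):
            hits.append(name)
    return hits


def b64(raw):
    return base64.b64encode(raw).decode()


# Constructed request bodies (not captured traffic): ordinary form data,
# an encoded PHP fragment, and an encoded binary upload that is not code.
SAMPLE_BODIES = [
    "user=alice&comment=hello+world",
    "cmd=" + quote(b64(b'set_time_limit(0); $fp = fsockopen("udp://192.0.2.10", 80);')),
    "avatar=" + quote(b64(b"\x89PNG not code, just binary-looking data 0000")),
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(suspicious_params(body), body[:40])
```

Only the second body is flagged; the encoded binary upload decodes cleanly but contains no PHP tokens, which is the false-positive case a plain "is it base64?" rule would trip on.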

Since the commands were blocked by Incapsula, the attack was mitigated before it started. While it is unclear how the Web server was initially compromised, an analysis after the fact showed the server had a particularly weak administration password: "admin."

"Using weak passwords is one the most common causes of websites being hacked," Gaffan explains. "The paradox is that while we are constantly being educated to strengthen our password in our personal lives -- email, bank account, and social media -- server administrators who think that their servers don't contain anything valuable are negligent in selecting their passwords."

"What they don't realize," he adds, "is that computing resources that have access to loads of bandwidth like Web servers can be used as fire power to launch attacks against other entities. So it's not just about what you have on your server worth stealing, it's also about what your server can be used for."

Tracing the attack backward, Incapsula researchers followed the trail back to a Turkish Web design company. According to Atias, the website was used as a botnet command-and-control for the attack. The site was most likely also compromised and being used to provide an additional buffer between the true target and the actual attacker, he speculates.

Increasingly, attackers are using blended approaches of network- and application-layer DDoS attacks to hit companies, Gates says. On the horizon are potential attacks that use mobile devices, though this approach has its limitations.

"Since most mobile devices have limited upload speeds, mobile devices, at least in the beginning, could be used primarily to launch the low and slow application-layer DDoS attacks instead of volumetric, flooding types of attacks in order to stay under the radar of wireless providers," he says.

"Organizations must have a DDoS defense plan in place as well as technology specifically built to combat these attacks," Gates adds. "Depending on an organization's budget, they may opt for one solution over another. Ideally a multipronged approach blending on-premise and ISP solutions is the most effective way to combat against this growing threat. If an organization only can use one technology, then on-premise is the way to go as it covers the broadest range of attacks, including traditional network-based attacks as well as today’s increasing application layer, low and slow attacks."

User Rank: Strategist
1/23/2013 | 11:14:37 PM
re: Bank DDoS Attacks Employ Web Servers As Weapons
The interesting type of DDoS are the low-and-slow type of attacks that exhaust server resources.

Kelly Jackson Higgins, Senior Editor
Dark Reading
User Rank: Apprentice
1/16/2013 | 11:17:13 AM
re: Bank DDoS Attacks Employ Web Servers As Weapons
The article uses the term webserver, when I believe they mean website.

While it might be a small point, it still needs clarification.
I felt it necessary to point this out as many of our customers ask why hackers want their website. This is one reason why. Thank you for bringing this to the attention of the public.