Monitoring Bank DDoS Attacks Tough Task For Third Parties
While data is not readily available on the attacks hitting financial institutions, defenders dealing with the incidents say that the attacks are effective and costly
The distributed denial-of-service attacks hitting financial institutions continue to concern many security experts, but looking for evidence of the attacks serves up a meager helping of data points that belies the seriousness of the problem, say infrastructure and security experts.
Website monitoring firm Netcraft, for example, has documented downtime at major banks lasting hours during the past few weeks, but no crippling outages. Internet monitoring provider Renesys has also seen few signs of the attacks. Perhaps the most convincing data comes from Web-outage complaint portal Sitedown.co, which has collected hundreds of bank-outage reports in the past month. Yet there is no way to confirm the reports are true.
More Security Insights
- Integration with Oracle Fusion Financials Cloud Service
- Cloud for Business Managers in Midsize Organisations: the Good, the Bad & the Ugly
- Client Windows Migration: Expert Tips for Application Readiness
- Deeper Network Security: Protection Tips Revealed
While the lack of external evidence has led some commentators to downplay the attacks, the problem is that the organizations that have the most data are not talking about the issues publicly, says Earl Zmijewski, vice president and general manager at Renesys.
"The people who know definitely are the banks, ... and Internet service providers will certainly know when things are not good," he says. "Otherwise, it is very hard unless you are doing very specific monitoring all the way down to the application level ... to the point of being viewed as a nuisance."
Despite last year's vigorous debate on the merits of information-sharing, very little information about the attacks is being passed to the public. The financial institutions are silent on the outages, except when customers are dramatically impacted, and then e-mail alerts are sent out to customers. And Internet-service providers will generally not discuss specific attacks.
Much of the information on the attacks is a mixture of classified and nonclassified data, says Bryan Sartin, director of Verizon's RISK team. Moreover, clients are worried that, if they speak up, they will become more intensely targeted. Verizon, which handles a large portion of Internet traffic, agreed to an extensive, but general, discussion of the attacks, but only about operations that had been made public.
"Internet-service providers, we are the battleground where these things take place," Sartin says. "There are a lot of facts and a lot of detail and a lot of perspective that, of course, we have, having such a significant percentage of the day's IP traffic, but speaking to those in any specifics -- I'm sorry, I can't."
In September, massive floods of data began hitting the online systems of major U.S. financial institutions following a statement calling for denial-of-service attacks. The statement -- made by a self-styled hacktivist group the Cyber Fighters of Izz ad-din Al Qassam -- called for volunteers to continue the attacks until a video that offended many Muslims was taken down. Yet the real attack did not come from the home systems of cyberprotesters, but from hundreds, or perhaps thousands, of content-management systems that had been compromised to form botnets.
Earlier this week, content-delivery network Incapsula detailed its analysis of a compromised server, finding an encoded PHP script designed to take part in an attack and consume the compromised server's processing power and bandwidth to do so.
The attacks, so far, have come in three waves, each kicked off with a Pastebin announcement by the Al-Qassam Cyberfighters. The latest announcement, posted on Jan. 8, promised to keep the attacks going for more than a year. The attacks have had limited visible impact, causing some U.S. banks to become inaccessible for hours: Bank of America had availability issues on Dec. 28, Wells Fargo on Dec. 19 and 20, as well as Jan. 3, and HSBC on Jan. 4, according to Netcraft data.
Such outages, even if they appear minor, are indicators that something significant is going on, says Mike Prettejohn, director of Netcraft. "The best hosting companies are flawless, where one failed request a month might move you down in the list of top-10 hosting companies," he says. "A decent bank would not want to be worse than that."
[Distributed denial-of-service attacks get bigger and combine application-layer exploits, requiring defenders to be more agile. See Evolving DDoS Attacks Force Defenders To Adapt.]
In fact, the attacks are serious and problematic, says Carl Herberger, vice president of security solutions for application-delivery firm Radware. The company has helped banks mitigate the attacks, but confidentiality agreements prevent the firm from talking about specifics, he says.
The attacks typically ramp up quickly as the attackers determine what level and mix of malicious network traffic will hinder a bank's accessibility. The average attack lasts about 20 days, Herberger says.
While there are typically seven different vectors through which the attackers attempt to hobble banks' networks, three techniques are the most effective. The top of the list are encrypted GET floods, which overwhelm the hardware that decrypts secure sockets layer (SSL) data, he says.
"Very few professionals have been able to handle the volumetric encrypted traffic, so unless you have dealt with it before, you will not be prepared," Herberger says.
The second effective technique is the much-reported Brobot botnet, which uses the large-bandwidth capacity of compromised content management servers to send traffic floods of 30 Gbps or more, overwhelming key pieces of network hardware. Finally, recursive DNS attacks are able to overwhelm critical domain-name system resolution, making the servers hard to reach for consumers.
In one operation, the recipe of attacks is quite similar, but there have been changes between the three major campaigns, Herberger says.
"Our technology needs to get better," he says. "IP-limiting and rate-limiting filters are no longer enough."
Herberger and other security experts interviewed for this article had no evidence whether the attacks were sponsored by nation-states -- much less Iran -- but Herberger said that any link would not be technical but based on human intelligence and likely classified.
Dan Holden, director of the security engineering response team at network-protection firm Arbor, argues that security professionals should be concerned about the tenacity of the attackers. The length of the campaign, and the threats to continue the attacks for more than a year, suggest some level of investment, he says. Moreover, the analysis by Incapsula that suggests that a botnet-for-hire is being used in the attacks, further strengthens arguments that the attackers are being funded.
"Given the fact that they have already been able to do it for months, given the [Incapsula] story about the server in the U.K. ... the question is whether this is hacktivism, or is it something else," Holden says. "At this point, we don't know, but I would believe that these attacks are being funded at some level."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.