Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

1/11/2013
06:50 PM
50%
50%

Monitoring Bank DDoS Attacks Tough Task For Third Parties

While data is not readily available on the attacks hitting financial institutions, defenders dealing with the incidents say that the attacks are effective and costly

The distributed denial-of-service attacks hitting financial institutions continue to concern many security experts, but looking for evidence of the attacks serves up a meager helping of data points that belies the seriousness of the problem, say infrastructure and security experts.

Website monitoring firm Netcraft, for example, has documented downtime at major banks lasting hours during the past few weeks, but no crippling outages. Internet monitoring provider Renesys has also seen few signs of the attacks. Perhaps the most convincing data comes from Web-outage complaint portal Sitedown.co, which has collected hundreds of bank-outage reports in the past month. Yet there is no way to confirm the reports are true.

While the lack of external evidence has led some commentators to downplay the attacks, the problem is that the organizations that have the most data are not talking about the issues publicly, says Earl Zmijewski, vice president and general manager at Renesys.

"The people who know definitely are the banks, ... and Internet service providers will certainly know when things are not good," he says. "Otherwise, it is very hard unless you are doing very specific monitoring all the way down to the application level ... to the point of being viewed as a nuisance."

Despite last year's vigorous debate on the merits of information-sharing, very little information about the attacks is being passed to the public. The financial institutions are silent on the outages, except when customers are dramatically impacted, and then e-mail alerts are sent out to customers. And Internet-service providers will generally not discuss specific attacks.

Much of the information on the attacks is a mixture of classified and nonclassified data, says Bryan Sartin, director of Verizon's RISK team. Moreover, clients are worried that, if they speak up, they will become more intensely targeted. Verizon, which handles a large portion of Internet traffic, agreed to an extensive, but general, discussion of the attacks, but only about operations that had been made public.

"Internet-service providers, we are the battleground where these things take place," Sartin says. "There are a lot of facts and a lot of detail and a lot of perspective that, of course, we have, having such a significant percentage of the day's IP traffic, but speaking to those in any specifics -- I'm sorry, I can't."

In September, massive floods of data began hitting the online systems of major U.S. financial institutions following a statement calling for denial-of-service attacks. The statement -- made by a self-styled hacktivist group the Cyber Fighters of Izz ad-din Al Qassam -- called for volunteers to continue the attacks until a video that offended many Muslims was taken down. Yet the real attack did not come from the home systems of cyberprotesters, but from hundreds, or perhaps thousands, of content-management systems that had been compromised to form botnets.

Earlier this week, content-delivery network Incapsula detailed its analysis of a compromised server, finding an encoded PHP script designed to take part in an attack and consume the compromised server's processing power and bandwidth to do so.

The attacks, so far, have come in three waves, each kicked off with a Pastebin announcement by the Al-Qassam Cyberfighters. The latest announcement, posted on Jan. 8, promised to keep the attacks going for more than a year. The attacks have had limited visible impact, causing some U.S. banks to become inaccessible for hours: Bank of America had availability issues on Dec. 28, Wells Fargo on Dec. 19 and 20, as well as Jan. 3, and HSBC on Jan. 4, according to Netcraft data.

Such outages, even if they appear minor, are indicators that something significant is going on, says Mike Prettejohn, director of Netcraft. "The best hosting companies are flawless, where one failed request a month might move you down in the list of top-10 hosting companies," he says. "A decent bank would not want to be worse than that."

[Distributed denial-of-service attacks get bigger and combine application-layer exploits, requiring defenders to be more agile. See Evolving DDoS Attacks Force Defenders To Adapt.]

In fact, the attacks are serious and problematic, says Carl Herberger, vice president of security solutions for application-delivery firm Radware. The company has helped banks mitigate the attacks, but confidentiality agreements prevent the firm from talking about specifics, he says.

The attacks typically ramp up quickly as the attackers determine what level and mix of malicious network traffic will hinder a bank's accessibility. The average attack lasts about 20 days, Herberger says.

While there are typically seven different vectors through which the attackers attempt to hobble banks' networks, three techniques are the most effective. The top of the list are encrypted GET floods, which overwhelm the hardware that decrypts secure sockets layer (SSL) data, he says.

"Very few professionals have been able to handle the volumetric encrypted traffic, so unless you have dealt with it before, you will not be prepared," Herberger says.

The second effective technique is the much-reported Brobot botnet, which uses the large-bandwidth capacity of compromised content management servers to send traffic floods of 30 Gbps or more, overwhelming key pieces of network hardware. Finally, recursive DNS attacks are able to overwhelm critical domain-name system resolution, making the servers hard to reach for consumers.

In one operation, the recipe of attacks is quite similar, but there have been changes between the three major campaigns, Herberger says.

"Our technology needs to get better," he says. "IP-limiting and rate-limiting filters are no longer enough."

Herberger and other security experts interviewed for this article had no evidence whether the attacks were sponsored by nation-states -- much less Iran -- but Herberger said that any link would not be technical but based on human intelligence and likely classified.

Dan Holden, director of the security engineering response team at network-protection firm Arbor, argues that security professionals should be concerned about the tenacity of the attackers. The length of the campaign, and the threats to continue the attacks for more than a year, suggest some level of investment, he says. Moreover, the analysis by Incapsula that suggests that a botnet-for-hire is being used in the attacks, further strengthens arguments that the attackers are being funded.

"Given the fact that they have already been able to do it for months, given the [Incapsula] story about the server in the U.K. ... the question is whether this is hacktivism, or is it something else," Holden says. "At this point, we don't know, but I would believe that these attacks are being funded at some level."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
1/18/2013 | 2:34:29 PM
re: Monitoring Bank DDoS Attacks Tough Task For Third Parties
Want to Reduce Application Security
Risk? Build more Secure Software! Over the years IGve seen a variety of
approaches to this problem and have helped many customers on their path toward
more secure applications and reduced risk. ItGs interesting that you can
categorize most approaches into these three areas: Find and Fix, Protect in
Place, Secure at the Source.

While each of these approaches
plays an essential role in reducing application risk, you can get the greatest
long term impact by securing applications at the source. In this approach you
are targeting the development process itself, in an attempt to fix the systemic
issues which are leading to vulnerabilities in the first place. Discovery and
detection then become a backstop to catch anything that slips through the
cracks of a properly designed and implemented system.-

To better understand what
I mean, hereGs a great article to read: http://blog.securityinnovation....
Hope you find it useful!
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
1/14/2013 | 10:45:59 PM
re: Monitoring Bank DDoS Attacks Tough Task For Third Parties
With banks and ISPs keeping the details hush-hush on these DDoS attacks, the true significance of these attacks really can't be widely understood.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Bryan Yurcan
50%
50%
Bryan Yurcan,
User Rank: Apprentice
1/14/2013 | 3:56:27 PM
re: Monitoring Bank DDoS Attacks Tough Task For Third Parties
Information sharing is definitely paramount to combating these ongoing attacks.-
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27254
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800. Authentication is not required to exploit this vulnerability. The specific flaw exists within the apply_save.cgi endpoint. This issue results from the use of hard-coded encrypti...
CVE-2021-27255
PUBLISHED: 2021-03-05
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the refresh_status.aspx endpoint. The issue results from a lack of...
CVE-2021-27256
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists wit...
CVE-2021-27257
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via...
CVE-2021-26705
PUBLISHED: 2021-03-05
An issue was discovered in SquareBox CatDV Server through 9.2. An attacker can invoke sensitive RMI methods such as getConnections without authentication, the results of which can be used to generate valid authentication tokens. These tokens can then be used to invoke administrative tasks within the...