Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

06:50 PM

Monitoring Bank DDoS Attacks Tough Task For Third Parties

While data is not readily available on the attacks hitting financial institutions, defenders dealing with the incidents say that the attacks are effective and costly

The distributed denial-of-service attacks hitting financial institutions continue to concern many security experts, but looking for evidence of the attacks serves up a meager helping of data points that belies the seriousness of the problem, say infrastructure and security experts.

Website monitoring firm Netcraft, for example, has documented downtime at major banks lasting hours during the past few weeks, but no crippling outages. Internet monitoring provider Renesys has also seen few signs of the attacks. Perhaps the most convincing data comes from Web-outage complaint portal Sitedown.co, which has collected hundreds of bank-outage reports in the past month. Yet there is no way to confirm the reports are true.

While the lack of external evidence has led some commentators to downplay the attacks, the problem is that the organizations that have the most data are not talking about the issues publicly, says Earl Zmijewski, vice president and general manager at Renesys.

"The people who know definitely are the banks, ... and Internet service providers will certainly know when things are not good," he says. "Otherwise, it is very hard unless you are doing very specific monitoring all the way down to the application level ... to the point of being viewed as a nuisance."

Despite last year's vigorous debate on the merits of information-sharing, very little information about the attacks is being passed to the public. The financial institutions are silent on the outages, except when customers are dramatically impacted, and then e-mail alerts are sent out to customers. And Internet-service providers will generally not discuss specific attacks.

Much of the information on the attacks is a mixture of classified and nonclassified data, says Bryan Sartin, director of Verizon's RISK team. Moreover, clients are worried that, if they speak up, they will become more intensely targeted. Verizon, which handles a large portion of Internet traffic, agreed to an extensive, but general, discussion of the attacks, but only about operations that had been made public.

"Internet-service providers, we are the battleground where these things take place," Sartin says. "There are a lot of facts and a lot of detail and a lot of perspective that, of course, we have, having such a significant percentage of the day's IP traffic, but speaking to those in any specifics -- I'm sorry, I can't."

In September, massive floods of data began hitting the online systems of major U.S. financial institutions following a statement calling for denial-of-service attacks. The statement -- made by a self-styled hacktivist group the Cyber Fighters of Izz ad-din Al Qassam -- called for volunteers to continue the attacks until a video that offended many Muslims was taken down. Yet the real attack did not come from the home systems of cyberprotesters, but from hundreds, or perhaps thousands, of content-management systems that had been compromised to form botnets.

Earlier this week, content-delivery network Incapsula detailed its analysis of a compromised server, finding an encoded PHP script designed to take part in an attack and consume the compromised server's processing power and bandwidth to do so.

The attacks, so far, have come in three waves, each kicked off with a Pastebin announcement by the Al-Qassam Cyberfighters. The latest announcement, posted on Jan. 8, promised to keep the attacks going for more than a year. The attacks have had limited visible impact, causing some U.S. banks to become inaccessible for hours: Bank of America had availability issues on Dec. 28, Wells Fargo on Dec. 19 and 20, as well as Jan. 3, and HSBC on Jan. 4, according to Netcraft data.

Such outages, even if they appear minor, are indicators that something significant is going on, says Mike Prettejohn, director of Netcraft. "The best hosting companies are flawless, where one failed request a month might move you down in the list of top-10 hosting companies," he says. "A decent bank would not want to be worse than that."

[Distributed denial-of-service attacks get bigger and combine application-layer exploits, requiring defenders to be more agile. See Evolving DDoS Attacks Force Defenders To Adapt.]

In fact, the attacks are serious and problematic, says Carl Herberger, vice president of security solutions for application-delivery firm Radware. The company has helped banks mitigate the attacks, but confidentiality agreements prevent the firm from talking about specifics, he says.

The attacks typically ramp up quickly as the attackers determine what level and mix of malicious network traffic will hinder a bank's accessibility. The average attack lasts about 20 days, Herberger says.

While there are typically seven different vectors through which the attackers attempt to hobble banks' networks, three techniques are the most effective. The top of the list are encrypted GET floods, which overwhelm the hardware that decrypts secure sockets layer (SSL) data, he says.

"Very few professionals have been able to handle the volumetric encrypted traffic, so unless you have dealt with it before, you will not be prepared," Herberger says.

The second effective technique is the much-reported Brobot botnet, which uses the large-bandwidth capacity of compromised content management servers to send traffic floods of 30 Gbps or more, overwhelming key pieces of network hardware. Finally, recursive DNS attacks are able to overwhelm critical domain-name system resolution, making the servers hard to reach for consumers.

In one operation, the recipe of attacks is quite similar, but there have been changes between the three major campaigns, Herberger says.

"Our technology needs to get better," he says. "IP-limiting and rate-limiting filters are no longer enough."

Herberger and other security experts interviewed for this article had no evidence whether the attacks were sponsored by nation-states -- much less Iran -- but Herberger said that any link would not be technical but based on human intelligence and likely classified.

Dan Holden, director of the security engineering response team at network-protection firm Arbor, argues that security professionals should be concerned about the tenacity of the attackers. The length of the campaign, and the threats to continue the attacks for more than a year, suggest some level of investment, he says. Moreover, the analysis by Incapsula that suggests that a botnet-for-hire is being used in the attacks, further strengthens arguments that the attackers are being funded.

"Given the fact that they have already been able to do it for months, given the [Incapsula] story about the server in the U.K. ... the question is whether this is hacktivism, or is it something else," Holden says. "At this point, we don't know, but I would believe that these attacks are being funded at some level."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/18/2013 | 2:34:29 PM
re: Monitoring Bank DDoS Attacks Tough Task For Third Parties
Want to Reduce Application Security
Risk? Build more Secure Software! Over the years IGve seen a variety of
approaches to this problem and have helped many customers on their path toward
more secure applications and reduced risk. ItGs interesting that you can
categorize most approaches into these three areas: Find and Fix, Protect in
Place, Secure at the Source.

While each of these approaches
plays an essential role in reducing application risk, you can get the greatest
long term impact by securing applications at the source. In this approach you
are targeting the development process itself, in an attempt to fix the systemic
issues which are leading to vulnerabilities in the first place. Discovery and
detection then become a backstop to catch anything that slips through the
cracks of a properly designed and implemented system.-

To better understand what
I mean, hereGs a great article to read: http://blog.securityinnovation....
Hope you find it useful!
User Rank: Strategist
1/14/2013 | 10:45:59 PM
re: Monitoring Bank DDoS Attacks Tough Task For Third Parties
With banks and ISPs keeping the details hush-hush on these DDoS attacks, the true significance of these attacks really can't be widely understood.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Bryan Yurcan
Bryan Yurcan,
User Rank: Apprentice
1/14/2013 | 3:56:27 PM
re: Monitoring Bank DDoS Attacks Tough Task For Third Parties
Information sharing is definitely paramount to combating these ongoing attacks.-
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
PUBLISHED: 2021-04-15
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
PUBLISHED: 2021-04-15
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...