Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

4/4/2013
03:32 PM

Laws Can't Save Banks From DDoS Attacks

A threat information-sharing bill wouldn't do much to help banks defend themselves against distributed denial of services (DDoS) attacks.

[Slideshow: Anonymous: 10 Things We Have Learned In 2013]
The co-author of the Cyber Intelligence Sharing and Protection Act (CISPA) ought to know better.

Rep. Mike Rogers (R-Mich.), who is also chairman of the House Intelligence Committee, told NBC News on Wednesday that the Operation Ababil bank disruption campaign run by al-Qassam Cyber Fighters could be stopped, if only private businesses had unfettered access to top-flight U.S. government threat intelligence. Currently the federal government is "trying to share cyber threat information with these banks to help them get ahead of these attacks," Rogers said. "Unfortunately, a series of policy and legal barriers is impeding that cooperation, as well as slowing down cooperation within the private sector and making it less effective."

The problem with that reasoning is that the bank disruptions -- often publicized in advance by the attackers -- overwhelm targeted networks through sheer volume of packets. They don't rely on stealthy or previously unknown techniques that banks would have difficulty spotting if only they had access to better attack data.

[ Downtime for bank websites has doubled, an all-time high, says website monitor. Read Banks Hit Downtime Milestone In DDoS Attacks. ]

Said Rico Valdez, a senior threat researcher at Bit9: "Threat intelligence ... for more targeted attacks -- where adversaries are trying to penetrate your systems, get in, steal data, intelligence -- can be very, very useful. But in the world of DDoS attacks, there's just not a ton that can be done there."

Valdez continued: "Some intelligence can help you -- it's good to know the attack techniques being used, that might help you put in place better mitigation technologies. But most of the [DDoS] attacks these days are sheer packets-per-second attacks, designed to overwhelm your infrastructure so that you can't service any requests. In that type of scenario, with threat intelligence, it's ... not going to effectively help your mitigations."

A spokeswoman for Rep. Rogers, contacted by phone and email, didn't immediately respond to our requests for comment. But in Rogers' comments to NBC, the Congressman also suggested that banks simply can't blunt the full fury of a nation state's DDoS disruption campaign. "These banks are among the best in the country when it comes to cyber security, but even they are having trouble keeping up with attacks that have the sophistication and the level of resources that a nation-state entity like Iran can devote to them," he said.

In fact, multiple security experts I've spoken with contend that banks are combating the DDoS attacks quite well via layered defenses, DDoS scrubbing services from third-party providers, and dedicated DDoS mitigation defenses running on premises or in the cloud. In some cases, banks can also use content delivery networks that spread instances of their sites across different geographical regions, helping minimize the effects of a DDoS-generated disruption in any one of those areas.

As a result, bank officials say that even in the face of massive DDoS attacks, their websites are for the most part remaining online, or going offline just briefly. Still, during the DDoS disruptions more customers than normal might not be able to reach their websites, perhaps as a side effect of scrubbing or other DDoS defenses that might be temporarily blocking their PC, network segment or geographic region. "Typically what customers see [from DDoS attacks] is slow responses ... especially with these banking sites," said Bit9's Valdez. "So it's not like [attackers] are taking down the servers. The servers are still there, they're running, they're happy. But they're effectively preventing them from responding to legitimate requests, because they're just eating up all their cycles."

That's just a DDoS attack fact of life. "Everyone is vulnerable, to some extent," he said. "The reality is you've got a pipe attached to your system, and there's only so much that can go through that pipe, and when attackers are filling it up with junk, you can't get the rest through." Scrubbing services can route the traffic down an even bigger pipe and let only the good stuff through, but that approach requires large pipes -- typically operated by service providers -- and isn't foolproof.

"There is always the possibility with anything like that, when you're getting into a blocking or scrubbing type of mode for that technology, to occasionally cause disruption to legitimate service," said Chris Novak, managing principal of the RISK Team for Verizon Enterprise Solutions. "However ... talking to entities in financial services and others, we haven't received feedback that it's affected in any meaningful way the organizations we're working with."

That isn't to say that threat intelligence might not help banks defend themselves better against some types of attacks. "In my view it is the peer-to-peer sharing that is most helpful here," said Doug Johnson, VP of risk management policy for the American Bankers Association, an industry trade group, by email. "We on the private side are the recipients of and actively share the threat signatures. Our ability to get the ISPs to act on those signatures by shutting down sites would be enhanced with the greater liability protections within CISPA."

In other words, banks still see room to improve threat mitigation, and some type of cyber-threat intelligence legislation or White House voluntary executive order might help them take the gloves off, at least for some types of attacks. The CISPA legislation that Rep. Rogers co-authored passed in the U.S. House of Representatives last year but then died in the Senate amid strong opposition from privacy rights groups and the Obama Administration. Rogers reintroduced it earlier this year.

But given the technical limits to which DDoS attacks can be mitigated, U.S. banks are arguably defending themselves to the best extent possible, and no Congressionally delivered intelligence would improve on those efforts.


Comments
Tony_Gam, User Rank: Apprentice
4/17/2013 | 4:21:20 PM
re: Laws Can't Save Banks From DDoS Attacks
I didn't see too many folks howling that the sheer volume of traffic was taking them down (a la the recent open DNS mess); rather, it was the SSL terminators that were burdened with handshakes, and the web apps receiving gobs of garbage logins/searches, that ruined everyone's day. I'm totally open to the idea that I may be wrong, or that my position in the layered architecture prevented me from seeing the relevant border router data, but as a web session intelligence guy, I just haven't seen the clogged pipe assertion supported by the data.

I do disagree with the idea there's not much you can do to thwart a HULK-style DDoS attack. If we'd given banks the generic heads up that they should take steps to detect and temporarily deflect requests from IPs that (1) made 10 or more requests per second, (2) changed their UA string in at least 60% of those requests and (3) focused 80% or more of those requests on a single resource, we could have taken a serious bite out of this thing. The "zero day" for HULK was back in March -- I'm not saying government is necessarily the right choice for an intel clearinghouse, but if we'd collectively taken steps to inoculate last Spring, things would have turned out differently.
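The three-part heuristic in the comment above (rate, user-agent churn, single-resource focus) is concrete enough to run over a web server access log. The following is an added example written for this page; it is not code from the commenter, from HULK, or from Dark Reading. It assumes a simplified combined-log line format (`ip [timestamp] "METHOD path HTTP/x" status "user-agent"`), reads "changed their UA string" as the share of a client's requests whose User-Agent differs from that client's previous request, and measures rate as the peak number of requests in any one-second bucket. The log lines are constructed from documentation IP ranges, not captured traffic.

```python
"""Flag clients matching a HULK-style request pattern in an access log.

Thresholds follow the comment's three conditions; their interpretation
(peak one-second rate, consecutive-UA churn, top-path concentration)
is an assumption made for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

MIN_REQ_PER_SEC = 10       # condition (1): >= 10 requests per second
MIN_UA_CHURN = 0.60        # condition (2): UA changed in >= 60% of requests
MIN_SINGLE_RESOURCE = 0.80 # condition (3): >= 80% of requests on one resource

# Assumed simplified log format: ip [ts] "METHOD path PROTO" status "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event


def profile_client(events):
    """Compute the three indicators for one client's events (in log order)."""
    # (1) peak requests within any single one-second bucket
    per_second = Counter(e["ts"].replace(microsecond=0) for e in events)
    peak_rps = max(per_second.values())
    # (2) fraction of requests whose UA differs from the previous request's UA
    if len(events) > 1:
        changes = sum(1 for a, b in zip(events, events[1:]) if a["ua"] != b["ua"])
        ua_churn = changes / (len(events) - 1)
    else:
        ua_churn = 0.0
    # (3) share of requests aimed at the single most-requested path
    top_path, top_count = Counter(e["path"] for e in events).most_common(1)[0]
    concentration = top_count / len(events)
    return {
        "requests": len(events),
        "peak_rps": peak_rps,
        "ua_churn": ua_churn,
        "top_path": top_path,
        "concentration": concentration,
    }


def flag_flooders(lines):
    """Group log lines by client IP and return profiles of clients meeting all three conditions."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:  # silently skip lines that do not parse
            by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        p = profile_client(events)
        if (p["peak_rps"] >= MIN_REQ_PER_SEC
                and p["ua_churn"] >= MIN_UA_CHURN
                and p["concentration"] >= MIN_SINGLE_RESOURCE):
            flagged[ip] = p
    return flagged


def build_sample_log():
    """Constructed sample log (documentation IPs, not real traffic)."""
    lines = []
    # Flooder: 12 hits in one second, UA rotated every request, 11 of 12 on /login.
    for i in range(12):
        path = "/login" if i != 5 else "/search?q=x"
        lines.append(f'198.51.100.7 [04/Apr/2013:15:32:10] "GET {path} HTTP/1.1" 200 "Mozilla/5.0 (bot-{i})"')
    # Busy but consistent crawler: same rate, one UA, spread over many paths -> not flagged.
    for i in range(12):
        lines.append(f'203.0.113.9 [04/Apr/2013:15:32:10] "GET /page{i} HTTP/1.1" 200 "Mozilla/5.0 (crawler)"')
    # Ordinary user: a few requests seconds apart -> not flagged.
    for i, path in enumerate(["/", "/login", "/account", "/logout"]):
        lines.append(f'203.0.113.5 [04/Apr/2013:15:32:{10 + i * 3:02d}] "GET {path} HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1)"')
    return lines


if __name__ == "__main__":
    for ip, profile in flag_flooders(build_sample_log()).items():
        print(ip, profile)
```

Requiring all three conditions is what keeps the crawler in the sample from being flagged: it is just as fast as the flooder but keeps one User-Agent and spreads its requests, which is the distinction the comment draws between a HULK client and a merely busy one. In production the natural next step is to feed flagged IPs into a short-lived block or challenge rule rather than a permanent deny list, since the comment itself speaks of "temporarily" deflecting them.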
dennisearlbaker, User Rank: Apprentice
4/5/2013 | 8:37:08 PM
re: Laws Can't Save Banks From DDoS Attacks
I'm still waiting for the citizens to be protected from the corruption of the banks, and that's the priority.