Bank DDoS Attacks Employ Web Servers As Weapons

Researchers at Incapsula discovered a scheme by attackers to use a website as a bot in a DDoS attack

Dark Reading Staff, Dark Reading

January 9, 2013

4 Min Read

The recent wave of distributed denial-of-service (DDoS) attacks against U.S. banks is yet another entry on the list of examples of DDoS being used as a tool for protest.

But the latest spate of attacks attributed to the hacker group Izz ad-Din al-Qassam used an increasingly popular tactic: turning a compromised Web server into a weapon.

"Web servers have become the weapon of choice for DDoS attacks," says Marc Gaffan, co-founder and vice president of new business and marketing at Incapsula. "They have significantly more computing and networking capacity than a home PC and can cause havoc when used to launch DDoS attacks. This is becoming more and more prevalent with cloud computing environments where spinning up new servers from hacked IT administrator accounts can be done in an instant."

This is more common in the hosting provider space than the enterprise space, notes Stephen Gates, security evangelist at Corero Network Security. This is likely due to the available computing power and bandwidth at the attackers' disposal when it comes to hosting providers, he says.

In the case of Izz ad-Din al-Qassam's campaign, Incapsula discovered that one of its customers had been compromised in an attempt to use them as a launch pad for attacks.

"This client, a small and seemingly harmless general interest UK website, was suddenly a focal point of a rapidly increasing number of security events," blogged Ronen Atias, senior security researcher at Incapsula. "The cause? Numerous requests with encoded PHP code payload."

"A closer look revealed that these intercepted requests were attempts to operate a backdoor and use the website as a bot - an unwilling foot soldier in a DDOS army," Atias continued. "The backdoor was instructed to launch HTTP and UDP flood attacks against several U.S. banks, including PNC, HSBC and Fifth Third Bank."

The backdoor was controlled using an API that leveraged the server’s PHP environment to inject dynamic attack code that allowed the attacker to adapt quickly to any changes in the website's security.

Since the commands were blocked by Incapsula, the attack was mitigated before it started. While it is unclear how the Web server was initially compromised, an analysis after the fact showed the server had a particularly weak administration password: "admin."

"Using weak passwords is one the most common causes of websites being hacked," Gaffan explains. "The paradox is that while we are constantly being educated to strengthen our password in our personal lives -- email, bank account, and social media -- server administrators who think that their servers don't contain anything valuable are negligent in selecting their passwords."

"What they don't realize," he adds, "is that computing resources that have access to loads of bandwidth like Web servers can be used as fire power to launch attacks against other entities. So it's not just about what you have on your server worth stealing, it's also about what your server can be used for."

Tracing the attack backward, Incapsula researchers followed the trail back to a Turkish Web design company. According to Atias, the website was used as a botnet command-and-control for the attack. The site was most likely also compromised and being used to provide an additional buffer between the true target and the actual attacker, he speculates.

Increasingly, attackers are using blended approaches of network- and application-layer DDoS attacks to hit companies, Gates says. On the horizon are potential attacks that use mobile devices, though this approach has its limitations.

"Since most mobile devices have limited upload speeds, mobile devices, at least in the beginning, could be used primarily to launch the low and slow application-layer DDoS attacks instead of volumetric, flooding types of attacks in order to stay under the radar of wireless providers," he says.

"Organizations must have a DDoS defense plan in place as well as technology specifically built to combat these attacks," Gates adds. "Depending on an organization's budget, they may opt for one solution over another. Ideally a multipronged approach blending on-premise and ISP solutions is the most effective way to combat against this growing threat. If an organization only can use one technology, then on-premise is the way to go as it covers the broadest range of attacks, including traditional network-based attacks as well as today’s increasing application layer, low and slow attacks."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights