Lessons Learned From Bank DDoS Attacks
Defensive Measures That Other Sectors Can Use
The threatened fourth phase of distributed-denial-of-service attacks against U.S. banks by the self-proclaimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters has been largely unsuccessful (see: DDoS Attacks Strike Three Banks). But experts believe these hacktivists, or other groups interested in pairing DDoS attacks with fraud, could soon target other sectors that have weaker defenses.
Sectors that are at risk for increased DDoS attacks over the coming months, experts say, include government agencies, gaming companies (which include online casinos as well as video game manufacturers), e-commerce organizations and various services providers, including Internet service providers and cloud vendors.
This year, video game provider Steam, online gaming company SG Interactive, and EVE Online, a multiplayer on-line role-playing game, suffered several hours of downtime as DDoS attacks overwhelmed their servers. Also, a U.S. utility company's website, online payment system and automated pay-by-phone billing system were knocked offline for 48 hours by a DDoS attack.
Meanwhile, federal authorities and security experts are warning banks and government agencies to be on alert for a potential Sept. 11 wave of DDoS attacks launched by the same groups behind the unsuccessful Operation USA and Operation Israel attacks in May (see: 9/11 DDoS Alert for Banks, Agencies).
Lack of Preparation
Although DDoS attacks are not new to various business sectors, organizations may be unprepared to deal with the latest generation of large attacks sustained over a period of several days. Plus, many businesses are still uncertain about how to deal with application-layer attacks, says Carl Herberger, vice-president of security solutions at Radware, which sells appliances to detect and mitigate DDoS attacks.
And the latest generation of DDoS attacks can be used to help disguise efforts to commit fraud or steal intellectual property.
"DDoS has been around for a long time, but using the attacks to distract staff while [attackers attempt fraud] is a new trend," says Avivah Litan, an analyst with the consultancy Gartner.
For example, a new scheme, which has hit several institutions in recent months, involves the takeover of a banking institution's payment switch, Litan says. These takeovers, which were waged in conjunction with a DDoS attack, likely have led to millions of dollars worth of fraud, she adds.
Because DDoS attacks are now more sustained and powerful, conventional networking defenses, such as firewalls and intrusion prevention/detection systems, are not strong enough to withstand the assault, security experts say. That's why it's important to implement dedicated defenses instead of just relying on network monitoring.
Volumetric attacks, which involve flooding the targeted server with incomplete network requests or junk traffic, are getting much larger. Plus, new attack kits available in the underground market target the application layer by repeatedly making what looks like legitimate requests, such as login attempts or large file requests, to exhaust server resources. Multi-vector attacks combine different types, making it even tougher for the defenders to beat back the onslaught.
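A defender's view of the application-layer pattern described above, as an added example that is not from the article or any vendor it quotes: a per-client sliding-window count of expensive requests (login attempts and large file responses) over access-log lines. The log format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; tune against your own traffic baseline.
WINDOW = timedelta(seconds=10)
MAX_EXPENSIVE = 5          # expensive requests allowed per client per window
LARGE_BYTES = 5_000_000    # responses at or above this size count as "large file"

def is_expensive(method, path, resp_bytes):
    """Login attempts and large downloads: the request types the article names."""
    return (method == "POST" and path == "/login") or resp_bytes >= LARGE_BYTES

def parse(line):
    """Parse 'timestamp client method path status bytes' (constructed format)."""
    ts, client, method, path, _status, size = line.split()
    return datetime.fromisoformat(ts), client, method, path, int(size)

def flag_clients(lines):
    """Return {client: peak count} for clients exceeding MAX_EXPENSIVE in a window."""
    recent = defaultdict(deque)   # client -> timestamps of recent expensive requests
    flagged = {}
    for line in lines:
        ts, client, method, path, size = parse(line)
        if not is_expensive(method, path, size):
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > WINDOW:      # drop requests that fell out of the window
            q.popleft()
        if len(q) > MAX_EXPENSIVE:
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged

# Constructed sample log: one login flood, one normal user, one slow large download.
SAMPLE = (
    [f"2013-01-15T10:00:{s:02d} 198.51.100.7 POST /login 401 512" for s in range(8)]
    + [f"2013-01-15T10:00:{s:02d} 203.0.113.20 GET /index.html 200 4096"
       for s in range(0, 40, 2)]
    + ["2013-01-15T10:00:45 203.0.113.20 POST /login 200 512"]
    + [f"2013-01-15T10:00:{s:02d} 192.0.2.33 GET /reports/annual.pdf 200 9000000"
       for s in range(0, 60, 12)]
)

if __name__ == "__main__":
    print(flag_clients(SAMPLE))
```

Per-client counting misses floods spread thinly across many source addresses, so a real deployment would also track the aggregate rate of expensive requests per endpoint.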
Faced with increasingly hostile threats, security professionals in other business sectors can learn three important lessons from the successful DDoS defenses the financial services industry has implemented.
First, investing in a dedicated DDoS-mitigation appliance or service is critical because conventional networking devices are not capable of handling these kinds of attacks. Second, organizations must create a detailed incident response plan that clearly lays out the steps that need to be taken during the course of an attack - and who will be responsible for each task. And third, it's critical to maintain security vigilance so that attackers can't take advantage of a DDoS distraction to commit fraud.
Step 1: Implement DDoS Defenses
Organizations have the choice of working with an on-site appliance, a cloud service or a hybrid of both.
The appliance is generally deployed at the perimeter so that it can analyze all the incoming network traffic. It immediately drops junk traffic and incomplete headers, identifies and blocks suspicious application requests and ensures only clean, legitimate traffic proceeds to the firewall and the rest of the network. The cloud service works in a similar manner; the organization has all the traffic pass through the cloud servers to be scrubbed before it even reaches the local network.
A challenge for organizations considering installing an appliance within their network is calculating how much capacity they need to buy, says Susan Warner, a manager at Neustar, a network service provider. If the attacks are larger than what the appliance's maximum capacity is, then the appliance will not be able to successfully mitigate the attack. It's important to determine the normal traffic that is coming to the network and to understand the size of attacks that similar organizations are experiencing to estimate the capacity needed, Warner says.
For some organizations, it's easier to use a cloud provider and leave the question of scalability up to the vendor.
"We subscribe to the 'clean pipe' theory and prefer to leverage a service provider to cleanse traffic before it hits our Internet connections," says Matt Speare, a group vice president at Buffalo, N.Y.-based M&T Bank Corp., the nation's 17th largest bank holding company. In this scenario, all traffic first flows to the cloud provider, which examines the packets and makes sure only legitimate traffic is allowed to reach the organization's servers.
Speare, whose bank has been a target of DDoS attacks, has been a featured speaker for a webinar on DDoS threats.
Many anti-DDoS vendors offer add-on services to monitor and manage the network traffic. The cloud service provider will be in charge of detecting the attacks and alerting the customer, while immediately moving into counter-measures.
Whether an organization picks a cloud-based provider or a locally hosted appliance, it should look for the ability to scrub traffic and drop bad packets and requests, as well as to incorporate geo-IP filtering if all the malicious traffic is coming from a specific geographic region.
When evaluating a cloud-based scrubbing service, it's important to ask what measures the vendor has taken to ensure that attacks affecting one customer don't impact other customers, says Neal Quinn, CTO of Prolexic, a provider of cloud-based DDoS defenses.
The provider should have countermeasures for different types of attacks and be able to deal with threats without any performance degradation, Radware's Herberger says. The cloud provider's service level agreement also needs to specify how soon, and under what circumstances, the provider would notify the customer during an attack.
Step 2: Have a DDoS Response Plan
Deploying an anti-DDoS system is just the beginning. Organizations also need to have a DDoS incident response plan - or a section within their existing incident response plan to cover DDoS attacks - so that the defenses are effectively used.
The response plan should clearly identify who needs to be notified when an attack is detected and what steps to take. For example, the internal network team needs to know the details, such as the attack origin, type of techniques being used, what countermeasures are in place and how much bandwidth is being consumed. The responders need to know when to notify senior executives and business units and what information to provide carriers and upstream providers. The plan also identifies how to reach out to customers and what information to share.
"Making decisions on what to do next at a moment of crisis is never a good idea," Neustar's Warner says. "You need a checklist."
After creating the plan, Quinn of Prolexic recommends organizations run table-top exercises to test every aspect of the plan to ensure all the responders can work through each task and understand what needs to be done if an attack occurs. The plan should also be updated every time a new application is rolled out or new equipment is deployed.
Organizations should also have a post-mortem review after the attack to discuss what steps worked and what areas need to be improved.
Step 3: Be Vigilant for Fraud
Businesses in all sectors must keep in mind that DDoS attacks can be a smokescreen for fraud, says Stephen Gates, security evangelist at Corero Network Security.
A DDoS attack can frequently mask attempts by the infiltrators to breach other parts of the network. While fraud could mean account takeovers and unauthorized wire transactions at financial services organizations and retailers, it could also refer to theft of intellectual property and sabotage.
Washington Trust Bank has outlined steps for what other systems need to be monitored for potential fraudulent activity in its DDoS response plan, says Troy Wunderlich, vice president and operational risk manager at the $4 billion institution based in Spokane. "Our wire and ACH systems are monitored for potential fraudulent activity that may be trying to fly under the smokescreen of a DDoS attack," he explains.
M&T Bank takes similar steps and applies a "more stringent set of parameters" during the attack to look for suspicious activity, Speare says.
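One way to express "a more stringent set of parameters" during an attack, as an added example that is not either bank's actual system: wire and ACH payments are screened against tighter review limits whenever they fall inside a declared DDoS incident window. The limits, field names, times and payments are hypothetical and constructed.

```python
from datetime import datetime
from typing import NamedTuple

class Payment(NamedTuple):
    when: datetime
    channel: str      # "wire" or "ach"
    amount: float
    new_payee: bool   # first payment to this beneficiary

# Hypothetical review limits; real values come from the institution's fraud policy.
NORMAL = {"wire": 50_000, "ach": 25_000}
UNDER_ATTACK = {"wire": 10_000, "ach": 5_000}   # the tightened set used during a DDoS

def in_attack(when, windows):
    """True if the payment falls inside any declared DDoS incident window."""
    return any(start <= when <= end for start, end in windows)

def review_queue(payments, ddos_windows):
    """Return (payment, reasons) for every payment that needs manual review."""
    held = []
    for p in payments:
        attack = in_attack(p.when, ddos_windows)
        limit = (UNDER_ATTACK if attack else NORMAL)[p.channel]
        reasons = []
        if p.amount >= limit:
            reasons.append(f"amount>={limit}")
        if attack and p.new_payee:
            # New beneficiaries get a second look only while the attack is active.
            reasons.append("new payee during DDoS")
        if reasons:
            held.append((p, reasons))
    return held

def t(hhmm):
    """Build a timestamp on a constructed sample date."""
    return datetime.fromisoformat(f"2013-01-15T{hhmm}:00")

# Constructed incident window and payments, for illustration only.
WINDOWS = [(t("10:00"), t("14:00"))]
PAYMENTS = [
    Payment(t("09:30"), "wire", 20_000, False),  # before attack, under normal limit
    Payment(t("11:00"), "wire", 20_000, False),  # same amount, now over attack limit
    Payment(t("11:15"), "ach", 1_200, True),     # small, but new payee during attack
    Payment(t("12:00"), "ach", 900, False),      # small, known payee
    Payment(t("15:00"), "ach", 30_000, True),    # after attack, over normal limit
]

if __name__ == "__main__":
    for payment, why in review_queue(PAYMENTS, WINDOWS):
        print(payment.when.time(), payment.channel, payment.amount, why)
```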
DDoS attacks are disruptive and throw people off-guard, and organizations wind up pulling people away from their regular duties to help with response and mitigation. Attackers may take advantage of this distraction to commit fraud.
"Don't turn a DDoS attack into an all-hands-on-deck," Quinn warns.