Are Banks Winning the DDoS Battle?Traffic Monitoring Shows Decline in Online Outages
Despite the claims of hacktivists, U.S. banking institutions say their websites now suffer fewer and less severe outages linked to traffic surges tied to distributed-denial-of-service attacks. And online traffic patterns tracked by one third-party monitoring service appear to support the banks' contention.
See Also: 2016 State of Threat Intelligence Study
Keynote Systems Inc., an Internet and mobile cloud testing and monitoring firm that tracks online traffic, reports that outages affecting U.S. banking websites have declined in recent weeks, during phase 2 of the hacktivists' DDoS campaign. Keynote tracks site availability statistics for all leading U.S. financial institutions and other companies across numerous industries.
Last fall, during phase 1 of the campaign, monitored banks' websites were showing a 94.86 percent reliability response rate - a "pretty bad" rating, according to Keynote's statistics.
But for the week ending Jan. 13 - amidst the hacktivists' highly-touted phase 2 campaign - that rate had risen to an average of 97.21 percent.
Some observers site these stats as evidence that banks have improved their abilities to detect and defend against DDoS attacks. Others warn that traffic patterns also show that banks are not the only entities facing DDoS attacks, and all organizations should be on notice to defend against this growing threat.
"Whilst [traffic attributed to DDoS] has fluctuated, it has remained above the norm relative to previous reporting periods," says DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London. "Thus, the problem of attack conditions and DDoS are very present and represent a growing threat."
Since mid-September, the hacktivist group Izz ad-Din al-Qassam has taken credit for DDoS attacks launched against leading U.S. banks. So far, the group, in protest of a YouTube video deemed offensive to Muslims, has claimed attacks against PNC Financial Services Group, BB&T Corp., Fifth Third Bank, Bank of America, JPMorgan Chase, Citigroup, Wells Fargo, U.S. Bancorp, CapitalOne, HSBC, Ally Bank, SunTrust Banks, Regions Financial Corp. and, most recently, Zions Bancorp.
On Jan. 1, the group boasted that it would step up its assaults in the New Year. "Rulers and officials of American banks must expect our massive attacks," the group posted on Pastebin. "From now on, none of the U.S. banks will be safe from our attacks."
But Ben Rushlo, Keynote's director of performance management, says traffic patterns suggest U.S. banks have done better maintaining site availability since mid-December, when the second DDoS campaign began.
"We've got a good feel for whether the banks are getting hit," Rushlo says. "We would definitely be seeing error messages on our end if the sites were down, just like any online user would."
Traffic statistics collected by Keynote reflect average online response times and reliability rates for leading institutions.
Pointing to the most recent set of traffic stats, collected for the week beginning Jan.7 and ending Jan. 13, Keynote cites an average reliability response rate of 97.21 percent for the homepages, online-banking login/account summary pages, transaction detail pages and logout pages for 13 leading U.S. institutions.
As a note of comparison, stats collected for the week beginning Sept. 24 and ending Sept. 30 - around the time Izz ad-Din al-Qassam's attacks were initiated - reveal the average reliability response rate for those pages was 94.86 percent.
Rushlo says 99.5 percent reliability is the typical "gold standard" for banks and other brokerages. "So, 97 percent is not good, and 94 is pretty bad," he says. "However, because we are averaging, then any single bank can pull down the average."
But relatively speaking, financial institutions' websites have the highest overall reliability compared to other industries, he adds.
Over the past month, Keynote has noted online availability issues affecting Regions Bank, PNC, Capital One, HSBC, BB&T and Wells Fargo. Most of those problems have subsided, despite some ongoing issues still plaguing BB&T and HSBC this week, Rushlo adds. "But none of the other major banks are having anything significant, as far as technical struggles."
Keynote's public site-availability index collects data based on availability tests coming from 10 separate U.S. locations, Rushlo says. The availability tests, which are run every 15 minutes, include 40 data points per hour. "That means we pick up on issues within minutes," he says. "We have quite a lot of data that we generate on the banks."
As recently as this week, some U.S. banks continue to contend with DDoS attacks. BB&T spokesman Brian Davis confirmed Jan. 17 that the bank's site was hit with DDoS activity during the afternoon of Jan. 15, but says BB&T's site has been functioning normally since Jan. 16.
Other banks targeted since September have either confirmed they've suffered no recent outages or have declined to comment about traffic patterns.
Mike Smith of Akamai Technologies, an Internet platform provider, says Keynote's findings support what the industry has been saying about increased DDoS defenses having a positive impact.
"Anecdotal evidence is that the impact on banks is less for Phase 2 than it was during September and October," Smith says. "This is because of information sharing through FS-ISAC [Financial Services Information Sharing and Analysis Center], relationships with DDoS mitigation providers, and the amount of planning and operational alertness that is happening."
But Smith warns hacktivists could take signs of reduced impact as a catalyst to shift gears. "The reduced impact of their attacks could drive the QCF [Izz ad-Din al-Qassam Cyber Fighters] to attack new banks, to branch out to other types of financial services and even to start attacking other industries."
Banks Are Not Only Targets
Keynote's online traffic analysis for the past six months notes increases in online activity, as would be seen in a DDoS attack, hitting big-name, publicly traded entities - not just financial institutions.
Independent research by ENISA's Walker also points to an increase in traffic related to DDoS attacks globally over the last 12 months. Not all of the attacks are linked to hacktivists, but the traffic patterns suggest serious concerns all industries must address, he says.
"There is absolutely no doubt in my mind that the current position of DDoS, and, to some extent, the attractiveness of CaaS [crimeware-as-a-service] is growing and will continue to grow into 2013 and beyond," Walker says.
Gartner analyst and DDoS researcher Anton Chuvakin says DDoS defense is about resiliency. The problems banks and others will face in coming months, however, will relate to their abilities to remain resilient in the fact of evolving attacks. "Banks, together with the anti-DoS [denial-of-service] service providers they may use, are getting better at filtering attack traffic," he says. "Unless the attacks change significantly, they are expected to fare better over time."
What It Means for Banks
Walker says the U.S. financial industry has responded to increasing online attacks better than most industries in other international markets. But the investments required for DDoS prevention and mitigation are substantial.
Dan Holden, director of the security engineering research team for Arbor Networks, which sells DDoS prevention products, says costs associated with technology and resources to deflect DDoS attacks will be a focal point for banks in the coming year.
"We would agree that both the providers and the banks are better at defenses, and this should continue to get better as the attacks continue," Holden says. "However, defending against these attacks still costs technological and people resources, so it's not a set-it-and-forget type of defensive tactic."
Walker and Holden both note that organizations cannot ignore that the DDoS attacks and the size of the botnets used to wage them are constantly changing and growing. Those evolutions will demand that organizations consistently reassess their risks and test their defense measures.
Ultimately, targeted organizations must decide how and where they find the balance between security and online-user satisfaction. Walker says. "The biggest question: 'What is the offset-performance cost associated with defending the perimeter in relation to the customer experience when logging on to their on-line accounts?" he says.