Why DDoS Should Worry Us

Attacks Gaining Power, Likely Causing More Damage

By Tracy Kitten, March 7, 2013. Follow Tracy @FraudBlogger

How successful are these ongoing distributed-denial-of-service attacks against U.S. banks and credit unions? That's open for debate.

Everyone has a different opinion about how much of a threat these attacks really pose, but two things we all agree upon: The attacks can't be stopped, and we aren't likely to be told anytime soon who's behind them, even if certain intelligence has enough information to connect most of the dots.

We are now in the third phase - six months - of attacks that have pushed out DDoS strikes greater than any ever seen before. The length, sophistication and magnitude of these attacks prove the group taking credit for them - Izz ad-Din al-Qassam Cyber Fighters - is knowledgeable, trained and well-funded.

No doubt, DDoS will be a primary focus in 2013, and not just for banking institutions and government. Other critical industries, such as oil and gas, telecommunications and healthcare, are starting to take notice, as well they should. It would be naive for any of us to think these cyberattacks will be waged in isolation. The financial sector is just the first - a testing ground for the attackers' capabilities.

Why We Should Worry

I've been covering the DDoS hits against leading U.S. banking institutions since mid-September, when the so-called first campaign was launched. As time has gone on, these attacks have gotten more powerful because the hacktivists' botnet, known as Brobot, has grown. And since the beginning of the year, they've expanded their aim to target more institutions at the mid-tier level.

The hacktivists' attacks are cascading by exploiting applications hosted in the cloud, says Carl Herberger, vice president of security solutions for Radware, an anti-DDoS provider for enterprise management.

Brobot is attacking cloud-based servers, infecting the applications they host and then using those applications as conduits to infect the cloud providers' infrastructures.

But the bot has been architected to only affect the applications, not the providers' overall performance. Thus, application infections are not immediately detected, and the cloud providers don't have much incentive to take proactive steps to monitor for infections.

Here's the genius of it all: Because banks rely on these cloud-hosted applications, when they respond to a DDoS attack, they can't just block IP traffic that comes from infected applications. "In essence, doing so caused them to DDoS themselves during the early attacks," Herberger says.

When institutions blocked the bad traffic, they also blocked the applications they needed to run their sites and programs.

It's a problem that has yet to be resolved. Banks may have come up with workarounds, but as Brobot grows, more hosted servers in the cloud are being taken over, and more institutions that rely on those hosted services for online applications are being targeted.

"This is where we are, by and large, today," Herberger says. "The perpetrators know what they have set up has been very successful, and they know the defenses are problematic. They are infecting more servers and sites, so we're in a moment here where we know that IP blocking won't work, and the best solution we have right now is to use technologies that understand bad behavior."

But it's just a band-aid, he admits.
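The distinction Herberger draws, as an added illustration that is not part of the article and not Radware's or any bank's code: when a cloud egress address carries both the bank's own hosted application and flood traffic from an infected app on the same host, blocking the address drops both, while a rule that keys on request behaviour (per source-and-user-agent flow: request count, rate and the share of distinct paths) isolates the flood. All addresses, user agents, paths and thresholds below are constructed sample values.

```python
"""Source-IP blocking versus behaviour-based filtering on a shared cloud IP."""
from collections import defaultdict

# Constructed sample events: (timestamp_s, src_ip, user_agent, path).
# 198.51.100.7 is a cloud egress address shared by the bank's own hosted
# application (steady polling of one endpoint) and an infected app that fires
# cache-busting requests at ever-changing paths. 203.0.113.9 is a customer.
EVENTS = [(t, "198.51.100.7", "bank-app/1.0", "/api/balances") for t in range(0, 60, 5)]
EVENTS += [(t, "198.51.100.7", "Mozilla/5.0", f"/login?r={t}") for t in range(60)]
EVENTS += [(t, "203.0.113.9", "Mozilla/5.0", "/home") for t in (3, 30, 55)]


def ip_blocklist(events, bad_ips):
    """Naive mitigation: drop every request from a listed source address.
    On a shared address this also drops the bank's own application traffic."""
    return [e for e in events if e[1] not in bad_ips]


def flagged_flows(events, min_rate=0.5, min_requests=20, min_distinct_ratio=0.8):
    """Flag (src_ip, user_agent) flows that behave like a flood: many requests,
    a sustained rate (requests/second over the flow's lifetime) and almost every
    request hitting a distinct path, the signature of cache-busting query strings."""
    flows = defaultdict(list)
    for ts, ip, ua, path in events:
        flows[(ip, ua)].append((ts, path))
    flagged = set()
    for key, reqs in flows.items():
        if len(reqs) < min_requests:
            continue
        stamps = [ts for ts, _ in reqs]
        span = (max(stamps) - min(stamps)) or 1  # avoid division by zero
        rate = len(reqs) / span
        distinct_ratio = len({p for _, p in reqs}) / len(reqs)
        if rate >= min_rate and distinct_ratio >= min_distinct_ratio:
            flagged.add(key)
    return flagged


def behaviour_filter(events, **thresholds):
    """Keep every request except those belonging to a flagged flow."""
    bad = flagged_flows(events, **thresholds)
    return [e for e in events if (e[1], e[2]) not in bad]


if __name__ == "__main__":
    blocked = ip_blocklist(EVENTS, {"198.51.100.7"})
    print("IP blocklist keeps", len(blocked), "requests; bank-app requests kept:",
          sum(e[2] == "bank-app/1.0" for e in blocked))
    kept = behaviour_filter(EVENTS)
    print("behaviour filter keeps", len(kept), "requests; bank-app requests kept:",
          sum(e[2] == "bank-app/1.0" for e in kept))
```

With the constructed data, the IP blocklist leaves only the three customer requests and none of the bank's own application calls, while the behaviour filter drops exactly the 60 cache-busting requests and keeps all twelve application calls.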

"The brilliance of this bot is that it's open code, and provides a tool and an attack technique that gives the perpetrators access to powerful servers and processors, and does it in a way that is fairly unnoticeable," Herberger says.

See the cascade?

What They Aren't Saying

On the record, experts talk about all of the improvements banking institutions have made in their defenses against these attacks, and there's no doubt these targeted institutions have made major improvements.

Off the record, security experts' perspective is less optimistic. We can't really defend against attacks that force us to cannibalize ourselves, and the attackers know it. This is why they continue to wage their strikes - because they are, at least in part, successful.

Follow Tracy Kitten on Twitter: @FraudBlogger
