DDoS: Lessons from Phase 2 Attacks

Dual-Pronged Attacks Necessitate Stronger App Management

By Tracy Kitten, January 14, 2013.
As a hacktivist group's second campaign of distributed-denial-of-service attacks against U.S. banks enters its sixth week, experts say financial institutions' mitigation strategies are improving and their communication methods are changing.

Since Dec. 11, when the hacktivist group Izz ad-Din al-Qassam Cyber Fighters kicked off its second campaign of DDoS attacks, Bank of America, JPMorgan Chase, Citigroup, Wells Fargo, U.S. Bancorp, CapitalOne, HSBC, PNC Financial Services Corp., Ally Bank, SunTrust Banks, Regions Financial Corp., BB&T Corp. and Fifth Third Bank all have apparently been targeted. Some have been named by the attackers in updates posted to the online forum Pastebin. And some of these banks also were targeted during the group's first campaign, which ran from mid-September through mid-October.

The second campaign of attacks appears to be having less of an impact than the first wave, thanks to improved defenses, observers say. But the hacktivists are pledging to continue to wage attacks for many more months if the YouTube video they're protesting remains posted.

While some experts speculate that Iran may be behind the attacks, others point to signs indicating that's not the case. Meanwhile, many banks are now communicating directly with their clients about the outages, rather than making statements on their websites or social media, out of concern that too much publicity is fueling more attacks.

Technical Defense Improvements

Experts say banking institutions have dramatically enhanced their DDoS prevention methods and procedures since the first campaign. Dan Holden, director of the security engineering research team for Arbor Networks, which sells DDoS prevention products, says it's not just banks that have improved; ISPs and cloud-based DDoS-prevention providers have upped their efforts as well.

The result: Online-banking sites are suffering fewer outages, and for shorter periods, during the second campaign. And in the wake of all the attacks, the financial services industry is now treating DDoS as a serious threat.

"From a technology standpoint, we have improved our defenses quite a bit since the fall," Holden says. "These attacks were different, and so, in the beginning, they were more effective. The focus and how they [the attackers] built it out - using high bandwidth servers and in lower numbers than what we typically see in botnets and hacktivism - was new."

The banks have learned they cannot defend against these attacks alone, he adds. As a result, information sharing within the industry and with technology vendors has improved.

"These attacks have been effective because they are two-pronged," Holden says. "They flood the [Internet service] providers, at the enterprise level, but then they also flood and test the bank at the application level."

This two-pronged attack approach has necessitated more lines of defense for website applications, and that's an area banks are addressing on their own, he says.

"The financial institutions are more familiar with how to protect the application level," Holden says. "They can't lean on an ISP for that. So now, when they build the application or reassess the security of the application, they're going back to harden it for these attacks."

By measuring the bandwidth and server resources consumed by particular input-driven features, such as searches and logins, institutions can tune the applications accordingly. For example, if the application behind a bank's search feature is being flooded, the bank may opt to simply shut that feature off until the attack subsides, he explains.

"Logins and searches are the low-hanging fruit [for attackers], and so those are the applications the banks look at the most," Holden says. "And then there is the defense of the application, from a specific DDoS standpoint. From a pure traffic and flooding perspective, a lot of that is provided by a cloud-defense provider or ISP. But the application is very specific to that bank customer, so the bank has to build those defenses in."

The biggest lesson learned during this second campaign of attacks, Holden adds, is that bilateral strikes like the ones being waged now require in-cloud provider defenses as well as in-house defenses for applications.
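One way to implement the per-feature shut-off Holden describes above, as an added illustration (not code from the article or from any bank): each resource-heavy feature gets its own request budget per time window, and when a feature's budget is exhausted only that feature is shed for a cool-down period while cheaper features keep being served. The thresholds, feature names and the injected clock are constructed for the demo.

```python
"""Per-feature kill switch for application-layer flood defence.
Added illustration (not the article's or any bank's code): each expensive
feature has its own request budget per window; when exhausted, the feature
is shed (HTTP 503) for a cool-down while cheap features such as login keep
being served. Thresholds, feature names and the clock are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class FeatureBudget:
    """Sliding-window budget for one feature, e.g. 'search'."""
    max_requests: int      # requests allowed per window
    window_s: float        # window length in seconds
    cooldown_s: float      # how long the feature stays shed once tripped
    hits: deque = field(default_factory=deque)
    shed_until: float = 0.0

    def admit(self, now: float) -> bool:
        """Return True if the request may run, False if it is shed."""
        if now < self.shed_until:
            return False
        while self.hits and now - self.hits[0] >= self.window_s:
            self.hits.popleft()          # drop hits outside the window
        if len(self.hits) >= self.max_requests:
            self.shed_until = now + self.cooldown_s   # trip the breaker
            self.hits.clear()
            return False
        self.hits.append(now)
        return True


class FeatureGate:
    """Maps a request's feature to its budget; unbudgeted features pass."""
    def __init__(self, budgets: Dict[str, FeatureBudget]):
        self.budgets = budgets

    def handle(self, feature: str, now: float) -> int:
        """HTTP status the app would return: 200 served, 503 shed."""
        budget = self.budgets.get(feature)
        return 200 if budget is None or budget.admit(now) else 503


def demo():
    """Constructed flood: 30 search hits in 1 s, a login, search during/after cooldown."""
    gate = FeatureGate({"search": FeatureBudget(20, 1.0, 60.0),
                        "login": FeatureBudget(100, 1.0, 10.0)})
    codes = [gate.handle("search", t / 30) for t in range(30)]
    codes.append(gate.handle("login", 1.0))    # cheap feature still served
    codes.append(gate.handle("search", 30.0))  # inside cooldown: shed
    codes.append(gate.handle("search", 70.0))  # cooldown over: served again
    return codes
```

In a real deployment the budget would be keyed on measured cost (CPU time or backend calls per request) rather than a bare count, and the trip event would be logged so operators can see which feature was shed and when.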

So What's Next?

The biggest concern is how long these attacks will last. "The most disturbing piece is that ... they plan to carry these attacks out for an entire year," Holden says. "From a hacktivist standpoint, that's an extremely long campaign."

Follow Tracy Kitten on Twitter: @FraudBlogger
