Is another wave of distributed denial of service attacks imminent?
For the past two weeks, DDoS attacks that caused online outages at several major U.S. banks started on Tuesday mornings and ended by Friday afternoons, says Mike Smith, a senior security evangelist at Akamai Technologies, an Internet platform provider.
Smith and other security experts are standing by to see if this week brings a third round of attacks. While they wait, these thought-leaders offer insights in response to these outstanding questions:
- Why were banks unable to stop the DDoS attacks from causing outages?
- What steps should banks and other organizations take now to prepare for additional attacks?
Technology does play a role in thwarting such attacks, says Smith, who also blogged about the attacks. But a renewed focus on information sharing is the best investment an organization can make, he says.
"Packet captures from the attack traffic we shared with our customers, for instance, allowed them to build IDS [intrusion detection system] signatures, so when they first start to receive that traffic, they can block it," he says.
Why Attacks Succeeded
DDoS attacks are not new - they have been around since at least 2001.
Simply defined, a DDoS attack usually involves an external party saturating a targeted website with traffic until the site's servers are overloaded, ultimately rendering the site unable to respond and unavailable. This is what happened to the banks, whose customer-facing websites subsequently faced varying degrees of unavailability.
Yet as Anton Chuvakin, a security analyst at Gartner, pointed out in May, DDoS attacks seem to have become a "forgotten area" of security - until the latest string of incidents.
"Denial-of-service attacks, in general, cannot be stopped," Chuvakin says. "If their entire network connection is full of traffic, nothing they do on their own will remove the flood."
The recent wave of attacks is unique for its scale, Smith says.
The average online user in the United States and Western Europe uses about 1 megabyte per second per Internet node.
"Even at the height of the Anonymous attacks, we saw traffic coming in from 7,000 or 8,000 people [at approximately 1 gigabyte per second] involved in attacks at any given time," he says. "That's a lot."
But in the most recent attacks, the traffic coming in was the equivalent to about 65 gigabytes per second, Smith says. "A typical DDoS attack waged by a hacktivist group looks much different than what we saw here," he says. "You would expect less than 1 gbps [gigabyte per second] of attack traffic for the average hacktivist, and would expect peaks up to, maybe, 2 gbps."
"The leading DDoS prevention software, more or less, stops working when the attacks get larger than 60-70 gigabytes," Litan writes. "The major ISPs only have a few hundred gigabytes bandwidth for all their customers, and even if they added more on to that, the hacktivists could quickly and easily eat the additional bandwidth up."
Where Did Attacks Originate?
Recent attacks have been attributed to Izz ad-Din al-Qassam. But this group, which in the past has been known to support Hamas, has not historically been affiliated with hacktivism, says Bill Wansley, a fraud expert at financial-services consultancy Booz Allen Hamilton.
"All of the sudden, for them to become a hacktivist group, it's just really interesting," Wansley says. "We've never seen that before" (see More U.S. Banks Report Online Woes).
Thus, determining, with any certainty, who or what is actually behind the attacks has proven difficult.
"There are indications it's an Iranian group," Wansley says, based on the IP addresses linked to the attack and the timestamp of the attacks.
These latest attacks are unlikely to be the product of traditional hacktivists, experts say, citing this evidence:
- The sheer number of hits seems too large to be waged by social or political hacktivists. "The volume of the traffic is far higher than what we normally see," Smith says.
- During a typical hacktivist attack, variations in the site traffic are evident. "The attacks in this case were homogeneous, which is not typical," Smith says. "The traffic looked the same."
- And there wasn't a lot of bragging going on after the attacks, either, although bragging is typical in a hacktivist event. "The attacks are unique and seem to have a different character than previous [hacktivist] attacks," Wansley says.
How Can Organizations Respond?
Although U.S. banks have been the initial targets of the latest DDoS attacks, experts say all organizations should be on notice: They could be next.
Gregory Nowak, a principal research analyst for the Information Security Forum, says security leaders need to realize that these incidents are ideological attacks against the U.S.
"The attacks have nothing to do specifically with the activities of these banks - they were innocent bystanders," Nowak says. "The message is: This can happen to any organization, and they need to consider [hacktivism response] as part of their risk management" (see Banks Under Attack: PR Missteps).
So, what can organizations do to prepare?
Litan says DDoS is not an issue any individual organization can control.
"It's a networking bandwidth and network security software issue," she says. "Simply put, the DDoS prevention software can't handle this large of an attack, in terms of the bandwidth it consumes."
Among the steps organizations can take:
- Protect default online pages or homepages. "This is the page most commonly attacked in a DDoS and can be easily protected with basic caching," Smith says.
- Communicate with ISPs about suspicious traffic. "The [organization] has to work with its ISP, and potentially other ISPs, to see if the ISP can identify the traffic before it gets to the website and drop it earlier in its travels," says Alex Horan of CORE Security, an online security firm that specializes in vulnerability assessment and testing. "But the [organization] doesn't want to accidentally drop legitimate traffic when doing that, so it has to be very cautious."
But organizations also must know the privacy limitations ISPs face when it comes to blocking or removing computers or users linked to attacks. "We need every ISP to be able to work together," Horan says. "While this appears to be in the ISPs' favor, most would be reluctant to do it, as it would mean they would have to inspect the packets sent by their customers, and it could very easily be seen as an invasion of privacy."
DDoS attacks occur on a daily basis, Smith notes. So institutions and others need to focus on intrusion detection and DDoS attack identification.
ISPs also should have mechanisms in place to block DDoS attacks. "That way, they limit an attack against one customer and limit the impact to their other customers," Smith says. "The ISP is the conduit; they are at risk, and they know this. That's why they also usually offer protective services."
If the ISP with which an institution works does offer protective services, banks and others should take advantage, Smith says.
But if the ISP doesn't offer protective services or does not have the ability to filter traffic, the institution can at least block traffic coming in from IP addresses identified as being connected to an attack.
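Two of the points above lend themselves to a concrete check: Smith's observation that the flood traffic was homogeneous ("the traffic looked the same"), and the fallback step of blocking traffic from source addresses identified as part of an attack. The script below is an added example written for this page; it is not code from the article or from Akamai, CORE Security or any other party quoted. It parses web-server access logs in the combined log format, scores how uniform the requests are by (method, path, user agent) signature, flags sources whose request rate exceeds a threshold, and renders nginx `deny` lines for them. The log lines are constructed for the example, the signature fields and the rate threshold are illustrative assumptions to be tuned per site, and the only real syntax relied on is nginx's `deny` directive.

```python
from collections import Counter
from datetime import datetime
import re

# Combined log format. The sample built below is constructed for this
# example; it is not captured traffic from the attacks the article describes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, second, method, path, ua, status="200"):
    """Build one constructed log line inside a single one-minute window."""
    ts = f"01/Oct/2012:09:15:{second:02d} -0400"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log():
    """Constructed sample: a little varied legitimate traffic, then three
    sources that each request the homepage once a second with an identical
    signature, the 'looks the same' pattern described in the article."""
    lines = []
    legit = [
        ("198.51.100.10", 3, "GET", "/", "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0"),
        ("198.51.100.10", 9, "GET", "/static/app.js", "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0"),
        ("198.51.100.23", 14, "POST", "/login", "Mozilla/5.0 (Macintosh) Safari/536.26"),
        ("198.51.100.23", 20, "GET", "/accounts/summary", "Mozilla/5.0 (Macintosh) Safari/536.26"),
        ("198.51.100.41", 31, "GET", "/", "Mozilla/5.0 (iPhone) Mobile Safari"),
        ("198.51.100.57", 48, "GET", "/help", "Mozilla/5.0 (X11; Linux) Chrome/22.0"),
    ]
    for rec in legit:
        lines.append(_line(*rec))
    for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
        for sec in range(60):  # 60 identical requests per source in 60 seconds
            lines.append(_line(ip, sec, "GET", "/", "Mozilla/4.0 (compatible; MSIE 6.0)"))
    return "\n".join(lines)


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def homogeneity(records):
    """Share of requests carrying the single most common
    (method, path, user-agent) signature. Values near 1.0 mean the traffic
    is nearly uniform; real user traffic spreads across many signatures."""
    if not records:
        return 0.0
    sigs = Counter((r["method"], r["path"], r["ua"]) for r in records)
    return sigs.most_common(1)[0][1] / len(records)


def suspicious_sources(records, rate_threshold):
    """Source IPs whose request rate over the observed window exceeds
    rate_threshold (requests per second). The threshold is an assumption
    to be tuned from a site's normal baseline, not a figure from the article."""
    if not records:
        return []
    earliest = min(r["ts"] for r in records)
    latest = max(r["ts"] for r in records)
    window = max(1.0, (latest - earliest).total_seconds())
    per_ip = Counter(r["ip"] for r in records)
    return sorted(ip for ip, n in per_ip.items() if n / window > rate_threshold)


def nginx_deny_rules(ips):
    """Render one nginx 'deny' line per source for the host-side block the
    article mentions. As Chuvakin notes above, this only helps while the
    upstream link still has capacity; the same list is what an institution
    would hand to its ISP so the traffic is dropped earlier in its path."""
    return [f"deny {ip};" for ip in ips]


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print(f"{len(recs)} requests, homogeneity={homogeneity(recs):.3f}")
    flagged = suspicious_sources(recs, rate_threshold=0.5)
    print("\n".join(nginx_deny_rules(flagged)))
```

On the constructed sample the homogeneity score is above 0.9, while the six legitimate lines alone score below 0.2; the three flood sources are the only ones exceeding the rate threshold. In practice the signature fields, the window length and the threshold should be chosen from a site's own traffic baseline, and the legitimate-user check Horan warns about (not dropping real customers) means a flagged list is a candidate for review and for sharing with the ISP, not an automatic drop.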
Information sharing between banking institutions and among institutions, ISPs, law enforcement and third-party vendors is critical. "The attackers will change," Smith says. "Understanding how those attacks are changing is critical."
For now, however, experts are anxious to see if the wave of attacks that targeted banks the last two weeks will continue. "What does this week hold?" Smith asks. "We'll soon know if the pattern will continue."