Whatever Happened to DDoS Phase 4?

'Different' Bank Attacks Have Yet to Materialize

By Tracy Kitten, August 13, 2013.

It has been three weeks since Izz ad-Din al-Qassam Cyber Fighters declared "The break's over and it's now time to pay off," announcing Phase 4 of "Operation Ababil," the nearly year-long campaign of distributed-denial-of-service attacks on major U.S. banks (see DDoS: Attackers Announce Phase 4).


But it has been nearly two weeks since any DDoS activity could be attributed to this group. Which begs the question: Is Phase 4 over before it ever really began? DDoS experts offer varying theories about the recent inactivity.

"I believe that to a large extent, this particular set of attacks is over," says Rodney Joffe, senior technologist at DDoS-mitigation provider Neustar. "If attacks come back, I believe [they] will be a totally new initiative, perhaps by the same actors and perhaps using the same proxy."

Mike Smith, a security evangelist at cybersecurity firm Akamai, says it's hard to be certain why al-Qassam has been silent.

"There are lots of theories that I've heard, but they're just that: theories, conjectures and unproven ideas," he says. "Aside from two Wednesdays at the beginning of Phase 4, they haven't attacked anything."

Historically, DDoS attacks have begun on Tuesdays and ended on Thursdays, but that has not been the pattern Phase 4 has followed. And there are no obvious signs, experts say, that the botnet, known as Brobot, used in the attacks is being geared up for new strikes.

Growth of Brobot has slowed as well.

Phase 4 Attacks

In announcing the start of Phase 4, al-Qassam promised "different" attacks from those that struck nearly 50 U.S. banking institutions in the earlier rounds.

"Planing [sic] the new phase will be a bit different and you'll feel this in the coming days," the group posted July 23 on Pastebin. Yet, since then, DDoS attacks linked to Brobot have struck on just two occasions - July 24 and July 31.

On July 24, JPMorgan Chase and Regions Financial Corp. were targeted by Brobot, experts say. Keynote, an online and mobile cloud testing and traffic monitoring provider, confirmed that both sites experienced intermittent outages on that date that appeared to be DDoS-related. Online outages at Regions actually spanned two days, and electronic banking remained inaccessible throughout that attack window, according to Keynote (see DDoS is Back; 2 Banks Attacked).

Detecting online glitches associated with those attacks took some digging, however, says Aaron Rudger, Keynote's Web performance marketing manager. And while DDoS trackers said some attack evidence suggested a link to Brobot, none were willing to say for certain the attacks came from al-Qassam.

Then, on July 31, attack code linked to Brobot struck a handful of leading U.S. banks, but had no impact on the availability of customer-facing interfaces, such as access to online banking, experts say.

Theories About Attackers

Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham and chief technology officer and co-founder of online security firm Malcovery Security, says there are a few reasons why this phase has not been as aggressive as previous attacks.

"In the early stages, the majority of the bandwidth that they were using for the attacks was from U.S.-based servers," Warner says. "The idea is that if I'm attacking a U.S.-based server, and I want a high bandwidth attack, I'll want most of my attacking nodes to come from U.S.-based infrastructure."

But in this fourth phase, many of the attacking servers are based overseas, he says. "That actually provides a disadvantage to the attacker, in that the bandwidth that is being used is likely to be lower bandwidth and less responsive against American targets."

Also, if one accepts the prevailing theory that al-Qassam is a Muslim group attacking from Iran, then the timing of the break could be linked to the Islamic holiday, Ramadan, Warner says (see Analysis: Who's Really Behind DDoS?).

The group has repeatedly stated it's waging its attacks against U.S. banking institutions in protest of a YouTube movie trailer deemed offensive to Muslims.

Follow Tracy Kitten on Twitter: @FraudBlogger
