DDoS: Lessons from Phase 2 Attacks
Dual-Pronged Attacks Necessitate Stronger App Management
As a hacktivist group's second campaign of distributed-denial-of-service attacks against U.S. banks enters its sixth week, experts say financial institutions' mitigation strategies are improving and their communication methods are changing.
Since Dec. 11, when the hacktivist group Izz ad-Din al-Qassam Cyber Fighters kicked off its second campaign of DDoS attacks, Bank of America, JPMorgan Chase, Citigroup, Wells Fargo, U.S. Bancorp, CapitalOne, HSBC, PNC Financial Services Corp., Ally Bank, Suntrust Banks, Regions Financial Corp., BB&T Corp. and Fifth Third Bank all have apparently been targeted. Some have been named by the attackers in updates posted to the online forum Pastebin. And some of these banks also were targeted during the group's first campaign, which ran from mid-September through mid-October.
The second campaign of attacks appears to be having less of an impact than the first wave, thanks to improved defenses, observers say. But the hacktivists are pledging to continue to wage attacks for many more months if the YouTube video they're protesting remains posted.
While some experts speculate that Iran may be behind the attacks, others point to signs that indicate that's not the case. Meanwhile, many banks are now communicating directly to their clients about the outages, rather than making statements on their websites or social media out of fear that too much publicity is fueling more attacks.
Technical Defense Improvements
Experts say banking institutions have dramatically enhanced their DDoS prevention methods and procedures since the first campaign. Dan Holden, director of the security engineering research team for Arbor Networks, which sells DDoS prevention products, says it's not just banks that have improved; ISPs and cloud-based DDoS-prevention providers have upped their efforts as well.
The result: Online-banking sites are suffering fewer outages for shorter periods of time during the second campaign. And in the wake of all the attacks, the financial services industry is now taking DDoS as a serious threat.
"From a technology standpoint, we have improved our defenses quite a bit since the fall," Holden says. "These attacks were different, and so, in the beginning, they were more effective. The focus and how they [the attackers] built it out - using high bandwidth servers and in lower numbers than what we typically see in botnets and hacktivism - was new."
The banks have learned they cannot defend against these attacks alone, he adds. As a result, information sharing within the industry and with technology vendors has improved.
"These attacks have been effective because they are two-pronged," Holden says. "They flood the [Internet service] providers, at the enterprise level, but then they also flood and test the bank at the application level."
This two-pronged attack approach has necessitated more lines of defense for website applications, and that's an area banks are addressing on their own, he says.
"The financial institutions are more familiar with how to protect the application level," Holden says. "They can't lean on an ISP for that. So now, when they build the application or reassess the security of the application, they're going back to harden it for these attacks."
By reviewing the bandwidth and resources consumed by certain input fields, such as searches and logins, institutions can adjust the applications. For example, if the application running a bank's search feature is attacked, the bank may opt to simply shut that feature off until the attack subsides, he explains.
"Logins and searches are the low-hanging fruit [for attackers], and so those are the applications the banks look at the most," Holden says. "And then there is the defense of the application, from a specific DDoS standpoint. From a pure traffic and flooding perspective, a lot of that is provided by a cloud-defense provider or ISP. But the application is very specific to that bank customer, so the bank has to build those defenses in."
The biggest lesson learned during this second campaign of attacks, Holden adds, is that bilateral strikes like the ones being waged now require in-cloud provider defenses as well as in-house defenses for applications.
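The application-level defense Holden describes (measuring what each input field costs the backend, and switching an expensive feature such as search off while an attack is under way) can be sketched as a small request guard. The example below is added here to illustrate that idea; it is not code from the article or from any bank or vendor it mentions. The per-feature cost weights, the cost budget, the per-client limit and the cooldown are all assumed values that an institution would replace with numbers from its own profiling. The guard keeps a sliding window of recent requests per feature, rejects individual clients that exceed a request quota, and, when the total cost in the window exceeds the budget, disables that feature for a cooldown period while leaving cheaper features such as login available.

```python
"""Application-level DDoS guard: per-client quota plus a per-feature cost circuit breaker.

Added example, not the article's or any bank's code. All thresholds are assumptions.
"""
from collections import defaultdict, deque

# Assumed cost weights: how much backend work one request to each feature consumes,
# in arbitrary units an institution would derive by profiling its own application.
FEATURE_COST = {"login": 2.0, "search": 10.0, "balance": 1.0}


class FeatureGuard:
    def __init__(self, window_seconds=10.0, cost_budget=500.0,
                 per_client_limit=20, cooldown_seconds=60.0):
        self.window_seconds = window_seconds      # length of the sliding window
        self.cost_budget = cost_budget            # max total cost per feature per window
        self.per_client_limit = per_client_limit  # max requests per client per feature per window
        self.cooldown_seconds = cooldown_seconds  # how long a tripped feature stays off
        self._events = defaultdict(deque)         # feature -> deque of (timestamp, client, cost)
        self._disabled_until = {}                 # feature -> timestamp when it may come back

    def _prune(self, feature, now):
        """Drop events that have fallen out of the sliding window."""
        q = self._events[feature]
        while q and q[0][0] < now - self.window_seconds:
            q.popleft()

    def decide(self, feature, client, now):
        """Return 'allow', 'throttle' (client over quota) or 'disabled' (feature switched off).

        `now` is an injected clock (seconds) so the behaviour is deterministic and testable.
        """
        until = self._disabled_until.get(feature)
        if until is not None:
            if now < until:
                return "disabled"           # still in cooldown: answer cheaply, no backend work
            del self._disabled_until[feature]
        self._prune(feature, now)
        q = self._events[feature]
        # Per-client quota: a single source hammering one feature is cut off first.
        if sum(1 for _, c, _ in q if c == client) >= self.per_client_limit:
            return "throttle"
        cost = FEATURE_COST.get(feature, 1.0)
        q.append((now, client, cost))
        # Aggregate budget: many sources each under quota can still exhaust the feature,
        # so trip the breaker on total cost and let the rest of the site keep serving.
        if sum(c for _, _, c in q) > self.cost_budget:
            self._disabled_until[feature] = now + self.cooldown_seconds
            return "disabled"
        return "allow"


def run_demo():
    """Constructed traffic: a distributed search flood, then one client hammering login."""
    guard = FeatureGuard()
    # 51 search requests from 51 distinct (constructed) clients, 100 ms apart.
    flood = [guard.decide("search", f"bot-{i}", i * 0.1) for i in range(51)]
    login_during = guard.decide("login", "cust-1", 5.1)     # cheap feature stays up
    search_during = guard.decide("search", "cust-1", 5.2)   # search is off for the cooldown
    search_after = guard.decide("search", "cust-1", 70.0)   # cooldown over, window empty
    # One client sending 25 logins in a quarter of a second.
    hammer = [guard.decide("login", "bot-x", 80.0 + i * 0.01) for i in range(25)]
    return {
        "flood_allowed": flood.count("allow"),
        "flood_disabled": flood.count("disabled"),
        "login_during_attack": login_during,
        "search_during_attack": search_during,
        "search_after_cooldown": search_after,
        "hammer_allowed": hammer.count("allow"),
        "hammer_throttled": hammer.count("throttle"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the constructed run, fifty searches from distinct clients are served before the fifty-first pushes the window's cost past the budget and trips the breaker; login from a real customer is still allowed during the cooldown, and search returns once the cooldown and window have expired. The point of the two separate checks is the one Holden makes: a distributed flood stays under any per-client limit, so the application also needs a feature-level budget it can enforce on its own, independent of the ISP or cloud provider absorbing the volumetric layer.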
So What's Next?
The biggest concern is how long these attacks will last. "The most disturbing piece is that ... they plan to carry these attacks out for an entire year," Holden says. "From a hacktivist standpoint, that's an extremely long campaign."
In its latest post, on Jan. 8, Izz ad-Din al-Qassam Cyber Fighters suggests the attacks will be waged for 56 additional weeks. Based on a series of numerical sequences, which the hacktivists claim they developed from tallied likes and dislikes affiliated with the YouTube video they're protesting, they've determined their attacks against banks will likely continue for an additional 14 months.
The longevity of the attack suggests the hacktivist group is not acting alone. "It would lead you to believe that there is definitely some kind of support behind this," Holden says. "Even if it is hacktivism, there is some serious backing of it, mainly because of the investment it takes to keep it going."
The longer the attacks run, the bigger the botnet grows. That's not unusual, Holden says, but it's definitely worrisome. "They are taking over more servers and launching their attacks from more places," he says. "And the longer the campaign goes on, and the more cleanup effort that is occurring, the more the attackers are working to be out in front."
The Attacks: Who's Behind Them?
Since mid-December, Izz ad-Din al-Qassam Cyber Fighters has repeatedly threatened more attacks in protest of the YouTube video deemed offensive to Muslims.
But some experts say these anonymous posts on Pastebin are being used to fuel propaganda, and questions have been raised about who is actually behind the attacks and the posts.
The New York Times reported on Jan. 8 that the complexity of the attacks has led some security experts to believe the attacks are being backed by Iran. The news story, which quotes James A. Lewis, a former official in the State and Commerce departments, claims the attacks against banks could be payback for cyberespionage attacks, such as Stuxnet, Flame and Duqu, that have over the last three years affected computer systems in Iran.
But Holden and DDoS expert John Walker, who also serves as the chairman of ISACA's Security Advisory Group in London, say attributing the true sources of DDoS attacks is nearly impossible.
"We've seen no proof that these attacks are backed by Iran," Holden says. "The government has very good attribution skills, but even with that capability, the digital attribution of these attacks would be incredibly difficult."
The style of these attacks is not typical of cyberwar activity, Holden contends. They've been too public. "Look at Stuxnet and Flame," he says. "Those were never supposed to be discovered."
Walker says signs over time may point to Iran, but it would be irresponsible to say definitively that Iran is behind these attacks. There would always have to be some level of inference, based on bits and traces of data from multiple sources, he says.
How Banks Have Communicated
In recent weeks, institutions have been less frequently using public forums, such as their corporate and online-banking sites and social media outlets, to share information about attacks causing online outages.
Instead, many are using e-mail to directly communicate with affected customers. That shift is occurring, in part, because of the perception that too much publicity is fueling more attacks.
"Regardless of what the motivation is, if this truly is hacktivism, the publicity is what makes hacktivism work," Holden says.
Even if online-banking sites aren't going down because of DDoS, if consumers believe hacktivists' claims, based on what they read, then the hacktivists win, he says.
Some banks believe the more the attacks are publicized, the more momentum they gain. "The publicity makes them more aggressive," one security officer at a leading U.S. institution, who asked to remain anonymous, tells BankInfoSecurity.
Bill Nelson, president and CEO of the Financial Services Sharing and Analysis Center, says banking institutions are more reserved about public communications than they were during the first wave of attacks in the fall.
"We really have to be careful, because we don't want to give too much information that the attackers can use to raise their business case for the next round," Nelson says. "But it certainly makes sense to have direct communications with our customers."
What Banks Are Sharing
So far this year, fewer banks are talking. Even PNC, which early on stood out for its open dialogue with the press and consumers, has been quieter in recent weeks.
On Jan. 4, PNC spokeswoman Marcey Zwiebel said the bank was taking steps to communicate directly with customers, but she never confirmed that PNC's website had actually suffered any outages or access issues.
PNC sent an e-mail Jan. 3 directly to its customers, a copy of which BankInfoSecurity obtained, acknowledging high volumes of online traffic that had flooded Internet connections and affected numerous U.S. banks.
On Jan. 8, PNC only publicly confirmed "unusual activity" affecting its site. Also on Jan. 8, BB&T Corp. and Fifth Third Bank acknowledged "intermittent" issues, but only BB&T attributed those issues to a DDoS event.
Since then, those three banks have reported normal systems activity. The other banks - Bank of America, JPMorgan Chase, Citigroup, Wells Fargo, U.S. Bancorp, CapitalOne, HSBC, Ally Bank, Suntrust Banks and Regions Financial Corp. - which had previously confirmed abnormal site activity have remained silent.
Fraud expert Avivah Litan, a Gartner Research analyst, says institutions can't halt all communications.
"Banks do need to have a clear, explicit communication plan for customers that addresses concerns they will undoubtedly have," Litan says.