Financial institutions have been battling waves of large distributed denial of service (DDoS) attacks since early last year. Many of these attacks have been the work of a group called the Qassam Cyber Fighters (QCF), who until recently posted weekly updates on Pastebin reminding readers of the reasons for their efforts and summarizing Operation Ababil, their DDoS campaign.
Other hacktivist groups have launched their own DDoS attacks and targeted financial services institutions with focused attacks on web forms and content. There have also been reports of nation-state-organized cyber assaults on banks and government agencies, along with complex, multi-vector efforts that have combined DDoS attacks with online account tampering and even fraud.
Over the past year and a half, attack activity has steadily grown in intensity and changed shape. Recent incidents against banks of all sizes have shown that DDoS comes in many forms: traditional SYN and DNS floods, DNS amplification, and application-layer and content-targeted methods. Denial of service (DoS) traffic aimed at SSL-encrypted pages and resources is a further challenge, because the server must spend CPU on the TLS handshake before it can inspect, let alone reject, the request. In some instances, adversaries have moved to a blended attack that pairs harder-to-stop application-layer methods with "cheap," high-volume floods that can be filtered and blocked by simpler means.
To cope with this level of malicious activity, CIOs, CISOs, and their teams need a plan in place and should consider a broad set of defensive tools that combine on-premises technologies with cloud-based scrubbing services. They must also begin to explore, and ultimately implement, intelligence gathering and sharing practices that feed a comprehensive DoS mitigation strategy.
1. Have a scrubbing service or similar cleaning provider to handle large volumetric attacks. DDoS volumes have reached a level where 80 Gbps of attack traffic is a normal event, and there are reports of attacks in the range of 300 Gbps. Few, if any, organizations can maintain enough Internet bandwidth to absorb attacks of this size. When faced with a DDoS incident this large, the first option an organization needs to consider is routing its Internet traffic through a dedicated cloud-based scrubbing provider that removes malicious packets from the stream, typically by having the provider announce the affected prefix via BGP (or by repointing DNS for a single site) and returning the cleaned traffic over a tunnel. These providers are the first line of defense for large volumetric attacks, because they have the tools and bandwidth to clean network traffic so that DDoS packets are stopped in the cloud and regular business-as-usual (BAU) traffic is allowed through.
2. Have a dedicated DDoS mitigation appliance to identify, isolate, and remediate attacks. The complexity of DDoS attacks and the tendency to combine volumetric and application-layer methods require a combination of mitigation techniques. The most effective way to cope with the application-layer and "low and slow" elements of these multi-vector attacks is to use dedicated on-premises appliances. Firewalls and intrusion-prevention systems remain part of the mitigation effort, but as stateful devices they can themselves be exhausted by a connection flood, so the DDoS appliance should sit in front of them and block advanced DDoS activity in real time before state is consumed. Administrators can also configure their on-premises appliances to signal the cloud scrubbing provider so that traffic is automatically diverted (routed away) to the scrubbing center when an attack exceeds what the local link and devices can handle.
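The two recommendations above amount to a triage decision: classify the traffic in a window into vectors (SYN flood, DNS amplification, low-and-slow), mitigate the cheap application-layer part on-premises, and divert to the scrubbing provider only when the volumetric part threatens the link. The following is an added example written for this page, not code from the article or from any vendor's appliance; the flow records, field names, thresholds and the 1 Gbps link capacity are all constructed and hypothetical, and real detection would run on NetFlow/sFlow or appliance telemetry with thresholds tuned to the network's baseline.

```python
"""Triage a window of flow records into DDoS vectors and decide where to mitigate.

Added example, not code from the article or any vendor. Flow records, field
names, thresholds and the link capacity below are constructed/hypothetical.
"""
from collections import defaultdict

WINDOW_S = 10              # length of the constructed window, seconds
LINK_BPS = 1_000_000_000   # hypothetical 1 Gbps Internet link
VICTIM = "198.51.100.10"   # RFC 5737 documentation address used as the target


def constructed_window():
    """Synthetic NetFlow-style summaries for one window (not real telemetry)."""
    flows = []
    # Ordinary HTTPS sessions from a few clients.
    for i in range(20):
        flows.append(dict(src=f"203.0.113.{i + 1}", dst=VICTIM, proto="tcp",
                          sport=40000 + i, dport=443, flags="SPAF",
                          pkts=40, bytes=60_000, dur_s=2.0))
    # SYN flood: one-packet, SYN-only flows from thousands of spoofed sources.
    for i in range(3000):
        flows.append(dict(src=f"10.{(i >> 8) & 255}.{i & 255}.{i % 7 + 1}",
                          dst=VICTIM, proto="tcp", sport=1024 + i, dport=443,
                          flags="S", pkts=1, bytes=60, dur_s=0.0))
    # DNS amplification: large UDP responses reflected off 250 open resolvers.
    for i in range(400):
        flows.append(dict(src=f"192.0.2.{i % 250 + 1}", dst=VICTIM, proto="udp",
                          sport=53, dport=5000 + i, flags="",
                          pkts=3000, bytes=3000 * 1400, dur_s=float(WINDOW_S)))
    # Low-and-slow: one source holding hundreds of near-idle HTTP connections.
    for i in range(300):
        flows.append(dict(src="172.16.0.9", dst=VICTIM, proto="tcp",
                          sport=50000 + i, dport=80, flags="SA",
                          pkts=6, bytes=900, dur_s=300.0))
    return flows


def label_flow(f):
    """Per-flow heuristic label; confirmed only by the aggregate checks in triage()."""
    avg_pkt = f["bytes"] / max(f["pkts"], 1)
    if f["proto"] == "tcp" and f["flags"] == "S" and f["pkts"] <= 2:
        return "syn_flood"                      # half-open attempt, never completed
    if f["proto"] == "udp" and f["sport"] == 53 and avg_pkt >= 1000:
        return "dns_amplification"              # big DNS "responses" we never asked for
    if (f["proto"] == "tcp" and f["dport"] in (80, 443)
            and f["dur_s"] >= 60 and f["bytes"] <= 2000):
        return "low_and_slow"                   # long-lived, almost idle web connection
    return "benign"


# Aggregate thresholds (illustrative, not tuned for any real network): floods
# need many distinct sources, low-and-slow needs many connections per source.
MIN_SOURCES = {"syn_flood": 500, "dns_amplification": 50}
MIN_SLOW_CONNS_PER_SRC = 100
DIVERT_FRACTION = 0.5   # route away to cloud scrubbing above 50% of link capacity


def triage(flows, window_s=WINDOW_S, link_bps=LINK_BPS):
    bytes_by = defaultdict(int)
    sources_by = defaultdict(set)
    slow_conns = defaultdict(int)
    for f in flows:
        lab = label_flow(f)
        bytes_by[lab] += f["bytes"]
        sources_by[lab].add(f["src"])
        if lab == "low_and_slow":
            slow_conns[f["src"]] += 1

    bps = {lab: b * 8 / window_s for lab, b in bytes_by.items()}
    confirmed = [lab for lab, n in MIN_SOURCES.items() if len(sources_by[lab]) >= n]
    slow_offenders = sorted(s for s, c in slow_conns.items() if c >= MIN_SLOW_CONNS_PER_SRC)
    if slow_offenders:
        confirmed.append("low_and_slow")

    # Only confirmed volumetric vectors can saturate the link and justify
    # diverting the prefix to the scrubbing provider. Low-and-slow costs little
    # bandwidth and is handled on-premises with per-source connection limits.
    volumetric_bps = sum(bps.get(lab, 0) for lab in ("syn_flood", "dns_amplification")
                         if lab in confirmed)
    return {
        "confirmed_vectors": confirmed,
        "bps": {lab: int(v) for lab, v in bps.items()},
        "volumetric_bps": int(volumetric_bps),
        "divert_to_scrubbing": volumetric_bps > DIVERT_FRACTION * link_bps,
        "slow_offenders": slow_offenders,
    }


if __name__ == "__main__":
    for key, value in triage(constructed_window()).items():
        print(f"{key}: {value}")
```

On the constructed window the reflected DNS traffic alone is about 1.34 Gbps, so the decision is to route away to the scrubbing provider while the single low-and-slow source is rate-limited locally; the same window against a 10 Gbps link stays on-premises. The split matters because diverting a prefix is not free (latency, tunnel capacity, and the provider's own false positives), so the trigger should be the volumetric share of the link, not the mere presence of an attack.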