News & Commentary

00:02 AM
Rodney Joffe, Neustar
Rodney Joffe, Neustar

Financial Security: Learning From DDoS Attacks (Part 2)

With more 7,000 distributed denial of service attacks daily, it’s only a matter of time before even smaller banks and credit unions are targeted. Here are more lessons smaller institutions learn from the big banks.

Exactly how big are distributed denial of service (DDoS) attacks in mid-2013? "Just big enough" is what most attackers would say. The Cyber Fighters of Izz ad-din Al Qassam, a group claiming to protest an anti-Moslem video and considered by many experts to be the perpetrators of the attacks, have shown a knack for ratcheting up the volume as banks invest in greater DDoS mitigation bandwidth. The al Qassam template hasn't gone unnoticed. In the cyber underground, criminal gangs have chatted about the group's favorite weapon, the "itsoknoproblembro" DDoS toolkit, which hits various parts of a web site at the same time and floods servers with traffic up to 70Gbps.

[Read Part 1 of this special report on dealing with DDos Attacks: What Smaller Financial Institutions Can Learn From DDoS Attacks on Big Banks]

The al Qassam botnet -- dubbed the "brobot" -- is striking too. Instead of marshaling tens of thousands of infected home computers, it uses hosting providers' or business' commercial content servers, which offer fatter pipes and bandwidth galore. The same tactics are available to those whose motive is greed, with the Internet itself serving as their weapons storehouse. Since they never pay for those high-capacity servers and all that power, what's to stop attackers from using as much as they want? Though an attack of less than 2Gbps can take down many sites, attackers want to be sure your site is down throughout the world. In fact, they use free web monitoring services to make sure that folks in Chicago and Paris can't reach you. If the attack isn't working globally, the attackers up the ante. Just figuratively, though--humongous attacks cost no more than surgical strikes.

If this is bad news for top-tier banks, it's potentially disastrous for smaller institutions lacking the budget and expertise to handle attacks themselves. Fortunately, a little planning and preparation can make a big difference.

"Does This Hardware Make Me Look Fat?" It Pays To Be Less Attractive To Attackers.

Short of making arrests, the good guys can't stop the bad guys from launching DDoS attacks. So increasingly, larger banks have taken steps to become less-appealing targets -- less likely to go offline for long periods of time and more likely to retain customers thanks to helpful communications.

Best practice number one: Distribute your Internet infrastructure. Separate your DNS, e-commerce, payment gateways and VPNs. If everything's on the same infrastructure and you're socked with a DDoS attack, the damage is more widespread and the attackers win. Say your DNS is hit. Not good, but if your VPN, for instance, is on a different circuit (either real or virtual), your staff has backdoor access to email and other functions. Because you've segregated your private- and public-facing systems, business doesn't grind to a complete halt. To accomplish this, find a trusted third party to manage infrastructure like DNS. Or at least have a Plan B, enabling you to park your DNS, VPN or web service somewhere else until the attack ends. By lining up a willing provider well in advance, you'll spare yourself some agony when the dirt hits the fan.

It's also smart to assume that someday you're going to be hit. To paraphrase Trotsky, you may not be interested in DDoS, but DDoS is interested in you. With over 7,000 attacks daily, it's only a matter of time, so more banks and credit unions are crafting emergency plans. Like natural disaster planning or certain business recovery efforts, these preparations go far beyond technical responses. It starts with being ready to do business, gasp, offline. If your credit union site is down, you may decide to extend your regular business hours, which in turn might require extra tellers and call center operators, or even coffee and cookies for customers in long lines. You'll also need to let people know about any such contingencies.

Be ready to communicate with customers quickly and reassuringly. Email may not be an option, so consider radio announcements or other media outlets, including a company web page separate from the one that's under attack. Also think about a toll-free number your customers can call. How much detail should you reveal about the impact of an attack? That's up to you, of course. Some financial institutions have chosen to say as little as possible, for fear of feeding attackers valuable information. Others have been more transparent, betting they'll reap the reward in customer gratitude and fewer account defections.

Whatever procedures you develop, be sure to practice them. You'll never be ready for everything, but executing the basics well can help enormously. Again, the throes of a crisis aren't the best time to white-board responses. Run drills of your emergency plan and you'll likely accomplish two things: more effective DDoS mitigation and better core service, the latter tending to slip when attacks are all-consuming.

While al Qassam is a role model for cyber miscreants, the major banks are a more positive one in the DDoS protection arena. Smaller banks and credit unions don't have the same deep pockets, but they can still make plans, develop responses and make smart technology investments. Inertia is the one thing they truly can't afford.

Rodney Joffe is Senior Vice President and Senior Technologist of Neustar, Inc. In this role, he oversees and guides the technical direction of the company's Neusentry security offering as well as heading the company's cyber-security initiatives.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.