Since last fall, several waves of distributed denial of service (DDoS) attacks have targeted major players in the U.S. banking industry. Eventually, the top-50 institutions found themselves in the crosshairs. Websites crashed, customers couldn't connect to make transactions and banks scrambled to get back online -- and stay there as long as they could. In the months to come, security experts would praise the banks' collective response, from heightened DDoS protection to candid customer communications. While the danger is hardly over, these larger institutions have learned some painful lessons that smaller firms might heed as they seek to minimize risks. This two-part series will discuss just how smaller financial institutions can stay ahead of DDoS attackers
DDoS Attackers Are Fast Learners
The attacks on banks are the work of the Cyber Fighters of Izz ad-din Al Qassam, a group claiming to protest an anti-Moslem video, though many observers believe a nation-state, possibly Iran, is responsible. To date, the attackers haven't stolen customer data or siphoned off funds, being content to disrupt operations and get the industry's attention.
In doing this, they've launched some of the largest DDoS attacks ever, up to 150Gbps. Even more sobering, as banks have fortified defenses and sharpened DDoS responses, the attackers too have made adjustments to stay a step ahead. For example, after banks got better at defending their websites and DNS, attackers began to focus their attention on ISPs. Some attacks zeroed in on email servers and VPNs. Another adjustment: Initially, al Qassam made voluminous requests for super-sized files like annual reports, brochures and loan applications. At 4-5 Mbps, these assets devoured outbound bandwidth. When some banks removed the files or switched to a CDN, the attackers started probing other cracks in the wall.
The bad guys have also seen how application-layer attacks drain human as well as computing resources, creating all-hands-on-deck emergencies, some lasting days or weeks. Code-red situations aren't ideal for deploying anything, including DDoS protection hardware and mitigation procedures. The larger banks already had certain defenses in place. Smaller banks and credit unions with little or no protection would be even more hard pressed to keep pace under duress.
Al Qassam Has Provided a Template Your Adversaries Might Use
The very first DDoS attacks occurred in 2001, aimed at e-commerce sites like eBay and Yahoo. The tactics were later refined by the Russian Mafia, other criminal gangs and socio-political protesters, all of whom turned DDoS attacks into a kind of art form. Now Al Qassam has raised the bar again.
DDoS attackers form a nefarious community of learners, taking notes and sharing tips via, what else, the Internet. While a nation-state, for example, may not target local credit unions or regional banks, good old-fashioned cyber thieves do it every day. The scenario that worries security pros: DDoS as a distraction for payroll theft and more, used in tandem with malware like SpyEye, Zeus and Citadel. Again, the al Qassam attackers haven't tried to steal, but their goal is political influence, not financial gain. Criminals hitting businesses that use small to mid-sized banks, however, now have a way to distract their victims for hours on end. Imagine a DDoS attack on a bank in Somewhere, Kansas, timed for 4:45 on a Friday afternoon -- just as payroll funds are whizzing through cyber-space. Sophisticated crooks are hard enough to catch when you're focused. When you can't confirm wire transfers because your bank's gone dark, your chances of being defrauded increase dramatically.
With bigger and more successful attacks than anyone else to date, al Qassam has drawn the blueprints for the ultimate cover-and-delay.
This is the first article of a two-part series on what smaller institutions can learn from DDoS attacks on big banks. Part 2 will cover how smaller banks can properly plan and develop responses through smart technology investments.
Rodney Joffe is Senior Vice President and Senior Technologist of Neustar, Inc. He oversees and guides the technical direction of the company's Neusentry security offering as well as heading the company's cyber-security initiatives.