DDoS Attacks Relentless so far in 2013

Jun 4, 2013 8:00am

Life hasn’t been easy for security professionals since the first quarter of 2013. We’re now in phase three of a series of concerted attacks against banks and other financial institutions. Targets have included Regions Bank, M&T Bancorp, Union Bank, Principal Financial Group, Ameriprise Financial, State Street Corp., RBS Citizens Financial Group Inc. [dba Citizens Bank] and Wells Fargo & Co. One of the latest victims was Charles Schwab on April 23, when customer access to the site was blocked for two hours.

Top-tier institutions, such as JPMorgan Chase & Co. and Bank of America, were targeted last fall, and the attacks started hitting mid-tier banks and some credit unions during the winter months. Then in March, security vendor Prolexic deflected a DDoS attack against a major financial institution. The traffic directed at the target peaked at 160 gigabits per second and 120 million packets per second, the largest and most intense DDoS attack Prolexic has observed in its 10 years of operation.

However, these are just the larger attacks. In the annual DDoS Threat and Impact Survey published by DDoS mitigation vendor Neustar, 44 percent of the companies in the financial sector participating in the survey were attacked in 2012, up from 32 percent in 2011. The cost to these companies during outages averaged $50,000 per attack per hour. Overall, 41 percent of the attacks originated in China, and 10 percent originated from within the United States, according to Akamai.

Traditional forms of protection are proving ineffective. Businesses that rely on a standard firewall and IDS/IPS solutions may have to look further, because DDoS and other types of attacks are becoming a business in their own right. Attackers can now easily acquire DDoS tools on the black market.

Old school DDoS attacks came from a single computer. This then evolved to the bad guy compromising some sort of connection with a lot of bandwidth, at a university, for example. Today, the bad guys can rent a botnet by the hour, and the zombie computers on the botnet will then attack the website simultaneously. Some security experts believe Brobot, the hacktivists' botnet used during the first phase of attacks, may have been leased out to another group during the second phase, when three online role-playing game sites were hit by Brobot. You have to love free enterprise.

While banks and other financial institutions are in tight competition for customers, they are pretty united when it comes to defending themselves from cybercriminals. 

According to Greg Garcia, cyber-attack adviser and spokesman for the Financial Services Information Sharing and Analysis Center, “Members of the financial sector also share information robustly in our community, and we're deploying our best tools, expertise, and collaboration to anticipate incoming attacks and stop them before they occur. Some attacks succeed; many do not; and we're working every day to raise our success rate and lower theirs.”

Organizations in the past have been overly confident about protecting themselves from old school DDoS attacks. A typical solution was to secure key services by deploying firewalls in front of the servers, perhaps configured to cut off traffic above some arbitrary number. This doesn’t show a lot of intelligence: it can cut off traffic that should be getting through, and it creates false positives when a “good” site is sending an unusually high volume of traffic to the web site.

“Firewalls, routers, and switches can protect against intrusive attacks at Layer 3 (to some extent) but compound the effects of DDoS attacks by bottlenecking traffic,” concluded Neustar in their 2012 Annual DDoS Threat and Impact Survey. The report also stated that the use of IDS could actually cause bottlenecks.

Richard Martinez, network security analyst at Frost & Sullivan, concurs with the Neustar report: “A common response by many administrators to the challenges of DDoS is the belief that their firewall and IPS infrastructure will protect them from attack. Unfortunately, this is not true. Firewalls and IPS devices, while critical to network protection, are not adequate to protect against complex DDoS attacks."

Intrusion Prevention Systems (IPS) are a step up from old school techniques, but they are limited in the number of concurrent sessions they can support. They are designed to identify harmful packets by matching them against a database of known threat signatures, much as firewalls operate. Because many DDoS attacks consist of perfectly valid requests, an IPS cannot dependably protect against this type of attack simply by applying a static, signature-based technology.

Protecting against these more sophisticated  attacks is daunting.  A multi-layered approach is needed, requiring security controls deployed at various points within the application flow.

A traditional threshold-based protection feature is helpful.  This mitigation method is effective against simple packet flooding attacks.  However, it runs the risk of false-positives.

It is important that your DDoS security layer allows legitimate transactions through and sustains service continuity; it needs to accurately recognize “good” traffic rather than simply blocking suspicious requests, which may result in false positives. In response to this shift, AhnLab’s DPS layers multiple mitigation filters to enforce traffic authentication.

There have to be self-learning thresholds that are unique to specific IP addresses. The DDoS appliance should be able to automatically calculate an appropriate threshold for each source and define the most adequate protection policy based on the result. This helps ensure that good traffic can get through.
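To make the contrast between an arbitrary cut-off and a per-source learned threshold concrete, here is an added example (not code from the article, from AhnLab or from any other vendor). It feeds a constructed request log to two policies: a static 30 req/s limit, and a limit learned per source IP from the first 30 seconds of history. The IP addresses, rates and tuning constants are all assumptions chosen for illustration.

```python
"""Static cut-off vs. per-source learned rate limits (added example)."""
import statistics
from collections import defaultdict

LEARN_SECONDS = 30   # first 30 s of the log are used to learn baselines
TOTAL_SECONDS = 60
STATIC_LIMIT = 30    # the "arbitrary number" a naive device would enforce (req/s)
DEFAULT_LIMIT = 30   # applied to sources with no learned history (req/s)
SIGMA_K = 3.0        # allow mean + 3 standard deviations of the source's own rate
HEADROOM = 1.5       # never set a learned limit below 1.5x the source's mean
SUSTAIN = 3          # consecutive seconds over the limit before flagging

def synth_log():
    """Constructed request log: list of (second, source_ip). Assumed traffic:
    a legitimate proxy at ~50 req/s all along, an ordinary user at 2 req/s,
    and a bot that is silent until t=30 and then sends 40 req/s."""
    rec = []
    for t in range(TOTAL_SECONDS):
        rec += [(t, "198.51.100.7")] * (55 if t % 2 else 45)   # legit proxy
        rec += [(t, "192.0.2.10")] * 2                         # ordinary user
        if t >= LEARN_SECONDS:
            rec += [(t, "203.0.113.9")] * 40                   # bot burst
    return rec

def per_second_counts(records):
    """ip -> {second -> request count}"""
    counts = defaultdict(lambda: defaultdict(int))
    for t, ip in records:
        counts[ip][t] += 1
    return counts

def learn_limits(counts):
    """Learn a limit per source from its own rate during the learning window."""
    limits = {}
    for ip, by_sec in counts.items():
        samples = [by_sec.get(t, 0) for t in range(LEARN_SECONDS)]
        if not any(samples):
            continue   # never seen in the learning window: DEFAULT_LIMIT applies
        mean = statistics.mean(samples)
        sd = statistics.pstdev(samples)
        limits[ip] = max(DEFAULT_LIMIT, mean + SIGMA_K * sd, HEADROOM * mean)
    return limits

def flagged(counts, limit_for, start, end):
    """Sources whose rate stays above their limit for SUSTAIN consecutive seconds."""
    out = set()
    for ip, by_sec in counts.items():
        lim = limit_for(ip)
        run = 0
        for t in range(start, end):
            run = run + 1 if by_sec.get(t, 0) > lim else 0
            if run >= SUSTAIN:
                out.add(ip)
                break
    return out

def static_policy(records):
    counts = per_second_counts(records)
    return flagged(counts, lambda ip: STATIC_LIMIT, LEARN_SECONDS, TOTAL_SECONDS)

def adaptive_policy(records):
    counts = per_second_counts(records)
    limits = learn_limits(counts)
    return flagged(counts, lambda ip: limits.get(ip, DEFAULT_LIMIT),
                   LEARN_SECONDS, TOTAL_SECONDS)

if __name__ == "__main__":
    log = synth_log()
    print("static  blocks:", sorted(static_policy(log)))    # proxy AND bot
    print("adaptive blocks:", sorted(adaptive_policy(log)))  # bot only
```

The static policy blocks the proxy along with the bot, which is exactly the false positive the article warns about; the learned policy gives the proxy a limit of 75 req/s based on its own history and still catches the bot, which has no history and falls back to the default. In practice the learning window must itself be taken from a period known to be clean, or an attacker who is already flooding will be learned as "normal".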

Large institutions should install DDoS devices with clustering capability. That way, trusted IP addresses can be synchronized across all the devices in the cluster, which helps ensure that legitimate traffic can still get through during a DDoS attack.

The following is a bit of a checklist, but a good one. Institutions looking to upgrade their protection from DDoS attacks need to make sure the solution they’re evaluating can provide:

- protection from the network layer up to the application (HTTP) layer
- source-IP based protection and spoofed-IP protection
- protection from TCP flooding
- TCP session based protection, including low-bandwidth TCP session flooding
- HTTP based protection: HTTP GET flooding, redirect bypass flooding, and SQL query based HTTP attacks
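The "traffic authentication" and "redirect bypass flooding" items above describe the same mechanism from two sides: a mitigation layer answers a first request with a redirect carrying a token, forwards only clients that come back with a valid token, and drops sources that keep hammering without ever following the redirect. The following is an added example of that filter (not code from the article or from any vendor product), with the token bound to the source IP so a stolen cookie cannot be replayed from elsewhere. The secret, cookie name, time window and counts are assumptions; the two client behaviours are constructed for the simulation.

```python
"""HTTP redirect challenge as a traffic-authentication filter (added example)."""
import hashlib
import hmac
from collections import defaultdict

SECRET = b"rotate-me-per-deployment"   # assumption: deployment-specific secret
WINDOW = 300                           # token lifetime bucket, seconds
MAX_UNAUTH = 20                        # unauthenticated hits per source before dropping
COOKIE = "ddos_auth"                   # assumed cookie name

def make_token(ip, now):
    """Token = time bucket + HMAC(secret, ip|bucket); bound to source IP."""
    bucket = int(now) // WINDOW
    mac = hmac.new(SECRET, f"{ip}|{bucket}".encode(), hashlib.sha256).hexdigest()
    return f"{bucket}:{mac}"

def check_token(ip, token, now):
    """Accept tokens for the current or previous bucket, for this IP only."""
    try:
        bucket_s, mac = token.split(":", 1)
        bucket = int(bucket_s)
    except (ValueError, AttributeError):
        return False
    if not 0 <= int(now) // WINDOW - bucket <= 1:
        return False   # expired or from the future
    expect = hmac.new(SECRET, f"{ip}|{bucket}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expect)

class RedirectChallenge:
    """Per-request verdict: 'pass' (forward to origin), '302' (challenge), 'drop'."""
    def __init__(self):
        self.unauth = defaultdict(int)   # unauthenticated hits per source IP
        self.blocked = set()

    def handle(self, req, now):
        ip = req["ip"]
        if ip in self.blocked:
            return ("drop", None)
        token = req.get("cookies", {}).get(COOKIE)
        if token and check_token(ip, token, now):
            return ("pass", None)
        self.unauth[ip] += 1
        if self.unauth[ip] > MAX_UNAUTH:
            self.blocked.add(ip)     # never followed a redirect: flood tool
            return ("drop", None)
        return ("302", {"Location": req["path"],
                        "Set-Cookie": f"{COOKIE}={make_token(ip, now)}"})

def browser(filt, ip, path, now):
    """Constructed well-behaved client: follows the 302 and resends with the cookie."""
    verdict, hdrs = filt.handle({"ip": ip, "path": path}, now)
    if verdict == "302":
        cookie = hdrs["Set-Cookie"].split("=", 1)[1]
        verdict, _ = filt.handle({"ip": ip, "path": path,
                                  "cookies": {COOKIE: cookie}}, now)
    return verdict

def flood_tool(filt, ip, path, now, n):
    """Constructed attack client: fires n bare GETs and ignores every redirect.
    Returns (passed, challenged, dropped)."""
    verdicts = [filt.handle({"ip": ip, "path": path}, now)[0] for _ in range(n)]
    return verdicts.count("pass"), verdicts.count("302"), verdicts.count("drop")

if __name__ == "__main__":
    f = RedirectChallenge()
    print("browser:", browser(f, "192.0.2.10", "/login", 1000.0))       # pass
    print("flood  :", flood_tool(f, "203.0.113.9", "/login", 1000.0, 100))  # (0, 20, 80)
```

No request from the flood source ever reaches the origin, and after MAX_UNAUTH challenges the source is dropped without even the cost of a redirect. Two caveats a practitioner should keep in mind: binding the token to the client IP punishes many users behind one NAT or proxy (the reason the article insists on recognising "good" high-volume sources), and a bot that does follow redirects defeats this filter, which is why it is one layer of several rather than the whole defence.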

As always, during an attack firms have to stay aware that the flood may be a decoy while the cyber criminals break into the system another way.