US bank attacks prove that DDoS hits are getting much nastier. Businesses should be more than a little concerned, says Tom Brewster
When I said earlier this year that the DDoS explosion had only just begun, I didn’t expect to be proved so resoundingly right so soon. If you want proof that DDoS attacks are getting ever more dangerous, and that protecting against them is far from simple, just look across the pond. Banks, those bastions of online security, are being smashed offline by super-powered DDoS hits.
And the DDoSers aren’t going after small fry either. They’ve hit Wells Fargo, the biggest bank in the US in terms of market value. They’ve had a pop at J.P. Morgan Chase & Co too, one of the most influential organisations in the world. And Bank of America. Those are some significant scalps to have taken.
The attackers call themselves the Mrt. Izz ad-Din al-Qassam Cyber Fighters, and they claim to be crippling banks’ websites in retaliation for the portrayal of Muslims in “Innocence of Muslims”, which sparked such a furore in Middle Eastern nations and violent protests at US embassies. It’s clear that whatever their motive, they have some serious power.
These DDoS attacks should concern any organisation that does business online. If organisations of that calibre, with the sums they spend on IT security and infrastructure in general, are getting taken offline by DDoS hits, then is there any website in the world that can stand up to these attacks? Unlikely, which is bad news considering the monetary impact of a DDoS hit on organisations that handle thousands of transactions every hour. “Companies have been known to go down for 6 hours, and the losses are in the millions,” André Stewart, president international at Corero Network Security, told me earlier this year.
There are two main reasons why DDoS attacks have become so troublesome: diversity and volume. Long gone are the days when all DDoS attacks did was fill up the pipes and stop people accessing sites. That still happens, of course, but attackers have started using a variety of methods and tools to take down their targets.
There are SYN floods, in which an attacker opens many half-open TCP connections (sending SYNs, often from spoofed addresses, and never completing the handshake) so that the server's connection backlog and memory are tied up waiting on them. There are application-layer attacks, which are becoming increasingly prevalent; a common form holds hundreds of HTTP connections open by sending endless partial requests, exhausting the web server's worker pool while using very little bandwidth. Then there are the charmingly named “smurf attacks”, in which the attacker sends ICMP echo requests to the broadcast address of a poorly-configured network with the victim's address forged as the source, so that every host on that network replies to the victim at once and the attacker's traffic is amplified many times over. And there are many, many tools that make it easy for attackers to leverage such techniques.
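As an added illustration (not code from the original article or from any vendor named in it), the following Python sketch shows what each of the three techniques above looks like from the target's side, by running simple detectors over a set of packet records constructed for the example. The record layout, the addresses (drawn from the RFC 5737 documentation ranges) and the thresholds are assumptions made for the example, not a real capture format.

```python
"""Added example: toy detectors for the three DDoS techniques discussed above
(SYN floods, slow partial-request application-layer attacks, smurf amplification),
run over packet records constructed for this example. Record layout, addresses
and thresholds are assumptions, not a real capture format or vendor logic."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds since capture start
    proto: str       # "tcp" or "icmp"
    src: str
    dst: str
    kind: str        # tcp: "S" (SYN) or "A" (ACK); icmp: "echo-req" / "echo-rep"
    sport: int = 0   # client-side TCP port, identifies one handshake


def half_open_by_source(pkts):
    """SYN flood signature: per client, count TCP handshakes in which we saw the
    client's SYN but never the ACK that completes the three-way handshake.
    Each half-open entry ties up a slot in the server's connection backlog."""
    state = {}  # (client, sport) -> "syn" | "open"
    for p in pkts:
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport)
        if p.kind == "S":
            state[key] = "syn"
        elif p.kind == "A" and state.get(key) == "syn":
            state[key] = "open"
    return dict(Counter(client for (client, _), s in state.items() if s == "syn"))


def slow_connections(conns, now, max_age=30.0):
    """Application-layer (Slowloris-style) signature: HTTP connections that have
    been held open longer than max_age seconds without ever delivering a complete
    request header. conns maps a connection id to (opened_at, header_complete)."""
    return sorted(cid for cid, (opened, done) in conns.items()
                  if not done and now - opened > max_age)


def smurf_victims(pkts, min_sources=50):
    """Smurf signature: a host receiving ICMP echo replies from many distinct
    sources it never sent echo requests to. The attacker forged the victim's
    address on a request to a broadcast address, so the whole subnet answers."""
    pinged = defaultdict(set)       # host -> destinations it sent echo requests to
    unsolicited = defaultdict(set)  # victim -> sources of replies it never asked for
    for p in pkts:
        if p.proto != "icmp":
            continue
        if p.kind == "echo-req":
            pinged[p.src].add(p.dst)
        elif p.kind == "echo-rep" and p.src not in pinged[p.dst]:
            unsolicited[p.dst].add(p.src)
    return {v: len(s) for v, s in unsolicited.items() if len(s) >= min_sources}


def build_sample():
    """Constructed traffic: one flooding client, one legitimate client, a smurf
    reply storm and one legitimate ping exchange. Addresses are RFC 5737
    documentation ranges; the target server is 203.0.113.10."""
    server = "203.0.113.10"
    pkts = []
    for i in range(200):  # 200 SYNs from one source, none of them completed
        pkts.append(Pkt(0.001 * i, "tcp", "198.51.100.7", server, "S", 1024 + i))
    pkts.append(Pkt(1.0, "tcp", "198.51.100.20", server, "S", 40000))   # legitimate handshake
    pkts.append(Pkt(1.1, "tcp", "198.51.100.20", server, "A", 40000))
    for i in range(100):  # 100 hosts on 192.0.2.0/24 all answer a spoofed broadcast ping
        pkts.append(Pkt(2.0, "icmp", f"192.0.2.{i + 1}", server, "echo-rep"))
    pkts.append(Pkt(3.0, "icmp", server, "192.0.2.200", "echo-req"))     # legitimate ping
    pkts.append(Pkt(3.1, "icmp", "192.0.2.200", server, "echo-rep"))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print("half-open per source:", half_open_by_source(sample))
    print("smurf victims:", smurf_victims(sample))
    print("slow conns:", slow_connections({"c1": (0.0, False), "c2": (0.0, True)}, now=100.0))
```

The point of the three detectors is that each attack leaves a different trace: the SYN flood shows up as handshakes that never complete, the slow application-layer attack as connections that stay open without a finished request, and the smurf attack as a storm of replies the victim never solicited. A real deployment would read these from flow or packet-capture data and tune the thresholds to the site's normal traffic.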
As for volume, things have really escalated in 2012. The hits on US banks were reportedly coming in at 100 Gbps and higher. A report released today from Prolexic Technologies found sustained floods peaking at 70 Gbps against some of its customers. And figures exclusively revealed to this publication earlier this year showed a 105 percent rise in the proportion of DDoS attacks measuring in at over 10 Gbps. Between 2010 and 2011 that proportion had gone down 34 percent.
So what can organisations do? For the impecunious out there, there are some cheapish options – content delivery networks like those offered by CloudFlare and Akamai offer decent protection. For richer businesses, there are more bespoke services from the likes of Corero Network Security and Arbor. But it’s clear from the US bank attacks that technology does not have all the answers. In some cases, organisations will just have to take the bullet and lie down until their ISP can filter or null-route the attack traffic upstream, or until they can take whatever other mitigating steps they have in their locker. Blocking attacker addresses at the organisation’s own firewall is of little use once the upstream link is already saturated; the filtering has to happen closer to the source, where there is capacity to absorb it.
One other good preventative measure is not to annoy or upset anyone who might DDoS you. But that’s not something banks are ever going to achieve.