To cope with an increased number of large distributed denial of service
attacks, banks must not only have plans in place – they should consider
a broad set of defensive tools that combine on-premise technologies and
cloud-based scrubbing services.
Financial institutions have been battling waves of large distributed
denial of service (DDoS) attacks since early last year. Many of these
attacks have been the work of a group called the Qassam Cyber Fighters
(QCF), who until recently posted weekly updates on Pastebin reminding
readers of the reasons for their efforts and summarizing Operation
Ababil, their DDoS campaign.
Other hacktivist groups have launched their own DDoS attacks and
targeted financial services institutions with focused attacks on web
forms and content. There have also been reports of
nation-state-organized cyber assaults on banks and government agencies,
along with complex, multi-vector efforts that have combined DDoS
attacks with online account tampering and even fraud.
The past year-and-a-half points to a state of hacking activity that
consistently increases in intensity and evolves regularly. The recent
incidents against all sizes of banks have shown that there are many
kinds of DDoS attacks. These have included traditional SYN and DNS
floods, as well as DNS amplification, application layer and content
targeted methods. Denial of Service (DoS) activities that have targeted
SSL-encrypted web page resources and content are an additional
challenge. In some instances, the adversaries have moved to a blended
form of attack that incorporates harder-to-stop application layer
methods alongside “cheap,” high-volume attacks that can be filtered and
blocked through simpler means.
To cope with this level of malicious activity, CIOs, CISOs, and their
teams need to have a plan in place and consider a broad set of
defensive tools that combine on-premise technologies and cloud-based
scrubbing services. They must also begin to explore and ultimately
implement intelligence gathering and distribution methodologies that
help lead to a comprehensive DoS mitigation strategy.
1. Have a scrubbing service or similar cleaning provider to handle large volumetric attacks.
The volumes associated with DDoS activity have reached a level where 80
Gbps of DDoS traffic is a normal event. There are even reports of
attacks in the range of 300 Gbps. Few, if any, organizations can
maintain sufficient bandwidth to cope with attacks of this size. And,
when faced with DDoS incidents this large, the first thing an
organization needs to consider is the option to route its Internet
traffic through a dedicated cloud-based scrubbing provider that can
remove malicious packets from the stream. These providers are the first
line of defense for large volumetric attacks as they have the necessary
tools and bandwidth to clean network traffic so that DDoS packets are
stopped in the cloud and regular business as usual (BAU) traffic is
allowed through.
2. Have a dedicated DDoS mitigation appliance to identify, isolate, and remediate attacks.
The complexity of DDoS attacks and the tendency to combine volumetric
and application methods require a combination of mitigation methods.
The most effective way to cope with the application and “low and slow”
elements of these multi-vector attacks is to leverage on-premise
dedicated appliances. Firewalls and intrusion-prevention systems are
critical to the mitigation effort, and DDoS security devices provide an
additional layer of defense through specialized technologies that
identify and block advanced DDoS activity in real time. Administrators
can also configure their on-premise solutions to communicate with cloud
scrubbing service providers so that traffic is automatically diverted to
the scrubbing service during an attack.
3. Organizations need to tune the firewall to handle large connection rates.
The firewall will also be an important piece of networking equipment
during DDoS attacks. Administrators should adjust their firewall
settings in order to recognize and handle volumetric and application
layer attacks. And, depending on the capabilities of the firewall,
protections can also be activated to block DDoS packets and improve
firewall performance while under attack.
4. Develop a methodology, or a strategy, to protect applications from DDoS attacks.
Security technologies can provide robust protection against DDoS activity.
But administrators should also think about tuning their web servers,
modifying their load balancing and content delivery strategies to
ensure the best possible uptime. Also relevant to such efforts is the
incorporation of safeguards against multiple log-in attempts. Another
interesting approach is to block machine-led, automated activities by
including web pages with offer details, such as opportunities for
interest rate reduction or information on new products, so that users
must click on “accept” or “no thanks” buttons in order to continue
deeper into website content. Additionally, content analysis is
important. Such efforts can be as simple as ensuring there are no large
PDF files hosted on high-value servers.
The above methods are crucial to any DDoS mitigation strategy.
Organizations must also reach out to service providers and ISPs and
work with them to identify novel mitigation techniques. ISPs must be
involved in mitigation strategies. DDoS attacks use the same Internet
as bank customers, and the ISPs carry both forms of traffic.
Of increasing importance is the need to investigate and implement
intelligence gathering and distribution strategies. Such efforts should
investigate data within company networks and expand to include other
companies that operate in the financial services industry.
Getting more information about who the actor is, the motivations behind
the attack, and the methods used helps administrators anticipate attacks
and proactively architect around them. Attack profile information can
range from the protocols used in the attack (SYN, DNS, HTTP) and the
sources of attack packets to the command-and-control networks and the
times of day at which attacks began and ended. While such data is
valuable in mitigating attacks, there is no easy way to communicate it,
and regulatory hurdles make it even more difficult to share attack
information.
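The attack profile described above (protocols, sources, start and end times) in a form that can be handed to peers, as an added example that is not from the article or from Check Point; the log format and the sample records are constructed for the illustration:

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample records (not real traffic): "<ISO time> <src_ip> <vector>",
# with vector one of SYN, DNS, HTTP as named in the text.
SAMPLE_LOG = """\
2013-07-15T09:00:01 203.0.113.10 SYN
2013-07-15T09:00:01 203.0.113.11 SYN
2013-07-15T09:00:02 203.0.113.10 SYN
2013-07-15T09:00:02 198.51.100.7 DNS
2013-07-15T09:00:03 203.0.113.12 SYN
2013-07-15T09:00:03 198.51.100.7 HTTP
2013-07-15T09:00:05 192.0.2.44 HTTP
2013-07-15T09:00:05 203.0.113.10 SYN
"""

def parse_lines(text):
    """Yield (timestamp, source, vector); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2].upper()
        except ValueError:
            continue

def build_profile(text, top_n=3):
    """Per-vector event counts, rates and active window, plus top sources."""
    per_vector, sources = Counter(), Counter()
    first_seen, last_seen = {}, {}
    for ts, src, vector in parse_lines(text):
        per_vector[vector] += 1
        sources[src] += 1
        first_seen[vector] = min(first_seen.get(vector, ts), ts)
        last_seen[vector] = max(last_seen.get(vector, ts), ts)
    vectors = {}
    for v, n in per_vector.items():
        # A one-second floor avoids dividing by zero for single-event vectors.
        span = max((last_seen[v] - first_seen[v]).total_seconds(), 1.0)
        vectors[v] = {"events": n, "rate_per_s": n / span,
                      "start": first_seen[v].isoformat(),
                      "end": last_seen[v].isoformat()}
    return {"vectors": vectors, "top_sources": sources.most_common(top_n)}

def share_profile(text):
    """Serialise the profile as JSON so it can be exchanged between peers."""
    return json.dumps(build_profile(text), sort_keys=True)
```

Each vector's window and rate tell a peer when the attack ran and how heavy it was, while the source list identifies which addresses to watch for; the same JSON record can be correlated against a peer's own logs.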
Right now, information-sharing consists of friends talking to friends.
Information sharing needs to evolve into an automated system where
organizations can log in to a solution and see correlated and raw log
data that provides clues about attacks that have ended and that are in
progress. Such systems could also be used to share attack intelligence
and distribute protections. An industry information-sharing capability
would help elevate financial services companies’ abilities to cope with
DDoS activity and bring the industry as a whole to a new level of
preparedness.
Written by Avi Rembaum and Daniel Wiley
Avi Rembaum is director of 3D consulting and Daniel Wiley is a senior
security consultant at Check Point Software Technologies.