Four steps for denying DDoS attacks
How should banks and financial institutions deal with increasing numbers of large-scale denial of service attacks?
By Avi Rembaum and Daniel Wiley.
Financial institutions have been battling waves of large distributed denial of service (DDoS) attacks since early 2012. Many of these attacks have been the work of a group calling itself the Qassam Cyber Fighters (QCF), who until recently posted weekly updates on Pastebin explaining the reasons behind their attacks and summarising Operation Ababil, their DDoS campaign.
Other hacktivist groups have launched their own DDoS attacks and targeted financial services institutions with focused attacks on web forms and content. There have also been reports of nation-state organized cyber assaults on banks and government agencies, along with complex, multi-vector efforts that have combined DDoS attacks with online account tampering and fraud.
These incidents against all sizes of banks have shown that there are many kinds of DDoS attacks, including traditional SYN and DNS floods, as well as DNS amplification, application layer and content targeted methods. Denial of service (DoS) activities that have targeted SSL encrypted webpage resources and content are an additional challenge. In some instances, the adversaries have moved to a blended form of attack that incorporates harder-to-stop application layer methods alongside ‘cheap’, high-volume attacks that can be filtered and blocked through simpler means.
To cope with this level of malicious activity, CIOs, CISOs, and their teams need to have a plan in place, and consider a set of defensive tools that combine on-premise technologies and cloud-based scrubbing services. They should also begin to explore and ultimately implement intelligence gathering and distribution methodologies that help lead to a comprehensive DoS mitigation strategy.
Here are four steps to help in devising that strategy:
1. Have a scrubbing service or ‘cleaning provider’ to handle large volumetric attacks
2. Use a dedicated DDoS mitigation appliance to isolate and remediate attacks
3. Tune firewalls to handle large connection rates
4. Develop a strategy to protect applications from DDoS attacks
The above methods are crucial to any DDoS mitigation strategy.
Organizations must also reach out to service providers and ISPs and work with them to identify novel mitigation techniques. After all, DDoS attacks use the same Internet routes as bank customers, and ISPs carry both forms of traffic.
Getting more information about who the attacking agent is, the motivations behind the attack, and the methods used helps administrators anticipate and proactively architect around those attacks. Attack profile information can include the protocols used in the attack (SYN, DNS, HTTP), the sources of attack packets, the command and control networks, and the times of day during which attacks began and ended. While this data is valuable in mitigating attacks, there is no easy way to communicate it, and regulatory hurdles make it even more difficult to share attack information.
Right now, information-sharing consists of friends talking to friends. Information sharing needs to evolve into an automated system where multiple organizations can log in to a solution and see correlated and raw log data that provide clues about current and older attacks. Such systems could also be used to share attack intelligence and distribute protections. An industry information sharing capability would help elevate financial services companies’ abilities to cope with DDoS activity and bring the industry as a whole to a new level of preparedness.
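The attack profile fields described above (protocols, sources of attack packets, start and end times) can be derived from flow logs and emitted as a record that other institutions could consume automatically. The Python sketch below is an added example, not part of the original article; the log line format, the per-minute packet threshold and the sample records are constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample flow records (not real traffic): time, source, protocol, packets.
# Source addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
2013-08-20T01:58:10Z 192.0.2.10 HTTP 40
2013-08-20T02:00:05Z 198.51.100.7 SYN 60000
2013-08-20T02:00:30Z 198.51.100.9 SYN 45000
2013-08-20T02:00:40Z 192.0.2.10 HTTP 35
2013-08-20T02:01:10Z 198.51.100.7 SYN 70000
2013-08-20T02:01:20Z 203.0.113.5 DNS 52000
2013-08-20T02:02:15Z 203.0.113.5 DNS 48000
2013-08-20T02:03:00Z 192.0.2.10 HTTP 50
""".splitlines()

def parse(line):
    """Split one log line into (timestamp, source, protocol, packets)."""
    ts, src, proto, pkts = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, proto, int(pkts)

def build_profile(lines, threshold=10000, top_n=3):
    """Profile flows in (minute, protocol) buckets exceeding `threshold` packets.

    The threshold is an assumed tuning value, not one taken from the article.
    Returns None when no bucket crosses it.
    """
    flows = [parse(l) for l in lines if l.strip()]
    buckets = Counter()
    for ts, _, proto, pkts in flows:
        buckets[(ts.replace(second=0), proto)] += pkts
    hot = {key for key, total in buckets.items() if total > threshold}
    attack = [f for f in flows if (f[0].replace(second=0), f[2]) in hot]
    if not attack:
        return None
    by_proto, by_src = Counter(), Counter()
    for _, src, proto, pkts in attack:
        by_proto[proto] += pkts
        by_src[src] += pkts
    return {
        "began": min(f[0] for f in attack).isoformat() + "Z",
        "ended": max(f[0] for f in attack).isoformat() + "Z",
        "protocols": dict(by_proto.most_common()),
        "top_sources": [src for src, _ in by_src.most_common(top_n)],
    }

if __name__ == "__main__":
    print(json.dumps(build_profile(SAMPLE_FLOWS), indent=2))
```

Low-volume customer traffic in the same minutes (the HTTP requests in the sample) stays out of the profile because its protocol bucket never crosses the threshold.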
• Date: 23rd August 2013 • World • Type: Article • Topic: ISM