Why DDoS Should Worry UsAttacks Gaining Power, Likely Causing More Damage
How successful are these ongoing distributed-denial-of-service attacks against U.S. banks and credit unions? That's open for debate.
Everyone has a different opinion about how much of a threat these attacks really pose, but two things we all agree upon: The attacks can't be stopped, and we aren't likely to be told anytime soon who's behind them, even if certain intelligence has enough information to connect most of the dots.
It would be naive for any of us to think these cyberattacks will be waged in isolation.
We are now in the third phase - six months - of attacks that have pushed out DDoS strikes greater than any ever seen before. The length, sophistication and magnitude of these attacks proves the group taking credit for them - Izz ad-Din al-Qassam Cyber Fighters - is knowledgeable, trained and well-funded.
No doubt, DDoS will be a primary focus in 2013, and not just for banking institutions and government. Other critical industries, such as oil and gas, telecommunications and healthcare are starting to take notice, as well they should. It would be naive for any of us to think these cyberattacks will be waged in isolation. The financial sector is just the first - a testing ground for the attackers' capabilities.
Why We Should Worry
I've been covering the DDoS hits against leading U.S. banking institutions since mid-September, when the so-called first campaign was launched. As time has gone on, these attacks have gotten more powerful because the hacktivists' botnet, known as Brobot, has grown. And since the beginning of the year, they've expanded their aim to target more institutions at the mid-tier level.
The hacktivists' attacks are cascading by exploiting applications hosted in the cloud, says Carl Herberger, vice president of security solutions for Radware, an anti-DDoS provider for enterprise management.
Brobot is attacking cloud-based servers, infecting the applications they host and then using those applications as conduits to infect the cloud providers' infrastructures.
But the bot has been architected to only affect the applications, not the providers' overall performance. Thus, application infections are not immediately detected, and the cloud providers don't have much incentive to take proactive steps to monitor for infections.
Here's the genius of it all: Because banks rely on these cloud-hosted applications, when they respond to a DDoS attack, they can't just block IP traffic that comes from infected applications. "In essence, doing so caused them to DDoS themselves during the early attacks," Herberger says.
When institutions blocked the bad traffic, they also blocked the applications they needed to run their sites and programs.
It's a problem that has yet to be resolved. Banks may have come up with workarounds, but as Brobot grows, more hosted servers in the cloud are being taken over, and more institutions that rely on those hosted services for online applications are being targeted.
"This is where we are, by and large, today," Herberger says. "The perpetrators know what they have set up has been very successful, and they know the defenses are problematic. They are infecting more servers and sites, so we're in a moment here where we know that IP blocking won't work, and the best solution we have right now is to use technologies that understand bad behavior."
But it's just a band-aid, he admits.
"The brilliance of this bot is that it's open code, and provides a tool and an attack technique that gives the perpetrators access to powerful servers and processors, and does it in a way that is fairly unnoticeable," Herberger says.
See the cascade?
What They Aren't Saying
On the record, experts talk about all of the improvements banking institutions have made in their defenses against these attacks, and there's no doubt these targeted institutions have made major improvements.
Off the record, security experts' perspective is less optimistic. We can't really defend against attacks that force us to cannibalize ourselves, and the attackers know it. This is why they continue to wage their strikes - because they are, at least in part, successful.
But what are the hacktivists really after? Are the attacks being aimed to poke holes in peripheral online defenses, a testing measure for stronger attacks to come? Are they being waged, as Izz ad-Din al-Qassam has repeatedly claimed, for political and social reasons? Or is there a criminal motivation behind them?
My take: The attacks are after data - intellectual property, access to sensitive systems and probably a few banking accounts. The attackers keep striking the same banks because they've found points of weakness, and now they're testing those weaknesses at other institutions.
If the banking industry - one of the most secure in the world - can be tested and exploited in this way, how can we expect other industries to fare? Not well. The U.S. financial infrastructure is heavily regulated, and its security is regularly assessed. The hacktivists have identified a weakness that even the financial infrastructure did not anticipate and has failed to address.
Brobot is growing, and some have speculated it could be sold or leased for hire. If that happens, rest assured we will see an obvious criminal element - and that time is probably already closer than we think.