DDoS Archive

Nearly two-thirds of companies have experienced at least three denial-of-service attacks in the past year, Ponemon study reports

Organizations are becoming increasingly concerned about system availability as they experience more and more distributed denial-of-service (DDoS) attacks, a new study says.

The study, conducted by the Ponemon Institute and sponsored by Radware, surveyed 705 IT security professionals on issues related to downtime and DDoS.

While security pros have traditionally been focused on preventing data theft or corruption, today’s professionals are more worried about system availability, the study says.

“DDoS attacks cost companies 3.5 million dollars every year,” Ponemon says. “Sixty-five percent reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes per attack.

“With the cost for each minute of downtime amounting to as much as $100,000 per minute – including lost traffic, diminished end-user productivity and lost revenues – it is no surprise that respondents ranked availability as their top cyber security priority,” the study says.

Most organizations don’t have the ability to strike back at attackers, according to Ponemon. “While 60 percent say they want technology that slows down or even halts an attacker’s computer, the majority (63 percent) of respondents give their organizations an average or below average rating when it comes to their ability to launch counter measures,” the report states. Three-quarters of organizations still rely on antivirus and anti-malware to protect themselves from attacks, Ponemon says.

Source: http://www.darkreading.com/risk-management/167901115/security/vulnerabilities/240142111/most-organizations-unprepared-for-ddos-attacks-study-says.html

The news stories surrounding hacktivist groups like Anonymous might lead business professionals to think that cyber criminals focus their efforts on government agencies and multinational corporations, skipping smaller companies that receive minimal to no press.

Midsize businesses, however, are just as vulnerable to the ever-popular Distributed Denial of Service (DDoS) attacks hackers use to suspend the services associated with a particular target. Attackers don’t just DDoS targets as a way of voicing political or ideological opinions; dishonest business owners can employ the services of a third-party to cause harm to competitors via digital means.

According to a new report from HostExploit, a community organization that tracks cyber criminals who exploit hosts to deliver crimeware, hackers are using open Domain Name System (DNS) resolvers to launch DDoS attacks against their targets.

DNS servers convert hostnames, or domain names, into Internet Protocol (IP) addresses. A recursive DNS resolver queries one or more authoritative name servers on a client’s behalf to find the answer; an open resolver is one that will do this for any client on the Internet rather than only for its own network.
Hackers are using misconfigured resolvers, claim the authors of the latest edition of HostExploit’s World Hosts Report, to power a DDoS. According to the report, “an attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target’s IP address.” Because DNS normally runs over UDP, nothing checks the source address, so each resolver sends its response to the victim’s IP rather than to the machine that actually submitted the query. The attack also amplifies: a query of a few dozen bytes can elicit a response many times larger, so the victim receives far more traffic than the attacker has to send.

DDoS through DNS isn’t new–experts have been discussing it as a method of attack for a decade–but Neal Quinn, chief operating officer of Prolexic, told NetworkWorld, “We have seen [DDoS amplification] recently, and we see it increasing.”

DDoS attacks can have at least a moderate financial impact on a business, depending on how long the organization is affected. Outages can lead to increased operational costs–as loss of service must be addressed on top of other critical tasks–and lead to lost clients or customer refunds, harming revenue as a result. These attacks can also have a longer-lasting impact on a company’s reputation.

DDoS attacks are some of the most difficult to prevent, and common IT solutions–such as over-provisioning, in which a business provisions for several times the expected level of traffic during normal operation–are less effective against attacks amplified through DNS resolvers, because the attacker’s bandwidth is multiplied by the amplification factor. Even an Intrusion Detection System (IDS) won’t help much: each reflected packet is a well-formed DNS reply that a signature-based device treats as valid, so the attack is visible only in aggregate traffic patterns, not in any single packet.
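The mechanism the HostExploit report describes, and the reason over-provisioning and per-packet inspection fall short, as an added example that is not part of the original article or of HostExploit’s report: the script below hand-builds a DNS ANY query and a constructed open-resolver reply in wire format to measure the amplification ratio, then runs a detector over constructed flow records to show what reflected traffic looks like from the victim’s side. All addresses (RFC 5737 documentation ranges), record contents and flow records are constructed for illustration; the reply size is a modest stand-in, not a measured figure, and the detector threshold is an assumption.

```python
import struct
from collections import defaultdict
from typing import NamedTuple

# --- Wire-format helpers (RFC 1035), just enough to measure amplification ---

def encode_name(name: str) -> bytes:
    """'example.com' -> 0x07 'example' 0x03 'com' 0x00 (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Minimal recursive query. qtype 255 is ANY, the type long favoured for
    amplification because it returns every record the resolver holds for the name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def build_dns_response(query: bytes, answers: list) -> bytes:
    """Constructed reply from an open resolver: same txid, echoed question, then
    one RR per (rtype, rdata). 0xC00C is a compression pointer to the question
    name at offset 12, as real resolvers emit it."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
        for rtype, rdata in answers
    )
    return header + question + rrs


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker actually sends."""
    return len(response) / len(query)


# Constructed answer set: three 255-byte TXT records and four A records. Real
# ANY responses for large or DNSSEC-signed zones are considerably bigger.
EXAMPLE_ANSWERS = [(16, bytes([254]) + b"v" * 254)] * 3 + [
    (1, bytes([192, 0, 2, i])) for i in range(1, 5)
]
EXAMPLE_QUERY = build_dns_query("example.com")
EXAMPLE_RESPONSE = build_dns_response(EXAMPLE_QUERY, EXAMPLE_ANSWERS)

# --- Detection on the victim side ------------------------------------------

class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def find_reflection_victims(flows, min_reflectors: int = 3) -> dict:
    """Flag hosts receiving DNS responses (src port 53) from many distinct
    resolvers without a matching outbound query. Every packet is a valid DNS
    reply, so per-packet inspection sees nothing; the signal is the missing
    request. Returns {victim_ip: (distinct_reflectors, total_bytes)}."""
    asked = {(f.src_ip, f.dst_ip) for f in flows if f.dst_port == 53}
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if f.src_port != 53 or (f.dst_ip, f.src_ip) in asked:
            continue  # not a DNS reply, or a reply this host genuinely asked for
        reflectors[f.dst_ip].add(f.src_ip)
        volume[f.dst_ip] += f.nbytes
    return {ip: (len(r), volume[ip]) for ip, r in reflectors.items()
            if len(r) >= min_reflectors}


# Constructed flow records: one legitimate query/reply pair, one stray reply,
# and four open resolvers answering queries that 203.0.113.10 never sent,
# each reply the size measured above.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 40001, "192.0.2.53", 53, len(EXAMPLE_QUERY)),
    Flow("192.0.2.53", 53, "10.0.0.5", 40001, 120),
    Flow("198.51.100.9", 53, "10.0.0.7", 3478, 80),
] + [
    Flow(f"198.51.100.{i}", 53, "203.0.113.10", 80, len(EXAMPLE_RESPONSE))
    for i in range(1, 5)
]

if __name__ == "__main__":
    print(f"query {len(EXAMPLE_QUERY)} B -> response {len(EXAMPLE_RESPONSE)} B, "
          f"x{amplification_factor(EXAMPLE_QUERY, EXAMPLE_RESPONSE):.1f}")
    print(find_reflection_victims(SAMPLE_FLOWS))
```

Even with this small constructed zone a 29-byte query draws an 894-byte reply, roughly 30x, which is why provisioning for a few times normal load does not cover a reflected attack. The detector keys on flow asymmetry (replies from port 53 with no corresponding query) rather than packet contents; in production the same logic runs over NetFlow or sFlow records, and the `min_reflectors` threshold should be tuned to the network’s normal resolver population.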

IT departments can rely on a third-party DDoS solution designed specifically to detect and mitigate attacks. Midsize businesses, however, should weigh the risks against the return on investment before subscribing to such services.

Source: http://midsizeinsider.com/en-us/article/hackers-use-dns-resolvers-to-distribute

In the wake of recent distributed denial of service attacks against banks, most institutions are missing a prime opportunity to educate their customers about security, says Gregory Nowak of the Information Security Forum.

“They seem to be regarding [DDoS attacks] as a secret,” says Nowak, a principal research analyst with the ISF.

HSBC Holdings, BB&T Corp. and Capital One are the most recent victims of DDoS attacks. These incidents have spanned five weeks and targeted 10 U.S. banking institutions, including Bank of America, Chase Bank, Wells Fargo, PNC Bank, U.S. Bancorp, SunTrust and Regions Bank. All the attacks are believed to be connected to the hacktivist group Izz ad-Din al-Qassam, which has taken credit on the public online forum Pastebin.

Izz ad-din al-Qassam said it would continue to target U.S. institutions until a YouTube movie trailer believed by the group to be anti-Islamic is removed from the Internet.

After the initial wave of attacks, Nowak went through the affected banks’ websites and couldn’t find any relevant information about what happened, how customers can understand it, as well as the reassurance that their information is safe.

“[Banks] should be taking the opportunity to explain to their customers the difference between denial of service attacks and some sort of hacking attack that actually puts information at risk, because their customers are worried and they don’t need to be,” Nowak says in an interview with Information Security Media Group’s Tom Field [transcript below].

Outlining how organizations should respond to this new wave of hacktivist attacks, Nowak discusses:

Why these DDoS attacks are successful;
Flaws in institutions’ prevention and response plans;
How to properly manage the risks of hacktivism.

Also, don’t miss Nowak’s new webinar on hacktivist attacks: Hacktivism: How to Respond.

Nowak is a principal research analyst for the Information Security Forum, an independent authority on information security. He has worked on ISF research projects on hacktivism, cybercitizenship and securing mobile devices. He also is responsible for ISF’s Information Risk Analysis Methodology (IRAM).

TOM FIELD: For the people out there who aren’t familiar with the Information Security Forum, tell us a little bit about your role with the forum and the work that you folks are doing.

GREG NOWAK: The Information Security Forum is a not-for-profit membership organization with members at the organization level. We have both public and private-sector members and we provide research, tools and methodologies for information security, broadly understood both technical and operational, involving information systems as well as personnel.

Recent Bank Attacks

FIELD: A huge topic for the past week or so has been the series of distributed denial of service attacks against U.S. financial institutions. What are your observations on the attacks that we witnessed against the banks?

NOWAK: I think the first thing to notice is that these are sort of innocent-bystander attacks that have nothing to do with the activities of the bank. They’re motivated generally because the banks are seen as representatives of the United States, and we forget that when we think back to 9/11, the stated reasons for the attacks of 9/11 were actions of the U.S. government, but the stated reason for the choice of targets was that the U.S. financial system represented America and the World Trade Center was chosen as a target. In the same sense, outside of the United States the distinction between public and private is blurred, and banks and financial institutions are seen as primary representatives of the American economy, the American way of life, and so they’re chosen as targets.

Communication Strategies

FIELD: What’s important for organizations to communicate to people that are hearing of these attacks through the media? And I ask that because I see that these have become very hot topics in the popular media, and everybody’s hearing about them and talking about them. Information about the attacks has been a little bit scant.

NOWAK: I have really been amazed at the nature of media coverage. For example, you referred to DDoS attacks. Everybody understands in the information security business that this is a distributed denial of service attack, and we know what that means. If you look at the mainstream media, they don’t use that term because they figure that most people don’t understand that so they refer to them as cyberattacks. That gets reinterpreted and when they talk about the actors, the actors are referred to as hackers or hacktivists, and then when the stories get quoted you hear stories like, “Major U.S. banks are hacked and your information may be at risk.” I find it surprising because somehow this notion that personal information has been put at risk by these attacks is being created in online discussions when that’s not part of the initial reporting.

The banks that have been affected are missing a great opportunity to communicate and educate their users. I tried visiting the sites, and there’s nothing on any of the bank sites that says, “Here’s what’s going on. Here’s how you can understand it. Your information is safe.” Sitedown.co has provided some up-to-date information about which sites are available, but the banks themselves are not doing a good job of communicating. They seem to be regarding it as a secret. They’re saying some people have access issues. People know they have access issues. They should be taking the opportunity to explain to their customers the difference between denial-of-service attacks and some sort of hacking attack that actually puts information at risk, because their customers are worried and they don’t need to be.

FIELD: Up to this point, only financial institutions seem to have been targeted, but we would be foolish to think that they would be the only targets. What would you say is the message to non-banking organizations that are watching this activity?

NOWAK: First of all, they should notice that the attacks have nothing to do specifically with the activities of these banks. They were just chosen as representatives. They’re innocent bystanders in the whole story, and yet suddenly they have to deal with this situation that has taken them by surprise. I think the message is this can happen to any organization and they need to consider it as part of their risk management.

Defending against DDoS

FIELD: We’ve known about distributed denial-of-service attacks for years now. We know how to prevent them and how to protect against them. Why are these DDoS attacks so successful against these financial institutions?

NOWAK: First of all, there’s a matter of leverage. You can now rent botnets to conduct an attack, so it’s a low investment of financial resources, and it doesn’t take such a large number of individuals to coordinate this. If the initial money is available to rent the botnet and obtain the code, then almost anyone with the necessary amount of money can launch an attack. Someone who feels motivated to make some sort of public statement can do so easily on a large scale and take advantage of the reaction to the DDoS attacks to spread their message. People are gravitating towards these attacks because for a relatively small financial investment and investment of time, they can have a disproportionately large effect and get a lot of media attention.

FIELD: But shouldn’t an organization the size of a Chase Bank, PNC or U.S. Bank have the redundancy and the resources that their sites wouldn’t even be affected by this?

NOWAK: They should, and I’m surprised they don’t. One of the messages that I want to spread about this is that people should notice that the geographical distribution of legitimate clients online is different from the geographical distribution and therefore the IP-space distribution of malicious web traffic directed towards these sites. I think if banks and other organizations proactively made a little more investment in intelligent routing and segmenting incoming traffic geographically and by IP sub-spaces, then they would be much less affected by these sorts of attacks, because only the front-ends that are devoted to certain subspaces of the IP space would be overloaded and they would have more capacity for the geography and the IP sub-net identified with most of their customers. And I don’t see that happening. I haven’t seen much discussion of it going on. People talk about adding capacity but I don’t see much use of intelligent routing to decrease the effects of botnet attacks.

FIELD: Is it fair to say from what we know that this is hacktivist activity that we’re seeing?

NOWAK: It’s definitely fair to say that, but my advice is always to not pay too much attention to the motivations of the attacks unless it helps you mount particular countermeasures. And in this case, we know the story leading up to these attacks and the banks, and there’s no way this could be foreseen. Even understanding the motivation of the attackers really doesn’t lead to any changes in the sort of countermeasures you’d take for the proactive risk mitigation you’d want to put in place. I would advise people not to spend too much time thinking about the reasons for the attacks, but just thinking generically what they should be doing to prevent these kinds of attacks.

FIELD: If I could ask you this, what benefit do the hacktivist groups gain from attacks such as these? As you say, there’s not a breach involved. Information isn’t being taken as near as we can tell. It’s mischief.

NOWAK: It’s mischief, but also it’s in defense of an ideology, and people will do strange things and devote a lot of effort in defense of their ideologies, and they feel according to their own system of values that they have accomplished something by making a large public statement, again with a relatively small investment of money and time to advance their idea. And whether or not they achieve their end goal and change the world in the way they want to change or have a video removed from the Internet is less relevant than the fact that they see themselves as having accomplished something for spreading the message and making the attempt.

Proper Response

FIELD: We’ve talked about the poor response we’ve seen from organizations. From your perspective, for institutions that have been attacked, what would be the proper response?

NOWAK: First of all, they need to consider this as a significant risk to address in their risk management program. If someone told a retail business that a significant percentage of their physical locations would be blocked and customers who were trying to get access to these locations would not be able to enter the bank or other businesses for an entire day and this would be happening in multiple locations, they would regard that as a critical issue with an immediate response from the top levels of the organization. I’m surprised that the same level of urgency and seriousness of response isn’t occurring for these online attacks that just get as much media attention without as much messaging coming out of the organizations that say here’s what’s going on, here’s what we’re doing about it, your information is not at risk and this is just a traffic jam on the Internet. I think part of the problem is this word cyberattack, which is so vague and suggests that there’s hacking when in fact a more appropriate term in common language would be a traffic jam or slow down, something that communicates the idea that traffic’s being stopped but information itself is not being put at risk.

Preparation Tips

FIELD: For organizations that have not yet been attacked, what’s the proper preparation?

NOWAK: First of all, the Information Security Forum in its recent paper on hacktivism has advised our members to conduct simulation to identify what lines of communication the organization would use, to identify spokespeople and make sure there’s a proactive plan to address the media. They should also use all available lines of communication and explain what’s going on. There’s very little information coming out of the banks that have experienced these attacks. I’ve looked at some websites and they have their normal promotional materials there. They don’t have any banner headlines for more information about what has been going on lately, to “please read this.” That’s a missed opportunity for them. Communicating out to the public is important.

Also as I said there are technical measures that could be used and they do take some time and some investment to implement, but I think that it’s a worthwhile measure to take to mitigate the risk of a denial-of-service attack preventing access to the website. This is not something that people should wait for. They can take proactive measures. They shouldn’t look at it as something that they have no defenses against, and they should also make sure that they do have messaging in place and they’re prepared to communicate with the public and the media in advance so if it does happen to them, they’re not looking like they’re unprepared, which is the impression we now get from a lot of the responses we’ve seen.

FIELD: We’ve talked a good deal about external communication. How about internal? What do boards of directors and senior business leaders need to be hearing from their security leaders now?

NOWAK: The good news is that security departments are being taken more seriously and getting a seat at the table more often with the senior leadership, but I think the issue of denial-of-service attacks in particular is not high enough on the agenda. As I said earlier, if they were asked to consider what the level of criticality would be if a large percentage of physical locations for the business were blocked and customers couldn’t get access, they’d start to see how serious a problem this was and that it’s worth doing some proactive investing to mitigate the risk. And if the security folks can come forward and say, “Here are the things we need to do technically that will help us mitigate the risk, here is the kind of preparedness we need to have for messaging, here is how we need to cooperate with our legal department and our public relations department so we have something to say in the event this happens,” I think they will respond to this plan because my impression is that not much is happening because people have the general impression that there isn’t much that can be done. I think that with an organized plan that addresses both technical and communications issues, senior leadership could say, “Yes, this is worth investing in. We don’t want to be caught unprepared for this sort of thing.”

FIELD: We’re talking about banking institutions today. We could easily be talking about government organizations, healthcare organizations or universities tomorrow. For any organization concerned that it could be a target next, how would you boil down your advice to them?

NOWAK: It’s possible to be prepared. You should be prepared. You can’t tell when it’s going to happen, so you might as well start getting prepared now. Investigate technical measures that can reduce the risk. Know where your customer base is because it’s likely much more concentrated than the geographical and IP base of your attackers. You can defend against it. Prepare with your public relations and communications department to have messaging ready so if this happens to you, you can communicate clearly to the public and let them know what’s going on and what the actual risks are, because most members of the public think that their information is at risk just from DDoS attacks when in most cases it’s not.

Source: http://www.bankinfosecurity.com/ddos-attacks-what-to-tell-customers-a-5227/p-4

HSBC has restored its online banking services after a distributed denial of service (DDoS) attack.

HSBC said servers had come under a DDoS attack which affected HSBC websites around the world.

The DDoS attack on HSBC did not affect any customer data, but did prevent customers using HSBC online services, including internet banking.

“We are cooperating with the relevant authorities and will cooperate with other organisations that have been similarly affected by such criminal acts,” HSBC said.

In May, internet security firm Check Point said a survey of 2,500 IT professionals worldwide found DDoS attacks comprised one of the top risks to their networks.

Check Point said organisations need to be able to collaborate and share intelligence on emerging threats, so the severity of attacks can be mitigated or even blocked.

In April, a study revealed financial services firms were targeted by three times as many DDoS attacks in the first quarter of 2012 than in the previous three months.

This represented a 25% increase compared with the same period in 2011, according to the Q1 Global DDoS Attack Report from security firm Prolexic Technologies.

The Ponemon Institute’s 2012 Cost of Cyber Crime study found DDoS attacks were among the most costly cyber attacks on UK organisations, alongside those caused by malicious insiders and malicious code.

UK and Australian organisations were also found to be the most likely to experience DoS attacks, while German companies were the least likely target.

Attackers commonly use DoS to blackmail large organisations that depend on online availability to conduct business.

In July, Chinese and Hong Kong Police arrested blackmailers threatening commodities and securities traders with DDoS attacks.

The gang had demanded £3,000 to £10,000 from 16 Hong Kong-based firms and threatened to cripple their online operations with DDoS attacks if they did not pay.

Source: http://www.computerweekly.com/news/2240167901/HSBC-back-online-after-DDoS-attack

Capital One confirms that its website had been hit by another distributed denial of service attack. This Oct. 16 incident was the second attack allegedly waged this month by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters against the $296.7 billion bank.

“Capital One is experiencing intermittent access to some online systems due to a denial of service attack,” bank spokeswoman Tatiana Stead said. “There was minimal impact to the majority of our customers.”

Also on Oct. 16, a post claiming to be from the Izz ad-Din al-Qassam Cyber Fighters appeared on the open Internet forum site Pastebin claiming new attacks against U.S. banks would be waged between Oct. 16 and Oct. 18. The group notes that this new wave of DDoS attacks is being initiated without advance warning. In earlier Pastebin posts, the group named the eight banks it eventually attacked.

The first attack against CapOne came Oct. 9, one day before the targeted attack against SunTrust Banks and two days before the attack against Regions Financial Corp.

Jason Malo, a financial fraud and security consultant with CEB TowerGroup, says the Oct. 9 attack against CapOne, appeared to be one of the most damaging. “With CapOne, they seemed to take a bigger hit than the others,” he says. “Other banks seemed to handle the attacks better.”

The first institution to take a DDoS hit was Bank of America on Sept. 18, followed by JPMorgan Chase on Sept. 19 (see High Risk: What Alert Means to Banks). Attacks against Wells Fargo, U.S. Bank and PNC hit the following week (see More U.S. Banks Report Online Woes).

Izz ad-din Al Qassam says it will continue to target U.S. institutions until a YouTube movie trailer believed by the group to be anti-Islam is removed from the Internet. Experts, however, question whether that outrage is just a front for some more nefarious motive.

Source: http://www.bankinfosecurity.com/capone-takes-second-ddos-hit-a-5203