The resumption this week of distributed denial of service attacks against major U.S. banks brought not only more cost and disruption to financial institutions trying to keep online services available, but it also raised new questions about the funding and true motives behind the attacks.

A number of service disruptions were reported this week as Izz ad-Din al-Qassam Cyber Fighters lived up to their promise on Pastebin to kick off a third round of DDoS attacks in protest of the continued availability of the movie “Innocence of Muslims” on YouTube. These attacks, however, are very different from the one-and-done types of DDoS attacks preferred by other socially and politically motivated groups.

Banks are no stranger to DDoS attacks, but since September, these attacks in particular have been noteworthy for the amount of traffic generated toward the banks, as well as for their targeting of applications and specific features available on the banking sites, the steady growth in the number of web servers used in the attacks, and the automated tools being used. Add it all up and it equals some hefty funding and know-how, either hackers bred in-house, or contracted from the outside.

“There’s no doubt in my mind that this is well funded at some level,” said Arbor Networks director of security research Dan Holden. “There’s no way this can go on for this long and with this type of investment without someone caring. Historically, if you look at hacktivism, it’s been driven by some sort of incident and usually they can’t drive an operation for this long. Usually they just lose interest.”

Attribution is always challenging in any kind of attack, and it’s premature to call these attacks state-sponsored, but there has been skepticism from the outset about this particular campaign. Dmitri Alperovitch, cofounder and CTO of security company CrowdStrike, told Threatpost in September that the protestations over the movie were a red herring.

“I don’t buy that their motivation is in response to the video; this group has been carrying out attacks for months,” he said. “Their motivation is to send a message that this is what they’re capable of.” Alperovitch said the group’s name is the same as that of the military wing of Hamas and that it claims to have a Jihadist cause. “If a terrorist group is interested in sending a message to us, this is one way of doing so. It’s a relatively inexpensive and powerful message.”

The group behind these attacks has evolved its capabilities and is using a number of automated toolkits, including Brobot and itsoknoproblembro, to carry out not only high-volume attacks of upwards of 70-100 GBps but to do so against multiple targets simultaneously. And this is more than just pounding a banking site with hundreds of thousands of SYN flood packets; the attacks are also application-centric. In some cases, they’re going after application log-ins or trying to continuously download large files such as user agreements, policy statements and more.
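The two application-layer patterns described above (hammering a login endpoint and repeatedly pulling large static documents) leave a clear trail in ordinary web access logs. The following is an added detection example, not code from the original article or from any vendor quoted in it; it parses Common Log Format lines, keeps a per-client sliding window, and flags clients that exceed a threshold. The log lines, the `/login` and `/legal/` paths, and the thresholds are all constructed for illustration.

```python
"""Flag application-layer DDoS behaviour in web access logs.

Added example (not from the original article). Two behaviours are checked per
client IP over a sliding time window: a flood of login requests, and repeated
downloads of large documents. Paths and thresholds below are placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Plain Common Log Format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

LOGIN_PATHS = {"/login", "/auth/login"}          # hypothetical login endpoints
LARGE_DOC_PREFIXES = ("/docs/", "/legal/")       # hypothetical static-document paths


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "bytes": size}


def find_abusive_clients(lines, window_s=60, login_limit=20, doc_bytes_limit=50_000_000):
    """Return {ip: set(reasons)} for clients exceeding a limit within any window.

    login_limit: more than this many login requests per window -> "login-flood"
    doc_bytes_limit: more than this many bytes of large documents per window
                     -> "bulk-download"
    Lines for a given IP are assumed to arrive in chronological order.
    """
    flagged = defaultdict(set)
    login_hits = defaultdict(deque)   # ip -> timestamps of login requests
    doc_bytes = defaultdict(deque)    # ip -> (timestamp, bytes) of document requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, size = rec["ip"], rec["ts"], rec["path"], rec["bytes"]
        if path in LOGIN_PATHS:
            q = login_hits[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop events outside the window
                q.popleft()
            if len(q) > login_limit:
                flagged[ip].add("login-flood")
        elif path.startswith(LARGE_DOC_PREFIXES):
            q = doc_bytes[ip]
            q.append((ts, size))
            while (ts - q[0][0]).total_seconds() > window_s:
                q.popleft()
            if sum(b for _, b in q) > doc_bytes_limit:
                flagged[ip].add("bulk-download")
    return dict(flagged)


def build_sample_log():
    """Constructed sample traffic (not real log data): one normal visitor,
    one client flooding the login form, one client re-downloading a 5 MB PDF."""
    base = datetime(2013, 3, 6, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, offset, method, path, status, size):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size}'

    lines = [fmt("203.0.113.10", 0, "GET", "/", 200, 5120),
             fmt("203.0.113.10", 5, "POST", "/login", 302, 0)]
    lines += [fmt("198.51.100.7", i, "POST", "/login", 401, 512) for i in range(25)]
    lines += [fmt("192.0.2.44", 2 * i, "GET", "/legal/user-agreement.pdf", 200, 5_000_000)
              for i in range(12)]
    return lines


if __name__ == "__main__":
    for ip, reasons in find_abusive_clients(build_sample_log()).items():
        print(ip, sorted(reasons))
```

On the constructed sample this reports the login-flooding client and the bulk-downloading client and leaves the ordinary visitor alone. In production the same per-client window logic would be fed from the live access log (or implemented at the edge as a rate limit), with thresholds tuned to the site's real traffic so that legitimate bursts are not flagged.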

The attackers are also using compromised web servers to fire off these requests, and according to experts, seem to be using simple Google searches to find servers with PHP vulnerabilities or other flaws that are easily exploitable. Web servers have far more bandwidth than the compromised home machines, thousands of which make up the traditional botnets used in DDoS campaigns. Owning a web server, very much an old-school method of DDoS attack, is much more efficient for the attacker than waiting for clients to become infected with a Java exploit and malware, for example.

“The average home user has 10 MBps capabilities with broadband, with an upload speed of 1.5 MBps. To use that as a tool to attack the banks, to get 70 GBps, I would need 70,000 users,” said Barry Shteiman, senior security strategist at Imperva. “Web servers by design are supposed to serve a large amount of users with half or 1 GBps of upload speed. I would need only 70 to 150 servers to get the same result.”

Taking this approach, Shteiman said, keeps costs down for an attacker. Using a Google search can render a long list of vulnerable web servers that are easy to find and difficult to patch. This is much simpler than writing or buying an exploit that bypasses a lot of client-side protections.

“If I know it’s going to take a lot of effort and money and bypass protections on user platforms, I need to find the best vector,” Shteiman said. “On websites, a lot of vulnerabilities are far less patched; we know most organizations are not covering Web threats.”

The banks, meanwhile, are defending well against these attacks, experts said, though they too have to spend more and evolve as attacks do.

“The attackers’ focus on a particular site is increasing because the banks’ defenses are so good at this point,” Arbor’s Holden said. “DDoS is not a set-and-forget type of defense. Because these attacks are so targeted a lot of people are no doubt still involved in defending against them; a lot of folks are not sleeping right now.”

Holden said he’s not surprised, given the presumed funding, that the attacks and capabilities have grown.

“They have to in order to keep the campaign growing,” he said. “I expect to see further tool development, possibly targeted tools depending on how a bank website is built and structured. They’re learning about defenses for each particular site. Based on what they learned and what’s working, they are able to create tools with a particular site in mind.”


JEA’s website has been hit by a “denial of service attack,” knocking out the company’s website and payment system.

The Jacksonville-based utility told our news partner Action News Jax that it is being “inundated with data,” starting overnight Sunday.

As of 2:15 p.m. Tuesday, the site was still down.

The problem is a “corporate internet connectivity event,” JEA said, and is impacting payments through its automatic phone system.

Payments made through third parties, such as Winn-Dixie and the tax collector, are being processed. Payments are still being taken at JEA’s Downtown office and requests for stop/start and reconnect orders are working as well.

There is no timeline for a fix, Action News Jax reports.

Attacks on large companies’ websites and servers have been frequent in recent months. SunTrust was hit by a cyber attack in October 2012, and Bank of America, Chase and Citi were attacked by Iranian hackers the month before.

The attacks led several of the major banks to ask the government for help in blocking the Iranian attacks.

JEA is the seventh-largest community-owned electric utility in the United States and one of the largest water and sewer utilities in the nation providing electric, water and sewer service to residents and businesses in northeast Florida.


Cloud providers face an increasing number of DDoS attacks, as private data centers already do today

The eighth annual Worldwide Infrastructure Security Report, from security provider Arbor Networks, reveals how both cloud service providers and traditional data centers are under attack. The report examined a 12-month period and asked 200 security-based questions of 130 enterprise and network operations professionals. The key findings follow:

  • 94 percent of data center managers reported some type of security attacks
  • 76 percent had to deal with distributed denial-of-service (DDoS) attacks on their customers
  • 43 percent had partial or total infrastructure outages due to DDoS
  • 14 percent had to deal with attacks targeting a cloud service

The report concluded that cloud services are very tempting for DDoS attackers, who now focus mainly on private data centers. It’s safe to assume that, as more cloud services come into use, DDoS attacks on them will become more commonplace.

Arbor Networks is not the only company that cites the rise of DDoS attacks on cloud computing. Stratsec, in a report published last year, stated that some cloud providers are being infiltrated in botnet-style attacks.

This should not surprise anyone. In my days as CTO and CEO of cloud providers, these kinds of attacks were commonplace. Indeed, it became a game of whack-a-mole to keep them at bay, which was also the case at other cloud providers that suffered daily attacks.

The bitter reality is that for cloud computing to be useful, it has to be exposed on public networks. Moreover, cloud services’ presence is advertised and the interfaces well-defined. You can count on unauthorized parties to access those services, with ensuing shenanigans.

The only defense is to use automated tools to spot and defend the core cloud services from such attacks. Over time, the approaches and tools will become better, hopefully to a point where the attacks are more of a nuisance than a threat.

The larger cloud providers, such as Amazon Web Services, Hewlett-Packard, Microsoft, and Rackspace, already have good practices and technology in place to lower the risk that these attacks will hinder customer production. However, the smaller cloud providers may not have the resources to mount a suitable defense. Unfortunately, I suspect they will make them the primary targets.


As the threat landscape continues to evolve, one malicious tactic has stood the test of time: distributed denial-of-service attacks (DDoS). They carry on as a preferred means of assault on networks around the world, and they’re getting more prevalent and sophisticated.

According to a recent report from Prolexic, a security firm that specializes in DDoS protection, there was an 88 percent increase in the total number of DDoS attacks in the third quarter of this year compared to the same period last year.

The common method associated with this threat involves an attacker pummeling a target with illegitimate traffic through the use of botnets – to the point where its online services are unavailable. While it may seem like a mere nuisance, an attack of this nature is detrimental to any enterprise that generates a majority of its revenue online.

The recent attacks that downed the websites of major financial institutions, such as Bank of America and JP Morgan Chase, have proved that DDoS is evolving. Rather than opting for a botnet’s army of zombie computers, the perpetrators leveraged a slew of compromised servers to launch their attacks, which flooded networks with up to 60 gigabits per second of traffic coming from each infected server.

A DDoS service toolkit known as “itsoknoproblembro” was believed to be the weapon behind the financial assaults. According to Prolexic, it is capable of attacking several layers of a website’s networking stack, and any mitigation provider would struggle to deal with this type of strike.

And, the prevalence and advancements of these malicious DDoS methods may be bolstered by the overall decrease in spam. As spam filters have gotten better, botnet masters have found that DDoS attacks are a worthy replacement to ensure they continue to see a high return on investment, said Matthew Prince, CEO and founder of CloudFlare, a web performance and security firm.

Motives surrounding DDoS attacks vary, from cyber warfare to hacktivism, but the one constant is that their maturation is what makes them difficult to defend against, said Dan Holden, director of Arbor Networks’ Security Engineering and Response Team. Further complicating matters is that, whether they are using a service provider or a hybrid cloud partner, many enterprises simply don’t own or have full visibility into their own network. “Fundamentally the internet is just a different place,” Holden said.



Nearly two-thirds of companies have experienced at least three denial-of-service attacks in the past year, Ponemon study reports

Organizations are becoming increasingly concerned about system availability as they experience more and more distributed denial-of-service (DDoS) attacks, a new study says.

The study, conducted by the Ponemon Institute and sponsored by Radware, surveyed 705 IT security professionals on issues related to downtime and DDoS.

While security pros have traditionally been focused on preventing data theft or corruption, today’s professionals are more worried about system availability, the study says.

“DDoS attacks cost companies 3.5 million dollars every year,” Ponemon says. “Sixty-five percent reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes per attack.

“With the cost for each minute of downtime amounting to as much as $100,000 per minute – including lost traffic, diminished end-user productivity and lost revenues – it is no surprise that respondents ranked availability as their top cyber security priority,” the study says.

Most organizations don’t have the ability to strike back at attackers, according to Ponemon. “While 60 percent say they want technology that slows down or even halts an attacker’s computer, the majority (63 percent) of respondents give their organizations an average or below average rating when it comes to their ability to launch counter measures,” the report states. Three-quarters of organizations still rely on antivirus and anti-malware to protect themselves from attacks, Ponemon says.