Distributed Denial of Service DDoS status update
DDoS defined: When criminals deliberately inundate computers and other systems that handle Internet traffic (Web servers, Internet banking servers, mail servers, etc.) with so many requests at the same time that they cause a financial institution system to crash for a few minutes or even days.
DDoS attacks have been in the news fairly regularly over the past 12 to 18 months as attackers have targeted larger organizations, including many financial institutions. An FBI update in April indicated that approximately 46 U.S. financial institutions have been targeted by more than 200 DDoS attacks. In April, there was widespread news indicating that large-scale attacks could be expected on May 7. The May 7 attack date came and went without any significant successful attacks; since May 7, DDoS attack news has been relatively quiet.
Does the relatively quiet period indicate that DDoS attacks are over? After all, DDoS activity has been relatively dormant for the past six to seven weeks. Perhaps the answer lies in an analysis of the past.
The DDoS attacks during the past 18 months or so have come in three primary campaigns:
The first campaign began on approximately Sept. 18, 2012, lasted until the end of October, and was followed by a six-week lull in activity. The second campaign began on approximately Dec. 10, 2012, lasted for about six weeks, and was followed by roughly five quiet weeks. The third campaign began in March and lasted for about eight weeks (the longest period of attacks); the current break in activity began at approximately the end of April and continues as of the second week of June. Does this mean the attacks are over?
It is unlikely that the attacks are over: botnets (essential to the DDoS attackers) continue to grow, and even during the current quiet period a large-scale global attack was made on an organization that successfully defended itself.
Regulators have issued various advisories related to these attacks; two of them are referenced here:
The advisories essentially define the steps that financial institutions should be taking to mitigate the effects of DDoS attacks on their systems. The major steps of these mitigation efforts are:
- Perform risk assessments to identify risks associated with DDoS attacks.
- Ensure that incident response programs include a DDoS attack scenario during testing and address activities before, during and after an attack.
- Perform ongoing third-party due diligence, in particular on Internet and Web-hosting service providers. Third-party service providers should identify risks and implement appropriate traffic management policies and controls.
- Financial institutions should voluntarily file a Suspicious Activity Report (SAR) if an attack impacts Internet service delivery, enables fraud or compromises member information.
The advisories do a nice job of identifying the mitigation efforts that financial institutions should take from a governance and policy perspective, but don't identify preventative technical measures that can be taken to address DDoS attacks.
From a technical perspective, there are four categories of preventative measures that can be taken to attempt to keep an attack from affecting the financial institution's services. They are:
- DIY (Do It Yourself)
- Specialized on-premises equipment
- Using your Internet Service Provider (ISP)
- Using a specialized cloud DDoS mitigation provider
As the name implies, DIY is the simplest, least costly and also least-effective approach. It may involve leveraging an existing intrusion prevention system (IPS) or perhaps a specialized server with customized scripts to detect and deflect the attacks. These solutions may have been effective against some of the earlier and simpler forms of DoS attacks during the early days of the Internet, but their effectiveness against today's sophisticated DDoS is questionable.
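As an added illustration of the DIY category (example code written for this article, not the author's or any vendor's), the script below parses constructed Common Log Format lines and flags both a single noisy source and an aggregate per-second spike; the second check matters because a distributed flood keeps every individual source under the per-IP threshold. The thresholds, log lines and addresses are assumptions.

```python
"""Toy DIY DDoS detector over web-server access-log lines.

Added example (not from the article). It flags a single source IP that
exceeds a per-window request threshold, and separately flags an aggregate
request-rate spike, which is what a distributed flood looks like when no
single source crosses the per-IP threshold.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip - - [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S"

def parse_line(line):
    """Return (ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts = m.group(1), m.group(2).split()[0]  # drop the timezone offset
    return ip, datetime.strptime(ts, TS_FMT)

def detect(lines, per_ip_limit, total_limit):
    """Bucket requests per second; return (noisy_ips, hot_seconds)."""
    per_bucket = defaultdict(Counter)  # second -> Counter(ip -> hits)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, ts = parsed
        per_bucket[ts][ip] += 1
    noisy_ips, hot_seconds = set(), []
    for sec, counts in sorted(per_bucket.items()):
        noisy_ips.update(ip for ip, n in counts.items() if n > per_ip_limit)
        if sum(counts.values()) > total_limit:
            hot_seconds.append(sec.strftime("%H:%M:%S"))
    return noisy_ips, hot_seconds

# Constructed sample log: one chatty IP at 10:00:00, then a distributed burst
# at 10:00:01 where each of 20 IPs sends only 2 requests (40 in total).
SAMPLE = (
    ['203.0.113.5 - - [10/Jun/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512'] * 30
    + [f'198.51.100.{i} - - [10/Jun/2013:10:00:01 +0000] "GET /login HTTP/1.1" 200 512'
       for i in range(1, 21) for _ in range(2)]
)

if __name__ == "__main__":
    print(detect(SAMPLE, per_ip_limit=20, total_limit=25))
```

With the sample above, the per-IP check catches only the single chatty source at 10:00:00, while the aggregate check also catches the distributed burst at 10:00:01 where no source exceeds two requests.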
Several vendors have come forward with revisions of existing systems or new systems that are designed to sit in the financial institution's data center, generally placed in front of the very servers and devices the attackers are trying to crash. They are very expensive and difficult to operate effectively, meaning the financial institution will likely need to hire highly skilled network engineers or engage a consulting partner with the needed skillset. Another issue with trying to handle DDoS attacks at the data center level is that they don't offer a solution for the very large attacks (huge volumes of packets and data): the bandwidth capacity of the Internet connections will be saturated, effectively DDoS'ing the financial institution before the on-premises equipment sees the traffic.
Another option is to work with the ISP to provide DDoS mitigation; large regional or national ISPs have significantly more bandwidth than a bank would have, which helps with the huge-volume attacks that overwhelm specialized on-premises equipment. A potential issue is whether a regional ISP would have the skills needed to provide this service effectively, while the larger national ISPs all claim to have a solution. What is unclear at this point are the initial and ongoing costs of these services.
DDoS protection in the cloud is now offered by several specialized providers. Generally, the cloud providers have multiple redundant high-capacity connections around the world from which they can filter traffic to remove and mitigate DDoS attacks. For some of the largest DDoS attacks, this might be the only solution that provides a reasonable level of attack mitigation.
To conclude, which solution is the best solution for a financial institution depends on many variables that are unique to each organization, but there are a few common important variables that need to be considered in the decision process.
- If the financial institution has chosen to self-host many of its Internet services (Internet banking, website and mail services, etc.), specialized cloud DDoS protection may be its only effective option.
- If the Internet services (Internet banking, website and mail services, etc.) are outsourced to service providers that specialize in serving financial institutions, specialized DDoS devices or an ISP's DDoS mitigation services may be sufficient. The service providers generally should have DDoS protection included in the design of their networks, and the financial institution should verify this through its vendor management program.
For additional information on this topic, contact Loras Even, Principal, McGladrey LLP.