Intrusion detection/prevention systems. The most obvious security technology for detecting DDoS attacks, which many banks already use, is the more generic intrusion detection system, software that monitors network traffic for potentially malicious behavior and alerts administrators to it. Its sister technology, the intrusion prevention system, blocks traffic from the "bad actor" IP addresses.
Who offers it: Cisco, McAfee, HP (Tipping Point), IBM, Intel (McAfee), Juniper.
Pros: It's effective for certain types of identified threats, such as a cybercriminal using a stolen IP address.
Cons: Most IDSs and IPSs aren't designed to deal with DDoS attacks. "They're meant to keep people from getting into your system, they're not necessarily for dealing with excessive traffic," Pascual says.
WHY HAS NONE OF THIS WORKED SO FAR?
One question we've been asking since these attacks began is: why aren't the technologies and services banks have in place effectively protecting them against the attacks? Experts give several reasons.
"The DDoS mitigation techniques are working," asserts Orans. However, when an attack is new and different, it takes longer to respond to and mitigate its effects. "That's why you sometimes see more pronounced outages."
"The true zero-day attack there's no perfect defense for," agrees Rich Bolstridge, chief strategist for financial services, Akamai Technologies. "When an attack does come in on one of our customer sites, we can apply a rule to our other customers. Some days, every 15 minutes an attack moves from one to another. Thursdays are usually the worst. Attackers sometimes vary their techniques within a day."
The high volumes are a big factor. "Most banks' networks are capable of handling 10 gigs per second, but the level getting through to them in these attacks is 40-50 gigs," notes James Barnett, a retired Rear Admiral in the Navy who recently joined Washington, D.C. law firm Venable as a partner; he is the former Chief of the Public Safety and Homeland Security Bureau for the Federal Communications Commission.
A comparable example would be getting four to five million emails per second in your email inbox, he says. "That would be pretty hard to handle," he notes.
Litan argues that vendors are not yet able to distinguish good and bad traffic because they're being reactive instead of proactive. "They have to study the new attacks and then put in a new control to stop them," she says. What's needed is behavioral modeling of normal activity that will help show up anomalies that could indicate an attack. "The current technology is all old-fashioned, backward-looking and rules-based, which is true for security software generally."
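To make Litan's distinction concrete, here is an added example (not code from the article or from any vendor it names): a fixed-threshold rule of the kind an IDS/IPS applies, beside a behavioral baseline that learns what normal request volume looks like and flags departures from it. The per-second traffic series, the 5,000 request-per-second rule, the warm-up length and the sensitivity factor are all constructed assumptions for illustration.

```python
"""Static-rule vs. behavioral-baseline detection over constructed traffic.

Added illustration of the point above; not code from the article or from
any vendor it mentions. The series below is constructed: per-second request
counts as seen by a hypothetical bank web front end.
"""
from statistics import mean, pstdev

# Constructed sample: 60 seconds of ordinary traffic around 1,000 req/s,
# then a ten-second ramp that stays just under a 5,000 req/s rule but is far
# outside the site's normal behaviour.
NORMAL = [980, 1010, 995, 1020, 1005, 990, 1015, 1000, 985, 1025] * 6
RAMP = [1500, 2000, 2500, 3000, 3500, 4000, 4500, 4900, 4950, 4990]
TRAFFIC = NORMAL + RAMP


def rule_based(counts, threshold=5000):
    """Backward-looking rule: alert only when a fixed ceiling is crossed.

    Returns the indices (seconds) that exceed the threshold.
    """
    return [i for i, c in enumerate(counts) if c > threshold]


def behavioral(counts, warmup=30, k=4.0):
    """Baseline model of normal activity.

    Learns mean and standard deviation from the first `warmup` seconds, then
    alerts on any second more than `k` standard deviations above the mean.
    Seconds judged normal keep updating the baseline; seconds judged anomalous
    do not, so an attack is never absorbed into the definition of 'normal'.
    Returns the indices (seconds) flagged as anomalous.
    """
    if len(counts) <= warmup:
        raise ValueError("not enough samples to build a baseline")
    history = list(counts[:warmup])
    alerts = []
    for i in range(warmup, len(counts)):
        mu, sigma = mean(history), pstdev(history)
        # A perfectly flat baseline would flag any change at all; floor the
        # spread at 1% of the mean so small jitter is still tolerated.
        ceiling = mu + k * max(sigma, 0.01 * mu)
        if counts[i] > ceiling:
            alerts.append(i)           # anomaly: keep it out of the baseline
        else:
            history.append(counts[i])  # normal: keep the model current
    return alerts


def compare(counts):
    """Run both detectors over the same series and report what each caught."""
    return {"rule_based": rule_based(counts), "behavioral": behavioral(counts)}


if __name__ == "__main__":
    for name, hits in compare(TRAFFIC).items():
        print(f"{name:11s}: {len(hits)} alert(s) at seconds {hits}")
```

On the constructed series the static rule never fires, because the ramp is tuned to sit beneath the 5,000 req/s ceiling, while the baseline flags every second of the ramp. The design choice worth noting is the frozen baseline: a model that keeps learning during an alert will gradually accept the attack traffic as normal and go quiet, which is the failure mode an attacker counts on when ramping slowly.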
There are several pre-made DDoS toolkits available as commercial products, which makes creating the attacks easier, points out John Linkous, security research fellow at eIQnetworks.
Part of the challenge comes from the need to keep website availability up and provide security at the same time. "You still want usability by customers, you still need to be able to conduct complex and secure transactions," Barnett points out. "So you have to have utility and functionality as well as that type of protection."
Signs are that banks are getting better and that online banking outages are getting shorter.
"For financial services at this time, the best answer out there is a layered answer, which is not something I would have said a year ago," says Vansevenant.
As with so many other areas of life, there's no single answer. "It's really about working together," Pascual notes. "No one technology is perfect and the cost factor is significant if you're trying to take this on by yourself. It's like turning around the Titanic; it's not going to turn on a dime," Pascual says. "It's going to take time and resources. The more cooperation we have among institutions themselves, the better off everyone is going to be."
Future attacks may harness the 100 million mobile devices in the U.S., which tend to be left unprotected. "On their desktop PCs now everyone has anti-malware software, but people are not familiar with securing mobile devices," Pascual says. "We see an exponential growth in mobile malware, and we're already starting to see programs that could be used for mobile devices." Some malware programs have "ddos" in their very name.
"It's just a matter of time. Consumers open themselves up with poor security habits, they download stuff off Google Play," Pascual says. "There's a lot out there that opens this up to being a potential issue. It's a horrible scenario. Imagine what happens if a million mobile devices all over the U.S. target one location?"