Future DDoS Attacks: Targeted and Mobile-Driven

Everyone wants to talk about the big ones — the whales. The large, hellacious denial of service attacks that slow or stop a bank's web server and prevent customers from doing business.

And right now, while you're reading this, criminals may be bombarding your bank's website.

These attacks typically occur when cyber crooks flood a bank's web servers with traffic — enough to either shut it down or stop users from performing specific functions online, like making a payment or making good on a bill.

Sometimes this traffic comes from a one specific group of servers, in a denial of service (DOS) attack — think about it like one big computer constantly visiting, say, AmericanBanker.com millions of times within seconds. Other times the attack is launched from many computers in many different parts of the world (in what's called a distributed denial of service attack).

"In the past, there was an underground of attackers. The targets were smaller organizations and these were not very complex attacks," says Jason Malo, a research director at CEB TowerGroup, who specializes in security and fraud.

Since September, 46 U.S. financial institutions have been hit with more than 200 coordinated and timed DDoS attacks, according to a report issued by the FBI April 30.

Hackers started in earnest with Bank of America and the New York Stock Exchange, then targeted mostly large banks, and have moved down to regional banks.

In April, one hacktivist group posted four different announcements of fresh attacks.

Security folks talk about the events in awkward-sounding units called gigabits per second — a data transfer speed of a billion bits per second. Some of the largest attacks are 80 gigabits per second. Double that. Triple that.

Think about sending a month's worth of emails, attachments included, all in a second. That's roughly the equivalent of one gigabit per second.

A respectable attack will be between 10 to 15 gigabits per second, says Michael Smith, a customer security incident response team director at the Internet infrastructure firm Akamai Technologies Inc.

But Smith points out that some attacks are not targeting banks' web pages, but their applications. "Understanding that the overall trend is to use the minimum amount of force necessary, if you can do application attacks through SSL, you need less volume of attack traffic than you would trying to flood the network infrastructure."

Banks have spent so much time hardening their servers, focusing on security and authentication, that it takes less time to fell a bank's web servers than the ones behind a retailer's site.

Better security means it takes more computing power to do smaller tasks, making it easier for an attacker to overwhelm a target by just focusing on, say, username and password protocols - asking a website a million times if 'AAAAA's password is 'AAAAA.'

These attacks are becoming more sophisticated.

For instance, a bank's website can be jammed by an attack targeting just a specific service. Malo references Slowloris malware that allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

"Basically it sends information in packets, as slowly as possible," he says. "So we are speaking in a normal voice, but if I start... to... be... like... this... it makes it like we're still engaged in the conversation, but it exhausts the service sessions."

Malo adds that he'd expect these types of attacks to persist.

Indeed, the real danger of these attacks isn't just a disruption in a person's Internet banking — which costs banks cash because customers now have to be handled through a different, often more expensive channel.

In some cases, these attacks mask more serious intrusions that can compromise a bank's customer data.

While an attack is taking place, criminals could be attempting to extract financial information from a bank using a variety of techniques.

On Christmas Eve, thieves reportedly stole $900,000 from a Bank of the West customer under the guise of a DDoS attack. The news was first reported on the information security blog Krebs on Security.

In the future, some observers say, the attacks will inevitably come from mobile devices, as well as desktop computers and servers in data centers.

"This is eventually going to be an Android vs. iOS" battle, says Ken Baylor, a research vice president at the information security research and advisory company NSS Labs, alluding to the division between the tech giants, one of which polices all the apps its iPhone users download while the other does not.

DDoS attacks are commonly launched over infected devices that are enslaved and turned into botnets — collectives of connected machines linked by malicious software performing specific tasks, like bombarding a bank's website with traffic.

"So let's say I have built a botnet for Android. The idea there is if you get an app inside an app store, a botnet component hidden within that software could launch an attack against a site," says Baylor. "You might have a running app that could fuel an alarm clock that while it is running in the background logs into a site and sooner or later goes after Company X's website."

That type of attack is far off, though, says Smith. Today it would take more than 60,000 smartphones or tablets running malicious software to bring down a bank's servers. No one, to date, has done that successfully.

Still, the fact that the traffic is looking more and more legitimate could make these attacks harder to recognize when they're actually happening, says Robert E. Lee, a security researcher who works on authentication issues.

"These attacks are starting to more and more act and feel like regular users," he says. "It's becoming more and more difficult to distinguish an attacker's signature from a regular customer's signature."

DDoS protection companies, such as Prolexic and Akamai, have become adept at tuning out bad traffic and shunning certain IP addresses.

As the attacks become more diverse, more businesses will be affected by the mess — as will their Internet service providers.

"If everybody is on the same Internet highway, and I jackknife a truck into the highway, the bank's traffic is not getting through, but an e-commerce site is also not getting through," says Malo. "That becomes an issue for the guy trying to maintain that highway."

Denial of service attacks are not just a growing threat for banks. They're an exponentially disruptive threat for the Internet in which banks' websites live.

For reprint and licensing requests for this article, click here.
Bank technology Community banking
MORE FROM AMERICAN BANKER