Bank DDoS Strikes Could Presage Armageddon Attacks

Who Is Hacking U.S. Banks? 8 Facts

Who Is Hacking U.S. Banks? 8 Facts(click image for larger view and for slideshow)

Individual distributed denial-of-service (DDoS) attacks could soon take down not just one site, but any intervening service providers.

The warning over the feasibility of this type of so-called DDoS "Armageddon attack," that could "not only overwhelm the end victim but also all the Internet providers in between," comes via Carlos Morales, VP for global sales engineering and operations at Arbor Networks. His analysis is based on the characteristics of the DDoS attacks launched against U.S. banks in September and October of this year.

What's alarming is that even though the attackers announced the exact date and time that they would be launching their attacks, as well as their targets, the targeted financial institutions were unable to prevent their websites from being disrupted.

Bank officials and DDoS experts have both said that the sheer scale of the attacks was to blame. Attackers had apparently compromised servers -- most likely at service providers -- that were able to support high-bandwidth attacks. Together with blended attack techniques, attackers overwhelmed every one of their targets.

In part, that's thanks to the "itsoknoproblembro" DDoS toolkit also used in some of the attacks, which maintained sustained packet floods peaking at 70 Gbps and 30 million packets per second, reported Prolexic Technologies. As a result, even financial institutions with state-of-the art networks couldn't maintain site availability. "Most enterprise and government data centers have no more than 10 Gbps [of bottleneck] with some ranging slightly higher than this," said Morales in a blog post.

Thankfully, the bank attacks have ceased, and the group claiming responsibility -- the Cyber fighters of Izz ad-din Al qassam, has been silent since October 23, 2012, when it announced that it was planning a break in honor of the Muslim Eid al-Adha holiday.

Still, the effectiveness of those banking website disruptions has many government officials spooked. Last month, notably, Secretary of Defense Leon Panetta pointed to the DDoS attacks as evidence that the nation's critical infrastructure remains all too vulnerable to being hacked. "In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called 'distributed denial-of-service' attacks," he said. "These attacks delayed or disrupted services on customer websites. While this kind of tactic isn't new, the scale and speed was unprecedented."

According to Arbor Networks, however, larger attacks have been seen -- both this year and last. Compared with the 70-Gbps peaks in the bank attacks, Arbor reported seeing 101.4 Gbps (in 2011) and 100.8 Gbps (in 2012) attacks. Furthermore, in comparison to the bank attacks peaking at 30 million packets per second, Arbor has seen attacks of 139.7 million (2011) and 82.4 million (2012) packets per second.

As that suggests, the difficulty of generating large-scale attacks has been decreasing. Again, the bank attackers used compromised, high-bandwidth servers -- but botnets are another possibility. For example, Morales said that some botnets have one million infected -- a.k.a. zombie -- PCs at their disposal. "Assuming an average of 1 Mbps worth of upstream access per host, a conservative estimate -- based on the number of broadband subscribers, 4G and 3G users deployed [around] the world -- [means] a 1-million-host botnet could generate an attack of 1 Tbps. Now, what if this botnet and multiple other large botnets attack at the same time?"

The attack volumes theoretically now available would make it possible for attackers to disrupt not just their targets, but every service provider in between. "Service providers have a lot of bandwidth throughout their network, but there are limits to how much traffic they can handle," said Morales. "Attacks of that magnitude described would have profound effect on the Internet as a whole, exploiting bottlenecks in many places simultaneously. No single service provider, even the largest tier ones, would be able to handle all this traffic without adversely affecting their user base."

Thankfully, however, no such attacks have been seen. "Is this possible? It certainly seems so," said Morales. "Is it likely? It doesn't seem so since it would affect everyone on the Internet and not just a single victim. That said, many attacks that didn't seem likely before are now becoming commonplace as motivations have shifted."