DDoS-Presentation

Denial of Service Attacks Targeting U.S. Financial Institutions
January 2013
Agenda
• What is DDoS
• Who’s Behind the Attacks and Why
• Timeline of the Attacks
• What Do the Attacks Look Like
• How are the Attacks Changing
• What are Banks Doing About It
Types of DoS Attacks
• ICMP Flood (Ping) – AKA Smurf
  – Relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier.
• Teardrop Attacks
  – Older attack that sends mangled IP fragments with overlapping, over-sized payloads to the target machine. This can crash various older operating systems due to a bug in their TCP/IP fragmentation re-assembly code.
• Blind
  – Without forged addresses, the attacker must be able to receive traffic from the victim, which means either subverting the routing fabric or using the attacker's own IP address. In a blind attack the attacker uses forged IP addresses instead, making it extremely difficult for the victim to filter out those packets. The TCP SYN flood attack is an example of a blind attack.
• Unintentional
  – Unforeseen outages due to unplanned events, such as power failure, hardware/software bugs, or a site's sudden enormous spike in popularity.
• Degradation-of-Service
  – Compromised computers are directed to launch intermittent and short-lived floodings of victim websites to slow them down rather than crash them.
• Reflective
  – Sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet protocol spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target.
• Distributed
  – Multiple systems flood the bandwidth or resources of a targeted system.
• Nuke
  – Old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.
• Permanent Denial of Service – AKA Phlashing
  – Damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the distributed denial-of-service attack, a PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, usually tampering with firmware to render it inoperable.
• Peer-to-Peer Attacks
  – No botnet, and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a 'puppet master,' instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim’s website instead.
• Level II
  – Causes the launching of a defense mechanism which blocks the network segment from which the attack originated.
What is a DDoS?
Distributed Denial of Service (DDoS) Attack
How DDoS Looks Through the Eyes of Your Technology
DDoS Threat is not Temporary…
• Thanks to the increasing availability of custom-coded DDoS modules within popular malware and crimeware releases, opportunistic cybercriminals are easily developing managed DDoS-for-hire, also known as “rent a botnet” services, alongside orchestrating largely underreported DDoS extortion campaigns against financial institutions and online gambling web sites.
Mainstream: Rent a BotNet
The Attacks: The “Who” is Important
• The ancient Chinese warrior Sun Tzu taught his men to
"know your enemy" before going into battle.
– If "you know your enemy and know yourself," he wrote, "you
need not fear the result of a hundred battles."
– But, "If you know yourself but not the enemy, for every victory
gained you will also suffer a defeat."
• Understand your opponent:
– Funding
– Techniques
– Capabilities
• Weapons
• Scale
– Focus/Drivers
• Why
• When have you “Won”?
Who and Why?
• Izz ad-Din al-Qassam Cyber Fighters
– Pastebin post: a protest against the “Innocence of Muslims” trailer that ridiculed the Prophet Mohammad. (Available on MetaTube)
“Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad”
– http://pastebin.com/yftgau9w
* DO NOT GO TO THIS SITE WITHOUT ANONYMIZING *
Attackers’ Country Affiliation
• NOT proven to be state sponsored at this time.
• An interesting statement in a recent post, “..continue to insult Muslim saints”, may provide a better understanding of the source.
  – Likely indicates Shia Muslim origin. Research indicates that the vast majority of Muslims are Sunni (85%), who vehemently reject the concept of sainthood, while the Shia accept this term.
  – Previous posts implied all Muslims are offended and participating in these attacks. This new term indicates only a small geographic region, centered on Iran, may be offended.
  – Previous guesses at attribution have indicated Iran with no evidence to support those claims. One could presume that the pastebin posts and the translation are under the control of the originator (as they use it as an official channel), so this is not a mistake.
Shia Muslims believe that an Imam (Islamic leadership position) is sinless by nature, and that his authority is infallible as it comes directly from God. Therefore, Shia Muslims often honor the Imams as saints and perform pilgrimages to their tombs and shrines in the hopes of divine intercession.
Sunni Muslims counter that there is no basis in Islam for a hereditary privileged class of spiritual leaders, and certainly no basis for the veneration or intercession of saints. Sunni Muslims contend that leadership of the community is not a birthright, but a trust that is earned and which may be given or taken away by the people themselves.
Public Reaction
• OMG… What are we going to do?
• ….Where’d they go?
• OMG… They’re back…
Who Has Been Targeted?
Timeline of Attacks Targeting US Financial Institutions (Americans)
• January 3-6, 2012 – Muslim Cyber Fighters announce attacks against JPMorgan Chase, Bank of America, Citibank, Wells Fargo, US Bancorp, PNC Financial Services Group, BB&T, SunTrust and Regions
• September 18, 2012 – Muslim Cyber Fighters claim responsibility for BoA, CITI, and NYSE hack in retaliation for the Innocence of Muslims movie
• September 19, 2012 – Muslim Cyber Fighters attack Chase Bank
• September 27, 2012 – Muslim Cyber Fighters attack Wells Fargo and US Bank
• September 28, 2012 – Muslim Cyber Fighters attack PNC
• October 9-11, 2012 – Muslim Cyber Fighters attack CapitalOne, SunTrust and Regions
• Late October, 2012 – Muslim Cyber Fighters infrastructure taken down by US Law Enforcement, Carriers, and Private Sector
• November, 2012 – Muslim Cyber Fighters acquire different infrastructure and enhance the tools used
• December 11-14, 2012 – Muslim Cyber Fighters announce PHASE 2 targeting U.S. Bancorp, JP Morgan Chase, Bank of America, PNC, and SunTrust Banks
• December 19-20, 2012 – Muslim Cyber Fighters target BB&T, US Bank, and PNC
What do the Attacks Look Like?
• Up to 80 Gbps
• The attacks started with HTTP and HTTPS traffic targeting the institutions’ public websites
• Followed by attacks against the customer login site, which caused a significant spike in the firewall state tables
• The next wave of attacks changed over to DNS server overloading
• Next, the logic and database layers are attacked by performing many large full-site searches
• If more is needed, the download of large files is targeted
Impact from the Attacks
• Local Internet Services around FI Datacenters
• Customer Impacts
– Nothing/Slow/Down
• Retail Online Banking
• WWW Site (Login Page?)
– Reduced Website Functionality
• Mobile Not Targeted (Yet)
• Call Center DDoS
• Alternate Communication Channels
– Social Media
Wave One Attack GEO Sources
Tools They Are Using
• LOIC (Low Orbit Ion Cannon)
  – Open source network stress testing and denial-of-service attack application. LOIC was initially developed by Praetox Technologies for the purposes of network load testing, but was later released into the public domain.
• itsoknoproblembro – AKA brobot
  – Designed and implemented as a general purpose PHP script injected into a victim’s machine, allowing the attacker to upload and execute arbitrary Perl scripts on the target’s machine. It injects an encrypted payload into the website’s main file index.php, in order to bypass IPS and malware gateways, allowing the attacker to upload new Perl scripts at any time. Initial server infection is usually done by using the well-known Remote File Inclusion (RFI) technique.
Sophistication is Changing
• Initially
  – Targets Announced
  – Scheduled and Automated
  – Same Attack for all FI’s
  – Fingerprinted User Agent String
  – Invalid Keep Alive (= 0)
• Recent
  – Attacks target specific likely site weaknesses
  – Unannounced
  – Long Lasting / No Schedule
  – Hashing (masking) Uniquely Identifiable Information
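As an added illustration (not from the presentation), the following Python script checks a constructed web access log for the traffic traits listed in "What do the Attacks Look Like?" and under "Initially" above: a Keep-Alive of 0, a fingerprinted user-agent string, repeated full-site searches and repeated large-file downloads from one client. The log field layout, the placeholder user-agent value and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real traffic). Assumed field layout:
# ip|method|path|status|bytes|keepalive|user-agent
SAMPLE_LOG = """\
203.0.113.10|GET|/search?q=mortgage|200|480000|0|BadBot/1.0
203.0.113.10|GET|/search?q=checking|200|470000|0|BadBot/1.0
203.0.113.10|GET|/search?q=loans|200|465000|0|BadBot/1.0
203.0.113.10|GET|/search?q=cards|200|455000|0|BadBot/1.0
198.51.100.7|GET|/downloads/annual-report.pdf|200|9800000|300|Mozilla/5.0
198.51.100.7|GET|/downloads/annual-report.pdf|200|9800000|300|Mozilla/5.0
192.0.2.44|GET|/|200|12000|300|Mozilla/5.0
192.0.2.44|GET|/login|200|8000|300|Mozilla/5.0
"""

FINGERPRINT_UA = "BadBot/1.0"   # placeholder: the real fingerprinted UA string is not on the page
SEARCH_LIMIT = 3                # full-site searches per client before flagging (assumed)
DOWNLOAD_LIMIT = 15_000_000     # bytes served from /downloads/ per client before flagging (assumed)

def parse(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ip, method, path, status, nbytes, keepalive, ua = line.split("|", 6)
    return {"ip": ip, "method": method, "path": path, "status": int(status),
            "bytes": int(nbytes), "keepalive": int(keepalive), "ua": ua}

def classify(log_text):
    """Return {ip: sorted indicator names} for every client that trips a rule."""
    searches, dl_bytes, flags = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        ip = r["ip"]
        if r["keepalive"] == 0:            # Keep-Alive of 0 is the invalid value in the fingerprint
            flags[ip].add("invalid-keepalive")
        if r["ua"] == FINGERPRINT_UA:      # exact match on the known bot user-agent string
            flags[ip].add("fingerprint-ua")
        if r["path"].startswith("/search"):
            searches[ip] += 1
        if r["path"].startswith("/downloads/"):
            dl_bytes[ip] += r["bytes"]
    for ip, n in searches.items():         # search floods hit the logic and database layers
        if n > SEARCH_LIMIT:
            flags[ip].add("search-flood")
    for ip, b in dl_bytes.items():         # repeated large downloads exhaust bandwidth
        if b > DOWNLOAD_LIMIT:
            flags[ip].add("download-flood")
    return {ip: sorted(f) for ip, f in flags.items()}
```

Clients that trip no rule (192.0.2.44 in the sample) are absent from the result, so the output can feed a block list or a firewall rule review directly.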
What are Banks Doing About It?
• Acquire / Refine Current Mitigation
– Cloud Service Providers
• DDoS Mitigation (BlackHole)
• DNS Outsourcing
• Content Delivery Networks (CDNs)
– On-Premises Technology
• Firewalls and Intrusion Prevention Systems to block bad traffic
• Turn off/down non-mission-critical services (Search, File Downloading, etc.)
• Add more capacity (Internet, Servers, Network)
• Mitigation Testing
• Incident Management Exercising
• Communication Plans
Final Thought: Remember it’s Mitigation NOT Elimination