Are DDoS Attacks Against Banks Over?
Experts Debate What Lull in Activity Means

Distributed-denial-of-service attacks against U.S. banks have been dormant for nearly four weeks, leading security experts to question when and if a new phase of attacks might emerge.
The hacktivist group Izz ad-Din al-Qassam Cyber Fighters, which since last September has taken credit for the hits against banks, claimed its attacks were in protest of a YouTube movie trailer deemed offensive to Muslims. But some observers have speculated that Iran was backing the DDoS strikes against banks as payback for cyber-espionage attacks, such as Stuxnet, Flame and Duqu, that have over the last three years affected Iranian computer systems.
Rodney Joffe, senior technologist for online security provider Neustar Inc., says the current lull could be a sign that the attacks waged by the hacktivist group are over. "It's a wild conjecture," Joffe says. "But we may have seen the end of them."
Joffe says indirect activity linked to the al-Qassam Cyber Fighters' botnet, known as Brobot, has continued. But there have been no direct attacks. And that lack of activity raises questions about whether al-Qassam will wage any more attacks, Joffe says.
"The botnet is no bigger than it was," he says. "We take [compromised] machines down and then new machines keep getting added. I still have hope that the government will have some impact or effect, but don't know one way or the other."
The Federal Bureau of Investigation in April warned that Brobot had been modified, "in an attempt to increase the effectiveness with which the [botnet's] scripts evade detection." The FBI said the actors behind Brobot were changing their attack methodology to circumvent mitigation efforts put forth by U.S. banking institutions (see FBI: DDoS Botnet Has Been Modified).
The FBI also noted that as of April 10, 46 U.S. banking institutions had been targeted by more than 200 separate DDoS attacks of "various degrees of impact" since September.
Financial fraud expert Avivah Litan, an analyst at Gartner, says intervention from federal authorities may have spurred al-Qassam to halt its attacks. But, like Joffe, she says there is no way to be sure. "I do know the banks were trying to get the White House to do something politically, and that could be what's happened."
But other experts, such as Mike Smith of Web security provider Akamai Technologies, don't think there's been anything going on behind the scenes to keep the attacks from resuming.
Different Attack Actors
Other experts anticipate that another group could emerge to resume DDoS attacks against banks if Izz ad-Din al-Qassam Cyber Fighters ends its campaigns.
"There has been a lull in the al-Qassam-like attacks," says Scott Hammack, CEO of DDoS-mitigation provider Prolexic. "But I would definitely not misunderstand this lull as being an end to these types of attacks. The attacks will continue; it's really just a question of when, not if."
The current break comes after a third phase of hacktivist attacks, which kicked off in March. The latest campaign ran eight weeks, the longest-running so far.
The break from the third phase of attacks has lasted four weeks so far. By comparison, the break between the first campaign, which began Sept. 18, and the second campaign, which kicked off Dec. 10, lasted six weeks. And the break between the second and third campaigns lasted five weeks.
Hammack, like Smith, says Brobot, as well as other botnets, continue to grow. In fact, over Memorial Day weekend, Prolexic helped to mitigate a 167-gigabyte DNS-reflection attack, the largest attack recorded to date, Hammack says. "The attack traffic was global and required us to use all four of our cloud-based scrubbing centers," he says.
DNS-reflection was the attack method used in Operation Stophaus, an attack waged in March by The Spamhaus Project, a Geneva-based not-for-profit organization dedicated to fighting Internet spam. And while it's not an extremely sophisticated type of attack, Hammack says these types of DDoS strikes are only going to become more prevalent.
"There are plenty of countries where rogue elements will continue to exist," he says. "You're never going to overcome that. I think, if anything, people should be taking advantage of this down time to fortify their infrastructures."
The application-layer attacks al-Qassam Cyber Fighters favored in its last two campaigns have remained inactive, even though the group appears to be continuing its efforts to grow and strengthen its botnet. "The botnets are out there," Hammack says. "We have between 15,000 and 100,000 compromised web servers out there that we know of. So the artillery is still out there to create these types of attacks. We just haven't seen any of the web server attacks for the last 30 days."
Why Have Attacks Stopped?
So why have the hacktivists remained quiet for the last month?
On May 6, al-Qassam Cyber Fighters claimed on the open forum Pastebin that its attacks would cease for just a week, out of respect for OperationUSA, a separate hacktivist movement organized by Anonymous that proved unsuccessful (see OpUSA: A Lackluster DDoS Operation).
Many experts predicted the group's attacks against banks would resume by May 14. But they didn't.
Some have speculated that international law enforcement could be close to nailing members of the al-Qassam team. But Hammack says drawing conclusions based on the ebbs and flows of DDoS attacks is dangerous because hacktivists attack in waves.
"Certain attacks die down after certain periods," he says. "That doesn't mean, though, that the attacks are over."
Banking institution leaders say they've been advised by groups such as the Financial Services Information Sharing and Analysis Center not to lessen their DDoS mitigation efforts. Litan says banks are heeding that advice.
"The banks have more vendors involved now," she says. "I don't think they'll ever pull back. They have put a lot of systems in. They really can't go back now, and they shouldn't."