DDoS Attacks: Worst Yet to Come?

Phase 3 Attacks Reveal More Power, New Tools

Industry observers say distributed-denial-of-service attacks against U.S. banking institutions are likely to get more intense, as hacktivists' third phase of attacks now enters its fourth week.

See Also: Navigating the Cybercrime Landscape

The attackers' so-called Brobot, which on March 12 struck six banks, is growing, experts say. And so far, they add, attackers have only used a fraction of their botnet's capabilities.

In its latest attack update, the hacktivist group Izz ad-Din al-Qassam Cyber Fighters does not divulge new targets, but names five institutions - PNC Financial Services Group, BB&T, JPMorgan Chase & Co., Union Bank and Capital One - among those allegedly hit last week.

Those institutions have declined to comment about the hacktivists' claims.

DDoS experts aren't talking about specific institutions, either, but they are in agreement that this third phase of attacks has been more targeted, more sophisticated and more diverse than the attacks banking institutions saw during the fall and early part of winter.

In fact, financial fraud expert Avivah Litan, a distinguished analyst for security consultancy Gartner, says the attacks waged during this third campaign have only used about one-third of Brobot's available bandwidth.

Last week, strikes waged against U.S. banking institutions revealed Brobot is now a 9,000-bot botnet, Litan says, based on information gathered from targeted institutions with which she's spoken, as well as other industry experts.

Other experts, such as Dan Holden, the director of ASERT for Arbor Networks, a DDoS solutions provider, estimate Brobot's size is close to Litan's 9,000-bot estimate, but none would offer any specific figure.

"That number is fairly close," Holden says. "I don't know that they have necessarily built up the botnet for stronger attacks. I think it might be more about having the ability to hit multiple targets more than just larger bandwidth."

Izz ad-Din al-Qassam Cyber Fighters says attacks are in protest of a YouTube movie trailer deemed offensive to Muslims, but security and DDoS experts continue to question the video as the real motivation.

New Attack Tools

Holden says Brobot's increasing size has fueled more dynamic attacks, allowing the hacktivists to launch multiple attacks against different financial institutions simultaneously.

"The randomization of the attacks is something we've seen in the third phase," Holden says. "They have introduced new tools, and as they go along, they are learning more and more about the websites they are targeting."

Holden would not offer any details about the new tools being used, but said the attacks are much more diverse now than they were during the first and second DDoS campaigns.

"In the first two campaigns, they were hitting all of the sites with the same tools," he says. "Now they have different tools for different targets. So, now, three different banks could be hit in the same day, and you could potentially see three different tools used."

Using different tools in different attacks has forced banking institutions to constantly change their defensive techniques, Holden adds.

"Any time the attackers try something new, whether it works or not, they are learning, and this tells them about the banks' defensive capabilities," he says. "Every time they poke, they are able to learn a little bit more and that compounds over time."

Attack Patterns Support Botnet Growth

Mike Smith, a security evangelist and DDoS specialist for Web security provider Akamai Technologies, says about two-thirds of last week's DDoS traffic used against banking institutions came from previously unseen Internet protocol addresses. "It could be a sign that Brobot is getting bigger," he says. "But there is a certain amount of churn in the nodes they use."

Marty Meyer, president of DDoS-prevention provider Corero Network Security, says the fact that the attacks are never sustained for more than a day suggests the attackers are constantly rebuilding their bot network. "This is most likely due to a combination of keeping their originating sources clandestine, or because those compromised resources are black-hole-routed to mitigate the effects of the current attack," he says.

Beyond Hacktivism: DDoS Motives

Litan says different groups are waging attacks for different purposes, and that not all DDoS attacks against banking institutions are related to Brobot.

"There are different bot armies out there, and there are two dimensions of attacks," she says. "One is a fraud issue, which has been linked to a lower-grade attack. And one is a national security issue, which has been linked to the 9,000 bots" used by Izz ad-Din al-Qassam.

Both dimensions, however, are concerning, Litan says. Low-grade attacks are being waged as tools of distraction after a fraud event, such as the one that hit Bank of the West, she says, based on her own observations and discussions she's had with targeted institutions.

Izz ad-Din al-Qassam Cyber Fighters' attacks have not been linked directly to fraud. But the banking industry is concerned about what the implications of this hacktivist group's actions could be long-term, especially if major U.S. banks are taken offline for significant periods of time.