DDoS On Dutch Bank

ComputerWorld has posted an article recently on a subject that I haven’t heard a lot about for the last year.  It seems a Dutch bank was the victim of a malicious Distributed Denial of Service (DDoS) attack.  I say malicious, as there have been instances where a bank was accidentally hit with a traffic flood due to misconfiguration of a common tool, and even some spotty attacks that were quickly detected and avoided.  But nothing that I can recall recently where a brazen attack was aimed squarely at a bank, and took them off the map for a couple of days.  Apparently, the Dutch Government has been detecting similar attacks on their networks.

In my work with the Canadian Financial Institution Computer Incident Response Team (CFI-CIRT), I examined and reported on DDoS avoidance and response practices on behalf of the Canadian banking community.  Not a lot had changed from the last time that I had looked at DDoS protection mechanisms several years prior.  The solutions were just as expensive, just as finicky, and just as hard to justify to management without a direct attack to show losses against.  Your choices seemed to be (pick any 3):

  • Over provision your bandwidth.
  • Keep a second provider as a disaster recovery / incident response alternate.
  • Add an appliance or three to your architecture to examine and scrub the data stream.
  • Subscribe to a third-party service that filters the data stream.
  • Subscribe to a third-party service that provides redundant routes to the nth degree.
  • Convince your ISP to provide filtering services on demand as part of your incident response plan.
  • Build an internal response plan that engages the right folks to escalate the response externally.
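Whichever mix of the options above you pick, the internal response plan only works if someone can tell, quickly and from data, that a flood is underway and whether it is distributed or just one misbehaving source (the accidental-misconfiguration case mentioned at the top of this post). The script below is an added example, not code from the original post or from any of the vendors named here. It builds a small constructed set of flow records (all addresses are documentation or private ranges chosen for the example), establishes a bits-per-second baseline toward one destination over a quiet window, flags later seconds that exceed a multiple of that baseline, classifies each alert by the number of distinct sources, and lists the top talkers an operator could hand to an ISP or scrubbing provider. The threshold multiplier and the minimum-source count are assumptions you would tune against your own traffic.

```python
"""Volumetric DDoS detection over flow-style records (added example, not from the post)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch second the flow record was observed
    src: str     # source address
    dst: str     # destination address
    bytes: int   # bytes carried by the flow


@dataclass(frozen=True)
class Alert:
    ts: int
    bps: int         # bits per second observed toward the destination
    sources: int     # distinct source addresses seen in that second
    kind: str        # "distributed flood" or "single-source spike"


def bps_by_second(flows, dst):
    """Map each second to the number of bits sent toward dst in that second."""
    out = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            out[f.ts] += f.bytes * 8
    return dict(out)


def baseline_bps(per_second, start, end):
    """Average bits per second over the half-open baseline window [start, end)."""
    samples = [per_second.get(s, 0) for s in range(start, end)]
    return sum(samples) / len(samples)


def detect_flood(flows, dst, baseline_window, multiplier=10.0, min_sources=50):
    """Flag seconds after the baseline window whose rate exceeds multiplier x baseline.

    A second with at least min_sources distinct senders is labelled a distributed
    flood; fewer senders suggests a single misconfigured or compromised host.
    """
    start, end = baseline_window
    per_second = bps_by_second(flows, dst)
    threshold = baseline_bps(per_second, start, end) * multiplier
    sources = defaultdict(set)
    for f in flows:
        if f.dst == dst:
            sources[f.ts].add(f.src)
    alerts = []
    for ts in sorted(per_second):
        if ts < end:            # seconds inside the baseline window are not judged
            continue
        bps = per_second[ts]
        if bps <= threshold:
            continue
        n_src = len(sources[ts])
        kind = "distributed flood" if n_src >= min_sources else "single-source spike"
        alerts.append(Alert(ts, bps, n_src, kind))
    return alerts


def top_talkers(flows, dst, ts, n=3):
    """Top n sources by bits sent toward dst in second ts, as (src, bits) pairs."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst == dst and f.ts == ts:
            totals[f.src] += f.bytes * 8
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_flows():
    """Constructed sample traffic toward one destination; not captured data."""
    dst = "203.0.113.10"   # documentation address standing in for a web front end
    flows = []
    # Quiet baseline, seconds 0-59: 12 clients, two 1500-byte flows each per second.
    for ts in range(0, 60):
        for i in range(12):
            for _ in range(2):
                flows.append(Flow(ts, f"198.51.100.{i + 1}", dst, 1500))
    # Distributed flood, seconds 60-64: 500 distinct sources, one 1500-byte flow each.
    for ts in range(60, 65):
        for i in range(500):
            flows.append(Flow(ts, f"10.{i // 256}.{i % 256}.1", dst, 1500))
    # Single-source spike, second 70: one host sends 400 flows of 1500 bytes.
    for _ in range(400):
        flows.append(Flow(70, "198.51.100.99", dst, 1500))
    return dst, flows


if __name__ == "__main__":
    dst, flows = build_sample_flows()
    for a in detect_flood(flows, dst, baseline_window=(0, 60)):
        print(f"t={a.ts:>3} {a.bps / 1e6:6.2f} Mbps {a.sources:>4} sources  {a.kind}")
        print("   top talkers:", top_talkers(flows, dst, a.ts))
```

The baseline window here is fixed for clarity; in practice you would keep a rolling baseline so normal daily growth does not drift into an alert, and you would key the classification on the source count precisely because the response differs: a single hot source can be blocked at your own edge, while a distributed flood is the case where the ISP filtering or scrubbing subscription in the list above has to be invoked.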

Has anyone looked into DDoS solutions lately?  Have there been any improvements in the choices and offerings available to large and small businesses?

Threat Landscape Shifts

I have watched the vulnerability exploitation window move down over the years, from 1 year in the ’90s, to 3 months in 2000, and more recently to just under 30 days.  This is the amount of time that it takes for an attacker to develop working, weaponized exploit code for execution in the wild.  This development window is for privately reported vulnerabilities, and does not consider the zero-day threat where a “researcher” discovers a vulnerability and publicly discloses the details, or simply starts exploiting it.

Fortinet, a network security and unified threat management (UTM) solutions provider, reveals in its January 2011 Threat Landscape report that 61% of the new vulnerabilities discovered in January were exploited.  Fortinet says that during a typical month, exploit activity falls between 30% and 40%.  Half of the new vulnerabilities rated critical were targeted; these offer an attacker arbitrary code execution on the target machine.

In order to pull this acceleration off, attackers have been reverse engineering patches released by the vendors, identifying the differences between the patched and unpatched files, and then targeting their research on the changes being made in order to develop their exploit code.  (SecurityWeek)

InformationWeek is reporting that Distributed Denial of Service (DDoS) attacks, the bane of all online services, have broken the 100 Gbps barrier, increasing in bandwidth by 102% over the past year, and by 1000% since 2005.  This finding comes from an infrastructure security report, released on Tuesday by Arbor Networks.  The company surveyed 111 IP network operators from around the world, and found that the volume and severity of attacks continue to increase.

The attacks appear to be driven by the spread of botnet malware agents that allow an attacker to use compromised computers to launch coordinated and focused attacks.  This has led to rapidly escalating DDoS attack size, frequency, and sophistication.  “Adding to the challenges facing operators is the increasing number of attack vectors, including applications and services, not to mention the proliferation of mobile devices” according to Roland Dobbins, a solutions architect at Arbor Networks.

Dealing with DDoS has been a major challenge for businesses of all sizes.  Solutions have been targeted at ISPs and very, very large enterprises, but have had very low adoption rates because of cost limitations.  ISPs can’t generally justify the expense without some sort of return on investment, and protection against a threat that may or may not materialize is a very tough sell as a value-added proposition and a hard thing to justify in the boardroom.

WikiLeaks Site Attacked Again

Wikileaks has been hit by a second distributed denial of service attack.  The renewed DDoS attack followed attempts to knock the site off the web on Sunday night as it prepared to release the controversial hundreds of thousands of US diplomatic cables.

According to The Register, the site confirmed the latest attack on its Twitter feed Tuesday afternoon.  Analysis of the first attack by experts at Arbor Networks shows that the attack threw a relatively modest 2-4 Gbps at the site for several hours.  Modest by the standards of other similar attacks this year, it was still severe enough for Wikileaks to move its systems back into Amazon’s cloud infrastructure to seek shelter from the onslaught.

Country of Myanmar DDoS

I skimmed an article on this earlier today, and didn’t pay much attention to it, thinking “eh, some tin-pot in another far-flung dictatorship’s up for ‘re-election’ and wants to insulate the country from the rest of the world so his influence peddling goes unnoticed”.  When my boss comes up to me and asks if I’m aware, I know that I had better be paying attention to more than whether we have an office there or not…

This is certainly a massive DDoS attack, estimated at between 10 – 15 Gigabytes per second of bandwidth being focused on the country’s Ministry of Post and Telecommunication, the main conduit for Internet traffic in and out of the authoritarian nation.  It has effectively cut Internet connectivity in Myanmar, just 3 days before the nation’s first election in 20 years.

Slow connections and occasional outages were being reported for more than a week, but today network traffic was completely halted, according to BBC reports.  Web service providers said outside attackers were to blame, but some residents suspect the military-ruled nation’s government is behind it all.

Britain, the United States and the European Union maintain long-standing economic sanctions against Myanmar to pressure the military government to improve human rights and release over 2,000 political prisoners.  Foreign journalists have not been allowed into Myanmar to cover the polls, which the West has criticized as a ploy to maintain the military’s control.  British ambassador Andrew Heyn said the vote was a “badly missed opportunity” offering no hope for democratic change.  With increasing tension, the government has canceled voting in 3,400 villages in ethnic areas and has increased its military presence throughout the countryside.

The military has ruled Myanmar, earlier known as Burma, since 1962, and the international community believes that harsh restrictions on campaigning, the repression of opposition parties and the new constitution reflect the military’s intention to continue its commanding role.