Last week, the Federal Financial Institutions Examination Council (FFIEC) came out with a notice to the US banking sector to put in place a six-step DDoS mitigation program. Without doubt, this has resulted from the spate of attacks on the US banking sector over the last year.
This could not have been more timely. The banking sector is already subject to various compliance regimes, including PCI DSS. However, the technical scope of PCI DSS addresses the data breach vector far more than the service unavailability (DDoS) threat. Primarily, PCI DSS was a self-preservation measure by the credit card companies to offload part of the fraud liability onto the banks and retailers in the case of a breach.
The rationale behind this new directive is not hard to imagine:
- Large scale DDoS attacks targeting the breadth of the US banking sector have the potential to bring the US economy (or any economy for that matter) to its knees. As widely reported, the DDoS attacks of last year emanated from Iran, possibly as a reaction to Stuxnet and other cyber attacks. These DDoS attacks may not have been as clinical as Stuxnet or FLAME, but the damage they inflict is certainly no less. Estimates from Forrester, IDC, and the Yankee Group predict the cost of a 24-hour outage for a large e-commerce company would approach US$30 million, but for several large banks the combined figure could easily snowball into billions.
- DDoS attacks are also being widely used as a cover for fraud or data breach attacks. Gartner analyst Avivah Litan highlighted this in a blog post last year, where hackers used persistent DDoS as a cover to take over the master wire payments application at no fewer than 3 US banks, transferring huge amounts of money at will.
According to Reuters, what was alarming during these attacks was how rapidly the attacking machines changed the website functions they targeted, including the secure-communications protocols (e.g. SSL).
Coming back to the FFIEC directive, it outlines six steps for mitigating DDoS, including programs, controls, incident response plans, staffing and knowledge sharing. For technology specifics, it defers to the DHS publication DDoS Quick Guide (pdf), published in January 2014. This document identifies the DDoS threat at each OSI layer and the respective mitigation options. It explicitly calls out the need for an application delivery platform that has full visibility and control of the application layer so as to be able to deal with Layer 5-7 DDoS attacks:
A Layer 7 DDoS attack is an attack structured to overload specific elements of an application server infrastructure. Layer 7 attacks are especially complex, stealthy, and difficult to detect because they resemble legitimate website traffic. Even simple Layer 7 attacks — for example those targeting login pages with random user IDs and passwords, or repetitive random searches on dynamic websites – can critically overload CPUs and databases. Also, DDoS attackers can randomize or repeatedly change the signatures of a Layer 7 attack, making it more difficult to detect and mitigate.
From a technology perspective, we recommend a multilayer strategy to combat the threat of DDoS.
First, employ DDoS protection offerings such as traffic scrubbing from ISPs or cloud service providers. These help clean the Internet pipes coming into the organization. Of late, attacks have exceeded 100 Gbps in volume; such volume can completely choke the ingress pipes, so on-premise security alone will be of little use. However, attackers have learned to bypass these volumetric defenses using application layer attacks such as slowloris, RUDY, HTTP GET/POST floods, LOIC and malformed SSL requests. As outlined in one of our earlier blog posts, attacking the application layer has become the #1 trick in DDoS toolkits, since it is a soft spot that is easy to exploit.
For on-premise DDoS defense, Barracuda offers a comprehensive solution set that includes:
- Barracuda NG Firewall is a DDoS-aware, next-generation network firewall that protects layers 3 and 4 against DDoS attacks such as ICMP, TCP and UDP floods, and provides packet rate limiting. It provides intelligent ISP link management and failover, keeping site-to-site and Internet connectivity operational when one or more ISPs are saturated or slow. It also performs anomaly-based detection, e.g. DNS blacklisting and other techniques, to alert when the network may have been compromised by banking trojans.
- Barracuda Web Application Firewall and Barracuda Load Balancer ADC provide application proxies that offload computationally expensive processing like SSL and shield the vulnerable server stacks with a hardened platform. They provide strong defense against layer 5-7 DDoS using multiple techniques such as IP Reputation, Geo-awareness, Application Request Throttling, Application Session Tracking, Brute Force Prevention, Client Fingerprinting, CAPTCHA challenges and many more. See our DDoS prevention white paper for more details.
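As an added example (not Barracuda's code or the DHS guide's), here is the request-throttling-plus-CAPTCHA idea from the list above applied to the Layer 7 pattern the DHS guide describes, a login page hit with random user IDs; the thresholds, log format and client addresses are assumptions constructed for the illustration:

```python
# Added example, not Barracuda's or the DHS guide's code: a per-client sliding-window
# throttle for the Layer 7 pattern described above (login POSTs with changing user IDs).
# Thresholds, log format and addresses are constructed for illustration.
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # assumed sliding-window length
MAX_LOGIN_POSTS = 5      # assumed login POSTs a client may make per window
MIN_DISTINCT_USERS = 4   # assumed distinct user IDs that mark a credential-spray flood

class LoginFloodDetector:
    """Counts login POSTs per client and returns 'allow', 'throttle' or 'challenge'
    (a WAF would answer 'challenge' with a CAPTCHA, one of the techniques listed above)."""

    def __init__(self):
        self.events = defaultdict(deque)  # client_ip -> deque of (timestamp, user_id)

    def observe(self, client_ip, ts, method, path, user_id=None):
        if not (method == "POST" and path == "/login"):
            return "allow"                # only login traffic is counted here
        window = self.events[client_ip]
        window.append((ts, user_id))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()              # drop attempts older than the window
        if len(window) <= MAX_LOGIN_POSTS:
            return "allow"
        distinct_users = {u for _, u in window}
        # Many IDs from one client is the "random user IDs" signature and gets a CAPTCHA;
        # one ID repeated looks like a stuck client or single-account brute force: rate limit.
        return "challenge" if len(distinct_users) >= MIN_DISTINCT_USERS else "throttle"

def parse_line(line):
    """Constructed log format: '<epoch> <client_ip> <method> <path> [user=<id>]'."""
    ts, ip, method, path, *rest = line.split()
    user = rest[0].split("=", 1)[1] if rest else None
    return ip, float(ts), method, path, user

def verdicts(lines):
    """Replays log lines through one detector; returns {client_ip: [verdict, ...]}."""
    detector, out = LoginFloodDetector(), defaultdict(list)
    for line in lines:
        ip, ts, method, path, user = parse_line(line)
        out[ip].append(detector.observe(ip, ts, method, path, user))
    return dict(out)

# Constructed sample: a normal user, a client spraying random IDs, a client retrying one account.
SAMPLE_LOG = ["1000.0 192.0.2.10 GET /index.html", "1000.5 192.0.2.10 POST /login user=alice"]
SAMPLE_LOG += [f"{1001 + i / 5:.1f} 203.0.113.7 POST /login user=rnd{i}" for i in range(7)]
SAMPLE_LOG += [f"{1004 + i / 5:.1f} 198.51.100.4 POST /login user=bob" for i in range(6)]
```

Running `verdicts(SAMPLE_LOG)` keeps the normal user on "allow", escalates the ID-spraying client to "challenge" on its sixth attempt, and only rate-limits the client that retries one account.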
For additional details on how we can help, please contact your local sales representative.