DDoS attacks on smaller credit unions

CU Insight

When it comes to specific DDos Attacks and whether they cause any implications for smaller FIs, the jury is still out.  However, it would appear that there are some megalomaniacs out there, in search of notoriety, and taking credit for things they didn’t even do.  Attacking a small credit union no one has heard of won’t get them in the major newspapers, so it’s highly unlikely they’ll do it; the only reason why they ever might would be to test some technique before unleashing it against bigger targets.  But that too is unlikely.

Nevertheless, DDoS seems to be all the rage of late, so it’s better to be prepared; because if it isn’t the ECA attacking you, it might be some bored hacker from half way across the world.  Whomever it is, you’re still at risk.

What defense do  you need?  First of all, allow me to tell you what you don’t need.  You do NOT need a very expensive, super beefed up IPS.  That type of DDoS protection is obsolete, because the kind of attacks it was built for is rarely used now.  They’re built to protect you from SYN FLOOD attacks.

The SYN FLOOD attack was invented several years ago.  The reason why DDoS has not been very “popular” among hackers until recently is that a SYN FLOOD is “expensive” for the hacker.  For every SYN packet you receive, one of the computers in the hacker’s botnet needs to have sent it.  This means that carrying on a SYN FLOOD attack requires very large botnets, which aren’t quite that easy to come by.  A SYN FLOOD is a layer 3 type of attack, going against your networking capabilities.  The way you defend against such an attack is by literally throwing hardware at it.  The larger the bandwidth and the more powerful your gateway defense, the larger the attack you can withstand before raising a white flag.

With bandwidth capabilities raising everywhere (in Houston you can purchase 100Mbps for less than $200/month and this is stillexpensive compared with countries where you can get 1Gbps for $20/month), carrying on a SYN FLOOD attack requires serious power, which is really not common, even for very large botnets.

Recent developments in the hackers’ world have changed the way attacks are carried on and the targets of these attacks.

Hackers have discovered that web servers are often very vulnerable and ill protected.  Many such servers are connected in the back end to a SQL database, and this makes them even more vulnerable if the application is not written to carefully verify the input.  They have also discovered that many DNS servers are poorly configured and allow query recursion from the internet – meaning, you can send them a query for a domain that has a very large configuration and does not really belong to that server, and they’ll reply to you from the internet.  Such recursion should only be opened to local machines if the server is in a LAN; it shouldn’t be opened at all if the server is a public one.  By exploiting this poor configuration hackers obtain what is called DNS amplification – they can send a query that costs them 100 bytes, and get the server to reply with maybe 100KB; the trick then is to fake the source address of the query, so the reply goes to the target of the attack and not back to the hacker.  This allows them to attack a target with very large amounts of traffic that was generated by servers they do not control – very inexpensive from the point of view of the resources the hacker needs to control.

Other attacks, in a way even more vicious than the first, target directly that SQL server is connected to your web application.  If the input isn’t properly verified, a single query can send your database in a loop (imagine a query that asks for the entire content of a very large table); do this a few times per minute, or maybe per second, and your web application stalls because the database server behind it is no longer able to keep up with the queries.  This type of attack, if properly crafted, requires very little resources from the hacker’s network.

Recently we’ve witnessed a new wave of attacks exploiting a vulnerability of the NTP protocol.  Apparently some people configure that port to be opened from the internet, though I don’t know why they would if they’re not an official NTP server for the internet.

It’s clear at this point that DDoS defense can no longer be just a very large IPS with a very large network bandwidth.  A true defense against modern DDoS attacks and web applications needs to be one that combines both protections and is able to fend off layer 7 attacks.

Will your web server be attacked?  Honestly, it’s no longer a question of IF these days but rather WHEN.  Fifteen years ago we were asking ourselves “will someone send me a virus”.  Today we ask “how many will I receive today”; the web application and DDoS attacks are already at the stage of certainty – they _will_ happen; it’s just a matter of when the hackers’ scanning devices will get to your IP and find your web server.  Oh, and changing the port your server uses from 80 to some random number?  That won’t help.  The scans recognize the protocol, not just the port itself.

So the protection you need is one which combines DDoS protection intelligence such as the ability to recognize an attack and dynamically blacklist the attacking addresses; combined with a strong WAF to protect your web servers from those attacks that can result in a DoS without flooding your bandwidth.

Stay safe.