Large-scale, sophisticated distributed denial-of-service (DDoS) attacks – which have plagued the banking industry for months now – are finally subsiding. These attacks, which for the most part have been politically and socially motivated, have been a cause for concern for security experts, government officials, and the banks themselves.
How It Started
Beginning in September 2012, large banking institutions, including Wells Fargo, Bank of America, PNC and JPMorgan Chase, were on the receiving end of high-volume DDoS attacks, at times peaking between 60 Gbps and 100 Gbps. By comparison, most DDoS attacks at the time stayed below 1 Gbps, hence the concern. Why were banks attacked? The stated reason seems a little flimsy. Rumors circulated that the campaign was Iranian state-sponsored, given its sophistication and size, but an Iranian hacker collective pushed back on those rumors by claiming full responsibility for the DDoS attacks and citing the Innocence of Muslims video as its motivation.
If you didn’t catch the headlines, the Innocence of Muslims video incensed many in the Muslim world because of its negative depiction of the Prophet Mohammad. Soon after clips of the video were released on YouTube, the hacker group Izz ad-din Al Qassam Cyber Fighters posted on Pastebin:
We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type.
And then the attacks started. They went on for months and remain a potential threat to banks. Here’s an infographic timeline of the series of DDoS attacks that took place.
How the ‘itsoknoproblembro’ Toolkit Works
The ‘itsoknoproblembro’ toolkit was the weapon of choice for the hackers who launched the repeated attacks against banks. It is a hybrid DDoS tool that operates as a PHP-based suite: rather than infecting home PCs, it runs on compromised web servers, which have far more bandwidth per host than a residential connection. “itsoknoproblembro can launch multi-layered attack vectors by leveraging already compromised commercial machines, while at the same time, injecting malicious PHP scripts into popular content management systems – like WordPress and Joomla. This gives attackers the ability to scale up the size of an attack by converting machines into brobots,” says Todd Reagor, Chief Executive Officer of Rivalhost. Once the compromised machines are under the attackers’ control, launching an attack is simply a matter of sending them the command.
Here’s how the itsoknoproblembro toolkit works:
- The toolkit attacks the infrastructure (network) layer and the application layer simultaneously, so a defense tuned to only one of them leaves the other exposed
- SYN floods are aimed at multiple network entry points (ports and services) on the target, not just the public web front end
- ICMP floods, UDP floods and SSL/TLS-encrypted application-layer floods are launched as well; the encrypted requests look like ordinary HTTPS sessions and cannot be inspected without terminating TLS
- UDP packet floods are used to overwhelm the target’s DNS infrastructure
- The traffic comes from the real IP addresses of compromised servers in legitimate hosting ranges rather than from spoofed or residential addresses, which makes detection difficult: IP reputation and geo-blocking filters are of little use, and each source on its own looks like a modest client
How DDoS Protection Stops Attacks
- Monitor: Flow data (NetFlow or sFlow records) is pulled from the edge routers and analyzed continuously. Traffic matching a potential attack pattern triggers an alert that notifies the team monitoring your servers.
- Detection: Attacks are detected by dynamic profiling, which compares current traffic against a baseline of the organization’s normal patterns and flags deviations, and by signature analysis, which compares the traffic against known attack patterns such as the ones listed above.
- Mitigation: Typically, traffic destined for the victim is rerouted to the mitigation provider (usually by announcing the victim’s prefix via BGP), where the malicious traffic is “scrubbed” out, and the remaining legitimate traffic is forwarded back to its original destination. Scrubbing handles the volumetric floods (SYN, UDP, ICMP) well; encrypted application-layer floods from real IP addresses look like genuine HTTPS sessions and need layer-7 controls, such as per-client request limits or a challenge page, at the application front end.
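The three steps above, together with the traffic mix described in the toolkit section, can be modelled end to end. The following Python script is an added example, not code from the original article, from Rivalhost, or from any DDoS mitigation vendor: it learns a baseline from constructed NetFlow-style records (RFC 5737 documentation addresses; 40 legitimate HTTPS clients, then 200 compromised web servers each sending SYN-only probes across six ports, UDP to port 53, ICMP, and full HTTPS requests), flags the seconds whose aggregate packet rate deviates from that baseline, matches the signatures listed earlier, and applies a scrubbing policy. Every threshold in it is an illustrative tuning assumption. It shows two things the bullets do not: the per-source rate never exceeds 145 packets per second, so a per-IP rate limit would never fire even though the aggregate is more than 60 times the baseline, which is what “legitimate IP addresses make detection difficult” means in practice; and a flow-level scrubber can drop the SYN, UDP and ICMP floods but has to forward the HTTPS request flood, because at this layer those flows are indistinguishable from customers.

```python
# Added example, not the article's or any vendor's code; every threshold below is an illustrative assumption.
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

VICTIM = "203.0.113.10"  # RFC 5737 documentation address standing in for a bank's web edge
@dataclass(frozen=True)
class Flow:
    ts: int      # epoch second (records already bucketed to 1 s)
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp
    flags: str   # TCP flags: "S" = SYN only (no handshake), "PA" = data; "" if not TCP
    pkts: int

def constructed_flows():
    """Constructed sample: 70 s of legitimate HTTPS clients; a brobot flood joins at t=60."""
    flows = []
    for ts in range(70):
        for i in range(40):  # 40 real customers per second completing HTTPS requests
            flows.append(Flow(ts, f"198.51.100.{i + 1}", VICTIM, "tcp", 443, "PA", 12))
    syn_ports = [80, 443, 8443, 22, 25, 3389]  # SYNs spread over several entry points
    for ts in range(60, 70):
        for b in range(200):  # 200 compromised web servers using their real addresses
            bot = f"192.0.2.{b + 1}"
            flows.append(Flow(ts, bot, VICTIM, "tcp", syn_ports[b % 6], "S", 40))
            flows.append(Flow(ts, bot, VICTIM, "udp", 53, "", 60))     # DNS flood
            flows.append(Flow(ts, bot, VICTIM, "icmp", 0, "", 30))     # ICMP flood
            flows.append(Flow(ts, bot, VICTIM, "tcp", 443, "PA", 15))  # full HTTPS requests
    return flows

def bucket_pps(flows):
    """Aggregate packets per second, all protocols combined."""
    pps = Counter()
    for f in flows:
        pps[f.ts] += f.pkts
    return pps

def baseline(train):
    """Dynamic profile: mean and population stdev of aggregate pps over the training window."""
    vals = list(bucket_pps(train).values())
    return mean(vals), pstdev(vals)

def volumetric_alerts(observe, mu, sigma, k=5.0):
    """Seconds whose aggregate pps exceed the profile by k sigma (sigma floored at 1 pps)."""
    thresh = mu + k * max(sigma, 1.0)
    return sorted(ts for ts, v in bucket_pps(observe).items() if v > thresh)

def https_clients(flows, victim):  # distinct sources completing HTTPS requests, not bare SYNs
    return len({f.src for f in flows
                if f.dst == victim and f.proto == "tcp" and f.dport == 443 and f.flags != "S"})

def signature_alerts(window, train, victim):
    """Signatures for the traffic shapes the article attributes to itsoknoproblembro."""
    to_v = [f for f in window if f.dst == victim]
    pkts = lambda pred: sum(f.pkts for f in to_v if pred(f))
    syn_ports = {f.dport for f in to_v if f.proto == "tcp" and f.flags == "S"}  # flood = SYN-only over many ports
    tcp_pkts = pkts(lambda f: f.proto == "tcp")  # normally SYN-only packets are a small share of this
    hits = set()
    if tcp_pkts and pkts(lambda f: f.proto == "tcp" and f.flags == "S") / tcp_pkts > 0.5 and len(syn_ports) >= 5:
        hits.add("syn_flood_multi_port")
    if pkts(lambda f: f.proto == "udp" and f.dport == 53) > 10_000:
        hits.add("udp_dns_flood")
    if pkts(lambda f: f.proto == "icmp") > 5_000:
        hits.add("icmp_flood")
    if https_clients(window, victim) > 3 * https_clients(train, victim):  # vs. the learned baseline
        hits.add("https_request_flood")
    return hits

def max_source_pps(flows):
    """Highest single-source rate in any one second: what a per-IP rate limiter would see."""
    per_src = Counter()
    for f in flows:
        per_src[(f.ts, f.src)] += f.pkts
    return max(per_src.values())

def scrub(window, victim, hits, served_ports=(80, 443), serves_dns=False):
    """Scrubbing-centre policy: drop flows that match fired signatures, forward everything else."""
    passed, dropped = [], []
    for f in window:
        drop = f.dst == victim and (
            ("syn_flood_multi_port" in hits and f.proto == "tcp" and f.flags == "S" and f.dport not in served_ports)
            or ("udp_dns_flood" in hits and f.proto == "udp" and f.dport == 53 and not serves_dns)
            or ("icmp_flood" in hits and f.proto == "icmp"))
        (dropped if drop else passed).append(f)
    return passed, dropped

def analyze(flows, victim, train_seconds=60):
    """Monitor -> detect -> mitigate; returns the figures a SOC would report."""
    train = [f for f in flows if f.ts < train_seconds]
    observe = [f for f in flows if f.ts >= train_seconds]
    mu, sigma = baseline(train)
    hot = volumetric_alerts(observe, mu, sigma)
    window = [f for f in observe if f.ts in hot]
    hits = signature_alerts(window, train, victim)
    passed, dropped = scrub(window, victim, hits)
    return {"baseline_pps": mu, "alert_seconds": hot, "signatures": hits, "max_source_pps": max_source_pps(window),
            "dropped_pkts": sum(f.pkts for f in dropped), "passed_pkts": sum(f.pkts for f in passed)}
```

Calling analyze(constructed_flows(), VICTIM) returns the report dictionary: baseline_pps is 480, all ten flood seconds alert, all four signatures fire, max_source_pps is 145, and 232,800 packets are dropped against 62,000 forwarded (the 62,000 include the bots’ HTTPS requests, which the scrubber cannot separate from the 40 real customers). In production the flow source would be NetFlow, sFlow or IPFIX from the edge routers, the baseline would be kept per protocol and per time of day rather than as a single aggregate, and the HTTPS request flood would be handed to an application-layer control behind the TLS terminator rather than to the scrubber.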