Managing the Risks of DDoS Attacks

November 2013
Managing the Risks of DDoS Attacks
Is Your Organization’s IT Department Prepared?
By Raj Chaudhary, CGEIT, CRISC, Matt E. Kelly, and Christopher R. Wilkinson,
CISSP, CRISC
Distributed denial-of-service (DDoS) attacks have
become the tools of choice for disrupting an organization.
An increase in scale and a decrease in complexity
have made DDoS attacks an inexpensive and effective
method for attackers to cripple an organization’s
Internet presence and affect the availability of its
mission-critical Web applications such as an Internet
banking platform. Minimizing the impact of a DDoS
attack through careful planning is critical to mitigating
the monetary and reputation risks of an organization.
A DDoS attack – typically defined as one that uses a network of many computers and
many Internet connections – has become a popular method for harming companies
and other organizations.
For less than $200 on the black market, an attacker – whether a group or one person – can rent thousands of machines from the owner of a botnet (a collection of compromised, Internet-connected computers that the botnet owner controls remotely) in an attempt to overwhelm an organization’s Web servers and Internet connection with high volumes of traffic, causing applications to stop responding and preventing legitimate users from accessing the organization’s websites.
More Frequent, More Powerful
DDoS attacks have become increasingly prevalent, and financial institutions have become the most frequent targets (see sidebar, “Banks in the Crosshairs”). A series of attacks in late 2012 and early 2013 took down the websites of more than a dozen major U.S. banks. According to Reuters, critical systems were down for hours or even days at a time – long enough to result in revenue loss and reputation damage.[1] More recently, PC World reported that at least three U.S. banks lost millions of dollars when DDoS attacks were used to divert the attention of security personnel while fraudsters gained control of wire transfer applications.
The unprecedented volume of traffic that a DDoS attack directs at an organization makes the attack harder to prevent and to defend against. According to one report,[2] in the second quarter of 2013, the average DDoS attack had grown to 49.24 gigabytes per second and lasted an average of 38 hours. By comparison, even sophisticated companies typically have Internet connections of only 500 megabits to 1 gigabyte per second.
www.crowehorwath.com
Crowe Horwath LLP
Planning for the Worst
DDoS attacks were once considered unlikely because they required a vast amount
of resources, but now they must be considered a likely means of attack – that is, a
viable attack vector. Therefore, the risk of DDoS attacks must be incorporated into an
organization’s enterprise risk management (ERM) program.
Organizations can take some specific actions to reduce the risk of being attacked and
to minimize the effects if an attack occurs. To be prepared, an organization should, at a
minimum, give careful consideration to taking the following actions before being attacked:
■■ Examine vendors. If websites or Internet banking services are hosted by a third
party, contact the third party to determine what infrastructure it has in place and to
find out about its DDoS-mitigation capabilities. Request testing documentation that
shows the third party is properly prepared.
■■ Explore service provider mitigation services. Consider purchasing service provider
agreements to detect and drop malicious DDoS traffic. Many Internet service providers
(ISPs) are responding to the increased threat of attacks by offering detective and
preventive solutions that recognize and deny potentially malicious traffic. Once this
solution is in place, consider doing functional testing during off-business hours.
■■ Consider vendor services. Research and consider purchasing service-level agreements with DDoS-mitigation providers. Cloud-based providers can leverage their robust infrastructure, designed to distribute traffic across multiple systems, to mitigate the effects of an attack while allowing the organization’s Internet services to remain accessible.
■■ Expand infrastructure to prevent attack. To withstand smaller-scale DDoS attacks, expand the organization’s infrastructure to include load-balancing capabilities across systems and data centers. These include Web load balancers, domain name system (DNS) round robins, and border gateway protocol (BGP) load sharing.
Banks in the Crosshairs
In recent months, it has been widely reported that U.S. banks are falling victim to DDoS attacks. Although these attacks have been on the websites of large U.S. banks, smaller retail financial institutions, which might not have the necessary defenses in place, are also vulnerable targets. Hackers started with the high-profile Bank of America and the New York Stock Exchange and then mostly targeted large banks; they are now moving on to regional banks, according to American Banker.[3]
One recent survey of retail banks found that the majority of respondents had experienced a DDoS attack; 64 percent of respondents reported that their organization had been attacked, often multiple times, in the previous 12 months. In fact, the researchers estimated that “on average the retail banks in this study had 2.8 such attacks in the past 12 months.”[4]
In one dramatic example of a recent threat, on April 24, 2013, a list of 133 banks, credit unions, and other financial institutions was published on Pastebin.com, along with a claim that these organizations were primary targets for DDoS attacks planned for May 7, 2013. “We will now wipe you off the cyber map,” read the post, signed by “N4M3LE55 CR3W.” “Do not take this as a warning. You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs.”[5]
Probably part of an effort by the hacktivist group Anonymous, the threat put
the listed financial institutions on alert. However, apparently no nationwide
DDoS attacks materialized on May 7. At any rate, Crowe Horwath LLP clients
on the list were not attacked.
■■ Block access. Evaluate the option of temporarily blocking, at the organization’s Internet firewall, inbound traffic from IP address ranges assigned to particular geographic regions in order to deny access to attacking systems in other countries, and evaluate the organization’s capabilities for proactively blocking malicious traffic.
■■ Monitor and log malicious traffic. Consider assigning IT staff members responsibility for monitoring critical Internet-accessible services and networking equipment. Monitor for known DDoS attack techniques on the firewall and on the intrusion detection and prevention system. (Examples include SYN flooding, DNS amplification attacks, and SSL renegotiation attacks.) Confirm that Internet logs capture the time and source IP address of each event; this data will help during the incident-response process. In addition, verify that devices such as the firewall, Web services, database servers, and intrusion detection systems have sufficient logging and storage capacity in the event the organization starts receiving massive amounts of Internet traffic.
■■ Implement a communication strategy. Provide marketing and customer service
representatives with guidance on the organization’s communication strategy in
the event of an attack. Have a plan in place that includes a customer notification
process that can be in effect both during and after an incident, especially at times
when customers cannot access the organization’s Web presence. Consider the
organization’s business continuity plan when developing this communication strategy.
■■ Prepare for reporting. Be able to notify the federal authorities promptly in the
event of an attack; have handy the contact information for the local Federal Bureau
of Investigation office.
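As an added example (not from the whitepaper or from Crowe Horwath), the following Python runs detection logic for two of the techniques named under “Monitor and log malicious traffic,” SYN flooding and DNS amplification, over constructed flow-log lines; the log format, the sample addresses and the thresholds are assumptions, and every record keeps the timestamp and source IP the paper says logs must capture.

```python
"""Detection logic for two DDoS techniques the paper names, SYN flooding and DNS
amplification, run over constructed flow-log lines (an illustrative example, not
Crowe's code; the log format '<ts> <proto> <src>:<port> > <dst>:<port> <flags> <bytes>'
is an assumption)."""
from collections import Counter

def log_line(ts, proto, src, sp, dst, dp, flags, size):
    return f"{ts} {proto} {src}:{sp} > {dst}:{dp} {flags} {size}"

def build_sample_log():
    """Constructed sample traffic: benign DNS and TCP first, then attack bursts."""
    lines = [
        log_line(100, "udp", "203.0.113.10", 40001, "198.51.100.53", 53, "-", 60),   # DNS query
        log_line(100, "udp", "198.51.100.53", 53, "203.0.113.10", 40001, "-", 700),  # large but solicited answer
        log_line(100, "tcp", "203.0.113.77", 50000, "203.0.113.20", 443, "S", 60),   # normal handshake
        log_line(100, "tcp", "203.0.113.77", 50000, "203.0.113.20", 443, "A", 52),
    ]
    # SYN flood: 150 bare SYNs from spoofed sources hit the web server within one second
    lines += [log_line(101, "tcp", f"192.0.2.{i % 250 + 1}", 1000 + i, "203.0.113.20", 443, "S", 60)
              for i in range(150)]
    # Amplification: 3 KB 'answers' from 20 open resolvers the victim never queried
    lines += [log_line(101, "udp", f"198.51.100.{i}", 53, "203.0.113.30", 12345, "-", 3000)
              for i in range(1, 21)]
    return lines

def parse(line):
    """Each record keeps the timestamp and source IP the paper says logs must capture."""
    ts, proto, src, _, dst, flags, size = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "flags": flags, "size": int(size)}

def syn_flood_alerts(records, threshold=100):
    """Seconds in which one destination received more bare SYNs than the threshold."""
    syns = Counter((r["dst"], r["ts"]) for r in records if r["proto"] == "tcp" and r["flags"] == "S")
    return {k: n for k, n in syns.items() if n > threshold}

def dns_amplification_alerts(records, min_size=512):
    """Large UDP/53 answers sent to hosts that never queried that resolver."""
    queried = {(r["src"], r["dst"]) for r in records if r["proto"] == "udp" and r["dport"] == 53}
    hits = Counter()
    for r in records:
        unsolicited = (r["dst"], r["src"]) not in queried
        if r["proto"] == "udp" and r["sport"] == 53 and r["size"] >= min_size and unsolicited:
            hits[r["dst"]] += 1
    return dict(hits)
```

The solicited 700-byte answer is not flagged even with a low size threshold, because the matching outbound query is in the log; that pairing is the check the stored source-IP and time data make possible.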
Beware of Concurrent Attacks
Contact Information
As previously mentioned, attackers might use the disruption caused by a DDoS attack to mask other malicious activity or divert the security team’s attention from it – for example, exploiting weaknesses in Web applications, DNS hijacking, or social engineering. Therefore, organizations should be ready to watch for the following while a DDoS attack is taking place:
Raj Chaudhary is a principal with
Crowe Horwath LLP in the Chicago office.
He can be reached at 312.899.7008 or
[email protected].
■■ Web application exploits. Closely monitor databases, Web servers, and intrusion
detection and prevention systems for SQL injection and other attacks on Web
applications.
■■ DNS hijacking. Contact the registrar for the organization’s domain name. Verify that the domain contact information is up to date and inquire about placing a registrar lock on the domain so that its name servers cannot be changed without authorization, in order to prevent DNS hijacking and social engineering attacks.
■■ Social engineering. If a DDoS attack occurs, communicate to employees that
social engineering attacks could intensify and urge them to be extra vigilant in
verifying the identity of callers and email correspondents.
Reducing the Threat
Today, DDoS attacks are a very real threat vector to organizations. Although activist
hackers – or “hacktivists” – have usually targeted financial institutions, a wide variety
of industries has been victimized to a lesser degree and probably will be in the future.
A DDoS attack is a federal crime in the United States, but perpetrators are notoriously
difficult to catch.
To protect against monetary loss and reputation damage, organizations need to prepare for these attacks by having the appropriate controls built into their external-facing infrastructure. Due to the scalability and potentially large impact of distributed denial-of-service attacks, an organization that takes a layered approach to detective and preventive controls and has a robust incident response plan in place will be better prepared when and if it becomes a target.
Matt Kelly is with Crowe in the Chicago
office. He can be reached at 630.990.4467
or [email protected].
Chris Wilkinson is with Crowe in the Chicago
office. He can be reached at 219.308.8980 or
[email protected].
1. Joseph Menn, “Cyber Attacks Against Banks More Severe Than Most Realize,” Reuters, May 18, 2013, http://www.reuters.com/article/2013/05/18/us-cyber-summit-banks-idUSBRE94G0ZP20130518
2. Prolexic Technologies, “Prolexic Quarterly Global DDoS Attack Report: Q2 2013,” http://www.prolexic.com/knowledge-center/prolexic-download/prolexic-quarterly-global-ddos-attack-report-q213-072513.html
3. Sean Sposito, “Future DDoS Attacks: Targeted and Mobile Driven,” American Banker Bank Technology News, April 30, 2013, http://www.americanbanker.com/issues/178_83/future-ddos-attacks-targeted-and-mobile-driven-1058740-1.html
4. “A Study of Retail Banks & DDoS Attacks,” Ponemon Institute research report sponsored by Corero Network Security, December 2012, http://www.corero.com/resources/files/analyst-reports/CNS_Report_Ponemon_Jan13.pdf
5. Pastebin.com; and Mathew J. Schwartz, “Anonymous OpUSA Hackathon: Mostly Bluster,” InformationWeek Security, May 7, 2013, http://www.informationweek.com/security/attacks/anonymous-opusa-hackathon-mostly-bluster/240154368
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity.
Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically
disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North
Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or
legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2013 Crowe Horwath LLP