Distributed Denial of Service Attacks (DDoS)

Issue

Financial institutions have recently and increasingly been targeted in distributed denial of service (DDoS) attacks. The purpose of these attacks is to disrupt the bank’s processes by overwhelming their computer and/or telecommunications networks with massive amounts of server and data requests. The end result is typically the degradation of the customers’ experience through slower or unavailable access to their online banking accounts.

If your institution has experienced, or is currently experiencing a DDoS attack:

July 2015

On July 31, the Internet Crime Complaint Center issued an alert regarding the increase in extortion campaigns targeting businesses. According to the alert, an email is sent to the business threatening a DDoS attack to their Website unless a ransom is paid.

March 2015

On March 30, the FBI issued a Private Industry Notifcation (PIN) regarding a pending anti-Israeli hacktivist operation that could potentially impact US systems. FBI and private cybersecurity industry analysis of previous extremist hacker campaigns and operations indicate two extremist hacking groups are capable of low-level Distributed Denial of Service (DDoS)1 attacks and Web site defacements.

November 2014

On Nov. 26, the FBI issued a Private Industry Notification (PIN) regarding distributed denial of service (DDoS) attacks launched against financial institutions by a group associated with Anonymous.  According to the alert multiple financial institions experienced attacks, which caused disruption of normal business operations.

April 2014

FFIEC Warns on ATM, DDoS Attacks
On April 2, 2014, the Federal Financial Institutions Examination Council agencies issued warnings to the institutions they supervise about the risks of cyber attacks on ATMs and card authorization systems, as well as the continued threat of distributed denial of service, or DDoS, attacks. The agencies said they expect institutions to take steps to prepare for and respond to these kind of attacks.

FFIEC noted a recent increase in cash-out fraud via attempts to access small and medium-sized institutions’ web-based ATM control panels.

For both kinds of attacks, FFIEC encouraged banks to maintain adequate monitoring, have an effective response plan in place and share information with law enforcement and industry, through the Financial Services Information Sharing and Analysis Center, for example.

Read FFIEC’s statement on ATM fraud.
Read FFIEC’s statement on DDoS attacks.
Read FS-ISAC tips on ATM cash-out fraud. Members Only
Read ABA tips on DDoS attacks. Members Only

August 2013

FBI Warns of OpUSA Cyber Attacks
On August 30, the FBI warned financial institutions to take precautionary measures in anticipation of distributed denial of service attacks, or DDoS, that criminal hackers have planned for this month. Most of the targets of the attacks, which are expected to comprise Phase I of an effort known as “OpUSA,” are U.S. government agencies and financial institutions.

A Tunisian hacktivist website shows that Phase I, which began Sept. 1, will consist of 10 days of DDoS attacks against a specific bank each day, the FBI said in an alert shared with ABA. Phase II will commence on Sept. 11 and feature a more widespread attack.
The FBI said precautionary measures include implementing a data back-up and recovery plan; readying a DDoS mitigation strategy; regularly mirroring and maintaining an image of critical system files; and scrutinizing links contained in email attachments.

Read the FBI alert.Members Only


On August 5, the criminal hackers associated with OpUSA created a new Pastebin post identifying new targets, mostly U.S. government agencies and financial institutions, for their next attack slated for September 11. OpUSA is the group behind the distributed denial of service (DDoS) attacks launched against financial institutions in May 2013 which were deemed to be poorly coordinated and resulting in little to no impact to the sector. Per an alert from the Financial Services Information Sharing and Analysis Center (FS-ISAC), the latest OpUSA campaign most likely will rely on commercial tools to exploit known vulnerabilities, rather than developing custom tools or exploits. This suggests some of the participants possess rudimentary hacking skills capable of causing only temporary disruptions of targeted websites.

See the FS-ISAC announcement. Members Only

If you experience activity related to OpUsa, please contact the FS-ISAC SOC.

  • Review current DDoS mitigation controls, ensure response procedures and plans are active and updated.
  • Ensure the correct DDoS mitigation contact information for your Internet Service Provider is included in your response plans.
  • Review any search, login or user interaction pages the attackers may attempt to post garbage data in, in order to cause disruption.
  • Rate limit GET/POST requests per IP, identify large documents that could be targeted for malicious GET traffic.
  • Review recently reported DDoS attack types seen and ensure you have staged identified IP addresses for monitoring & potential blacklisting. Legitimate IPs may leak into the list so please validate before taking action.
  • Ensure that the most current version of CMS (Content Management System) or other publically accessible software is used and all vendor recommend patches and updates are installed.
  • Ensure that all anti‐virus and anti‐malware systems are at the most current version and patch levels.
  • Ensure that all IDS/IPS (Intrusion Detection Systems / Intrusion Prevention Systems) and web site monitoring software be checked and kept current.

FS-ISAC members may refer to the FS-ISAC Risk Mitigation Toolkit - OpUSA (Documents tab, Risk Mitigation Toolkit/OpUSA folder) for best practices and mitigation strategies related to OpUSA.

July 2013

Alert: DDoS Attacks May Resume this Week. The Qassam Cyber Fighters (QCF), the group responsible for previous distributed denial of service (DDoS) attacks against financial institutions, have created a new Pastebin post, “Phase 4, Operation Ababil.” The post announced the end of the recent break in attacks against the U.S. financial sector and the corresponding start of Phase 4 of the operation. The group did not provide any specific targets for Phase 4 and only states that attacks will be renewed in “coming days” and that the new phase will be “a bit different.”

For more information, download the FS-ISAC paper, Threat Intelligence Committee Threat Viewpoint: Distributed Denial Service (DDoS) Attacks. Members Only

More information will be provided as it becomes available.

The ABA is actively involved in industry-level discussions on responding to this threat and we will continue to relay your concerns to government and law enforcement and provide you with pertinent  information about these and other cybersecurity threats. We have created and will continue to update this page to inform about attack trends and methodologies and provide information on ways to identify and mitigate the impact of DDoS attacks.

June 2013

In a June webinar for national banks and federal thrifts, panelists from the Office of the Comptroller of the Currency (OCC) identified current and potential cyber threats and vulnerabilities; outlined they and other government entities are working together to address these threats; and provided practical advice for community bankers on protecting their banks and customers.

During the webinar, ―The Evolving Cyber Landscape: Awareness, Preparedness and Strategy for Community Banks", OCC panelists emphasized that cybersecurity risk is no longer a “big bank issue” and that there is heightened concern that community banks may be targeted by cyber attackers due to a perception that they may not necessarily have the same level resources and expertise as their larger counterparts. They encouraged banks to:
  • Consider cyber threats and vulnerabilities as part of operational risk that and can lead to other risks.
  • Set the tone from the top that security and risk management is everyone‘s responsibility, not just an IT issue.
  • Be proactive in communicating with customers and other stakeholders, such as third party providers, examiners, law enforcement.
  • Consider risks from cyber threats as part of your strategic risk management discussions.
  • Conduct risk assessments and understand the bank‘s risk profile (threats and vulnerabilities).
  • Maintain a defense-in-depth of layered sustainable controls. Test controls regularly, and make adjustments when needed based on evolving environment.
  • Plan and practice incident response, involve third parties in these efforts.
  • Get engaged in the financial sector‘s public-private partnership; consider joining the FS-ISAC, leverage trade associations to get involved in the FSSCC..

The OCC is not issuing specific guidance at this time; however, regulators noted that examiners will be looking closely at institution‘s existing risk management and controls as well as incident response plans. They will also focus on ensuring that institutions‘ individual risk assessments are integrated throughout their program to determine the bank‘s ability to prepare for and handle cyber attacks. Read more.

May 2013

Anonymous announced it will conduct a coordinated online attack, deemed OperationUSA, against banking and government websites on May 7, 2013.

In addition to providing the above threat briefing, the FS-ISAC created an OpUSA Risk Mitigation Toolkit that contains a set of cyber security best practices and mitigation strategies to help member firms prepare for potential cyber attacks. The toolkit contains resources for:

  • Defending Against Compromised Certificates;
  • Preventing exploits through use of Data Execution Prevention (DEP);
  • Hardening authentication;
  • Defending against drive-by downloads; and more.
FS-ISAC Members can find the OpUSA Risk Mitigation Toolkit on the FS-ISAC Member Portal in the Document library.

The Federal Bureau of Investigation (FBI) issued an alert regarding the modification of Brobot attack script, as used for recent DDoS attacks, to increase the effectiveness with which the scripts evade detection and mitigation efforts implemented by financial institutions.

 March 2013

The Financial Services Information Sharing and Analysis Center (FS-ISAC) issued an alert warning that the scope of distributed denial of service (DDoS) attacks against the U.S. financial services sector has changed to include credit card issuers, financial service suppliers, broker/dealers, investment advisors, and smaller financial institutions.

This alert is classified as "Amber", meaning the contents are sensitive and intended only for members with a need-to-know basis.  The information cannot be shared outside of your institution or posted in an insecure manner.  By accessing this document, you agree to adhere to these guidelines.

January 2013

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has issued a proprietary alert regarding the recent and increased distributed denial of service (DDoS) attacks launched against multiple and smaller financial institutions. For more information, please see the following:

December 2012

The Office of the Comptroller of the Currency (OCC) issued an advisory for financial institutions and technology service providers, describing the attacks and outlining recommended mitigation efforts and responses. The advisory also reiterates warnings that these attacks could be used in conjunction with attacks designed to facilitate fraudulent wire transfers.

DDOS Mitigation

The United States Computer Emergency Readiness Team (US-CERT) recommends that companies prepare for potential DDoS attacks by:

  • Developing a checklist or standard operating procedure (SOP) to follow in the event of a DDoS attack. One critical item in a checklist or SOP is having contact information for your ISP and hosting providers. Identify who should be contacted during a DDoS, what processes should be followed, what information is needed, and what actions will be taken during the attack with each entity.
  • Ensuring that your staff is aware whether your ISP or hosting provider provides DDoS mitigation services and that they understand the provisions of your service level agreement (SLA) with these providers.
    Maintaining contact information for firewall teams, IDS teams, and network teams, and ensure that it is current and readily available.
  • Identifying critical services that must be maintained during an attack, as well as their priority. Prioritize services beforehand to identify what resources can be turned off or blocked as needed to limit the effects of the attack. Also, ensure that critical systems have sufficient capacity to withstand a DDoS attack.
  • Having current network diagrams, IT infrastructure details, and asset inventories. They will help you determine actions and priorities as the attack progresses.
  • Understanding your current environment, and have a baseline of the daily volume, type, and performance of network traffic. This will allow staff to better identify the type of attack, the point of attack, and the attack vector used. Also, identify any existing bottlenecks and remediation actions if required.
  • Hardening the configuration settings of your network, operating systems, and applications by disabling services and applications not required for a system to perform its intended function.
  • Implementing a bogon block list at the network boundary.
  • Employ service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls.
  • Separating or compartmentalizing critical services:
  • Separate public and private services.
  • Separate intranet, extranet, and internet services.
  • Create single-purpose servers for each service such as HTTP, FTP, and DNS.

In addition, Prolexic recommends the following practices for DDoS mitigation service testing and validation:

  • With the DDoS mitigation service active, verify that all applications are performing properly.
  • Verify that all routing and DNS is working.
  • In partnership with your mitigation service provider, generate a few gigabits of controlled traffic to validate the alerting, activation and mitigation features of the service.
  • Test small levels of traffic without scrubbing and without any DDoS protection to validate that your on-premise monitoring systems are functioning correctly. This action will also help you identify the stress points on your network.
  • Conduct baseline testing and calibrate systems to remediate any network vulnerabilities.
  • Schedule validation tests on a regular basis (yearly or quarterly) with your DDoS mitigation service provider to validate that the service configuration is still working correctly – and eliminate the risk of network element failures due to DDoS. If network issues arise during testing, your service provider may need to make modifications based on recent changes to your network, such as modified firewall rules, firmware updates and router reconfiguration.

For more information, see the US-CERT Cyber Security Tip Understanding Denial-of-Service Attacks.

​ 

​Please contact Doug Johnson or Heather Wyson with questions or requests for assistance.