Distributed Denial of Service Attacks (DDoS)

Issue

Financial institutions have recently and increasingly been targeted in distributed denial of service (DDoS) attacks. The purpose of these attacks is to disrupt a bank's operations by overwhelming its computer and/or telecommunications networks with massive volumes of server and data requests. The end result is typically a degraded customer experience: slower or unavailable access to online banking accounts.

If your institution has experienced, or is currently experiencing a DDoS attack:

DDoS Mitigation

The United States Computer Emergency Readiness Team (US-CERT) recommends that companies prepare for potential DDoS attacks by:

  • Developing a checklist or standard operating procedure (SOP) to follow in the event of a DDoS attack. One critical item in a checklist or SOP is having contact information for your ISP and hosting providers. Identify who should be contacted during a DDoS, what processes should be followed, what information is needed, and what actions will be taken during the attack with each entity.
  • Ensuring that your staff is aware whether your ISP or hosting provider provides DDoS mitigation services and that they understand the provisions of your service level agreement (SLA) with these providers.
  • Maintaining contact information for firewall teams, IDS teams, and network teams, and ensuring that it is current and readily available.
  • Identifying critical services that must be maintained during an attack, as well as their priority. Prioritize services beforehand to identify what resources can be turned off or blocked as needed to limit the effects of the attack. Also, ensure that critical systems have sufficient capacity to withstand a DDoS attack.
  • Having current network diagrams, IT infrastructure details, and asset inventories. They will help you determine actions and priorities as the attack progresses.
  • Understanding your current environment, and have a baseline of the daily volume, type, and performance of network traffic. This will allow staff to better identify the type of attack, the point of attack, and the attack vector used. Also, identify any existing bottlenecks and remediation actions if required.
  • Hardening the configuration settings of your network, operating systems, and applications by disabling services and applications not required for a system to perform its intended function.
  • Implementing a bogon block list at the network boundary.
  • Employing service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls.
  • Separating or compartmentalizing critical services:
      • Separate public and private services.
      • Separate intranet, extranet, and internet services.
      • Create single-purpose servers for each service such as HTTP, FTP, and DNS.
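Two of the preparation items above (keeping a baseline of normal traffic volume so that an attack can be recognized, and blocking bogon source addresses at the network boundary) are illustrated by the following added example. It is not part of the US-CERT guidance or of this page; it uses a constructed, deliberately incomplete bogon list and a constructed access log, and the threshold rule (mean plus three standard deviations of a baseline of per-second request counts) is one simple choice among many.

```python
import ipaddress
from collections import Counter
from statistics import mean, pstdev

# Constructed subset of a bogon list (private, loopback, link-local, reserved
# and multicast space). A production list would come from a maintained feed
# and would also contain the documentation ranges 198.51.100.0/24 and
# 203.0.113.0/24, which are left out here so they can stand in for ordinary
# public addresses in the sample log.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(ip: str) -> bool:
    """True if the address falls in any listed bogon range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


# Constructed baseline: requests per second at the web tier during normal
# operation. In practice these samples come from flow or proxy logs.
BASELINE_PER_SECOND = [18, 22, 20, 19, 21, 23, 17, 20, 22, 18]


def baseline_threshold(samples, k: float = 3.0) -> float:
    """Mean plus k population standard deviations; counts above are anomalous."""
    return mean(samples) + k * pstdev(samples)


# Constructed access log, one record per line: "<epoch_second> <src_ip> <path>".
# Second 1000 is quiet; second 1001 carries a 40-request burst from four
# sources, two of which (10.0.0.5 and 192.0.2.44) are bogons and should never
# appear on an internet-facing edge.
FLOOD_SOURCES = ["203.0.113.10", "10.0.0.5", "192.0.2.44", "198.51.100.7"]
SAMPLE_LOG = "\n".join(
    ["1000 203.0.113.10 /login", "1000 198.51.100.7 /api/balance", "1000 203.0.113.10 /"]
    + [f"1001 {FLOOD_SOURCES[i % 4]} /login" for i in range(40)]
)


def parse_log(text: str):
    """Parse the constructed log format into (second, source_ip, path) tuples."""
    records = []
    for line in text.strip().splitlines():
        second, src, path = line.split()
        records.append((int(second), src, path))
    return records


def analyze(records, threshold: float) -> dict:
    """Compare per-second volume against the baseline and flag bogon sources."""
    per_second = Counter(sec for sec, _, _ in records)
    anomalous_seconds = {sec: n for sec, n in per_second.items() if n > threshold}
    bogon_sources = sorted({src for _, src, _ in records if is_bogon(src)})
    top_sources = Counter(src for _, src, _ in records).most_common(3)
    return {
        "threshold": threshold,
        "anomalous_seconds": anomalous_seconds,
        "bogon_sources": bogon_sources,
        "top_sources": top_sources,
    }


def run_sample() -> dict:
    """Run the analysis over the constructed log with the constructed baseline."""
    return analyze(parse_log(SAMPLE_LOG), baseline_threshold(BASELINE_PER_SECOND))


if __name__ == "__main__":
    result = run_sample()
    print(f"threshold: {result['threshold']:.1f} requests/second")
    for sec, n in sorted(result["anomalous_seconds"].items()):
        print(f"second {sec}: {n} requests (above baseline)")
    print("bogon sources seen at the edge:", result["bogon_sources"])
    print("top sources:", result["top_sources"])
```

The baseline is what makes the volume alert meaningful: without a record of normal per-second rates there is no threshold to compare against, which is the point of the "understand your current environment" item. The bogon check is independent of volume; a bogon source address at the internet boundary is invalid regardless of rate and is exactly what a boundary block list would drop before the traffic reaches stateful devices.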

In addition, Prolexic recommends the following practices for DDoS mitigation service testing and validation:

  • With the DDoS mitigation service active, verify that all applications are performing properly.
  • Verify that all routing and DNS is working.
  • In partnership with your mitigation service provider, generate a few gigabits of controlled traffic to validate the alerting, activation and mitigation features of the service.
  • Test small levels of traffic without scrubbing and without any DDoS protection to validate that your on-premise monitoring systems are functioning correctly. This action will also help you identify the stress points on your network.
  • Conduct baseline testing and calibrate systems to remediate any network vulnerabilities.
  • Schedule validation tests on a regular basis (yearly or quarterly) with your DDoS mitigation service provider to confirm that the service configuration is still working correctly and to eliminate the risk of network element failures due to DDoS. If network issues arise during testing, your service provider may need to make modifications based on recent changes to your network, such as modified firewall rules, firmware updates and router reconfiguration.

For more information, see the US-CERT Cyber Security Tip "Understanding Denial-of-Service Attacks".

Please contact Heather Wyson with questions or requests for assistance.