The Fraud Blog with Tracy Kitten

Wikileaks' Defense: The DDoS Attack

Easiest Attack to Launch, Hardest to Fight
Wikileaks' Defense: The DDoS Attack

From MasterCard and Visa to PayPal and Amazon, the cyberworld's WikiLeaks supporter known as Anonymous is lashing out against companies that have pulled support for WikiLeaks.

Anonymous' Operation Payback -- just follow #Payback or Twitter handles @Anon_Operation and @Op_Payback for background -- also took down the website of Swiss bank PostFinance, where WikiLeaks founder Julian Assange once banked. PostFinance closed Assange's account, claiming Assange provided a false address when he signed up with the bank.

The main line of defense is not something you can do internally, and that's part of the issue. 

I suspect Twitter and Facebook, now that both have closed Operation Payback's accounts, will be next on the attack list. We will just have to wait and see.

A WikiLeaks Primer

A little background about WikiLeaks, just in case some of you remain unclear about its origin.

WikiLeaks is a whistleblower site. It's been around for a while, but the site flew relatively under the radar until it released leaked cables from American embassies and diplomats. Now that WikiLeaks is on the radar, it's getting quite a bit of heated attention from the government, media, business and general public. In response, WikiLeaks avengers have launched several distributed denial of service, DDoS, attacks on those who have refused to support WikiLeaks.

DDoS is Easy

A DDoS is the easiest attack to launch and one of the most difficult to thwart. A form of cyber terrorism, a DDoS attack is concerted effort to make a computer resource (like a website) unavailable to users. The modes of attack can vary, but in general comprise efforts to prevent a website or service from functioning.

"In essence, the person or group carrying out the attack creates or modifies a Trojan or malware to take control of thousands or tens of thousands of computers globally," says independent financial-services consultant Jerry Silva. "The affected computers, sometimes called 'zombies,' are instructed to load pages from the target site, all at once, and typically download Web pages that are graphically intensive, so that the target system is overwhelmed by the sheer number of requests. The target servers become so busy that legitimate visitors of the site cannot get through."

Those DDoS attacks violate the Internet Architecture Board's Internet proper-use policy, but as Alan Paller, executive director of the SANS Institute points out, violation-enforcement is tough, and DDoS attacks are more common, especially among financial institutions, than anyone in the industry wants to admit.

"Banks are already being subjected to extortion using similar denial of service attacks -- attacks that would prevent me (as a customer) from doing online banking," he says.

Here's the primary problem: Though DDoS attacks are pretty easy to launch, they're not so easy to combat. "The software for these attacks is available for rent or stealing, and it's a very profitable line of business for organized crime groups," Paller says. Most companies, like online gambling sites -- not legal in the United States -- just pay for the extortion.

But banks and businesses cannot do much to protect themselves either, since attacks hit at the Internet level, Paller says. That means protection has to come from the Internet service provider. "The main line of defense is not something you can do internally, and that's part of the issue," he says. The sheer volume and variety of DDoS attacks makes them hard to identify and, thus, block.

"These are open TCP attacks," Paller says. "Those attacks can be blocked by the ISP, but many companies don't buy the special blocks." Besides, blocking any transaction runs the risk of blocking something legitimate, and what bank or business wants to do that?

As Silva points out, "This kind of attack is akin to preparing the institution for a natural disaster. You never know if or when you'll be hit; but a DDoS should be an event included in the bank's disaster recovery or business contingency plans."

So, where does that leave us? Well, the ISPs can provide protection, within reason. But as attacks get more sophisticated, there's only so much transaction and request blocking an ISP can do.

A more likely scenario of vigilante defeat? Vigilantes attacking each other, like those who have waged counterattacks on Operation Payback. Maybe there is such a thing as codes of ethics among cybercriminals.



About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.