Clearing the Smoke: The Distraction of DDoS Attacks

By: (CISA, CISSP)

Publication: The Colorado Banker, July/August 2015

When was the last time your kitchen was filled with smoke? Burned toast? Food spills burned in the oven? A sauté that ended up as a burnt offering? Whenever it was, once any fire danger was over, you probably started opening windows and doors to clear the smoke.

Are you also ready to clear “cyber smoke”? Often a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack is a smokescreen, a distraction that conceals the real exploit: malware insertion, unauthorized data access, or fraud. When successful, both kinds of attack create the same problem, a disruption of service. DDoS is more powerful and harder to control because it enlists hundreds or thousands of captured computers in its attacking army.

In a way, denial of service is like a phone busy signal, but on the Internet. An IP address (which could be the website of a bank or of a bank service-provider) is flooded with Internet traffic that overwhelms the connection and disrupts all Internet service. During a denial of service attack, every customer, vendor, and Internet connection gets a “busy signal” and cannot reach the attacked IP address.

At first glance, denial of service may not seem to be a significant risk. Perhaps just a nuisance, or a little inconvenience. But what if, during an attack, miscreants successfully executed fraudulent ACH and wire transactions stealing thousands or millions of dollars from your bank? The denial of service was a smokescreen to hide the theft.

Over 10 years ago, denial of service was one of the tactics used in an exploit that cost a bank more than $10 million. Denial of service capabilities have grown since then. A report from Verisign[1] indicates that the volume of traffic used in attacks grew 245% from 2013 to 2014. Most Internet service is measured in megabits-per-second; one of the largest attacks, a 2013 protest against SpamHaus.com, was carried out using as much as 400 gigabits-per-second of malicious traffic.

Along with bigger attacks, the number of attacks has also increased, because denial of service is easier than ever to use. You don’t have to be a computer wizard anymore. DoS software can be purchased or, even easier, hired as a service. For as little as $2 an hour (the cheapest price listed in Verisign’s report) you can hire a denial of service attacker.

The FFIEC recognizes the increasing risk of DDoS attacks and released a joint statement[2]. The statement explains the risk of DDoS and outlines six steps needed to mitigate the risk.

One of the steps requires incident response plans and notification of service-providers. To prevent loss, you should contact service-providers (wire/ACH/card processors) as soon as a DDoS attack is suspected. The immediacy is vital because, while your bank’s Internet connection is jammed, attackers posing as the bank can be issuing fraudulent transaction instructions to your service-providers, and the DDoS smokescreen hides the fraud from the bank. The best plan is to notify all service-providers of your outage and require that they request out-of-band[3] authorization from the bank for any transaction orders they receive via the Internet.

And keep all controls in place until the smoke clears.
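The following is an added illustration, not part of the original article or of any processor's actual system, of how a service-provider could implement the control described above: orders that arrive over the Internet while a bank has declared a DDoS outage are held, and are released only after an out-of-band confirmation that supplies the predetermined PIN and reads back the held order's amount and beneficiary (the read-back binding is an assumption added here so a confirmation cannot be reused for a different order). All bank identifiers, PINs, and orders are constructed sample values.

```python
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Instruction:
    bank_id: str
    ref: str          # order reference
    channel: str      # "internet" or "oob" (phone/fax line agreed in advance)
    cents: int        # amount in cents, avoids float comparison
    beneficiary: str


@dataclass
class ProcessorGate:
    pins: dict                                   # bank_id -> predetermined PIN
    outages: set = field(default_factory=set)    # banks that reported a DDoS outage
    held: dict = field(default_factory=dict)     # (bank_id, ref) -> Instruction
    log: list = field(default_factory=list)

    def declare_outage(self, bank_id):
        self.outages.add(bank_id)

    def clear_outage(self, bank_id):
        # Controls stay in place until the bank explicitly says the smoke has cleared.
        self.outages.discard(bank_id)

    def receive(self, ins):
        # Only Internet-channel orders are gated; orders that already arrived
        # over the out-of-band channel are not held a second time.
        if ins.bank_id in self.outages and ins.channel == "internet":
            self.held[(ins.bank_id, ins.ref)] = ins
            self.log.append(f"HELD {ins.ref}: internet order during declared outage")
            return "held"
        return self._execute(ins)

    def confirm_out_of_band(self, bank_id, ref, pin, cents, beneficiary):
        ins = self.held.get((bank_id, ref))
        if ins is None:
            return "unknown"
        # Constant-time PIN check; the caller must also read back the order
        # details so a confirmation cannot authorize a different amount or payee.
        if not hmac.compare_digest(pin, self.pins.get(bank_id, "")):
            self.log.append(f"REJECT {ref}: PIN mismatch")
            return "rejected"
        if (cents, beneficiary) != (ins.cents, ins.beneficiary):
            self.log.append(f"REJECT {ref}: details differ from held order")
            return "rejected"
        del self.held[(bank_id, ref)]
        return self._execute(ins)

    def _execute(self, ins):
        self.log.append(f"EXECUTED {ins.ref}: {ins.cents} cents to {ins.beneficiary}")
        return "executed"
```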


[1] Verisign DDoS Trend Report, Issue 4 - 4th Quarter 2014

[2] Distributed Denial of Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, April 2, 2014

[3] Out-of-band authorization is two-factor authentication using a separate communication channel and predetermined PINs or passwords.