Credit Union Distributed Denial of Services – Mitigation Services – How do they Work?
If you work for a credit union or are concerned about a group of hackers targeting your company, you may be worried about Distributed Denial of Service attacks. Recently, there seems to be growing concern about DDoS attacks against credit unions. In the last few weeks alone, there have been multiple attacks taking down credit union websites.
Denial of Service (DoS) attacks are nothing new, but given the explosive growth in worldwide network speeds and home computing (especially outside of the US), DDoS has changed the game. The technical classification of DoS and DDoS attacks is a “Brute Force Attack.” This means that the attacking system(s) do their best to flood or crash your systems with a very large number of basic, typical tasks. Think about ten people shouting at you all at the same time.
If you have heard all the buzz about DDoS (Distributed Denial of Service) attacks and have begun looking into mitigation solutions, this will be a good primer for you. DDoS attacks have been pointed at everything from “The Dog Whisperer’s” website, to video game networks, to credit unions, and to the US Government.
The extra “D” exponentially increases the effectiveness and disruptiveness of attacks. The extra “D” (Distributed) refers to the spread-out nature and quantity of attacking machines. The attacker uses networks of “slave machines” (usually malware-infected PCs) from across the world, and all of those individual clients are pointed at your website with the goal of slowing your web servers to a crawl or crashing them via endless, pointless network traffic and requests. Imagine additional people shouting at you: the more people shouting, the harder it is to understand what anyone is saying. Home football crowds use this tactic all the time against the opposing offense.
DDoS Mitigation Tools
In their simplest form, DDoS mitigation tools are remote network traffic filters. Some are activated by an IT professional on the client side when they see something unusual, some automatically detect undesired traffic, and some services are always on and constantly filtering all traffic. Obviously there are cost implications related to these three different scenarios, but at the end of the day, once an attack has been detected they all do the same thing: prevent undesired traffic from hitting your network and servers.
There are basically two types of mitigation services: appliance based and network based. Either way, the strategy is essentially the same: send the attack volume into a black hole of some sort while letting the good traffic through. Both types are pretty expensive (between $5 and $10k a month) based on the top providers. Ultimately, what you need to look for is how much capacity the black hole (the DDoS mitigation tool) has.
Challenges for Credit Unions
Capacity – The normal DDoS attack generates around 1 or 2 GB of traffic. Our experience is that the average credit union has about 20 to 100 mb of capacity. Obviously, having a solution that can consume and reroute 1 or 2 GB of traffic is the only thing that can really fix the problem quickly.
Expertise – Being able to quickly reroute traffic and separate the good from the bad requires senior-level network engineers and a good plan. It also probably requires testing and creativity. In our experience, most credit unions can’t afford to have that expertise sitting around just in case.
DDoS is a hot topic in the IT world right now and we are going to continue discussing DDoS threats, solutions, best practices and what CUs can do about it.