DDoS Operation Ababil Phase 3 Attack Report

Have you heard about the DDoS attacks that have been happening lately? Here is a press release from Radware ERT describing the attacks in detail.

Background

The week of March 11th saw the start of a new wave of DDoS attacks on banks and financial institutions. The Qassam Cyber Fighters have launched the third phase of Operation Ababil and have updated their Pastebin page with new attack threats. The targets of this attack are leading US banks, including Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank and Citibank. Since the launch of the attacks, many of these US banks have found themselves under severe DDoS attacks that cause outages to their secured online services and websites.

OGO Credit Union View: While the main target appears to be large national banks, we know that there have been similar attacks in the credit union world. There is no evidence either way as to whether the same group is responsible for them, but all financial institutions need to take steps to secure themselves against this threat.

Attack information

OGO Note: Get ready for some extremely technical information. Here is a non-technical explanation of DDoS if you don’t speak the language.

Radware ERT is actively involved in fighting and mitigating these attacks and has found that they are sophisticated and combine multiple complex attack vectors. For the first time in the prolonged Operation Ababil campaign, the attackers are launching encrypted attacks based on the SSL protocol.

The first attack vector that the ERT identified is an SSL renegotiation attack using the infamous attack tool THC-SSL-DOS. THC-SSL-DOS initiates a regular SSL handshake between the attacker and the bank's secured server. It then immediately requests renegotiation of the encryption key, and keeps repeating this renegotiation request, which is resource-intensive for the server, until all server resources have been exhausted. Like other "low and slow" attacks, THC-SSL-DOS does not require significant computing resources from the attacker and does not generate a volumetric DDoS flood. As a result of this attack, the banks' secured servers that run the online banking services become so busy handling the attackers' requests that they cannot serve the bank's legitimate users.

The second attack vector used in the bank attacks is a brute force attack, also against the online banking services. In the brute force attack, the attackers try to log in to the banks' online user accounts by guessing login user names. The attackers' objective is not to gain access to the accounts, which is a very difficult task, but to lock out the accounts and prevent the banks' customers from accessing their online banking services. The attackers launch thousands of login requests using random, computer-generated user names and passwords. If the user name is correct and the password is wrong, the account is locked after several attempts. In this way the attackers manage to lock out thousands of bank accounts, resulting in thousands of angry and panicked customers calling the bank's support center to complain and to report suspected fraud on their accounts.
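The lockout vector described above is detectable on the defender's side because a lockout attacker fails against many different user names from one source, whereas a genuine customer fails against only their own account. The following added example (not from the Radware report or Ongoing Operations; the log format, thresholds and sample lines are constructed for illustration) profiles authentication failures, flags sources that spray many distinct accounts, and chooses a lockout response that blocks the spraying source instead of locking the customer out.

```python
import re
from collections import defaultdict

# Constructed log format for this example: "<ts> auth_fail|auth_ok user=<name> src=<ip>"
LOG_RE = re.compile(r"^\S+ auth_(fail|ok) user=(\S+) src=(\S+)$")

# Constructed sample: 203.0.113.7 sprays five different usernames (the lockout
# pattern described above); 198.51.100.20 is one customer mistyping a password.
SAMPLE_LOG = """\
2013-03-12T10:00:01 auth_fail user=alice src=203.0.113.7
2013-03-12T10:00:02 auth_fail user=bob src=203.0.113.7
2013-03-12T10:00:02 auth_fail user=carol src=203.0.113.7
2013-03-12T10:00:03 auth_fail user=dave src=203.0.113.7
2013-03-12T10:00:03 auth_fail user=erin src=203.0.113.7
2013-03-12T10:00:04 auth_fail user=alice src=203.0.113.7
2013-03-12T10:00:05 auth_fail user=alice src=203.0.113.7
2013-03-12T10:00:09 auth_fail user=frank src=198.51.100.20
2013-03-12T10:00:15 auth_fail user=frank src=198.51.100.20
2013-03-12T10:00:21 auth_fail user=frank src=198.51.100.20
2013-03-12T10:00:30 auth_ok user=frank src=198.51.100.20
"""

def profile(lines):
    """Per source: distinct usernames failed. Per account: failures by source."""
    users_by_src = defaultdict(set)
    fails_by_user = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(1) == "fail":
            user, src = m.group(2), m.group(3)
            users_by_src[src].add(user)
            fails_by_user[user][src] += 1
    return users_by_src, fails_by_user

def storm_sources(users_by_src, distinct_users=5):
    """A source failing against many distinct accounts is spraying, not a typo."""
    return {src for src, users in users_by_src.items() if len(users) >= distinct_users}

def lockout_decision(user, fails_by_user, storm, max_fails=3):
    """block_source: all failures from spraying sources -> block them, keep the
    account usable for the real customer. lock_account: repeated failures from
    ordinary sources -> classic lockout. allow: below threshold."""
    per_src = fails_by_user.get(user, {})
    if sum(per_src.values()) < max_fails:
        return "allow"
    if all(src in storm for src in per_src):
        return "block_source"
    return "lock_account"
```

Run against real logs, the same two aggregations (distinct accounts per source, failures per account by source) separate a lockout storm from ordinary password mistakes, which is what lets a bank keep its lockout policy without handing the attacker the outage.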

Simpler attack vectors also take part in the attacks, but the two described above are the most interesting and sophisticated.

Attack Mitigation

SSL based attacks are the Achilles' heel of the banks' cyber security defenses, and of any other organization that relies on secured connections and secured payments. SSL based attacks are easy to launch and difficult to mitigate, making them an ideal choice for attackers, and Radware observes a significant rise in the use of SSL based attack tools.

In order to mitigate SSL based attacks, the mitigation solution must first decrypt the encrypted SSL transaction in order to determine whether it is malicious or legitimate. However, this operation requires the bank's SSL keys, which cannot be handed to a third-party vendor or MSSP. In addition, decrypting and re-encrypting the transactions requires significant computing resources, which are not available on the banks' servers.

About Radware

Radware offers an industry-unique solution for SSL based attacks that uses special SSL accelerator hardware to handle the decryption of the transactions, integrated with its Attack Mitigation System. Read more on the Radware solution for SSL based threats.

Related Content

DDoS: Be part of the solution – Part 1

DDoS: Be part of the solution – Part 2

Credit Union DDoS Series:

How do DDoS Mitigation Services Work?
