This morning a story caught my attention regarding the potential for another wave of DDoS attacks. The article, by Tracy Kitten at Bank InfoSecurity, quotes researchers who see modifications being made to Brobot -- a favorite weapon in attacks against the banking sector.
Experts say distributed-denial-of-service attacks against U.S. banks are not over, despite what's now been a two-month cease-fire by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters. Security vendors tell me the group's botnet is growing. And when these attacks do resume, they won't be easy to fight. This next wave of DDoS attacks will be different from what we have seen in earlier waves of attacks, dating back to mid-September 2012, researchers believe. As a result, many of the mitigation strategies and defenses banks have in place could prove ineffective.
Fortunately, Kitten writes, information about new code added to Brobot is being shared behind the scenes among banking institutions. "Now," she says, "banks and DDoS-mitigation providers are just waiting for what will be the fourth phase of DDoS to strike."
Here in Akamai's InfoSec department, Brobot has taken up much time and attention. At SOURCE Boston in April, Senior Security Architect Eric Kobrin gave a detailed analysis of how Brobot operates and where the enabling vulnerabilities can be found.
He noted, among other things:
--The amount of bandwidth flooding websites was substantial. Akamai CSO Andy Ellis recently wrote that Brobot botnets are routinely tossing around 30 Gbps attacks, with peaks upwards of 80 Gbps.
--The DDoS attacks are crude, exploiting large networks of compromised machines to overwhelm a website with requests.
--The battle often comes down to the amount of bandwidth a banking site has and whether it is large enough to withstand traffic from the botnet and customers.
Kobrin said the compromised machines often get that way because attackers were able to take them over through security holes in the online content management systems (CMS) that content publishers take for granted. The WordPress interface you use to blog? The server running it could have been drafted into the botnet, and you would not notice. That vanity email domain you set up for yourself? The host behind it is an easy target, too.
One of the problems is that the hosted service providers build sites to be as accessible as possible and to make them easy for Google to index. As you've heard by now, accessibility and security are often at odds.
"There is no single cause," Kobrin said. "A half a dozen failures have to happen along the way." One such failure is a lack of routine patching. Another failure is that admin access is often easy to get.
What to do about all this? Kobrin offered this advice:
--Banks can build a more defensible online infrastructure, get a better handle on all the apps in their systems and build closer relationships with their hosting providers, since the attack traffic usually originates from compromised machines on the providers' side of the court.
--CMS users can be more diligent about applying patches as they're released and removing unused plug-ins. The more customized your site is, the more plug-ins you probably have sitting there. Users can also add an IDS and turn off unused sites.
--Hosting providers can set up safer defaults, offer automatic updates and offer a fully managed CMS.
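Two of Kobrin's points above, that admin access to a CMS is often easy to get and that CMS users should add an IDS, can be tied together with a small detection routine. The following is an added example written for this post, not code from Akamai, Kobrin, or the Brobot research; it assumes WordPress's login behaviour (a failed POST to /wp-login.php re-renders the form with HTTP 200, a successful one redirects with 302), Apache combined-format access logs, and a threshold of five failures in five minutes, all of which are assumptions you would tune for your own site. The log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (Apache combined format); not real traffic.
# 203.0.113.7 hammers the login form and then gets a redirect (a success);
# 198.51.100.4 is a legitimate user who mistypes once; 192.0.2.9 just browses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2013:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:08:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2013:08:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:08:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2013:08:01:20 +0000] "GET /index.php HTTP/1.1" 200 10244 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:08:01:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2013:08:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:08:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:08:01:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:08:01:45 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_login_bruteforce(lines, login_path="/wp-login.php",
                          window=timedelta(minutes=5), threshold=5):
    """Flag client IPs that fail the CMS login `threshold` or more times inside
    a sliding `window`. Assumed WordPress semantics: 200 on a failed login
    (form re-rendered), 302 on success (redirect to the dashboard). A 302
    arriving after a burst of failures is the case that most needs a human:
    the attacker probably got in."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    findings = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST" or e["path"] != login_path:
            continue
        q = failures[e["ip"]]
        while q and e["ts"] - q[0] > window:   # expire attempts outside the window
            q.popleft()
        if e["status"] == 200:                   # failed attempt
            q.append(e["ts"])
            if len(q) >= threshold:
                f = findings.setdefault(e["ip"], {"max_burst": 0, "success_after_burst": False})
                f["max_burst"] = max(f["max_burst"], len(q))
        elif e["status"] == 302 and len(q) >= threshold:   # success right after a burst
            findings[e["ip"]]["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for ip, f in find_login_bruteforce(SAMPLE_LOG.splitlines()).items():
        verdict = "LOGIN SUCCEEDED AFTER BURST" if f["success_after_burst"] else "brute force in progress"
        print(f"{ip}: {f['max_burst']} failures in window; {verdict}")
```

The sliding window matters more than the threshold: a Brobot-style operator trying a password list at one request every few seconds never trips a naive "N failures in a row" rule if legitimate traffic is interleaved, but the per-IP deque keeps counting. The same structure works for any CMS once you swap in its login path and its success/failure status codes, which is why those are parameters rather than constants.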