The recent DDoS attack against the Dyn DNS service resulted in major impact across the financial services industry, and provides us an example to better understand the technology risks and the lessons learned from this attack.
In the first part of this two-part blog, we will examine the impact that the attack had on banks, insurance companies, and other firms in the industry. In Part 2, we'll dig into some details to better understand the technology risks of financial services websites, and extract some lessons learned for the industry.
How were banks impacted by the attack?
Beginning on the morning of Friday, October 21, the Dyn DNS service was the victim of the DDoS attack. As was widely reported in the media, millions of users lost access to popular web sites such as Twitter, Spotify, CNN and hundreds more. What has not been reported until now is the impact on banks and other financial services companies, and the outages they suffered, as a result of this attack.
An example of the impact to banks is shown in Figure 1 below. This chart was taken from the Dynatrace public benchmark tool, using the subscription data to produce this scatter plot.
For those of you not familiar with this tool, Dynatrace runs hundreds of synthetic scripts against thousands of companies in markets around the world, and publishes the results of these tests each month, free to the public, as a "rankings" report of the fastest and most reliable web sites in each market. At the end of each year, they hand out their "Dynatrace Best of the Web" gold, silver and bronze awards to each of the top firms. It's a highly coveted award for the digital teams and companies that care about the performance and reliability of their digital experience.
For the test against U.S. banks shown below, Dynatrace runs a test once per hour from twelve backbone agents across the U.S. against the home pages of dozens of banks. In addition to the free public rankings, Dynatrace offers a paid subscription which provides full details of each individual test, showing response times, errors, city-level data, and complete waterfalls for each web page.
Each dot on the scatter plot in Figure 1 represents the home page test against one of the 42 banks included in this chart. With an average of over eight tests per minute (42 banks x 12 tests per hour = 504 samples per hour = 8 samples per minute), this report gives us a nice view of the overall health of online banking in the U.S.
1. The first impact is shown beginning at 7:10 AM EDT, with a drastic increase in page response times for a number of banking home pages. This 7:10 mark matches the attack time of 11:10 UTC reported by Dyn.
2. The second major impact started at 11:50 AM EDT. This also matches the time of the second attack reported by Dyn.
3. There was residual impact late into the evening for a number of banks, again matching Dyn reports.
4. Some banks had complete failures of their home pages during this period.
5. Close examination shows that 28 of the 42 banks (2 out of 3) had impact due to this event on Oct. 21. (Please don't draw the conclusion that "two-thirds of the banks in the U.S. were impacted by the attack". We are only looking at 42 of the more than 6,000 banks on the FDIC list of banks in the U.S.)
This was not a typical DDoS attack. Banks are generally well prepared and well defended against DDoS attacks. Many of us remember very clearly the massive wave of attacks against the banks in 2012-2013 by the QCF as part of their Operation Ababil attacks. The sector invested heavily in DDoS protection at that time, and it's been well defended since.
But this Dyn attack was different. Instead of attacking a bank directly, the attack was directed at a service provider that was not a typical target for DDoS, and in many cases, not even used by the banks that were impacted. The result: if you work in technology risk for a bank, your job just got a lot harder.
We'll examine the lessons learned and recommendations in Part 2, but for now, what about the other segments of the industry?
Dynatrace includes 25 firms on their U.S. Auto & Property Insurance home page benchmark. The impact to this segment is very similar to that observed in the banking sector.
Similar story. 17 online brokers are included in the benchmark, and 12 had impact. There were no outright failures observed as in the banking and insurance segments. The red errors shown in Figure 3 are likely due to normal variations in the Dynatrace measurements, and occurred after the 4:00 PM market close.
There was impact to 6 of the 13 credit card home pages that are included in the benchmark, with less residual impact but with some clear failures.
Stay tuned for Part 2, as we dive deeper into the details, examine technology risk, and report some lessons learned for the industry from this attack. In the meantime, I invite your comments or questions.
Rich Bolstridge is Chief Strategist, Financial Services at Akamai Technologies