On September 19, 2012, the Financial Services Information Sharing and Analysis Center (FS-ISAC) raised its Financial Services Cyber Threat Level to High based on reported attacks against United States financial institutions. Multiple online groups have claimed responsibility for the attacks.
This malicious activity should be considered a high risk and a threat to other industries. Customers are strongly advised to follow best common practices (BCPs) for denial of service attacks. These BCPs are provided as links in this document.
Multiple attack-pattern profiles are being used in these distributed denial of service (DDoS) attacks. The patterns are described in the Cisco Security Intelligence Operations Analysis section of this document.
December 19, 2012: Cisco Security Intelligence Operations (SIO) has included new countermeasure and control guidelines in this document, which include recommendations on network segmentation, baseline traffic profiles, packet scrubbing services, device capacity and performance, and additional resources.
October 25, 2012: Cisco SIO has included incident handling and response guidelines in this document. The guidelines should not replace your existing organizational policy; rather, they should supplement your existing response procedures. See the Incident Handling and Response section for more information. Although it has been reported that the attacks will slow down, the Financial Services Information Sharing and Analysis Center (FS-ISAC) maintains its Financial Services Cyber Threat Level at High. Additional information has been added to the Attack Pattern Traffic Profiles table, Resources, and Related Cisco Products and Services.
October 3, 2012: Cisco SIO has published Intrusion Prevention System (IPS) signature 1493/0: Distributed Denial of Service on Financial Institutions in signature update package S672 to help provide identification and detection for these attacks.
Other countermeasures and controls may help identify and detect the attack pattern traffic profiles described in this document. See the Attack Pattern Traffic Profiles table for more information.
Cisco SIO will continue to monitor the threat landscape and provide additional analysis and updates when new information is available.
The following table identifies Cisco SIO content that is associated with this Event Response Page:
Threat Response | Cisco Applied Mitigation Bulletin | Cisco IntelliShield Alert | CWE ID | CAPEC |
---|---|---|---|---|
Financial Institution DDoS | Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions | Security Activity Bulletin: Financial Institution Websites Targeted by Distributed Denial of Service Attacks | CWE-400, CWE-770 | CAPEC-119, CAPEC-125, CAPEC-227, CAPEC-343, CAPEC-469 |
DDoS attacks continue to evolve, and infrastructure managers are urged to plan for defense against these attacks well in advance of an active attack. Cisco SIO recommends that users work with their data providers to perform mitigations as close to the traffic source as possible, to prevent services from becoming overwhelmed at the destination host and network. Cisco Internet Protocol Journal has published a white paper in the December 2004 issue that provides strategies to protect against DDoS attacks.
Network-based indicators of these attacks are the following:
Protocol | Port | Payload | Notes | Cisco Mitigations |
---|---|---|---|---|
UDP (protocol 17) | 53 | "A" (hexadecimal value \x41) | The Data field, or payload, of the UDP message contains all As. | IPS Signature 6910/0 - Net Flood UDP; IPS Signature 4002.0 - UDP Host Flood; IPS Signature 4004.0 - DNS Flood Attack; Cisco IOS NetFlow; Cisco ASA/ASA-SM/FWSM |
UDP (protocol 17) | 80 | "/http1" (hexadecimal value \x2f\x68\x74\x74\x70\x31) or "A" (hexadecimal value \x41) | The Data field, or payload, of the UDP message contains all /http1, or contains all As. | IPS Signature 6910/0 - Net Flood UDP; IPS Signature 4002.0 - UDP Host Flood; Cisco IOS tACL; Cisco IOS NetFlow; Cisco ASA/ASA-SM/FWSM |
TCP (protocol 06) | 53 | None | Flood of TCP SYN segments sent to TCP port 53. | IPS Signature 6009.0 - SYN Flood DOS; IPS Signature 6920.0 - Net Flood TCP; Cisco IOS NetFlow |
TCP (protocol 06) | 80 | None | Flood of TCP SYN segments sent to TCP port 80. | IPS Signature 6009.0 - SYN Flood DOS; IPS Signature 6920.0 - Net Flood TCP; Cisco IOS NetFlow |
TCP (protocol 06) | 80 | Varies | HTTP GET method requests using varying HTTP header values and URI requests. HTTP GET method requests are sent to root document web pages and nonroot document web pages. | IPS Signature 1493/0 - Distributed Denial of Service on Financial Institutions; IPS Signature 6009.0 - SYN Flood DOS; Cisco IOS NetFlow |
TCP (protocol 06) | 80 | Varies | HTTP POST method requests using varying HTTP header values and submitted data. HTTP POST method requests are sent to web pages expecting data input (for example, pages that require user login, contain forms, or expect user-submitted data). | IPS Signature 6009.0 - SYN Flood DOS; Cisco IOS NetFlow; Cisco ASA/ASA-SM/FWSM |
Internet Control Message Protocol (ICMP; protocol 01) | N/A | Varies | Flood of ICMP messages sent to the targeted/victim address. ICMP Type 8/Code 0 has been observed, but other ICMP types and codes could be used. | IPS Signature 6902.0 - Net Flood ICMP Request; IPS Signature 6901.0 - Net Flood ICMP Reply; IPS Signature 6903.0 - Net Flood ICMP Any; IPS Signature 2152.0 - ICMP Flood; Cisco IOS tACL; Cisco IOS NetFlow; Cisco ASA/ASA-SM/FWSM |
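As an added example (not Cisco's IPS signature logic and not code from this page), the following Python classifies constructed packet records against the attack-pattern profiles in the table above and reports the profiles whose hit count crosses a threshold, since a few matching packets are background noise and only sustained volume is flood evidence. The record layout, profile names, threshold and sample traffic are assumptions made for illustration.

```python
from collections import Counter

# Protocol numbers and the TCP SYN flag bit used by the constructed records below.
UDP, TCP, ICMP = 17, 6, 1
SYN = 0x02

def classify(rec):
    """Map one record (proto, dst_port, payload, tcp_flags, icmp_type) to the
    attack-pattern profile from the table, or None if it matches none."""
    proto, dport, payload, flags, icmp_type = rec
    if proto == UDP and payload and dport in (53, 80):
        if set(payload) == {0x41}:                      # payload is all "A" (\x41)
            return f"udp{dport}-allA"
        reps = len(payload) // 6
        if dport == 80 and len(payload) % 6 == 0 and payload == b"/http1" * reps:
            return "udp80-http1"                         # payload is all "/http1"
    if proto == TCP and dport in (53, 80) and flags == SYN:
        return f"tcp{dport}-syn"                         # bare SYN only, not SYN-ACK
    if proto == TCP and dport == 80 and payload[:4] in (b"GET ", b"POST"):
        return "tcp80-http-" + payload[:4].strip().decode().lower()
    if proto == ICMP:
        return "icmp-flood"                              # type 8/code 0 seen; others possible
    return None

def flood_report(records, threshold):
    """Count matching records per profile; return only profiles at or above threshold."""
    counts = Counter(filter(None, map(classify, records)))
    return {profile: n for profile, n in counts.items() if n >= threshold}

# Constructed sample traffic (not captured data): three floods plus benign background.
SAMPLE = (
    [(UDP, 53, b"A" * 32, 0, None)] * 12                 # UDP/53 all-"A" payload
    + [(UDP, 80, b"/http1" * 4, 0, None)] * 6             # UDP/80 "/http1" payload
    + [(TCP, 80, b"", SYN, None)] * 9                     # SYN flood to TCP/80
    + [(TCP, 80, b"", SYN | 0x10, None)] * 4              # SYN-ACKs: not counted
    + [(TCP, 443, b"", SYN, None)] * 3                    # SYNs to a port not in the table
    + [(UDP, 53, b"\x1a\x2b\x01\x00\x00\x01\x00\x00", 0, None)] * 3  # ordinary DNS query
    + [(ICMP, None, b"", 0, 8)] * 2                       # two echo requests, below threshold
    + [(TCP, 80, b"GET / HTTP/1.1\r\n", 0x18, None)] * 2  # two page loads, below threshold
)

if __name__ == "__main__":
    for profile, n in sorted(flood_report(SAMPLE, 5).items()):
        print(f"{profile}: {n} packets")
```

The per-profile counts are the kind of evidence the NetFlow and IPS countermeasures in the table aggregate; in practice the threshold is set from the baseline traffic profile of the protected site.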
There are no specific Cisco vulnerabilities associated with this event. The attack attempts to saturate the bandwidth of the targeted network and exhaust resources on the targeted devices and devices in the path between the attacker and victim. If the Cisco Product Security Incident Response Team (PSIRT) discovers that a product is vulnerable to DDoS attacks because of a defect in software or hardware unrelated to memory or bandwidth saturation from a DDoS attack, information about affected products will be published at Cisco Security Advisories and Responses. As always, ensure that you monitor reports from Cisco PSIRT for any Cisco product-related vulnerabilities.
Network operators are encouraged to work with their data providers or to use applicable Cisco products and services.
Cisco SIO has performed attack analysis and published a Cisco Applied Mitigation Bulletin, Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions, which provides details about countermeasures and controls that can be used to identify and detect the Attack Pattern Traffic Profiles listed in the preceding table.
A Cisco Guide to Defending Against Distributed Denial of Service Attacks
Huffington Post - Izz Ad-Din Al-Qassam Cyber Fighters Group Takes Break From Hacking Banks To Celebrate Eid Al-Adha Holiday
Remotely Triggered Black Hole Filtering
Internet Service Provider Security Best Practices
Creating a Computer Security Incident Response Team
Financial Services - Information Sharing and Analysis Center (FS-ISAC)
Updated NIST Guide is a How-To for Dealing With Computer Security Incidents
Softpedia: Izz ad-Din al-Qassam Hackers Attack Wells Fargo Website
Dancho Danchev: DDoS Attacks Crowdsourced
Threatpost: Historic DDoS attacks against banks continue
Digital Dao: Fact-checking the Iranian DDoS Attacks Against US Banks
US-CERT: Alert (TA12-024A) "Anonymous" DDoS Activity
Cyber Warfare Intelligence: DDoS attacks, so simple so dangerous
Akamai: Information, not Hope is the key to Surviving DDoS
Cyberattacks on US banks resume, aiming to block their websites
Detecting and Analyzing Network Threats with NetFlow
RFC 1546: Host Anycasting Service
RFC 4786: Operation of Anycast Services
Packet Clearing House (PCH) Papers: Anycast
PCH Papers: Anycast Performance
PCH Papers: Anycast Services
PCH Papers: IPv4 Anycast
Arbor Networks: Pravail Availability Protection System (APS)
Prolexic Technologies: DoS and DDoS Protection
AT&T Internet Protect: Distributed Denial of Service Defense
Verizon: DoS Defense Services
ASA Threat Detection Functionality and Configuration
Network Security Baseline
Cisco ASA Series CLI Configuration Guide, 9.0
NetFlow Configuration Guide, Cisco IOS Release 15M&T
Cisco Flexible NetFlow Configuration Guide
Cisco Next-Generation Intrusion Prevention System
Cisco IOS IPS
Cisco IOS NetFlow
Cisco Web Security Appliance
Cisco IPS Signature Downloads
Cisco IPS Signature Search Page
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.