Cisco Event Response: Distributed Denial of Service Attacks on Financial Institutions

Threat Summary: October 1, 2012

On September 19, 2012, the Financial Services Information Sharing and Analysis Center (FS-ISAC) raised its Financial Services Cyber Threat Level to High based on reported attacks against United States financial institutions. Multiple online groups have claimed responsibility for the attacks, which have continued for the past 2 weeks.

This malicious activity should be considered a high risk and a threat to other industries. Customers are strongly advised to follow best common practices (BCPs) for denial of service attacks. These BCPs are provided as links in this document.

Multiple attack-pattern profiles are being used in these distributed denial of service (DDoS) attacks. The patterns are described in the Cisco Security Intelligence Operations Analysis section of this document.

Threat Updates

December 19, 2012: Cisco Security Intelligence Operations (SIO) has included new countermeasure and control guidelines in this document, which include recommendations on network segmentation, baseline traffic profiles, packet scrubbing services, device capacity and performance, and additional resources.

October 25, 2012: Cisco SIO has included incident handling and response guidelines in this document. The guidelines should not replace your existing organizational policy, rather they should supplement your existing response procedures. See the Incident Handling and Response section for more information. Although it has been reported that the attacks will slow down, the Financial Services Information Sharing and Analysis Center (FS-ISAC) maintains its Financial Services Cyber Threat Level at High. Additional information has been added to the Attack Pattern Traffic Profiles table, Resources, and Related Cisco Products and Services.

October 3, 2012: Cisco SIO has published Intrusion Prevention System (IPS) signature 1493/0: Distributed Denial of Service on Financial Institutions in signature update package S672 to help provide identification and detection for these attacks.

Other countermeasures and controls may help identify and detect the attack pattern traffic profiles described in this document. See the Attack Pattern Traffic Profiles table for more information.

To better understand the methodology Cisco SIO uses to respond to this event and other similar events, please read the security blog post Distributed Denial of Service Attacks on Financial Institutions: A Cisco Security Intelligence Operations Perspective.

Cisco SIO will continue to monitor the threat landscape and provide additional analysis and updates when new information is available.

Cisco Security
Intelligence Operations

Event Intelligence

The following table identifies Cisco SIO content that is associated with this Event Response Page:

Threat Response	Cisco Applied Mitigation Bulletin	Cisco IntelliShield Alert	CWE ID	CAPEC
Financial Institution DDoS	Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions	Security Activity Bulletin: Financial Institution Websites Targeted by Distributed Denial of Service Attacks	CWE-400 CWE-770	CAPEC-119 CAPEC-125 CAPEC-227 CAPEC-343 CAPEC-469

Cisco Security Intelligence Operations Analysis

Cisco SIO has obtained the following network-based threat detection related to this DDoS attack:

The primary market segment from which Cisco SIO has observed denial of service attempts is Financial Services.

Recently published SIO Cyber Risk Reports (CRRs) for September 17–23, September 24–30, and December 10–16, 2012, include threat information, additional analysis, hyperlinks to media reporting, and advising to prepare and deploy countermeasures if an attack occurs.

DDoS attacks continue to evolve, and infrastructure managers are urged to plan for defense against these attacks well in advance of an active attack. Cisco SIO recommends that users work with their data providers to perform mitigations as close to the traffic source as possible to avoid services from becoming overwhelmed at the destination host and network. Cisco Internet Protocol Journal has published a white paper that provides strategies to protect against DDoS attacks.

Network-based indicators of these attacks are the following:

Attack Pattern Traffic Profiles

Protocol	Port	Payload	Notes	Cisco Mitigations
UDP (protocol 17)	53	"A" (hexadecimal value \x41)	The Data field, or payload, of the UDP message contains all As.	IPS Signature: 6910/0 - Net Flood UDP IPS Signature: 4002.0 - UDP Host Flood IPS Signature: 4004.0 - DNS Flood Attack Cisco IOS NetFlow Cisco ASA/ASA-SM/FWSM
UDP (protocol 17)	80	"/http1" (hexadecimal value \x2f\x68\x74\x74\x70\x31) "A" (hexadecimal value \x41)	The Data field, or payload, of the UDP message contains all /http1. The Data field, or payload, of the UDP message contains all /As.	IPS Signature: 6910/0 - Net Flood UDP IPS Signature: 4002.0 - UDP Host Flood Cisco IOS tACL Cisco IOS NetFlow Cisco ASA/ASA-SM/FWSM
TCP (protocol 06)	53	None	Flood of TCP SYN segments sent to TCP port 53	IPS Signature: 6009.0 - SYN Flood DOS IPS Signature: 6920.0 - Net Flood TCP Cisco IOS NetFlow
TCP (protocol 06)	80	None	Flood of TCP SYN segments sent to TCP port 80	IPS Signature: 6009.0 - SYN Flood DOS IPS Signature: 6920.0 - Net Flood TCP Cisco IOS NetFlow
TCP (protocol 06)	80	Varies	HTTP GET method requests using varying HTTP header values and URI requests. HTTP GET method requests are sent to root document web pages and nonroot document web pages.	IPS Signature: 1493/0 - Distributed Denial of Service on Financial Institutions IPS Signature: 6009.0 - SYN Flood DOS Cisco IOS NetFlow
TCP (protocol 06)	80	Varies	HTTP POST method using varying HTTP header values and submitted data. HTTP POST method sent to web pages expecting data input (for example, pages that require user login, contain forms, or expect user-submitted data).	IPS Signature: 6009.0 - SYN Flood DOS Cisco IOS NetFlow Cisco ASA/ASA-SM/FWSM
Internet Control Message Protocol (ICMP; protocol 01)	N/A	Varies	Flood of ICMP messages sent to the targeted/victim address. ICMP Type 8/Code 0 has been observed, but other ICMP types and codes could be used.	IPS Signature: 6902.0 - Net Flood ICMP Request IPS Signature: 6901.0 - Net Flood ICMP Reply IPS Signature: 6903.0 - Net Flood ICMP Any IPS Signature: 2152.0 - ICMP Flood Cisco IOS tACL Cisco IOS NetFlow Cisco ASA/ASA-SM/FWSM

Impact on Cisco Products

There are no specific Cisco vulnerabilities associated with this event. The attack attempts to saturate the bandwidth of the targeted network and exhaust resources on the targeted devices and devices in the path between the attacker and victim. If the Cisco Product Security Incident Response Team (PSIRT) discovers that a product is vulnerable to DDoS attacks because of a defect in software or hardware unrelated to memory or bandwidth saturation from a DDoS attack, information about affected products will be published at Cisco Security Advisories and Responses. As always, ensure that you monitor reports from Cisco PSIRT for any Cisco product-related vulnerabilities.

Countermeasures and Controls on Network Devices

Network Segmentation

Host Internet-accessible services and resources across different service providers and use an Anycast network addressing and routing solution when possible.
Do not host multiple Internet-accessible services and resources (for example, Domain Name Service (DNS), HTTP and HTTPS (web services), remote-access VPN, and e-mail) on the same Internet point of presence at the on-premise edge. Hosting multiple services and resources on the same Internet point of presence allows DDoS traffic to potentially impact all the Internet-accessible services and resources.
Separate services and resources used by internal corporate users and applications so they are not impacted if an Internet-accessible service or resource is affected by a DDoS attack.

Baseline Traffic Profiles

Use flow telemetry technologies (such as NetFlow) to collect and perform a traffic profile baseline for business, user, application, and other types of network traffic.
Ensure that you understand what is considered a normal traffic profile baseline.
This normal traffic profile baseline will help detect anomalies and assist in determining which traffic may be malicious, if any, during an attack.
Understand the impact of an increased volume of traffic on affected services and resources.

On-Premise and Upstream Scrubbing Services

Use products or services that have the capability to scrub anomalous and malicious traffic both at the on-premise edge and upstream at the provider edge. Ensure that you have already used a flow telemetry technology to collect and perform a traffic profile baseline.
Validate and test traffic redirection to the upstream scrubbing service and ensure that Internet-accessible services and resources meet an acceptable performance baseline.

Device Capacity and Performance

Ensure you understand device capabilities and limitations based on the following and their impact to device operations:

Which features are enabled (for example, NetFlow, syslog, and BGP peering receiving 400K prefixes) on the device
Volume of traffic that is being switched or forwarded by the device
What technique or solution (for example, Remotely Trigger Black Hole Routing, Unicast Reverse Path Forwarding [understanding, enhancements]) is implemented on the device

Network operators are encouraged to work with their data providers or applicable Cisco products and services.

Cisco SIO has performed attack analysis and published a Cisco Applied Mitigation Bulletin, Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions, which provides details about countermeasures and controls that can be used to identify and detect the Attack Pattern Traffic Profiles listed in the preceding table.

Incident Handling and Response

Coordinate Internal Response Teams

Incident response teams should identify the specific applications being flooded and the protocols and ports used in the flood. Packet captures can be saved as evidence and used by vendors.
Gather a response team that can make operational decisions concerning the DDoS event. Keep the team as small as possible without excluding other organizations. Consider adding the following groups: management, information assurance, IT support, legal, and public affairs.
Avoid staff burnout. Consider shift rotations and meal delivery. Document details about the incident as they happen and share those details with new shifts.

Sharing Information with Third Parties

The incident response team should comply with organization policies and procedures about media interaction and information disclosure.
The FBI Cyber Crime unit investigates crimes of this nature in the United States. Outside the United States, the Forum of Incident Response and Security Teams can help with contacting the appropriate law enforcement organization.
The Financial Services Information Sharing and Analysis Center can help financial institutions coordinate a response and provide detailed information about previous attacks.
Coordinate with your Internet Service Provider to implement traffic controls, such as rate limiting, source blocking, and packet scrubbing.
Identify the owners of the attacking addresses. Incident handlers may want to alert the owners of the IP addresses exhibiting the malicious behavior, and ask them to collect evidence and mitigate the attacking device.
Contact vendors as needed by the support teams (see "Resources") to quantify the DDoS traffic, collect evidence, etc.

Lessons Learned

After the incident has passed, conduct a lessons learned meeting with the parties involved to discuss what happened and the subsequent response. What worked well? What inhibited the recovery? What can help prevent similar actions in the future? How will the next response be handled?

Resources

Huffington Post - Izz Ad-Din Al-Qassam Cyber Fighters Group Takes Break From Hacking Banks To Celebrate Eid Al-Adha Holiday
Remotely Triggered Black Hole Filtering
Internet Service Provider Security Best Practices
Creating a Computer Security Incident Response Team
Financial Services - Information Sharing and Analysis Center (FS-ISAC)
Updated NIST Guide is a How-To for Dealing With Computer Security Incidents
Cisco Internet Protocol Journal: Distributed Denial of Service Attacks
Pastebin: Bank of America and New York Stock Exchange under attack
Softpedia: Izz ad-Din al-Qassam Hackers Attack Wells Fargo Website
IT-Networks: Anonymous Hackers Helped Izz ad-Din al-Qassam
Dancho Danchev: DDoS Attacks Crowdsourced
Threatpost: Historic DDoS attacks against banks continue
SecurityNewsDaily: The Bank Cyberattacks: Is Your Money Safe?
Digital Dao: Fact-checking the Iranian DDoS Attacks Against US Banks
US-CERT: Alert (TA12-024A) "Anonymous" DDoS Activity
Cyber Warfare Intelligence: DDoS attacks, so simple so dangerous
Akamai: Information, not Hope is the key to Surviving DDoS
Arbor Networks: DDoS security Reports
Symantec: Community Behavior of Botnets
Cyberattacks on US banks resume, aiming to block their websites
Detecting and Analyzing Network Threats with NetFlow
RFC 1546: Host Anycasting Service
RFC 4786: Operation of Anycast Services
Packet Clearing House (PCH) Papers: Anycast
PCH Papers: Anycast Performance
PCH Papers: Anycast Services
PCH Papers: IPv4 Anycast
Arbor Networks: Pravail Availability Protection System (APS)
Prolexic Technologies: DoS and DDoS Protection
AT&T Internet Protect: Distributed Denial of Service Defense
Verizon: DoS Defense Services

Related Cisco Products and Services

Configuring Threat Detection on Cisco ASA 5500
Performance of IPS 4500 and 4300 Series Sensors
Network Security Baseline
Configuring Connection Limits and Timeouts in Cisco ASA 5500
NetFlow Configuration Guide, Cisco IOS Release 12.4
Cisco IOS Flexible NetFlow Configuration Guide, Release 12.4T
Cisco Intrusion Prevention System
Cisco IOS IPS
Cisco IOS NetFlow
Cisco Web Security Appliance
Cisco Cloud Web Security
Cisco Services for IPS
Cisco Security IntelliShield Alert Manager Service
Cisco IPS Signature Downloads
Cisco IPS Signature Search Page

Return to Cisco Security Intelligence Operations