Cisco Event Response: Distributed Denial of Service Attacks on Financial Institutions

Threat Summary: October 1, 2012

On September 19, 2012, the Financial Services Information Sharing and Analysis Center (FS-ISAC) raised its Financial Services Cyber Threat Level to High based on reported attacks against United States financial institutions. Multiple online groups have claimed responsibility for the attacks, which have continued for the past 2 weeks.

This malicious activity should be considered a high risk and a threat to other industries. Customers are strongly advised to follow best common practices (BCPs) for denial of service attacks. These BCPs are provided as links in this document.

Multiple attack-pattern profiles are being used in these distributed denial of service (DDoS) attacks. The patterns are described in the Cisco Security Intelligence Operations Analysis section of this document.

Threat Updates

December 19, 2012: Cisco Security Intelligence Operations (SIO) has included new countermeasure and control guidelines in this document, which include recommendations on network segmentation, baseline traffic profiles, packet scrubbing services, device capacity and performance, and additional resources.

October 25, 2012: Cisco SIO has included incident handling and response guidelines in this document. The guidelines should not replace your existing organizational policy; rather, they should supplement your existing response procedures. See the Incident Handling and Response section for more information. Although it has been reported that the attacks will slow down, the Financial Services Information Sharing and Analysis Center (FS-ISAC) maintains its Financial Services Cyber Threat Level at High. Additional information has been added to the Attack Pattern Traffic Profiles table, Resources, and Related Cisco Products and Services.

October 3, 2012: Cisco SIO has published Intrusion Prevention System (IPS) signature 1493/0: Distributed Denial of Service on Financial Institutions in signature update package S672 to help provide identification and detection for these attacks.

Other countermeasures and controls may help identify and detect the attack pattern traffic profiles described in this document. See the Attack Pattern Traffic Profiles table for more information.

To better understand the methodology Cisco SIO uses to respond to this event and other similar events, please read the security blog post Distributed Denial of Service Attacks on Financial Institutions: A Cisco Security Intelligence Operations Perspective.

Cisco SIO will continue to monitor the threat landscape and provide additional analysis and updates when new information is available.


Event Intelligence

The following table identifies Cisco SIO content that is associated with this Event Response Page:

Threat Response: Financial Institution DDoS
Cisco Applied Mitigation Bulletin: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions
Cisco IntelliShield Alert: Security Activity Bulletin: Financial Institution Websites Targeted by Distributed Denial of Service Attacks
CWE ID: none listed
CAPEC: none listed

Cisco Security Intelligence Operations Analysis

Cisco SIO has obtained the following network-based threat detection related to this DDoS attack:

The primary market segment from which Cisco SIO has observed denial of service attempts is Financial Services.

Recently published SIO Cyber Risk Reports (CRRs) for September 17–23, September 24–30, and December 10–16, 2012, include threat information, additional analysis, hyperlinks to media reporting, and advice to prepare and deploy countermeasures if an attack occurs.

DDoS attacks continue to evolve, and infrastructure managers are urged to plan for defense against these attacks well in advance of an active attack. Cisco SIO recommends that users work with their data providers to perform mitigations as close to the traffic source as possible, to prevent services from becoming overwhelmed at the destination host and network. Cisco Internet Protocol Journal has published a white paper that provides strategies to protect against DDoS attacks.

Network-based indicators of these attacks are the following:

Attack Pattern Traffic Profiles

Protocol: UDP (protocol 17)
Port: 53
Payload: "A" (hexadecimal value \x41)
Notes: The Data field, or payload, of the UDP message contains all As.
Cisco Mitigations:
  IPS Signature: 6910/0 - Net Flood UDP
  IPS Signature: 4002.0 - UDP Host Flood
  IPS Signature: 4004.0 - DNS Flood Attack
  Cisco IOS NetFlow
  Cisco ASA/ASA-SM/FWSM

Protocol: UDP (protocol 17)
Port: 80
Payload: "/http1" (hexadecimal value \x2f\x68\x74\x74\x70\x31) or "A" (hexadecimal value \x41)
Notes: The Data field, or payload, of the UDP message contains all /http1, or contains all As.
Cisco Mitigations:
  IPS Signature: 6910/0 - Net Flood UDP
  IPS Signature: 4002.0 - UDP Host Flood
  Cisco IOS tACL
  Cisco IOS NetFlow
  Cisco ASA/ASA-SM/FWSM

Protocol: TCP (protocol 06)
Port: 53
Payload: None
Notes: Flood of TCP SYN segments sent to TCP port 53.
Cisco Mitigations:
  IPS Signature: 6009.0 - SYN Flood DOS
  IPS Signature: 6920.0 - Net Flood TCP
  Cisco IOS NetFlow

Protocol: TCP (protocol 06)
Port: 80
Payload: None
Notes: Flood of TCP SYN segments sent to TCP port 80.
Cisco Mitigations:
  IPS Signature: 6009.0 - SYN Flood DOS
  IPS Signature: 6920.0 - Net Flood TCP
  Cisco IOS NetFlow

Protocol: TCP (protocol 06)
Port: 80
Payload: Varies
Notes: HTTP GET method requests using varying HTTP header values and URI requests. HTTP GET method requests are sent to root document web pages and nonroot document web pages.
Cisco Mitigations:
  IPS Signature: 1493/0 - Distributed Denial of Service on Financial Institutions
  IPS Signature: 6009.0 - SYN Flood DOS
  Cisco IOS NetFlow

Protocol: TCP (protocol 06)
Port: 80
Payload: Varies
Notes: HTTP POST method requests using varying HTTP header values and submitted data. HTTP POST method requests are sent to web pages expecting data input (for example, pages that require user login, contain forms, or expect user-submitted data).
Cisco Mitigations:
  IPS Signature: 6009.0 - SYN Flood DOS
  Cisco IOS NetFlow
  Cisco ASA/ASA-SM/FWSM

Protocol: Internet Control Message Protocol (ICMP; protocol 01)
Port: N/A
Payload: Varies
Notes: Flood of ICMP messages sent to the targeted/victim address. ICMP Type 8/Code 0 has been observed, but other ICMP types and codes could be used.
Cisco Mitigations:
  IPS Signature: 6902.0 - Net Flood ICMP Request
  IPS Signature: 6901.0 - Net Flood ICMP Reply
  IPS Signature: 6903.0 - Net Flood ICMP Any
  IPS Signature: 2152.0 - ICMP Flood
  Cisco IOS tACL
  Cisco IOS NetFlow
  Cisco ASA/ASA-SM/FWSM
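As an added illustration of the profiles in the table (not Cisco's code, and not an IPS signature), the following Python classifies per-packet summaries against those indicators: uniform "A" or "/http1" UDP payloads, SYN segments to ports 53 and 80, HTTP GET/POST requests, and ICMP messages. The record format and the sample packets are constructed assumptions; SYN, GET and POST matches only indicate a flood when their counts are compared with a traffic baseline.

```python
from collections import Counter

# Constructed packet summaries (not captured data): IP protocol number,
# destination port, TCP flags / ICMP type where relevant, and leading payload.
SAMPLE_PACKETS = [
    {"proto": 17, "dport": 53, "payload": b"A" * 64},
    {"proto": 17, "dport": 80, "payload": b"/http1" * 8},
    {"proto": 17, "dport": 80, "payload": b"A" * 32},
    {"proto": 17, "dport": 53, "payload": b"\x12\x34\x01\x00\x00\x01"},  # normal DNS query
    {"proto": 6, "dport": 53, "flags": "S", "payload": b""},
    {"proto": 6, "dport": 80, "flags": "S", "payload": b""},
    {"proto": 6, "dport": 80, "flags": "PA", "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": 6, "dport": 80, "flags": "PA", "payload": b"POST /login HTTP/1.1\r\n"},
    {"proto": 1, "dport": None, "icmp_type": 8, "payload": b""},
]

def is_repeated(payload, unit):
    """True when the payload is nothing but back-to-back copies of `unit`."""
    n = len(unit)
    return (n > 0 and len(payload) >= n and len(payload) % n == 0
            and payload == unit * (len(payload) // n))

def classify(pkt):
    """Map one packet to the matching profile from the table above, or None."""
    proto, dport, payload = pkt["proto"], pkt["dport"], pkt["payload"]
    if proto == 17 and dport == 53 and is_repeated(payload, b"A"):
        return "UDP/53 all-A payload"
    if proto == 17 and dport == 80:
        if is_repeated(payload, b"/http1"):
            return "UDP/80 /http1 payload"
        if is_repeated(payload, b"A"):
            return "UDP/80 all-A payload"
    if proto == 6 and dport in (53, 80) and pkt.get("flags") == "S":
        return "TCP/%d SYN" % dport        # one SYN is normal; a flood is about rate
    if proto == 6 and dport == 80 and payload.startswith(b"GET "):
        return "HTTP GET"                  # likewise, flag only on volume
    if proto == 6 and dport == 80 and payload.startswith(b"POST "):
        return "HTTP POST"
    if proto == 1:
        return "ICMP type %s" % pkt.get("icmp_type")
    return None

def profile_counts(packets):
    """Packets per profile; compare against the NetFlow baseline, not in isolation."""
    return Counter(label for label in map(classify, packets) if label)

if __name__ == "__main__":
    for label, count in profile_counts(SAMPLE_PACKETS).most_common():
        print("%-24s %d" % (label, count))
```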

Impact on Cisco Products

There are no specific Cisco vulnerabilities associated with this event. The attack attempts to saturate the bandwidth of the targeted network and exhaust resources on the targeted devices and devices in the path between the attacker and victim. If the Cisco Product Security Incident Response Team (PSIRT) discovers that a product is vulnerable to DDoS attacks because of a defect in software or hardware unrelated to memory or bandwidth saturation from a DDoS attack, information about affected products will be published at Cisco Security Advisories and Responses. As always, ensure that you monitor reports from Cisco PSIRT for any Cisco product-related vulnerabilities.

Countermeasures and Controls on Network Devices

Network Segmentation

  • Host Internet-accessible services and resources across different service providers and use an Anycast network addressing and routing solution when possible.
  • Do not host multiple Internet-accessible services and resources (for example, Domain Name Service (DNS), HTTP and HTTPS (web services), remote-access VPN, and e-mail) on the same Internet point of presence at the on-premise edge. Hosting multiple services and resources on the same Internet point of presence allows DDoS traffic to potentially impact all the Internet-accessible services and resources.
  • Separate services and resources used by internal corporate users and applications so they are not impacted if an Internet-accessible service or resource is affected by a DDoS attack.

Baseline Traffic Profiles

  • Use flow telemetry technologies (such as NetFlow) to collect and perform a traffic profile baseline for business, user, application, and other types of network traffic.
  • Ensure that you understand what is considered a normal traffic profile baseline.
  • This normal traffic profile baseline will help detect anomalies and assist in determining which traffic may be malicious, if any, during an attack.
  • Understand the impact of an increased volume of traffic on affected services and resources.
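As an added example of the baseline approach in the list above (not Cisco's code or a NetFlow collector), the following Python builds a per-service packet-rate baseline from flow records and reports services whose current rate is far above it, as well as services that never appeared in the baseline at all. The record layout and the traffic numbers are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records, not real telemetry: (minute, proto, dport, packets).
# Sixty minutes of steady web and DNS traffic form the baseline period.
BASELINE_FLOWS = ([(m, 6, 80, 1000 + (m % 3) * 50) for m in range(60)]
                  + [(m, 17, 53, 200 + (m % 2) * 20) for m in range(60)])
# One later minute: web traffic roughly 40x normal, DNS unchanged, a port never seen before.
ATTACK_WINDOW = [(61, 6, 80, 45000), (61, 17, 53, 210), (61, 6, 443, 30)]

def rates_per_minute(flows):
    """Packets per minute for each (proto, dport) -> {(proto, dport): [pps, ...]}."""
    per_min = defaultdict(lambda: defaultdict(int))
    for minute, proto, dport, packets in flows:
        per_min[(proto, dport)][minute] += packets
    return {key: list(mins.values()) for key, mins in per_min.items()}

def build_baseline(flows):
    """Mean and population standard deviation of per-minute packets per service."""
    return {key: (mean(v), pstdev(v)) for key, v in rates_per_minute(flows).items()}

def detect_anomalies(baseline, window, sigma=3.0, min_factor=2.0):
    """Services whose current rate is both several sigma and a multiple above baseline.

    A service missing from the baseline is reported as 'unknown' so an operator
    can decide whether it is new legitimate traffic rather than silently ignoring it.
    """
    current = {k: mean(v) for k, v in rates_per_minute(window).items()}
    findings = {}
    for key, pps in current.items():
        if key not in baseline:
            findings[key] = ("unknown", pps)
            continue
        avg, sd = baseline[key]
        if pps > avg * min_factor and pps > avg + sigma * sd:
            findings[key] = ("anomalous", round(pps / avg, 1))
    return findings

if __name__ == "__main__":
    for service, verdict in detect_anomalies(build_baseline(BASELINE_FLOWS), ATTACK_WINDOW).items():
        print(service, verdict)
```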

On-Premise and Upstream Scrubbing Services

  • Use products or services that have the capability to scrub anomalous and malicious traffic both at the on-premise edge and upstream at the provider edge. Ensure that you have already used a flow telemetry technology to collect and perform a traffic profile baseline.
  • Validate and test traffic redirection to the upstream scrubbing service and ensure that Internet-accessible services and resources meet an acceptable performance baseline.

Device Capacity and Performance

  • Ensure you understand device capabilities and limitations based on the following and their impact to device operations:
    • Which features are enabled (for example, NetFlow, syslog, and BGP peering receiving 400K prefixes) on the device
    • Volume of traffic that is being switched or forwarded by the device
    • What technique or solution (for example, Remotely Triggered Black Hole Routing, Unicast Reverse Path Forwarding [understanding, enhancements]) is implemented on the device

Network operators are encouraged to work with their data providers or applicable Cisco products and services.

Cisco SIO has performed attack analysis and published a Cisco Applied Mitigation Bulletin, Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions, which provides details about countermeasures and controls that can be used to identify and detect the Attack Pattern Traffic Profiles listed in the preceding table.

Incident Handling and Response

Coordinate Internal Response Teams

  • Incident response teams should identify the specific applications being flooded and the protocols and ports used in the flood. Packet captures can be saved as evidence and used by vendors.

  • Gather a response team that can make operational decisions concerning the DDoS event. Keep the team as small as possible without excluding other organizations. Consider adding the following groups: management, information assurance, IT support, legal, and public affairs.

  • Avoid staff burnout. Consider shift rotations and meal delivery. Document details about the incident as they happen and share those details with new shifts.

Sharing Information with Third Parties

  • The incident response team should comply with organization policies and procedures about media interaction and information disclosure.

  • The FBI Cyber Crime unit investigates crimes of this nature in the United States. Outside the United States, the Forum of Incident Response and Security Teams can help with contacting the appropriate law enforcement organization.

  • The Financial Services Information Sharing and Analysis Center can help financial institutions coordinate a response and provide detailed information about previous attacks.

  • Coordinate with your Internet Service Provider to implement traffic controls, such as rate limiting, source blocking, and packet scrubbing.

  • Identify the owners of the attacking addresses. Incident handlers may want to alert the owners of the IP addresses exhibiting the malicious behavior, and ask them to collect evidence and mitigate the attacking device.

  • Contact vendors as needed by the support teams (see "Resources") to quantify the DDoS traffic, collect evidence, etc.

Lessons Learned

  • After the incident has passed, conduct a lessons learned meeting with the parties involved to discuss what happened and the subsequent response. What worked well? What inhibited the recovery? What can help prevent similar actions in the future? How will the next response be handled?

Resources

Huffington Post - Izz Ad-Din Al-Qassam Cyber Fighters Group Takes Break From Hacking Banks To Celebrate Eid Al-Adha Holiday
Remotely Triggered Black Hole Filtering
Internet Service Provider Security Best Practices
Creating a Computer Security Incident Response Team
Financial Services - Information Sharing and Analysis Center (FS-ISAC)
Updated NIST Guide is a How-To for Dealing With Computer Security Incidents
Cisco Internet Protocol Journal: Distributed Denial of Service Attacks
Pastebin: Bank of America and New York Stock Exchange under attack
Softpedia: Izz ad-Din al-Qassam Hackers Attack Wells Fargo Website
IT-Networks: Anonymous Hackers Helped Izz ad-Din al-Qassam
Dancho Danchev: DDoS Attacks Crowdsourced
Threatpost: Historic DDoS attacks against banks continue
SecurityNewsDaily: The Bank Cyberattacks: Is Your Money Safe?
Digital Dao: Fact-checking the Iranian DDoS Attacks Against US Banks
US-CERT: Alert (TA12-024A) "Anonymous" DDoS Activity
Cyber Warfare Intelligence: DDoS attacks, so simple so dangerous
Akamai: Information, not Hope is the key to Surviving DDoS
Arbor Networks: DDoS security Reports
Symantec: Community Behavior of Botnets
Cyberattacks on US banks resume, aiming to block their websites
Detecting and Analyzing Network Threats with NetFlow
RFC 1546: Host Anycasting Service
RFC 4786: Operation of Anycast Services
Packet Clearing House (PCH) Papers: Anycast
PCH Papers: Anycast Performance
PCH Papers: Anycast Services
PCH Papers: IPv4 Anycast
Arbor Networks: Pravail Availability Protection System (APS)
Prolexic Technologies: DoS and DDoS Protection
AT&T Internet Protect: Distributed Denial of Service Defense
Verizon: DoS Defense Services