Capital One and SunTrust came under attack this week using denial-of-service techniques that are evading defenses meant to blunt such attacks.
Capitol One and SunTrust Banks have become the latest targets of hackers who have leveled attacks at U.S. financial institutions in alleged retaliation for the posting of a movie on YouTube that has offended some Muslims.
On Oct. 8, a group calling itself the Izz ad-Din al-Qassam Cyber Fighters posted a message on Pastebin stating that Capital One, SunTrust Banks and Regions Financial would each suffer an eight-hour attack starting with Capital One the next day. Even with the advanced warning, the financial institutions suffered outages, with Capital One's site frequently inaccessible during the eight-hour period.
"Some Capital One customers experienced intermittent online access due to a large volume of traffic going to the Website and servers," the bank said in a statement posted to its Web site. "Other banks have experienced similar issues in recent weeks due to targeted efforts designed to flood online systems, also known as a distributed denial-of-service attack."
On Oct. 10, SunTrust Banks suffered some performance issues, as did Regions Financial the next day, according to media reports.
The attacks are the latest data floods in a campaign that started in mid-September. Under the name "Operation Ababil," a group of alleged Iranian protestors called for supporters to attack the Bank of America, JPMorgan, Citigroup and Wells Fargo.
Yet the crowd-sourced hacktivism effort caused little damage. Instead, a second attack coming from hundreds—or at most, thousands—of compromised servers made up the most effective part of the data flood. Using compromised servers and customized malware, the attackers have hit targeted sites with between 70G bps and 100G bps of peak traffic, according to experts.
The attacks—launched from servers used to publish corporate Websites and blogs but running vulnerable content management software—sent packets of data crafted to evade typical defenses, even those specifically designed to curtail denial-of-service (DoS) attacks.
"They had far fewer machines involved and with much larger bandwidth," Dan Holden, director of security for network-protection firm Arbor Networks, said of the earlier attacks. "These are Web or hosting servers that have been compromised and are obviously poorly administered."
Typical defenses against distributed denial-of-service attacks attempt to minimize the impact of an attack by intercepting the request as far away from the target Website as possible. By blocking attacks in other networks, the customer is not impacted by a massive influx of data.
However, the latest attacks are using evasion techniques to get around standard denial-of-service defenses, said Phil Lerner, vice president of technology at security firm Stonesoft. By crafting the data to look like valid encrypted Web requests, the network packets are allowed to get through to the customers' own computers to decipher the information. Even if that system blocks the request as invalid, the avalanche of data buries the computer, which can't keep up.
"DDoS [distributed denial-of-service] mitigation is not a cure-all," Learner said. "You don't have enough protocol decoding capabilities, and you are only doing partial defenses, or none at all, on the evasion detection."
Companies need to adopt security defenses that handle such evasion techniques, he said. In July, a researcher at cloud-security firm Qualys demonstrated that evasion techniques can cause problems for Web application firewalls (WAFs) as well. A variety of tricks, sometimes just adding a single character, could bypass the security offered by WAFs, according to the research.