High-Bandwidth DDoS Attacks as Much About Cyber-Crime as 'Hacktivism'

Criminals looking to extort money from financial institutions continue to hit firms. Even the "hacktivists" have questionable motives, say security firms.

In late 2011, trading services firm Henyep Capital Markets came under a distributed denial-of-service (DDoS) attack that disrupted many of the company's service portals. With the attack came a demand for ransom.

The flood of packets that hit the company's trading services topped 35M bps, combining a variety of network traffic types and focusing on both overwhelming the network and overtaxing the firm's application servers.

Rather than acquiesce to the criminals' demands, Henyep hired a mitigation firm and blunted the attack, according to an account of the attacks, which defensive firm Prolexic made public Jan 24.

"Financial services companies like Henyep, and their mission-critical online services continues to be a favorite target of DDoS attackers," Prolexic CEO Stuart Scholly said in a statement.

More than a year later, attacks have topped an average 1G bps, many with peak bandwidths of 50G bps. While news reports have focused on the operations that appear to come from claimed "hacktivists" known as the Izz ad-Din al-Qassam Cyber Fighters, security firms stress that a large number of denial-of-service attacks continue to be criminal, not political.

A Web server used in attacks against a financial institution, for example, was also used in criminal attacks against an e-commerce server, according to an analysis by Web security firm Incapsula. Prolexic saw the same Web-server botnet that leveled multi-gigabit-per-second attacks against banks, hit e-commerce and software as a service (SaaS) firms the next day, according to its recent fourth-quarter attack report.

Even the claimed hacktivist attacks are likely nothing of the sort. Despite the assertions of the Cyber Fighters, their attacks do not fit the profile of past hacktivist attacks, according to a state of the Internet report from the 2012 third quarter from content-distribution network Akamai.

"While the attackers claimed to be hacktivists protesting a movie, the attack traffic seen by Akamai is inconsistent with this claim," the company stated. "The amount of attack traffic that was seen during these attacks was roughly 60 times larger than the greatest amount of traffic that Akamai had previously seen from other activist-related attacks."

Yet, no matter the reasons for the attacks, the biggest change is that the al-Qassam Cyber Fighters (QCF) are a persistent threat, says Martin McKeay, security evangelist for Akamai.

"QCF is the single biggest security concern that we have had in a long time," he said, "because it shows a very distinct change from patterns that other attackers had before."

Rather than attack targets of opportunity and move on if the victims prove difficult to crack, the Cyber Fighters keep focusing on their victims until they affect their operations, he said. The run-of-the-mill opportunistic hackers will move on to other potential victims, if their current target proves too difficult.

The attackers have continued to keep up the pressure on Henyep, according to Prolexic, with the last attempt to flood the trading service's sites in October.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...