DDoS Attacks on Financial Institutions
Presentation by: Chandler Strouse
What is DDoS?
- DDoS stands for Distributed Denial of Service
- Attempts to make an online service unavailable by overwhelming it with traffic
- Different types of attacks:
  - Volumetric
  - Protocol (state-exhaustion)
  - Application-layer
Volumetric Attack
- Most common form of DDoS
- Floods the network layer with traffic that appears legitimate
- Examples of volumetric attacks:
  - UDP Flood
  - ICMP (Ping) Flood
Volumetric Attack: UDP Flood
- Floods random ports on a remote host with a huge number of UDP packets
- Causes the host to constantly check for an application listening on each port
- When no application is found, the host replies with an ICMP "Destination Unreachable" packet
Volumetric Attack: ICMP (Ping) Flood
- Similar to a UDP Flood
- Sends vast numbers of ping packets without waiting for replies
- Host attempts to respond to every ping, consuming both incoming and outgoing bandwidth
Protocol Attack
- Also called state exhaustion; targets connection state tables in firewalls, application servers, etc.
- Consumes server resources and works to exhaust the limited number of concurrent connections a device can support
- Examples of protocol attacks:
  - Ping of Death
  - SYN Flood
Protocol Attack: Ping of Death
- Fragments an oversized ping packet and sends the fragments to the server as fast as possible
- Target reassembles the packet, overflowing its buffer
- Target tries to respond to the ping packet and crashes
Protocol Attack: SYN Flood
- Exploits a weakness in TCP connection setup
- TCP uses a three-way handshake: the requester sends SYN, the host replies SYN-ACK, the requester sends ACK
- A SYN Flood sends many connection requests but never answers the host's SYN-ACKs
- Host system waits for the final ACK, tying up resources and blocking legitimate traffic
Application-Layer Attack
- Targets weaknesses in an application or server
- Attempts to monopolize its processes and transactions
- Hardest to detect: mimics human behavior
- Can originate from a single machine, generating less traffic
- Examples of application-layer attacks:
  - HTTP Flood
  - Slowloris
Application-Layer Attack: HTTP Flood
- Sends seemingly harmless HTTP GET or HTTP POST requests to the application
- Huge volumes of requests are sent, and as the application responds to each one, resources are consumed
- Ideally (from the attacker's point of view), the application is manipulated into using the maximum possible resources to respond to each request
Application-Layer Attack: Slowloris
- Attacker sends a partial request to the target; the request is never completed and the false connection is kept open
- Eventually the maximum concurrent connection limit is reached
- Effective because partial packets are used rather than malformed packets, making it harder to detect
- Can prevent creation of log files
Botnets
- DDoS attacks are more effective with more computers
- Botnets are interconnected networks of infected computers
- Can be used to send spam emails, transmit viruses, or join in DDoS attacks
- Can range in size from a couple of computers to hundreds of thousands
Why Do People Use DDoS Attacks?
- Most common reason is money
  - Extortion
  - Heist (Bank of the West)
  - Sabotage of rival competitors
- Also used as a form of protest
  - Anonymous: CIA, Vatican, ISIS
Why Are Financial Institutions Targeted?
- They control large amounts of money
- Large user base
- Support the entire economy; other companies rely on them
Why Are DDoS Attacks So Common?
- Number and severity of DDoS attacks have been constantly rising over the past couple of years
- Availability of powerful, free tools requiring minimal computer knowledge (e.g. HOIC)
- Relative cheapness of botnets
DDoS Defense?
- Impossible to prevent DDoS attacks; the goal is to mitigate their effects
- Increase the capabilities of the system, e.g. more server processing power
- ISPs can provide "burst" bandwidth
- Configure the router or switch to filter nonessential protocols and stop invalid IPs
DDoS Response Plan
- Three phases: preparation, during attack, post-attack
- Preparation
  - Create a team
  - Define roles for each team member during an attack
  - Assess risks and vulnerabilities that could be exploited
- During attack
  - Analyze the network to differentiate DDoS traffic from real users
  - Respond to the attack by configuring filters to discard incoming packets or to avoid sending unnecessary response packets
- Post-attack
  - Analyze damages
  - Adapt the plan to better deal with the next attack
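The SYN Flood slide and the "differentiate DDoS traffic from real users" step above, as an added example that is not part of the presentation: a small Python half-open-connection tracker, of the kind a server-side sensor would run, that flags sources which open many TCP connections but never finish the handshake. The packet trace, the IP addresses and the thresholds are constructed assumptions.

```python
"""Half-open TCP connection tracking to spot SYN-flood behaviour.

Added example, not from the presentation. The input is a constructed trace
of client-to-server packets as a server-side sensor would see them: a SYN
opens a connection slot, and the client's ACK on that slot completes the
handshake. Anything still pending at the end is half-open.
"""
from collections import defaultdict

# Constructed trace: (time_s, client_ip, client_port, tcp_flags)
# 192.0.2.10 is a legitimate client that completes every handshake;
# 198.51.100.7 sends 40 SYNs and never answers the server's SYN-ACKs.
TRACE = [(0.0, "192.0.2.10", 40000 + i, "S") for i in range(3)]
TRACE += [(0.2, "192.0.2.10", 40000 + i, "A") for i in range(3)]
TRACE += [(0.5 + i * 0.01, "198.51.100.7", 1024 + i, "S") for i in range(40)]
TRACE += [(1.0, "192.0.2.10", 40003, "S"), (1.1, "192.0.2.10", 40003, "A")]


def track_half_open(trace):
    """Return {client_ip: (syns_seen, still_half_open)} for the trace."""
    pending = {}                       # (ip, port) -> timestamp of the SYN
    syns = defaultdict(int)
    for ts, ip, port, flags in sorted(trace):
        if flags == "S":
            pending[(ip, port)] = ts   # a retransmitted SYN just refreshes the slot
            syns[ip] += 1
        elif flags == "A" and (ip, port) in pending:
            del pending[(ip, port)]    # handshake completed, slot no longer half-open
    half_open = defaultdict(int)
    for ip, _ in pending:
        half_open[ip] += 1
    return {ip: (syns[ip], half_open[ip]) for ip in syns}


def flag_syn_flooders(trace, min_syns=20, max_completion=0.2):
    """Sources that opened at least min_syns connections and completed
    no more than max_completion of them (thresholds are assumptions)."""
    flagged = []
    for ip, (count, half_open) in track_half_open(trace).items():
        completion = 1 - half_open / count
        if count >= min_syns and completion <= max_completion:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, (count, half_open) in track_half_open(TRACE).items():
        print(f"{ip}: {count} SYNs, {half_open} half-open")
    print("flagged:", flag_syn_flooders(TRACE))
```

A legitimate client that loses a few packets will show a small number of half-open slots, so the completion ratio, not the raw half-open count, is what separates it from a flooder.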
Conclusion
- DDoS attacks are becoming more common and more severe
- Must prepare for attacks: have a response plan
- Many reasons for attacks, but money is the most common
- Because of this, financial institutions must take extra precautions to prepare for inevitable attacks