Protecting Financial Institutions from Distributed Denial of Service Attacks

By Spencer Young, regional vice president of EMEA at Imperva 

Distributed-Denial-of-Service (DDoS) attacks are a primary concern for many businesses and have recently been responsible for taking some of the most security-savvy organisations offline and therefore unable to conduct operations.

In February, attackers used DDoS as their weapon-of-choice to launch attacks on a number of Dutch banks and government agencies, and only a month later GitHub was brought to its knees after cybercriminals launched the world’s largest DDoS attack on its website.

DDoS attacks are powerful, and they continue to be a major threat to businesses and administrative agencies across the internet. However, for financial institutions, the need to protect themselves from the security issues present in DDoS attacks is a critical business requirement.Financial services organisations are a key target for DDoS attacks and in Q4 2017, financial services took the fourth spot on the list of most attacked industries according to the number of targets.

Targeted and botnet attacks cause slow website response times and prevent customers from accessing their online banking and trading websites. The attacks also serve as a diversionary tactic by criminals looking for ways to compromise sensitive data, commit fraud and steal private and financial data.

Even though the threat of DDoS attacks on websites and network server resources persists, there are a number of ways that financial institutions can block and mitigate these attacks.

Over-provision bandwidth to absorb DDoS bandwidth peaks 

Over-provisioning bandwidth is one of the most common measures to alleviate DDoS attacks, but it is also probably the most expensive, especially since DDoS attack traffic can be much greater than standard Internet traffic levels. An alternative to overprovisioning Internet bandwidth is to use a security service that is designed not only to absorb and filter DDoS traffic but also to stop massive attacks without burdening businesses’ Internet connections.

Monitor application and network traffic 

The best way to detect an attack is by monitoring application and network traffic. Then, you can determine if poor application performance is due to service provider outages or a DDoS attack. Monitoring traffic also allows organizations to differentiate legitimate traffic from attacks. Ideally, security administrators should review traffic levels, application performance, anomalous behaviour, protocol violations, and web server error codes. Since DDoS attacks are almost always executed by botnets, application tools should be able to differentiate between legitimate users and bot traffic. Monitoring application and network traffic provides IT security administrators with instant visibility into DDoS attack status.

Detect and Stop Malicious Users

There are two primary methods to identify DDoS attack traffic: identify malicious users and identify malicious requests. For application DDoS traffic, often identifying malicious users can be the most effective way to mitigate attacks. Malicious users can be detected using the following measures:

  • Recognize known attack sources, such as malicious IP addresses that are actively attacking other sites and identifying anonymous proxies and TOR networks: Known attack sources account for a large percentage of all DDoS attacks. However, because malicious sources constantly change, organizations should have an up-to-date list of active attack sources.
  • Identify known bot agents: DDoS attacks are almost always performed by an automated client. Many of these clients or bot agents have unique characteristics that differentiate them from regular web browser agents. Tools that recognize bot agents can immediately stop many types of DDoS sources.
  • Perform validation tests to determine whether the web visitor is a human or a bot: For example, if the visitor’s browser can accept cookies, perform JavaScript calculations or understand HTTP redirects, then it is most likely a real browser and not a bot script.
  • Restrict access by geographic location: For some DDoS attacks, the majority of attack traffic may originate from one country or a specific region of the world. Blocking requests from undesirable countries can be a simple way to stop the vast majority of DDoS attack traffic.

Detect and Stop Malicious Requests 

Because application DDoS attacks mimic regular web application traffic, they can be difficult to detect through typical network DDoS techniques. However, using a combination of application-level controls and anomaly detection, organizations can identify and stop malicious traffic. Measures include:

  • Detect an excessive number of requests from a single source or user session: Automated attack sources almost always request web pages more rapidly than legitimate users.
  • Prevent known network and application level DDoS attacks: Many types of DDoS attacks rely on simple network techniques like fragmented packets, spoofing, or not completing TCP handshakes. More advanced attacks, typically application-level attacks, attempt to overwhelm server resources. These attacks can be detected through unusual user activity and known application attack signatures.
  • Distinguish the attributes, and the aftermath, of a malicious request: Some DDoS attacks can be detected through known attack patterns or signatures. The HTTP requests for many DDoS attacks do not conform to HTTP protocol standards. The Slowloris attack, for example, includes redundant HTTP headers. In addition, DDoS clients may request web pages that do not exist. Attacks may also generate web server errors or slow web server response time.

DDoS attacks pose a significant threat to financial organisations; however, there are ways to minimise and mitigate the risk. By following the above steps, organisations will find it easier to identify legitimate DDoS attacks and stop them before any real damage is done.