Not available. Why isn’t that considered a problem?
It would have been incredibly hard not to hear something this week about the ongoing DDoS attacks against banks. Many of the statements, both this week and in previous weeks, have been consistent: a Distributed Denial of Service doesn't mean that customer data is at risk, and banks should do a better job explaining this to customers. For me, these sound bites somewhat miss the point. The security triad is Confidentiality, Integrity and Availability, and the whole point of a Distributed Denial of Service (DDoS) is to remove Availability.
In an era where online banking and bill pay have become more prevalent, this actually does have the potential to cause real harm to customers. The standard set of attributes for information security is Confidentiality, Integrity and Availability; for the last of these I'll use the SANS Glossary definition:
Availability is the need to ensure that the business purpose of the system can be met and that it is accessible to those who need to use it.
If you need to pay your monthly housing bill and can't access your online payment system, it could be a problem. Sure, if you're old school enough, you have physical paper checks lying around so you could make one of those out, or you could actually go to a branch and get a money order or banker's check; but if you're young enough you may not actually know these things, and if you're older, you may not have the time without failing your other commitments. Regardless, your preferred method of interacting with your money is unavailable.
Solving an availability problem isn't easy, however. If the attacker isn't obliging enough to send all the requests from the same IP, block of IPs, or domain(s), how do you filter legitimate requests from bad ones? It's like trying to make out the few sane voices in a screaming mob. The alternative is usually to have enough spare capacity that you can absorb all the requests; but this particular DDoS apparently carries so much traffic that it isn't feasible simply to provision for and pass all that additional traffic.
Typical recommendations about Denial of Service or Distributed DoS attacks tend to focus on filtering out the "easy" attacks, hardening the system, building fault tolerance into your configurations, and planning for more capacity through hot spares or alternate systems. The volume and sophistication of the current attacks seem to be effective against all of these, based on their success in the banking sector, which also had warning this was coming.
Once we accept that the existing guidance doesn't appear to be sufficient, that still leaves a real problem: this attack is surfacing some real technical problems that can't easily be solved today. Maybe this is an argument for whitelisting: if banks accepted traffic only from validated sources, it would be a lot harder to generate this kind of extreme-scale DDoS traffic on the second half of the connection (although the attacker can still force all the connection-initiation work). Or maybe better multi-factor authentication, where all inbound traffic is ignored until a second factor (something you are, have or know) is presented. Maybe organizations in a targeted vertical should be able to share whatever instant-on redundancy and fail-over capacity they have. Or maybe, as with so many security problems, defense in depth means starting to use all three in some way. Either way, this is a conversation that would be good to have in the public eye: how we, as customers, can have more availability of our necessary resources, and what additional responsibilities we and the banks have to enable that.
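To make the two points above concrete (why per-source filtering only works against an "obliging" attacker, and what whitelisting does and doesn't buy you), here is a small simulation I've added; it is not code from the original post or from any bank. It runs a constructed request stream, twenty customers in an assumed validated range of 10.0.0.0/24 plus an attack, through two filters: a per-source sliding-window rate limiter and a source allowlist. The attacker addresses, the customer range, the request counts and the limits are all made up for the example.

```python
"""Per-source rate limiting versus a source allowlist, simulated over a
constructed request stream.  Added example, not from the original post."""
from collections import defaultdict, deque
import ipaddress

# Constructed traffic parameters (not real addresses or real customers).
SINGLE_ATTACKER = "203.0.113.7"
BOTNET = [str(ipaddress.IPv4Address("203.0.113.0") + i) for i in range(1000)]
CUSTOMER_RANGE = ["10.0.0.0/24"]          # assumed "validated" customer block


class PerSourceLimiter:
    """Allow at most `limit` requests per source IP in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)      # ip -> timestamps of allowed requests

    def allow(self, ip, now):
        q = self.seen[ip]
        while q and q[0] <= now - self.window:   # expire old entries
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return True
        return False


class Allowlist:
    """Accept a request only if its source is inside a validated network."""

    def __init__(self, networks):
        self.nets = [ipaddress.ip_network(n) for n in networks]

    def allow(self, ip, now):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)


def constructed_traffic(attacker_ips, per_attacker, duration=10.0):
    """Build (timestamp, ip, legit) tuples: 20 customers sending 5 requests
    each over 10 seconds, plus `per_attacker` requests from every attacker
    IP spread evenly over the same period.  Entirely synthetic."""
    reqs = [(k * 2.0, f"10.0.0.{i}", True) for i in range(1, 21) for k in range(5)]
    total = len(attacker_ips) * per_attacker
    for j in range(total):
        reqs.append((j * duration / total, attacker_ips[j % len(attacker_ips)], False))
    reqs.sort(key=lambda r: r[0])
    return reqs


def run(filter_, requests):
    """Return (legitimate requests served, attack requests that got through)."""
    served = passed = 0
    for ts, ip, legit in requests:
        if filter_.allow(ip, ts):
            if legit:
                served += 1
            else:
                passed += 1
    return served, passed


def compare():
    """Run both filters against a single-source flood and a distributed one."""
    single = constructed_traffic([SINGLE_ATTACKER], 1000)   # 1000 requests, 1 IP
    distributed = constructed_traffic(BOTNET, 1)            # 1000 IPs, 1 request each
    return {
        "limiter/single": run(PerSourceLimiter(10, 10.0), single),
        "limiter/distributed": run(PerSourceLimiter(10, 10.0), distributed),
        "allowlist/single": run(Allowlist(CUSTOMER_RANGE), single),
        "allowlist/distributed": run(Allowlist(CUSTOMER_RANGE), distributed),
    }


if __name__ == "__main__":
    for name, (served, passed) in compare().items():
        print(f"{name:24s} customers served={served:4d} attack passed={passed:4d}")
```

The limiter serves all 100 customer requests in both runs, but it only helps against the single-source flood (10 of 1,000 attack requests get through); against the 1,000-bot version every attack request passes, because each bot stays under the per-source limit. The allowlist blocks both floods outright, and that is the caveat: it only works here because the bots were constructed to sit outside the validated range. For a bank whose customers connect from dynamic consumer addresses, building and maintaining that range is the hard part, and the check still runs after the packet has reached you, so the connection-initiation work the post mentions is not avoided.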
Image courtesy of Abode of Chaos