What's Next for DDoS Attacks?Sizing Up Trends on Anniversary of al-Qassam's DDoS Strikes
Sept. 18 marks the one-year anniversary of Izz ad-Din al-Qassam Cyber Fighters' first announcement about distributed-denial-of-service attacks to be waged against the U.S. financial services industry (see Alert: Banks at High Risk of Attack).
See Also: The SOAR Buyer's Guide
This self-proclaimed hacktivist group, which U.S. government officials have suggested is being backed by the Iranian government, has for the last 12 months targeted the online banking platforms of nearly every top 100 U.S. banking institution. The group has claimed it's attacking U.S. banks because of outrage over a YouTube movie trailer deemed offensive to Muslims.
The group's attacks against banks for the last several months have been unsuccessful at taking sites down. And its Phase 4 campaign is in a lull. Still, experts caution banking institutions against letting their guards down. And they warn that the government, media, healthcare and energy sectors could be among the next targets. That's because banking institutions have enhanced their defenses, so other sectors are easier targets.
Some experts, including McAfee Labs and Arbor Networks, expect that al-Qassam could join forces with the Syrian Electronic Army, a collective of attackers that supports Syrian President Bashar al-Assad, to attack a variety of U.S. websites. Experts urge organizations to update their DDoS defenses.
Botnet Remains Strong
Scott Hammack CEO of DDoS-mitigation provider Prolexic, says that despite the recent lull in al-Qassam's attacks, there's no indication that the group's botnet, known as Brobot, is waning."We have validated thousands of infected web servers that can potentially participate in future campaigns. We still don't see the scale of the attacks we saw five months ago, but we are definitely seeing a lot of probing," he says, which suggests more attacks are on the way.
DDoS attacks over the last five months have not been as large, but that should not be misinterpreted to mean Brobot has been retired, Hammack says. "Maybe Iran, with their new leaders, are saying 'Cool off a little bit.' But the gun is still loaded. They still have the arsenal at their disposal; they just haven't fired it in a while."
If al-Qassam were to unite with other cybergroups, such as the Syrian Electronic Army, it could mark a new era of cyberwarfare against the U.S., experts say.
"We have to realize this is cyberterrorism," says Ashley Stephenson, CEO of Corero Network Security. "The disruption, the publicity, the nuisance, the investment these banks have to make ... the success of terrorism is not just the act itself, but the amount it costs the victims [for defenses]," he says.
Banking institutions and those in other sectors have to continually enhance and update their DDoS defenses, he says, "so that no one needs to panic on the day of an attack" (see Lessons Learned From Bank DDoS Attacks).
al-Qassam's attacks have served as a training ground for other attackers, says Dan Holden of DDoS-mitigation firm Arbor Networks.
"In terms of DDoS in general, we will see more DNS amplification attacks. It's not that difficult," he says.
A DNS amplification attack relies on a much larger list of DNS servers to amplify the attack. "The attackers are going to have to get better and bigger to take anyone down," Holden says.
That's because DDoS defenses have improved across the board, although some industries, such as banking, are further along in their mitigation strategies than others, Holden explains.
The real question about al-Qassam's future is not how its attacks might be waged, but rather who will be the target, he says.
Holden says he doesn't see the attacks themselves changing; but the targets will change. "I would be surprised if they continue attacking the banks," he says. "At this point, what is the point? Something's got to change."
Because the Syrian Electronic Army and al-Qassam both have waged DDoS attacks to gain attention for their social and political causes, some experts expect them to join forces.
While al-Qassam has focused on banks, the SEA's primary targets have been media and government sites, according to McAfee Labs.
Now, DDoS experts, including McAfee Labs, argue both groups have similar interests in taking down U.S. sites, and by joining forces, they could use Brobot for a renewed purpose.
One industry expert, who asked not to be named, says the distinction between the SEA and al-Qassam has increasingly blurred.
"Isn't the Syrian Army likely the same guys as al-Qassam? And if you look at the geopolitical stuff, the two align," this expert says. "They're holding off attacks because they're waiting to see what happens with Syria, frankly. And the banks are defending well, so they will move on to a new target. Besides, using the movie as an excuse for attacks is not effective or really being believed anymore."
"The Syrian Electronic Army has said quite clearly that if the U.S. does anything [as far as military strikes] they are coming after us," Arbor Networks' Holden says. "And if there is any sympathy for that, it's a great excuse for QCF [al-Qassam Cyber Fighters] to repurpose and retool their botnet for something else. They could jump onboard there. This is the perfect excuse to change the story about attacking because of the video. This is the perfect cover."
If forces do unite, Holden says other critical infrastructure sectors, beyond banking, will likely be targeted, possibly defense contractors, rather than government itself.
"I don't foresee government being a target, but, instead, a weaker vertical," Holden says. "If anything government-focused were to be attacked, I would think it would be government contractors that would be somehow associated with Syria."
Holden says e-commerce sites also could be prime targets. "[Those sites] are obviously related to capitalism, like the banks, and the money lost would be huge," he says. "The impact would be very real, given how much commerce occurs over the Internet."
Media sites could be another target, Holden says.
Because of ongoing DDoS threats, more regulatory and legislative oversight related to how critical infrastructure industries address DDoS risks is likely on the way, says Corero's Stephenson.
"The attacks have heightened the need for guidance or legislation, whether that's from the SEC [Securities and Exchange Commission] or an international agency like the European Commission," he says. The need for more regulation and cross-industry collaboration has been highlighted by al-Qassam's attacks, Stephenson adds.
DDoS attacks have become a part of everyday business, and all sectors should be sharing threat intelligence, Stephenson says (see Banks' Leadership in DDoS Fight).
"One of the things I took away from this last year is that the banks really have learned a lot," he says. "This type of cyberthreat is now business as usual. This is going to be a continuous threat and an ongoing risk of doing business online, and I don't think we're going to win here by keeping attack information secret."
The more organizations disclose about the attacks they suffer, the stronger defenses can be built, Stephenson says. "That's where the vendors come in," he says. "When they have an attack that is defeated, they can put the information together and pass that on to the authorities. A year ago, that wasn't happening like it is today," and there's always room for improvement.