If you don’t live in the Netherlands or don’t happen to have a Dutch bank account, you can certainly be forgiven for not having caught wind of the major banking woes that have been plaguing the Dutch. For weeks now, massive DDoS attacks (linked article in Dutch) have brought low the online services of several banks, interrupting mobile payments and slowing down overall online financial traffic. At the center of the digital storms is ING, which was hit first (Dutch) and is hit the most often (Dutch), but Rabobank, ABN AMRO and SNS Bank are also frequent targets. Dutch online payment system iDeal has also been attacked several times, impacting virtually all Dutch banks as well as the many online retailers that use it.
What the goal behind this wave of DDoS attacks is, is as yet unknown, but there are several possible motives at play. It could be simple vandalism, a rather hefty attempt at misdirection to cover up real hacking attempts, or it could have something to do with ING and ABN AMRO being implicated or involved with investigations into tax evasion through offshore banking by the ICIJ. The latter seems unlikely, as most of the DDoS traffic appears to be coming from Romania (according to hackers collective HacksIn – I had a link about that, but lost it somehow) and no motive has made itself known thus far. It was a matter of time until Anonymous came along to jump on the bandwagon, and indeed its Dutch chapter appears to have done so this week when someone posing as Anonymous posted a message on Pastebin. In it, they claim to know who is behind the DDoS attacks (a group of Muslim extremists called Izz al-Din al Qassam Cyber Fighters), and that the Dutch people should go out and collect their money from these banks because it is not safe there.
There are, however, some issues with this post on Pastebin. Firstly, the group they blame for the DDoS attacks is in fact the group responsible for attacks on US BANKS, and there is no discernible link between the US banks being hit or the Dutch banks currently under attack. The motive for the attack against US banks seems clear: Izz al-Din al Qassam demands the removal of the movie “Innocence of Muslims” from Youtube. Once the movie is removed the attacks will stop, they claim. To my knowledge, no such demands have been made here in the Netherlands.
The second issue is that the advice posed by Anonymous would, in fact, immediately collapse the Dutch financial market, as no Dutch bank is currently strong enough to survive such a proposed bank run. They simply don’t have sufficient cash in their vaults. In other words: this is a really bad idea.
So what now?
For starters, ING should hire someone who knows how to communicate during a crisis. Its obvious that they suck at it. They’ve finally stepped off their “Silence, Evade, Deny” strategy but its taken a while. All major companies should look into this, because they may very well be next. Second, major companies with a serious online presence should really start taking this stuff seriously. DDoS attacks are hardly new material to deal with, and proper impact negation tactics have been around for a while. If your income is dependant on online services and this income is significant, get a real ISP that understands this and has expertise in countering such digital vandalism such as Arbor Networks or Prolexic.
The bad news is that according to a recent Prolexic report, DDoS attacks are getting increasingly stronger. They have seen the first 130GB/s DDoS attack this year, and during the first quarter of this year the average attack bandwidth was 48.25GB/s, which signifies a whopping 718% increase over last year. The increase seems to come from a change of victims in the botnets (Dutch) they use. Apparently, they are now targeting web servers especially for their higher bandwidth capacity, which in turn increases overall attack bandwidth. On top of that, the DDoS attack seems to have regained its popularity because the targetlist is growing. Airlines such as KLM (Dutch) and Dutch authentication firm DigID (Dutch) have also recently been hit with massive attacks. In an effort to stave off this wave of disruptions, the Dutch National Cyber Security Center has been organising collective defense (Dutch) between Dutch banks, but it seems they may have to include firms from other walks of life as well. I think we can safely conclude that this avenue of attack is still very worthwhile and won’t be going away anytime soon.
In fact, things may get a lot worse if this newly discovered DDoS technique gets incorporated. Apparently Incapsula mitigated a small attack of 4GB/s recently, and they traced it back to a single source. Generating 8 million DNS queries per second, causing ALL of the 4 GB/s traffic by its lonesome, certainly qualifies it to be called a DDoS Cannon instead of a lowly bot. I don’t know if it is technically feasible, but imagine 100K+ systems doing this.
Wrapping up this piece, I would like to ask mainstream news reporters to please start learning some basic truths about information security. Stop referring to DDos attacks as “(sophisticated) cyber attacks”. They’re not. A DDoS attack is annoying, yes. But on the scale of sophistication they rate roughly as digital graffiti. Also, some major outages are caused by stupidity from the victim rather than an outside source. At least ONE major outage on april 4th of this year at ING was caused by someone messing up certain files that had to be read into a system. This caused a major outage and customers seeing the wrong amount on their bank accounts. This incident was also the most significant failure of ING’s webcare / crisis communication because they didn’t do anything until the problem was almost fixed (many hours later). Still, mainstream media fed the panic frenzy that it was an external “sophisticated cyber attack” until the absolute very end. Very poor reporting if you ask me. Proper reporting matters because your news is read by people who take it for immediate truth. You can, and do, cause panic and unrest when you blow things out of proportion, so please stop doing so. Thank you.