How to clean up an attack like Wells Fargo

In late March, news broke that Wells Fargo’s consumer facing website had gone offline due to a distributed denial of service (DDoS) attack. News outlets reported that the attack was conducted by hacktivist group Izz ad-Din al-Qassam Cyber Fighters. The group performed these attacks because they were upset about an anti-Islamic YouTube video. The group also claims that they’ll be performing these types of attacks to other banks such as Chase, Citibank, and SunTrust in the future if the video is not taken down. James Dohnert of V3.co.uk writes in more detail about the attack here.

Organizations both big and small have suffered from DDoS attacks in the last few months. Although DDoS are pretty “old school,” they remain highly effective in bringing down websites and web-based applications. The methods behind these attacks have become more sophisticated, with much greater horsepower behind the attacks, and much more obfuscation as to the sources. But network monitoring and analysis are also rapidly improving, offering new strategies to both protect your network and clean up your network if an incident occurs. Below we detail how you can be both proactive in protection and also reactive if you fall victim.

How to Protect Yourself
DDoS attacks are designed to block network access for legitimate users. These attacks create extremely large volumes of useless traffic, causing various network resources to become saturated thereby blocking access for users and customers. The attacks predecessor, Denial of Service (DoS) attacks, affected servers by using up resources signaling the start of a conversation with no intention to converse. To mitigate these attacks, you could use ACLs (access control lists) or firewall rules to keep the attack traffic from reaching the server. But with DDoS attacks, the first “D,” or the distributed nature of the attack, makes blocking offending traffic extremely difficult, and it broadens the scale of the attack from a few machines to a widespread attack from machines worldwide that have been infected by bots.

With today’s DDoS attacks it really comes down to network protection. It is therefore very important to:

  • Use network analysis tools to capture all the data in one place, although attacks come from a large number of IP addresses, these attacks are fairly homogenous in the IP layer. If you can find a common behavior at the packet level then you can filter out this traffic.
  • Set up alerts to isolate questionable behavior. If you are experiencing a request that requires more data than normal, or the number of users accessing your website suddenly spikes, it might be the beginning of a DDoS attack.

How to Clean-Up the Mess
Having a network recorder with network forensics in place is key to helping you clean up your system. Network forensics is the process of capturing and storing data packet-level network data 24X7 for analysis if a problem occurs. This process gives you a complete picture of the problem and allows you to gain crucial information, including exactly where, and how, the attack was orchestrated. Armed with this knowledge, you can build new rules for intrusion detection and prevention systems (IDS/IPS), or new alarms for the network monitoring and analysis solution, so you’ll be notified at the first sign of a renewed attack. If you are interested in learning more about network forensics, check out this Rich Report podcast featuring Jay Botelho, Director of Product Management at WildPackets, here.

DDoS attacks are on the rise and even large banks like Wells Fargo have trouble protecting themselves and reacting to these attacks. To help mitigate some of the headaches, have a game plan in place both for proactively stopping these attacks and cleaning up after these attacks if you are targeted.

Leave a Reply