So, a week ago, on May 6th 2013, the world came to an end! Anonymous attacked us left and right, and everything came to a screeching halt because internet connections were lost! Or not!
CUNA and many other agencies, and all the F.I. auditors I know, felt compelled to warn everybody that Anonymous was about to attack them, causing panic and gaining nothing positive. Now that we know none of this actually happened, we can state with more force what I told all my CU customers who were panicking and asking us what we could do to protect them.
A DDoS attack on a CU is indeed possible; a DDoS attack on a small F.I. from Anonymous, highly unlikely. Why? Because Anonymous seeks notoriety, and attacking a $500M CU isn’t going to gain them any notice, let alone the media ink they crave. Their targets are big targets: US government interests, large banks, infrastructure. They seek to be noticed; who would notice them if they attacked a small CU in rural Texas with 40 employees and 200 million dollars in assets? It might make the local news, but that’s just about it. So, worry not – Anonymous is not after you, unless you’re Bank of America, Chase or the likes.
In fact, Anonymous didn’t even need to unleash the threatened attack; the sheer fact that they said it created widespread panic causing them to be all over the news within hours; they did nothing yet got into the news. An attack of the size they were threatening takes resources, lots of resources. You don’t just press a button and take down half the US internet infrastructure; we aren’t really _that_ vulnerable. I mean, we are vulnerable, if taken one site at a time. But to attack that many sites all at once requires resources of such magnitude that even Anonymous may not be able to harvest them.
Nevertheless, a DDoS attack on your CU is still possible for other reasons and from other sources. As we’ve seen in a previous article I wrote on this journal, it’s possible to rent a network of bots for as little as $1000, and use it for 24 hours to do whatever one seeks to do, including unleashing a DDoS attack against a particular IP address. So, someone with a grudge against you might well succeed at causing you some grief for a little while. Take comfort in the knowledge that it won’t last – it costs money to run such an attack.
Another reason why you might get an attack would be if a hacker is after information you’re hosting (or he hopes you might be hosting) and he uses the DDoS attack as a diversion while attempting to access your database. All of which raises the next question – what should you do? Let’s now review a list of viable options.
First of all, do you host your own customers’ database? If you’re like many small/medium CUs, a core provider is hosting that data for you, and you access it via a private link. A DDoS attack on that link is typically not possible. But it won’t hurt to ask your core provider about it, and get a written statement from them as to why it isn’t possible, or how they’re planning on ensuring continuity of service in case they end up under attack.
Next, consider your web presence; who’s hosting your website? Is it still your core provider? Then go back to point one. If not, check with the hosting provider and see what they’re planning to do to protect your site. If the answer is ‘nothing’ because you’re hosting with one of those very inexpensive web hosting companies that do zilch to protect their servers, you’ve already done something very wrong to begin with, and this is the time to review your situation and move your web presence to a more controlled environment. Whoever is hosting your website MUST assure you that they’re adequately protected against any attack, be it DDoS or something else.
Finally, check your internet connection and consider the losses you’d incur if it were under attack for a couple of days; would you lose business? Depending on what your institution does, you might. Many traders, for example, rely heavily on the internet for their real-time transactions, and losing even one minute of connectivity is unthinkable. If you aren’t in that category, your worries about DDoS might end here, and you might conclude “who cares”. But if you are dependent on the internet for your business, as many of us are, then let’s follow a plan of sorts on what to do.
First, call your ISP and ask about “their” DDoS policies. During an attack on you, those packets are traversing the ISP network, and they might well take down the ISP’s routers and switches; so, believe it or not, some ISPs have a stated policy that in case of an attack on one of their customers, they’ll take your IP offline for at least one day; and if the attack repeats within 3 months, they take your IP down for 4 days.
So here you are, trying to protect yourself from an attack, spending money and time to plan a response, and your ISP renders all these efforts useless by taking you down completely and effectively giving you that DoS you were seeking to avert. Any DoS prevention plan must include the ISP. They will be attacked as you are, and the response must be coordinated.
Once you’ve done that, consider how much bandwidth you have. A customer asked me if he was at risk with his T1 and, frankly, I chuckled inwardly. A T1 is 1.5Mbps; the small laptop I’m using to type this article would be able to overwhelm that line without the need for a botnet’s help. If your internet pipe is still that small, in all candor, all you can do is sit tight and wait. There’s no point in spending money on any protection, your pipe will be filled up too quickly for it to even matter.
But, if your pipe is large enough (say 20 or 50 Mbps), you can consider protection of other types: physical hardware built to stand against DDoS attacks. Network Box’s DDoS protection can stop up to 500,000 packets per second, or about 5Gbps if the packets are all maxed out.
The techniques used to quickly, dynamically blacklist attacking IPs are also very important, because being able to distinguish between an IP that’s attacking you and one that’s trying to conduct legitimate business is crucial – the scope of all this is to be able to conduct business as usual even as the attack is ongoing.
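The kind of dynamic blacklisting described above, as an added illustration (this is not Network Box’s code or the article’s): a sliding-window packet-rate detector that bans a source only once it exceeds a per-second threshold, so low-rate legitimate clients keep flowing during the attack. The packet stream, the IPs (documentation ranges) and the 500 packets/second threshold are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample of (timestamp_seconds, source_ip) packet arrivals:
# two legitimate clients at a few packets/second and one source flooding
# at 1,000 packets/second for three seconds.
SAMPLE_PACKETS = (
    [(0.5 * i, "198.51.100.7") for i in range(10)]        # legit: 2 pkt/s
    + [(0.001 * i, "203.0.113.9") for i in range(3000)]   # flood: 1000 pkt/s
    + [(1.0 + 0.2 * i, "192.0.2.33") for i in range(5)]   # legit: 5 pkt/s
)


class RateBlacklist:
    """Sliding-window rate detector: a source that sends more than
    `threshold` packets within any `window` seconds is dropped for
    `ban_seconds`; every other source is forwarded untouched."""

    def __init__(self, threshold=500, window=1.0, ban_seconds=60.0):
        self.threshold = threshold
        self.window = window
        self.ban_seconds = ban_seconds
        self.arrivals = defaultdict(deque)  # ip -> recent timestamps
        self.banned_until = {}              # ip -> ban expiry time

    def accept(self, ts, ip):
        """Return True to forward the packet, False to drop it."""
        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if ts < expiry:
                return False
            del self.banned_until[ip]       # ban expired, start over
        recent = self.arrivals[ip]
        recent.append(ts)
        while recent and recent[0] < ts - self.window:
            recent.popleft()                # forget packets outside the window
        if len(recent) > self.threshold:
            self.banned_until[ip] = ts + self.ban_seconds
            recent.clear()
            return False
        return True


def run(packets, **kw):
    """Feed packets in time order; return {ip: (forwarded, dropped)}."""
    detector = RateBlacklist(**kw)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(packets):
        stats[ip][0 if detector.accept(ts, ip) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}
```

With the defaults the flooding source is cut off after its first 500 packets while both legitimate clients lose nothing.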
This hardware is expensive though, so you may not want to purchase the biggest available as it may not be necessary. A better approach is to figure out how much bandwidth you have and how many packets or bits per second you want to fend off. You don’t need hardware capable of 5Gbps if your bandwidth is only 50Mbps; that’s overkill and a waste of money, because your bandwidth will collapse well before your protections anyway. So ensure the hardware is adequate to the rest of your resources; or as they taught me in a risk assessment class, don’t spend $20,000 to protect a $10,000 horse! There is DDoS protection for smaller attacks.
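To make the sizing argument concrete, here is an added calculator (not from the article or any vendor) using the article’s own figures: a T1 at 1.544 Mbps, a 50 Mbps pipe, an appliance rated at 500,000 packets per second, and the $20,000-for-a-$10,000-horse rule. The 64-byte minimum frame and 1500-byte MTU are standard Ethernet values; the point it shows is that the link itself caps how many packets an attacker can deliver, so the appliance only needs headroom over that worst case.

```python
# Added sizing helper; figures in the docstrings come from the article.
MIN_FRAME_BYTES = 64     # smallest Ethernet frame: the worst case for packets/second
MAX_FRAME_BYTES = 1500   # standard MTU: the article's "packets all maxed out"


def pps_to_saturate(link_mbps, frame_bytes=MIN_FRAME_BYTES):
    """Packets per second needed to fill a link of link_mbps with frame_bytes frames.
    A T1 (1.544 Mbps) fills at about 3,016 minimum-size packets per second."""
    return link_mbps * 1e6 / (frame_bytes * 8)


def gbps_at(pps, frame_bytes=MAX_FRAME_BYTES):
    """Throughput in Gbps carried by pps packets of frame_bytes each.
    500,000 pps of full 1500-byte frames is 6 Gbps; ~1250-byte frames give the article's 5 Gbps."""
    return pps * frame_bytes * 8 / 1e9


def appliance_headroom(link_mbps, appliance_pps):
    """Ratio of the appliance's rated pps to the worst-case pps the link can deliver.
    Below 1.0 the appliance is undersized; the link, not the appliance, is the ceiling."""
    return appliance_pps / pps_to_saturate(link_mbps)


def worth_buying(protection_cost, loss_if_down):
    """Risk-assessment rule of thumb: never spend $20,000 to protect a $10,000 horse."""
    return protection_cost <= loss_if_down


def summarize(link_mbps, appliance_pps, protection_cost, loss_if_down):
    """Return (worst-case pps on the link, appliance headroom, purchase makes sense)."""
    return (
        round(pps_to_saturate(link_mbps)),
        round(appliance_headroom(link_mbps, appliance_pps), 2),
        worth_buying(protection_cost, loss_if_down),
    )
```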
If your bandwidth is very large, so large that dedicated hardware wouldn’t make much sense, there are companies that offer in-the-cloud protection using a routing technology called anycast. We all know multicast, broadcast, unicast; anycast is not something we deal with on a regular basis in our networks. An IP is an IP and it has one location and one location only – or so you thought.
Anycast is a routing technology that allows us to put the same IP at multiple locations; other hosts wanting to ‘talk’ to that IP will reach the instance closest to them (where closest is defined by the various routing protocols as the shortest path, or the one with the best round-trip time).
When this is used with public IPs, in the cloud, over a large geographical area, it’s a very effective method to spread the attack over multiple locations and substantially dilute it to the point of rendering it ineffective. Again, this is a VERY expensive proposition, one which you might consider only if your risk of loss is really worth that route.