Attackers targeting major U.S. banks with distributed denial-of-service (DDoS) attacks are using a number of toolkits to automate the job. Prolexic Technologies, a security company specializing in DDoS protection services, identified one toolkit, called itsoknoproblembro, a kit that attacks multiple ports and network targets.

Meanwhile, Arbor Networks told Threatpost via email that itsoknoproblembro isn’t the only tool being used in these attacks, and that this isn’t the first time it has seen the kit used in a large-scale DDoS attack. Experts have said the scale of these attacks is massive, unlike any seen previously.

During the past 10 days, PNC, Wells Fargo, J.P. Morgan Chase & Co, and Bank of America have been either taken offline or had intermittent outages interrupting services. A group using the name Mrt. Izz ad-Din al-Qassam Cyber Fighters has claimed responsibility for the attacks as retaliation for the portrayal of Muslims in a series of movie trailers posted to YouTube for the film “Innocence of Muslims.”

Prolexic said today that it has recorded sustained floods hitting 70 Gbps and more than 30 million packets per second in some of the attacks. Dmitri Alperovitch of CrowdStrike told Threatpost last week that his company had seen some attacks reach 100 Gbps. Most observed DDoS attacks require 5-10 Gbps of traffic to take down a site.

“These are not super sophisticated attacks, but we’re seeing very large, almost historic, attacks from the standpoint of the volume of traffic we’re seeing,” Alperovitch said. “And these banks are not tiny. They have massive infrastructures and they’re coming under DDoS attacks regularly. The fact that these attacks are able to shut them down is quite remarkable.”

Itsoknoproblembro, Prolexic said, attacks both the infrastructure and application layers. It uses SYN floods that can hit multiple entry points on the network, as well as ICMP, UDP and SSL-encrypted attacks. Primarily, the attackers are deploying large UDP floods, sending packets at the banks’ DNS infrastructure. The attacks are being carried out from legitimate IP addresses, which lets them evade detection, Prolexic said.
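A defender-side illustration of triaging the multi-vector floods described above: this is an added example written for this article, not Prolexic's or Arbor's code. The flow-record format, sample values and thresholds are constructed; it groups traffic per destination and vector (SYN, UDP to DNS, ICMP) and alerts on rate rather than on source reputation, since the sources here are legitimate addresses that an IP filter would pass.

```python
from collections import defaultdict

# Constructed one-second sample window (not real traffic); fields:
# proto src_ip dst_ip dst_port tcp_flags bytes packets
SAMPLE_FLOWS = """\
udp 203.0.113.10 198.51.100.5 53 - 600000000 1200000
udp 203.0.113.11 198.51.100.5 53 - 550000000 1100000
udp 203.0.113.12 198.51.100.5 53 - 500000000 1000000
tcp 203.0.113.20 198.51.100.5 443 S 48000000 800000
tcp 203.0.113.21 198.51.100.6 80 S 45000000 750000
icmp 203.0.113.30 198.51.100.5 0 - 30000000 400000
tcp 192.0.2.7 198.51.100.5 443 A 2000000 2000
"""

# Per-destination thresholds for a one-second window (constructed; tune per network).
PPS_THRESHOLD = 500_000        # packets per second
BPS_THRESHOLD = 1_000_000_000  # bits per second

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport, flags, nbytes, pkts = line.split()
        flows.append({"proto": proto, "src": src, "dst": dst, "dport": int(dport),
                      "flags": flags, "bytes": int(nbytes), "packets": int(pkts)})
    return flows

def vector_of(flow):
    """Label the vectors the article names: SYN flood, UDP to DNS, ICMP, or other."""
    if flow["proto"] == "tcp" and flow["flags"] == "S":
        return "syn"
    if flow["proto"] == "udp" and flow["dport"] == 53:
        return "udp_dns"
    if flow["proto"] == "icmp":
        return "icmp"
    return "other"

def flood_alerts(flows):
    """Aggregate per (destination, vector) and alert on volume, not on source IP."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "srcs": set()})
    for f in flows:
        key = (f["dst"], vector_of(f))
        agg[key]["packets"] += f["packets"]
        agg[key]["bytes"] += f["bytes"]
        agg[key]["srcs"].add(f["src"])
    alerts = []
    for (dst, vec), s in agg.items():
        bps = s["bytes"] * 8
        if s["packets"] >= PPS_THRESHOLD or bps >= BPS_THRESHOLD:
            alerts.append({"dst": dst, "vector": vec, "pps": s["packets"],
                           "gbps": round(bps / 1e9, 2), "sources": len(s["srcs"])})
    return sorted(alerts, key=lambda a: a["pps"], reverse=True)
```

Note that the ICMP leg stays under threshold on its own, which is why a multi-vector attack should also be judged on the combined load per destination.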

“Only a handful of companies around the world could survive a hit of 70 Gbps in conjunction with the complex blend of attack vectors we have witnessed,” said Prolexic Chief Executive Officer Scott Hammack.

Attacks of this size and complexity require months of planning and resource gathering, experts said, but aren’t necessarily overly sophisticated.

The attackers posted their motivations on Pastebin last week, promising to hit a bank a day for a particular stretch in retaliation for the movie trailers. Experts, however, dispute this and other theories: that the attacks were cover for a series of wire-transfer frauds, as reported by the FBI and the Financial Services ISAC, and the theory put forward by Conn. Senator Joe Lieberman, who pointed the finger at a secret Iranian military outfit, the Quds Force. Alperovitch, for one, said the attackers are flexing their muscle and demonstrating what they’re capable of.

“Banks have high bandwidth connections into their data centers. They can take a lot of traffic, plus they all use security and DDoS protection services,” he said. “This is massively higher than what we see on a normal basis.”

Categories: Critical Infrastructure, Web Security

Comments (6)

  1. Michael D

    So, this is an unprecedented scale of attack? I am indeed incurring page-loading issues all over the Web today. Thanks for posting.

  2. Anonymous

    “The attacks are being carried out by legitimate IP addresses, which enables them to bypass detection”

    Ok so what’s an ‘illegitimate’ IP address? An IP address of 5 numbers or 7?

    And if by that it is meant “IP addresses that belong to credible networks like government agencies and private corporations” then I would want to know how, exactly, that sort of thing can happen?

  4. Anonymous

    Prolexic and Arbor are bullshit. I’ve tested both using simple tools like LOIC and HOIC – randomizing my srcIPs – and neither of the technologies was able to stop shit. Both companies are literally just marketing hype and somehow people fall for it and buy it.

  5. Anonymous

    The irony of the above post is that LOIC was originally developed by Prolexic. So, while I’m not disagreeing with the point being made, I do find it funny that this person used Prolexic-developed source in their process to claim Prolexic is bullsh*t! :)

Comments are closed.