Military science has a simple mechanism utilized at almost every level of both tactical and strategic thinking: Pin the enemy down with a distraction (a feint or an actual attack, either way), and then hit them where they’re not looking. This maxim has worked very well from squad level tactics where you pin them down with a base of fire while half the squad creeps around the enemy to hit them from the side to strategic tactics like when you attack on the entire front, but keep a massive reserve to push through any point that shows weakness. While the correlations of security to warfare can grow rather tiresome, sometimes, they are the correct correlations. The manner in which DDoS attacks are increasingly being used is well defined by this military maxim.

Picture from ArmChairGeneral.com Kursk, 76 years ago the day this blog was posted. The space in the middle between the darker red lines is where the Soviet army found weakness in the German lines around Prokhorovka. After a general counter-offensive, this weak spot is where they poured their reserves and ended the last major German offensive of WWII.

Why is that? The trend for DDoS attacks is to use the DDoS to mask some other intention – literally using it as a massive assault, so a few targeted attacks can be hidden within to try and break through the defenses of the organization being attacked. The methods range from highly sophisticated to pretty straight-forward, but there is a lot of sense in utilizing this tactic. First off, if the security team is focused on the DDoS, there’s a chance they’ll miss the more targeted attacks. Second off, with millions of connections occurring, the attack of a few packets might be overlooked, and third, while adjusting things to deal with the DDoS, security or other IT staff might well make a change that opens the door to one of these targeted attacks.

The aim is to get inside and steal data, the distraction is the DDoS, which is a very real attack, but forces the defender to split resources, or even dedicate all resources to defending against the DDoS. As in warfare, sometimes this tactic is staggeringly successful, and sometimes not. Even when not successful, the damage done to business can be immense. In the month before this blog post was written, nearly every major US bank had experienced DDoS attacks, with most suffering some form of reduced service or even outage during the attacks. The linked to article does not include others who were targeted after the date of publication, so the total number of US banks is pretty large.

And if you think that banks are being targeted enmasse for some random outside reason, I’ve got a highly influential spot on the Anonymous board of directors to sell you.

The DDoS attacks being waged against banks are for some other, more nefarious reason, and while I don’t know what that is at the moment, they’re banks. That does make it easy to speculate “financial gain” in one form or another.

The thing is, there are a variety of ways to stop such attacks, including utilizing our own BIG-IP (meant to handle outrageous volumes of requests, and able to identify most DDoS methods before they reach your servers) to stop DDoS dead in its tracks. The problem is that we often don’t treat security seriously until it is a problem. If you’re a large enough organization, at this point you should be able to determine that you will at some point be the target of a DDoS attack. If you’re a financial institution, no matter how small, you should be able to come to that same conclusion. So stop waiting for services to go down, find some money in the budget, do some research, and put something in place. Most major banks started to address DDoS last year, and took a closer look at it again in April – the last two targeted waves of attacks – but not all. There are a ton of reasons why some didn’t, but the trend is now obvious, procrastinating may hurt.

My co-worker David Holmes has written about mitigating a lot of these attacks here, and his approach is just one of several. In fact, if you search his blog for DDoS or Attack Mitigation, you get a ton of valuable information.

The thing is that pretty clearly there’s an ulterior motive to these attacks, and stopping the DDoS stands a good chance of either exposing or stopping whatever the ulterior motive is. And in banking, blocking ulterior motives is a way of life, no?

Many banking websites disabled logins during the attacks on their premises, but this alone can cause customer flight for the people who do all of their banking online. It’s their money, they tend to get testy if you won’t let them at it. Rumors abound, for example, that Citibank blocked logins for days and only slowly returned functionality. Meanwhile, customers were stewing. That’s a problem they will have to resolve outside the technological realm, but is also a proof that the easy answers – take the website down, protect customers’ money by disabling logins, etc – are not good enough. I’m not picking on Citi here, they were just the one I was pointed at by online friends, other big financial firms did much the same thing while under these attacks.

The security of our financial information is of tantamount importance to all of us. Banks do a very good job of protecting that information (consider number of breaches versus number of transactions or accounts as a measure), but in a changing environment they must consider doing even more. DDoS prevention appears to be a staple of FSI security moving forward. And as is always the case with security and the Internet, that will solve the current round of problems, but with billions of people on the internet, another challenge is just a mouse-click away.

Here’s hoping that none of the hidden agendas were realized while those attacks were going on, and here’s to security folks who now have to be more alert about other parts of security while defending against a DDoS. Thanks for doing what you do, most of the people out here have no idea how effective you are at keeping our data safe. And that’s probably for the best.