ChatGPT saw an outage last week which has been blamed on a Distributed Denial-of-Services (DDoS) attack.
DDoS attacks are nothing new in the financial cybersecurity world. The first is believed to have occurred in 1999, commonly known as the Mafiaboy attack against the University of Minnesota, although there were similar instances that predate it.
Since then, research from Zayo has suggested that DDoS attacks were up by 200% in the first quarter of 2023 compared to the same period in 2022. Additionally, research from Akamai found that over 29% of DDoS attacks between January 2022 and June 2023 were focused on the financial services industry.
With the threat of DDoS attacks seeming to grow, it’s important to understand what these attacks are, why they happen, and how the financial services industry can protect itself.
I spoke with Richard Meeus, director of security technology and strategy EMEA, Akamai, about these concerns.
What is a DDoS attack?
The first thing to understand about a DDoS attack is that it is not a hack.
Meeus described DDoS attacks as a “saturation of services”. These attacks do not damage the website itself; instead, the attackers flood it with so much traffic that genuine customers are prevented from using it.
Criminals do this by exploiting weaknesses in the design of servers, and of the internet more generally. The internet was not designed with security in mind, so the same design weaknesses are shared by everyone who uses it.
The most common type of DDoS attack is the flood attack. One way to carry it out is by abusing Domain Name System (DNS) requests. DNS is the service that translates domain names (e.g. amazon.com) into IP addresses. Criminals can take advantage of this by sending requests with spoofed IP addresses to the DNS servers.
They can also flood DNS servers by compromising large numbers of internet-connected devices and using them to generate requests to a specific domain. These bots flood the target through repeated requests.
Meeus said: “I can send lots of requests to various services on the website that overwhelm it. That means that the CPU is overwhelmed, the memory is overwhelmed. The database is overwhelmed.”
There are also protocol attacks, which utilise weaknesses in internet communication protocols. These are rarer, but the principle of overwhelming the target is still the same.
Different attacks target or overwhelm different layers of the Open Systems Interconnection (OSI) model, the seven-layer model that describes how computers communicate with each other.
Criminals will often use multiple attacks at once, using different methods and attacking different layers.
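As an added illustration of the two flood patterns described above (a single source hammering a service, and many compromised devices querying the same name), here is a small rate-based detector run over constructed DNS query-log lines. It is not code from Akamai or from the article; the log format, thresholds and addresses are assumptions.

```python
"""Rate-based DNS flood detector over constructed query-log lines (added example)."""
from collections import defaultdict

# Hypothetical log line format (an assumption): "<epoch_seconds> <client_ip> <qname>".
def parse_line(line):
    ts, client, qname = line.split()
    return int(ts), client, qname.lower()

def detect_floods(lines, window=10, per_source_limit=50, distinct_source_limit=30):
    """Return (single_source_floods, distributed_floods), both sorted.
    single_source_floods: (client_ip, window_start, count) where one client sends more than
    per_source_limit queries in a window.  distributed_floods: (qname, window_start, sources)
    where one name is queried by more than distinct_source_limit distinct clients (botnet pattern)."""
    per_source = defaultdict(lambda: defaultdict(int))   # client -> window_start -> query count
    per_name = defaultdict(lambda: defaultdict(set))     # qname  -> window_start -> set of clients
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, qname = parse_line(line)
        bucket = ts - ts % window                        # fixed windows of `window` seconds
        per_source[client][bucket] += 1
        per_name[qname][bucket].add(client)
    single = sorted((c, b, n) for c, buckets in per_source.items()
                    for b, n in buckets.items() if n > per_source_limit)
    distributed = sorted((q, b, len(s)) for q, buckets in per_name.items()
                         for b, s in buckets.items() if len(s) > distinct_source_limit)
    return single, distributed

def constructed_log():
    """Constructed sample traffic: background clients, one noisy source, and a botnet-style burst."""
    lines = []
    # 20 ordinary clients, one query per second each over 10 seconds, to assorted names
    for t in range(100, 110):
        for i in range(20):
            lines.append(f"{t} 198.51.100.{i + 1} site{i}.example")
    # one source sending 8 queries/second for 10 seconds (80 in the window): single-source flood
    for t in range(100, 110):
        lines.extend(f"{t} 203.0.113.9 example-bank.test" for _ in range(8))
    # 40 distinct "bot" addresses each sending 2 queries for the same name in second 105
    for i in range(40):
        lines.extend(f"105 192.0.2.{i + 1} example-bank.test" for _ in range(2))
    return lines

if __name__ == "__main__":
    single, distributed = detect_floods(constructed_log())
    print("single-source floods:", single)      # [('203.0.113.9', 100, 80)]
    print("distributed floods:", distributed)   # [('example-bank.test', 100, 41)]
```

The per-source check catches the noisy client, while the distinct-source check catches the distributed case in which no single bot exceeds any rate limit but the queried name does.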
What is the impact of DDoS attacks on financial services?
As mentioned, it is important to understand that a DDoS attack is not a hack, because if customers see that their bank’s website is down, they will more than likely be concerned about whether their money is safe.
This means that the main consequence for the financial services industry after a DDoS attack is reputational. It shatters the feeling of security customers have with their bank, even if the bank or the account hasn’t actually been hacked.
Meeus illustrated: “Back when banks first commonly came into existence, maybe 100 years ago, banks were big buildings. Big thick walls. Very small windows. They looked imposing. They looked substantial. They were trying to put across a perception of security. You go to a bank now, you don’t go to a bank. You don’t have that impression of stability, forced upon you through structural integrity. What you do now is you’re looking at the website. That’s how you access your bank account. So if your bank accounts go offline, it’s like somebody going into a bank and seeing all the glass smashed in and all the money lying around on the floor because it loses all of that perception.”
Why do DDoS attacks occur?
One motivation for DDoS attacks is geopolitics.
Meeus noted that Akamai research has seen an uptick in DDoS attacks in the EMEA region and that this was “primarily due to Western European nations announcing support for what was happening in the Ukraine Russia conflict. Organisations who are affiliated to or had loose connections to the Russian side of it wanted to express their displeasure.”
Another notable example is when the Eurovision Song Contest faced DDoS attacks after the competition and many of the acts showed support for Ukraine. Indeed, the rise in the number of attacks has been linked to global political circumstances. DDoS attacks have also been used as a cyber political tool by the group Anonymous a number of times.
Another motivation has been ransom. Under this aim, criminals tend to behave differently than if they were politically motivated.
Meeus described how ransom attackers will often send an email to a particular company on a Friday evening threatening to DDoS attack their website on a Monday morning unless a ransom is paid. Often the amounts are smaller, as they are easier to obtain over a weekend, and so the attackers can continue to make numerous attacks.
A ransom attack can also be accompanied by ransomware to double its potency.
How can DDoS attacks be prevented?
It isn’t possible to prevent a DDoS attack outright, because the attack consists simply of generating overwhelming traffic. There are, however, ways to cope when one does happen, and ways to be prepared.
Businesses want to be able to distinguish the bad users from the genuine users generating traffic. Meeus argued that this cannot be done on premises, only in the cloud.
Meeus added that the way you deal with this excess bad traffic is by having nodes all over the world to extend the edge of your cloud network, so that when an attack does happen, you’re able to absorb the bad traffic.
Advising financial services organisations about DDoS attacks, Meeus said: “when you're partnering with cloud-based services, you need to make sure that the expertise is there because we've seen that DDoS and their techniques pivot on a regular basis.”