It came out of nowhere and then it took down the website of $1.5billion University Federal Credit Union “for around two andone-half hours,” said a spokesperson.

What appeared to be the same purportedly Iranian group that inrecent months has taken down Bank of America, PNC, Capital One andassorted money center institutions bragged about the exploitonline, at a website experts told Credit Union Timeshas commonly been used to post news of such takedowns.

• ALSO READ: Patelco a Target of DDoS Attack
  
• ALSO READ: Texas Credit Union Hit by DDoS Attackers
• ALSO READ: How One Corporate Credit Union DefendsItself

The experts acknowledged they knew none of the specifics of theUFCU take down but, they said, to all appearances this is the workof the cybercriminals who have been said to be linked to Iran.

What does this UFCU attack mean? “The attackers are definitelygoing after softer targets,” said Rich Bolstridge, a DDoS expert with network traffic company Akamaiin Cambridge, Mass.

The bad news, said experts, is that, right now, no credit unioncan any longer count itself as immune from large-scale DDoSattacks.

Off the record, many credit unions, including billion-dollarinstitutions, had told us that indeed they had DDoS mitigationcapabilities to handle run-of-the-mill attacks launched byex-employees, terribly unhappy members, or would-beextortionists. These usually are fairly low force attacks anddefense is fairly simple.

Defending against the high-velocity, nation-state level DDoSattacks is a different matter. The belief has been that onlya handful of money center financial institutions had the resourceson hand to defend themselves but nobody else really needed thatlevel of protection, or so the thinking went.

Something has changed and what very well may have changed isthat the big FIs have gotten good at deflecting nation state DDoSwith minimal downtime. They have contracted with themitigation companies, they have bought the mitigation appliances,they have arranged for redundant Internet broadband (often havingarrangements with three providers). And so they wereready.

Smaller institutions are not ready.

That point is made vivid in a recent report, “A Study of RetailBanks and DDoS Attack,” sponsored by Corero Network Security. Thefull document is here.)

In an interview, Marty Meyer, CEO of Corero, a DDoS mitigationappliance maker in Hudson, Mass., said that in the survey of 351banks, 48% said they had suffered multiple DDoS attacks in theprior 12 months and 78% said they expected DDoS attacks to continueor slightly increase in the coming year.

What Meyer said he found worrisome in the data is that “only 17%of the institutions said they were effective at responding toDDoS.”

Many pointed to utterly inadequate defenses such as firewalls astheir DDoS response. Firewalls, noted Meyer, were neverdesigned to mitigate DDoS and won't do that job.

Meyer indicated that no credit unions were included in thesurvey, although “we do have credit union customers, around adozen.”

For reasons of simplicity the survey – conducted by third-partyresearchers – focused only on banks, including “some of the largestin the world,” said Meyer, who declined to name names.

Have credit unions had fewer, or more, attacks than banks? Nobody knows. NCUA's current regulations require incident reportsonly if an event results in a potential compromise of member dataand, in classic DDoS, what happens is that the overwhelmed networkcollapses. But there is no data leakage.

And therefore there is no reporting to NCUA.

Up until last Thursday there was a widespread belief thatprobably credit unions had many fewer attacks – they generallydon't get the hate that banks do – but the UFCU attack has to putthe industry on notice that credit unions don't have DDoSimmunity. Not anymore.

And they had better begin assembling defenses to guard againstwhat could turn out to be a long spell of high volume DDoSattacks.

If University Federal Credit Union is not safe, who is?