September 11 came, it went and despite the FBI warning to credit unions to be ready for a bump in hostileactivities on that anniversary date, multiple experts said they sawabsolutely no traffic increase.

But they also had worrisome news: There has been a sharp rise inlow-grade Distributed Denial of Service (DDoS) attacks aimed atfinancial institutions, often in association with attempted fraud,but sometimes apparently simply an angry act by a rejected loanapplicant or a terminated employee.

First, the 9/11 news: “Nothing unusual happened on September 11.The reason there is nothing to report is that the volume is thesame as the day before,” said Ashley Stephenson, CEO of Corero, a Hudson, Mass.-based DDoS mitigation firm. “Every daythere are attacks.”

Chris Novak of the Verizon Risk Team said likewise: “We saw nospike in activity on 9/11.”

Rich Bolstridge, a DDoS expert with Cambridge, Mass-based networktraffic firm Akamai, made it three: “We saw no increase in activityon September 11. We had expected to see activity. But it was veryquiet.”

The big DDoS guns fired by al Qassamand other actors usually said to be connected to nation states inthe Middle East may not have been out on 9/11, but the bad news isthe jump in low-grade attacks that may be small compared to thegiant attacks unleashed by al Qassam are plenty large enough toknock an unprepared credit union off line and, said the experts,most credit unions remain unprepared to adequately deflect DDoSassaults of just about any magnitude.

“We are surprised how naive CUs are about DDoS,” said KirkDrake, CEO of Hagerstown, Md.-based CUSO Ongoing Operations.“They don't realize how easy it has become for just about anyone toaim DDoS at a target.”

That is the rub, Terrence Gareau, principal research scientistfor DDoS mitigation firm Prolexic in Hollywood, Fla., explained: “There is a very lowbarrier to entry for DDoS. We are talking $5 that will buy you 600seconds of DDoS.”

That may only be 10 minutes, but the plunger who can come upwith $50 could put a credit union down for an afternoon.

A chilling factoid via a report from Santa Clara, Calif.-basedNSFOCUS, a DDoS mitigation firm: “Based on traffic analysis, thereare 1.29 DDoS attacks occurring worldwide every two minutes, onaverage.”

The company added, “Most attacks are short and small. The reportfound that 93.2% of DDoS attacks were less than 30 minutes induration and 80.1% did not surpass a traffic rate of 50 Mbps.” Bycontrast, the data throughput in al Qassam attacks has sometimesexceeded 45 Gbps, meaning it is vastly larger.

Vann Abernethy, an NSFOCUS spokesperson, elaborated, “The main news– the press focuses on the big DDoS – but the reality is thatunreported DDoS goes on all the time. There are a lot of smallattacks.”

And then it gets worse still: “Small attacks are oftenaccompanied by data exfiltration attempts, especially at financialinstitutions,” said Abernethy.

Verizon's Novak agreed: “We are seeing where DDoS is used todistract a medium-size financial institution. While they are busyfighting off the DDoS. they don't see that terabytes of data justwalked out the door. That's scary.”

A similar warning was issued a few weeks ago by respected Gartner analystAvivah Litan who said she knew of three instances where DDoS wasused to distract financial institution security as fraud wascommitted. She declined to offer specific details.

At CUNA Mutual, risk expert Ken Otsuka said that in the past year one loss associated with aDDoS attack had been filed. He also offered no specifics.

Add it up, however, and the situation is grim. DDoS as a service– available for hire by those with a grudge or with criminal intent– is increasingly available, it is cheap, and at least someproviders happily accept Bitcoin, the virtual currency with some anonymity built in.Importantly, just about no technical skill is required, just a fewdollars and a willingness to name a target.

On the credit union front, the sense among experts is that thelargest institutions – perhaps the top 25 or 50 – may have credibleDDoS mitigation tools in place. As for the many thousands ofothers, the collective opinion is that probably most areunprotected.

That could paint an attractive bull's-eye for crooks. “There's atrend where we see attacks going down market,” said Novak, “wherethe criminals are attacking smaller financial institutions becausethey don't have the same defenses as the big banks.”