Before 2013, Distributed Denial of Service attacks seemed to many credit union executives like something the other guys worried about. The prevailing attitude was: We're not on anyone's radar. We aren't on anyone's enemies list. Why worry?


Then came January 2013 when the $1.6 billion University Federal Credit Union in Austin, Texas, and Patelco, the $4 billion Pleasanton, Calif. credit union, both acknowledged they had been knocked offline for some hours. Many big banks were taken down at the same time, in attacks claimed by al Qassam Cyberfighters, an organization that many allege is sponsored by the Iranian government.


A month later, in February, both institutions were taken down another time, again in attacks claimed by al Qassam. Many banks also fell victim a second time. There were also dud DDoS attacks, such as a much-ballyhooed May 7 attack – which saw institutions fearfully running for cover from an attack said to be planned by OpUsa, a hacktivist group affiliated with Anonymous – but it amounted to nothing.


As the year progressed, there were more reports of DDoS used as a diversionary tactic by criminals who sought to distract financial institution security staff with website attacks as they busied themselves perpetrating high-value wire thefts. There have been no such cases publicly linked to credit unions, but there are multiple cases linked to banks.


How many credit unions have been taken down by DDoS? That number is unknown. Patelco and University were named in Internet postings by al Qassam, thus their attacks became public knowledge.


The NCUA, for its part, requires credit unions that have been “significantly affected by DDoS” to notify the NCUA or their state regulators. When asked in October for the number of credit unions that had filed reports, the agency shared data showing two outages. But the regulator did not indicate that it believed that tally to be complete. CUNA Mutual, at the same time, indicated it had no count whatsoever of DDoS outages.


No one really knows how many credit unions were attacked by DDoS in the year but one fact did seem to emerge. “DDoS has become a perennial, it is here to stay in the threats universe,” said Charles Burckmyer, president of Sage Data Security, a firm that claims several hundred financial institutions as clients.


Just what is DDoS? The question is good, because the answer is tough to give. That's because the format of DDoS shifted dramatically in 2013, said Rodney Joffe, senior technologist at Neustar, an Internet analytics company that also offers DDoS mitigation services.


Early in the year, Joffe recalled, DDoS sought to wipe out victim websites by targeting them with huge volumes of traffic – generally assembled using resources stolen from zombie computer botnets where the machine owners have no clue their devices are digital slaves to criminals. So those targets – such as Patelco and UFCU – went down because they were overwhelmed.


But DDoS attacks and mitigation strategies continually evolve, said Joffe. When one side jigs, the other responds. That showed up as many financial institutions signed up with third-party mitigation companies to provide emergency “pipe” – Internet bandwidth – to be able to deflect volume-based attacks.


So the attackers switched to hitting victims with an avalanche of requests for services that had the effect of using the target computers to in effect tire themselves, noted Stephen Gates, chief security evangelist of Corero Network Security. A classic, for instance, is hitting a financial institution website with many requests for a password reset, probably for non-existent members, but the institution's computer still is forced to go through so many motions it may become unavailable to genuine users.


Pierluigi Stella, chief technology officer at security company Network Box USA, elaborated: “The (DDoS criminal's) query is usually less than 100 bytes; the reply can be tens of thousands; so the hacker gets an amplification factor of 100. For each packet of 100 bytes the hacker sends out, you get hit by 10,000 bytes.” Multiply that by maybe several hundred queries per second and it is easy to see why this attack has proven so successful in 2013, suggested Stella.


The cure, said experts, is to deploy tools that in effect scrub all data as it comes into the system. Bad data is sidelined, authentic data is passed through, and while that is easier to prescribe than it is to implement in practice, experts agreed that DDoS mitigation companies took large strides in 2013 towards building tools that in fact scrubbed incoming data with high success rates.


The bad news: Nobody thinks today's DDoS format will be tomorrow's, and no one knows what criminals will unleash in the months ahead. Maybe the jackpot question is, how well protected are credit unions when it comes to fending off DDoS, especially as it morphs into different formats? Have they invested in state-of-the-art protections?


Not very many have made those investments, said multiple experts contacted by Credit Union Times. Few credit unions will discuss their DDoS defenses on the record but off the record some have indicated that their defenses are thin. Many hope that their vendors – for Internet banking or their Internet service provider – have adequate protections in place to keep the credit union itself also protected.


DDoS will remain part of the threats landscape, said multiple experts, mainly because it is effective, it is inexpensive, and it is increasingly easy to deploy. As long as it gets results, criminals will continue to use it, said Joffe.


Nonetheless, he flatly predicted that we will not see more of the al Qassam-style, high-profile attacks that won headlines early in 2013. “Those attacks were politically motivated but they accomplished nothing,” said Joffe.


Other experts agreed, pointing to changes in Iranian politics and a recent thawing in relationships with the United States. The upshot is that the al Qassam attacks may in fact be history, meaning there may not be more days when several dozen financial institutions are taken offline in a brazen show of Internet power.


“But we will see more DDoS because it works,” said Joffe, and he specifically predicted more use of it as a diversion because if a security staff can be distracted for a half-day, that may be ample time for a wire transfer to move money out of the United States and through several hops into a destination country where funds are unlikely to be returned.


Gartner analyst Avivah Litan – one of the experts who first reported the use of DDoS as a diversion – noted in an interview that good policy would be to “slow” wire transfers at times when the institution found itself under a DDoS attack. Her opinion is that simply slowing down transaction speed might sharply reduce losses.


At least until the criminals figure out a new strategy – and that is a big takeaway from the 2013 DDoS saga. “This is an arms race that is no different from any other arms race,” said Joffe. “As we add defenses, the criminals alter their attacks and so it goes on.”


The good guys win, said Joffe, by making it expensive for the criminals, such as disrupting their botnet zombie networks. “If we can make it more expensive for them than the rewards they get from their DDoS, we win,” said Joffe.


“This will be survival of the fittest,” he warned.
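
The wire-slowing policy Litan describes above, sketched as an added example (not from the article or any vendor): wires submitted during a DDoS alert, or during a cooldown after it, get a release delay, and large ones also wait for manual sign-off. The class name, hold time, cooldown and dollar threshold are assumptions, and the timeline is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Wire:
    wire_id: str
    amount: float
    submitted: datetime

@dataclass
class WireThrottle:
    # All three values are assumptions for illustration, not from the article.
    hold: timedelta = timedelta(hours=4)         # delay added while under attack
    cooldown: timedelta = timedelta(hours=1)     # keep slowing after traffic subsides
    review_at: float = 10_000.0                  # amount that also needs human sign-off
    windows: list = field(default_factory=list)  # [start, end] pairs; end None = ongoing

    def attack_started(self, when):
        self.windows.append([when, None])

    def attack_ended(self, when):
        if self.windows and self.windows[-1][1] is None:
            self.windows[-1][1] = when

    def slowed(self, when):
        """True if `when` falls inside an attack window or its cooldown."""
        return any(start <= when and (end is None or when <= end + self.cooldown)
                   for start, end in self.windows)

    def decide(self, wire):
        """Return (earliest_release_time, needs_manual_review) for one wire."""
        if not self.slowed(wire.submitted):
            return wire.submitted, False
        return wire.submitted + self.hold, wire.amount >= self.review_at

def demo():
    # Constructed timeline: DDoS alert raised at 09:00 and cleared at 12:00.
    day = datetime(2013, 1, 15)
    throttle = WireThrottle()
    throttle.attack_started(day.replace(hour=9))
    throttle.attack_ended(day.replace(hour=12))
    wires = [Wire("A", 2_500.0, day.replace(hour=8)),
             Wire("B", 250_000.0, day.replace(hour=9, minute=30)),
             Wire("C", 500.0, day.replace(hour=12, minute=30)),
             Wire("D", 90_000.0, day.replace(hour=14))]
    return {w.wire_id: throttle.decide(w) for w in wires}

if __name__ == "__main__":
    for wire_id, (release, review) in demo().items():
        print(wire_id, release.strftime("%H:%M"), "manual review" if review else "auto")
```

The cooldown matters because a diversionary attack may stop once the fraudulent wire has been queued; wire C above is still delayed even though the alert has already cleared.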
