Sunday, April 28, 2013

Banks viewing DDOS as the new norm

Larger banks and financial institutions are now viewing defending against DDOS attacks as business as usual. Let's review a few basics before we examine that issue in more detail.

Way back when denial of service attacks first began, they were used primarily as a cyber crime extortion tactic. The attackers would offer to cease attacking a website in return for cash payments.
That approach has somewhat faded, although we do hear of extortion periodically, mainly against on-line gaming sites. There is little question that increased sophistication by law enforcement in tracking extortion payments has been a significant factor in reducing extortion as a criminal business driver.

It appears the groups responsible for denial of service attacks now fit the definition of hacktivists and nation states.

BOTS and BOTNETS
The rise of the bot and the linking of bots into botnets under centralized command & control brought denial of service attacks to a new level.  Unfortunately I still find way too many executives confused about bots and botnets.  Let me propose simple definitions of bots and botnets that might help us understand where we are in this aspect of the complicated landscape of cybersecurity.

I think of a bot as a simple piece of malicious code, usually fairly small in size, that has found its way onto a personal computer at home, a host server within an enterprise computing infrastructure or a server at a hosting company. Unfortunately bots are now being found on smartphones, tablets, digital security cameras and internet-ready TVs. Any digital device attached to a network can store a bot. Readers will do well to remember that the vast majority of bots remain undetectable to common anti-virus scanning.

Although many bots do carry some rudimentary capability to probe their host environment, by and large the dominant capability of most bots is to communicate with and receive instructions from a central command and control server. When multiple bots do that, they have become part of a botnet. A botnet instructed by its command and control server to flood a website with thousands if not millions of web page requests per second constitutes a distributed (many bots) denial of service (DDOS) attack. DDOS constitutes an ongoing problem for major financial institutions.
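To make the "many bots, one target" signature concrete from the defender's side, here is an added example that is not part of the original post: a small detector that reads web-server access-log lines, counts requests per second per source address, and raises an alert only when the aggregate rate is high and the load is spread across many distinct sources. The log lines are constructed for illustration, the thresholds (20 requests per second, 5 sources) are assumptions scaled down far below the thousands-per-second figure in the text so the sample stays readable, and the function and field names are my own.

```python
"""Added example (not from the original post): flagging a distributed
request flood in web-server access logs by aggregate rate and source spread.
All log lines below are constructed; thresholds are assumptions to be tuned
against a site's own baseline traffic."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: "<src> - - [28/Apr/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not a record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, request, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"src": src, "when": when, "request": request, "status": int(status)}


def bucket_by_second(lines):
    """Return {second: Counter(source_ip -> request count)}, skipping unparseable lines."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        buckets[rec["when"].replace(microsecond=0)][rec["src"]] += 1
    return buckets


def detect_flood(lines, total_rps_threshold=20, min_sources=5):
    """Alert on any second where the total request rate exceeds the threshold
    AND at least min_sources distinct addresses contribute (the distributed
    signature). A single noisy client is left to ordinary rate limiting."""
    alerts = []
    for second, per_src in sorted(bucket_by_second(lines).items()):
        total = sum(per_src.values())
        if total >= total_rps_threshold and len(per_src) >= min_sources:
            alerts.append({
                "second": second.isoformat(),
                "total": total,
                "sources": len(per_src),
                "top": per_src.most_common(3),  # heaviest hitters for triage
            })
    return alerts


def make_line(src, ts, path="/"):
    """Build a constructed access-log record for the sample below."""
    return f'{src} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: a quiet second from two clients, then a second in which
# eight addresses (203.0.113.0/24 is a documentation range) each send three
# requests, plus one junk line to show the parser tolerates it.
SAMPLE_LOG = (
    [make_line("198.51.100.10", "28/Apr/2013:10:00:00 +0000", "/index.html"),
     make_line("198.51.100.11", "28/Apr/2013:10:00:00 +0000", "/login")]
    + [make_line(f"203.0.113.{i}", "28/Apr/2013:10:00:01 +0000")
       for i in range(1, 9) for _ in range(3)]
    + ["this line is not a valid access-log record"]
)

if __name__ == "__main__":
    for alert in detect_flood(SAMPLE_LOG):
        print(f"{alert['second']}: {alert['total']} req/s from "
              f"{alert['sources']} sources; top={alert['top']}")
```

The two-condition rule matters in practice: per-source rate limiting alone never fires when each bot stays under the limit, which is exactly what a large botnet lets an operator do, so the alert keys on the aggregate rate and the source count together.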

PAST, PRESENT, FUTURE
Prior to 2012, most DDOS attacks against financial institutions lasted several hours, extending to several days at most. Beginning around mid-2012, the duration of DDOS attacks significantly elongated.

Some evidence exists that compromised hosting facilities, or ones associated with organized crime (read: lots of computing power and lots of communications bandwidth), in central Europe and Asia have become the attack origin of choice for DDOS attackers. Given access to or control of that computing power and bandwidth, botnet operators devised ways of very rapidly populating very large numbers of bots within these hosting facilities.

Of additional concern is the widespread availability of consumer cyber crime tools, including toolsets capable of launching or participating in a DDOS attack.

Large financial institutions are well advised to expect, anticipate and make advanced preparations to defend against DDOS attacks on an ongoing basis for the foreseeable future.