– Debbie Fletcher, Guest Writer for CloudPOST, says:
As online financial transactions such as online banking, trading, Forex, Bitcoin and Paypal reach grow to millions of transactions per day, disruption of service can be costly and the damages long term. Whether you are an established financial institution, online business owner or an emerging startup exchanging funds online, the threat of cyber extortion through DDos attacks is very real.
It could cost you tens of thousands of dollars, while a DDoS attacker hides behind a keyboard, paying almost nothing for access to a rentable botnet, that will pound your server with millions of fake requests, quickly making your site inaccessible for all legitimate visitors.
The motivations for such DDoS attacks are varied, ranging from cyber-vandalism to cyber extortion, and even to business feuds. Not surprisingly, one of the most common DDoS targets are financial institutions who offer best “Return on Investment” for the cyber-criminals behind the attack.
The evolution of distributed denial of service attack
Distributed denial of service or “DDos” attacks always followed the same principal by flooding the website with fake requests over multiple locations to a single destination, ultimately shutting it down by exhausting all of the available server-resources.
Traditionally, such DDoS attacks were executed by generating a stream Network Layer traffic, most commonly SYN floods, which were used to open a large number of fake connections with a server. However, over time, DDoS protection services were able to adapt themselves to these methods and today, most such attacks are easily dealt with by even the very basic of anti-DDoS solutions.
However, the DDoS race never stops. Just as the defenders got savvier, the attacker also raised the stakes, adding new tools to their DDoS-arsenal. One such tool was recently discovered by DDoS Protection firm Incapsula. They recently mitigated a 150-hour long DDoS attack, with nearly 690million hits a day, coming from over 180k locations all over the world.
While the scope of the attack would be enough to raise an alarm, the attackers’ methods were the real cause for the concern. As researchers from Incapsula revealed, the attackers were using PhantomJS bots, extremely human like malicious agents, which would easily pass through the front gate of most DDoS Protection services.
Simply put, these fake DDoS bots were equipped with full browsing capabilities and human-like behavior. Unlike the old-school DDoS threats, these were specifically designed for stealth and infiltration and thus couldn’t be stopped by any of the traditional DDoS protection solutions.
As hackers evolve, DDoS protection services must also take the next step to continue to effectively protecting banks, retail stores, online businesses and financial institutions.
5 Tips on how choose the right DDoS Protection
The easiest way to get DDoS protection is to hire a third party anti-DDoS service that is designed to deal with Network and Application Layer threats, with a combination of strong network backbone and equally strong visitor identification capabilities. These are just some of the things to look for:
- Network capacity – This will help you deal with the old-school Network DDoS threats. To be on the safe side you should look for 100 Gigabit network size or smaller, if it allows for easy scalability.
- Visitor Identification – To deal with today’s DDoS threats you need a service that can accurately identify bots from humans. With Application Layer DDoS attacks, like the one mentioned above, such capabilities are rapidly becoming absolutely essential.
- Transparency – You need to be able to stop DDoS without bringing your business to a halt. If the DDoS protection service relies on indiscriminative CAPTCHAs, Delay Pages or any other intrusive challenges, you should steer away as these will also disrupt your regular visitors.
- Support – Choose a company with strong customer care as you might need to contact them in case of an emergency.
- Cloud – New Cloud-based DDoS protection technologies provide the best value for money.
It wasn’t raining when Noah built the ark. — Howard Ruff
The Long Term Solution
Protecting you financial institution or any online company against server attacks should be part of your business plan regardless of company size. The cost of access denial can far outweigh the cost of protection.