NAB floats denial-of-service threats to the cloud

A year on from the DDoS attack that hit NAB, general manager for technology, security and risk at the bank, Gary Blair, said it is still investigating the crime.

"In terms of the actual event itself, the incident is still under investigation. These are necessarily long term and the information needs to be correlated with other similar attacks that have taken place prior and since," Blair told ZDNet Australia.

While the number of DDoS attacks against financial institutions, government departments and online businesses such as gambling and porn sites has increased in recent years, so too has the scale of attacks. Increased broadband penetration and the prevalence of bots is adding power to the arsenal of cybercriminals bent on disrupting services, which in some cases, is used as leverage to blackmail businesses.

Although thousands of DDoS attacks are launched daily, according to Sean Lord, consultant for Verizon's IT services division, roughly four percent are conducted by professional crime groups.

"We saw a number of online betting organisations on the day before the Melbourne Cup receiving blackmail threats but its one thing to be able to hear about it from gambling sites because they're not as worried about risk to their reputation, versus banks, which are petrified they would lose their institutional online customer base. An even larger dimension to this is the Estonian DDoS attacks, which were politically motivated and country specific," said Lord.

Although NAB's Blair said the bank was well prepared for the attack it experienced, DDoS still disrupted services, prompted NAB to warn customers of new phishing threats and forced the bank to review its defence capabilities against DDoS attacks.

"Coming out of it, we took the opportunity to review what we could do differently. We concluded that we did perform well, but there are things we have done with our telco partners which mean that we have the ability to prevent these types of attacks further up in the cloud, so to speak," said Blair.

The call for ISPs and telcos to provide "clean pipes" is not new but has remained elusive for the general public. For larger organisations however, which want control over packet traffic volumes, rather than malware or pornography, telcos are offering security services to "shape" and "scrub" incoming traffic to prevent DDoS attacks.

"One of the key things was recognising that the defence-in-depth principal doesn't start at the perimeter -- it extends to the cloud -- and that as we do so, we need to work closely with our telco partners to shape and manage the traffic," said Blair. Defence in depth represents the multi-layered approach to security to help minimise the effects of a single layer being compromised.

Although, for security reasons, Blair was unwilling to divulge the methods the NAB or its telco partner uses to prevent DDoS attacks, he said it "ensures that we effectively receive clean traffic to our perimeter".

Verizon's Lord said that telcos -- Telstra, Optus, Singtel, AT&T, Verizon and BT included -- all use the same basic architecture for these services, with the main differentiator being that AT&T and Verizon have the most wide coverage of the world's networks.

Scrubbing and shaping
Two key techniques used to defend against DDoS attacks in the cloud are shaping and scrubbing packet traffic.

"Shaping, for me, suggests that I will make a haphazard analysis of total volume and I would reduce it on the basis of a desired volume. Scrubbing is the establishment of a white-list profile of good packets and then, through behavioural and holistic analysis, a recognition of what constitutes good versus bad packets and the removal of the bad packets," said Lord.

However, cloud security present a different challenge to Australia's local telcos such as Telstra and Optus compared to their larger multinational peers, Lord said.

"I would suggest a differentiator for a global tier one telco is that they can do that at a regional rather than a country basis. [Local telcos] have to 'throw away' at the borders of Australia whereas Verizon can 'throw away' at the borders of Asia," said Lord.

A network that many local telcos are "queuing up for" but are yet to join, said Lord, is Arbor Network's Fingerprint Sharing Alliance.

The Fingerprint Sharing Alliance is being touted by Arbor Networks as a method by which telcos and ISPs can share threat information without revealing competitive information.

"This is the beginning of cross ISP intelligence gathering," said Lord, who reckons the intelligence gathered from such a network is the essential ingredient to true security in the cloud. One major benefit of such an approach, he added, is that it allows telcos to recognise the origins of a bad packet and trace it back to its source.