April 4, 2013 at 9:49 AM ET
Banks knocked offline, day after day - on Thursday, it was WellsFargo.com's turn. A digital skirmish between two European firms that grew so large it slowed Internet traffic worldwide. If it feels like the Net has been fragile lately, there’s a good reason: Computer criminals are launching more powerful attacks and are gaining the upper hand.
Security firms have been relatively successful in recent years countering denial of service attacks — criminal assaults that overwhelm websites with fake traffic to make them unreachable, the equivalent of speed-dialing a friend's phone repeatedly so no other calls can get through — with software designed to separate real traffic from fake, or simply by purchasing bigger Internet pipes that can absorb the requests.
But the equation is changing dramatically as criminals have learned how to use the Internet against itself.
Among the Web’s dirty little secrets: Economics strongly favor the criminals. They hijack bandwidth used for normal Web operations, concentrate it and aim it at a target. The more money that firms invest in bandwidth to protect against traffic floods, the more bandwidth crooks can steal and use to attack. Worse yet, the bigger the pipes going into hijacked computers, the fewer computers criminals must control to succeed in an attack.
An attack that might have required 10,000 compromised computers in past years can now be accomplished with 100. That means the costs for the criminals is going down, while security costs are going up.
"The problem is, this is an asymmetric war, an arms race we can't win because they are using our resources against us," said Rodney Joffe, senior technologist at Internet infrastructure company Neustar, which helps companies fight denial of service attacks. "That's why building larger highways won't help. They just make use of our resources."
Wells Fargo told NBC News that some of those resources were used to knock it offline for part of the day Thursday.
“We’re seen an unusually high volume of website and mobile traffic which we believe is a denial of service attack,” the firm said in a statement.
'Not really much we can do'
Last week, a European denial of service incident that targeted spam-fighting organization Spamhaus and its Internet providers involved an incredibly focused attack that stormed the service with one of the largest measured attacks in history. There is debate about how much the rest of the Internet suffered as a result of the attack — in truth, the impact was imperceptible to most — but it would be a mistake to overlook it. Experts expect copycats soon.
The Spamhaus attack used a technique that’s more than 10 years old. Domain name servers that run the guts of the Internet were tricked into sending a flood of traffic at Spamhaus. Hijacked computers with disguised, or spoofed, return addresses asked the DNS servers for long lists of data — specifically, to resolve website addresses — which were reflected and sent by the servers to Spamhaus servers. Exploiting about 1,000 misconfigured DNS servers was enough to generate a record-sized attack. A group devoted to fixing such misconfigured machines says there are 25 million of them on the Web, ready to be exploited.
DNS attacks haven’t been top priority in recent years, partly because servers didn't need large amounts of bandwidth to do their relatively simple everyday tasks of matching numerical Internet addresses with common website names. Today, many are linked with high-capacity pipes, making them newly attractive takeover targets for hackers.
The bank attacks work differently. The group behind them — which calls itself al Qassam — uses an army of thousands of compromised computers called a botnet in coordinated actions to attack banks. But al Qassam holds an advantage: A single compromised home PC, connected to the Internet with high bandwidth, can generate 100 times the malicious traffic as a similar computer five or 10 years ago.
"There's not really much we can do about that," said Michael Smith, director of the customer security incident response team at Akamai Technologies Inc., which provides website performance optimization and security for some of the companies targeted in the attacks. "Speeds are going to get faster."
Changing tires on a moving bus
Aaron Rudger, a spokesman for Internet traffic measurement firm Keynote, notes that denial of service attacks rarely escalate beyond a major annoyance for companies or consumers. Traffic after the Spamhaus attack was back to normal within a few hours as packets found other routes to their destinations. Consumers who need access to their bank accounts can use the telephone, or in some cases, even mobile phone apps when a bank’s website is down.
“You can't really kill the Internet,” Rudger said. "The Internet in general is inherently very resilient.”
There are ways to fix the denial of service attack problem, but they are expensive and would require fundamentally changing the protocols that govern the way the Internet works. And it would all have to happen without interrupting Internet service.
“It’s akin to changing the tires on a bus moving 60 mph,” Joffe said. “We have to rethink the entire thing.” Proposed new rules would make it impossible to use fake return addresses, for example, but Internet service providers around the globe would have to agree to the changes.
Avivah Litan, a banking security analyst with consultancy Gartner Group, said that an even more radical change might be necessary, because there’s really no way to get rid of the criminals.
“We might have to put the banks on a private Internet,” she said. “Because we are not going to get rid of the people attacking the banks ... You might think the only way it's going to end is if we take them down, but they are like Al Qaeda, totally distributed. In fact they are 1,000 times more distributed.”