The Impending DDoS Attack on the Financial Sector

Last October, a new kind of botnet was discovered. It was named, IoTroop. The name implies that it was composed of ‘things’ connected to the internet (IoT), such as routers and web cameras. The novel characteristic of this botnet was that the things within it could be updated with new commands when its administrators so desired. This feature was first discovered in the dangerous Reaper Botnet. Former botnets used devices that were compromised and then programmed to perform specific tasks, such as sending spam emails. These built-in programs could not be changed. Now, however, whenever a new vulnerability is found, the entire botnet can be reprogrammed to exploit it. That’s a dangerous turn of events.

The IoTroop botnet is based on the Mirai Botnet; the botnet that brought down much of the internet in October of 2016. IoTroop still incorporates some of the devices used in the original Mirai attack, but has now added devices from companies like AVTECH, Linksys, MikroTik, TP-Link, and a Samsung TV. (For a complete list of all compromised devices, see the original Insikt Group report.)

On January 28th of this year, three financial institutions were targeted with distributed denial of service (DDoS) attacks. It was the largest DDoS attack since the Mirai attack of 2016. The targets appeared to have been three major Dutch banks; Rabobank, ING Bank, and ABN Amro. The banks claimed that some of their services were disrupted for a short period of time, but details have not been disclosed. Here are the countries that the compromised devices (botnet clients) attacked from. The preponderance of Russian-based devices was probably due to the large number of MkroTik devices located there, as these formed the main type of device used in the attack.

iotroop botnet distribution

In February, Dutch police arrested a teenager who they thought might be implicated in these attacks, but, so far, no connection has been found.

So that’s the end of the story, right? Well, probably not. At the end of 2017, Verisign reported that the most targeted sector for DDoS attacks was the financial sector. In fact, 40% of all DDoS attacks targeted financial institutions. There is no reason to expect this will change anytime soon. In addition, whether the owners of the botnet planned it or not, this attack on Dutch banks served as a sort of ‘proof of concept’ attack. That is, the attackers were able to learn the size of a botnet needed to take down a major bank. That’s important information.

Most botnets are leased for, purportedly, ‘stress testing’. Yes, that’s right; there are websites that rent the use of a botnet. When you lease a botnet, you are supposed to use it on your own network to see how resistant it is to a DDoS attack. You can even rent the entire 400,000 device Mirai botnet, if you have the money. Of course, there will be those who lease these botnets for criminal purposes. But why? Why would they want to pay so much money just to bring down a financial institution? In other words, what’s in it for them?

There may be a number of motivations, but here are a few that have been found.

  1. Street Cred

Some hackers or hacking groups need to gain credibility among their peers and others. It’s not only that they want respect. If their group becomes known as one that can bring down a large firm, they may be able to wield the name alone as a weapon. They don’t need to actually launch an attack to get money. They can threaten an institution with a DDoS attack and, with their reputation for support, demand money to abort the attack. Sometimes they can launch a limited attack just to show that they have the capability. The hope is that a one-time investment in a large botnet will make further investments unnecessary. They can earn money through threats alone.

  1. Extortion

 With or without street cred, once a DDoS attack begins, the attackers can demand a payment (often in Bitcoins) to stop it. In such a case, it is better to wait out the attackers since it costs them more money the longer the attack takes place. (70% of all DDoS attacks last less than 10 minutes.) Botnets are leased according to the number of devices in the net and the time they will be used.

  1. Political Reasons or Revenge

 The Anonymous Hacking Group has been known to target banks with DDoS attacks for political reasons. They may ask the attacked institution to perform some service or give some apology before they will end the attack.

Individuals may launch such attacks for revenge. These attacks may be from disgruntled employees, angry customers, or jealous competitors.

  1. A Diversion to Launch Other Attacks

 According to Kaspersky, 56% of companies targeted with DDoS attacks experienced other, more serious, attacks at the same time. The DDoS attack was just a smokescreen to distract the IT staff. It’s possible the attackers allowed for a lull in the attack so that they could install malware on the network. Later, this malware would be used in more serious exploits.

The Amplified DDoS Attack

 Recently, a new type of DDoS attack has appeared. This attack, called the Memcached Reflection/Amplification attack, amplifies the attack of one botnet by a factor of 50,000.

Let me over simplify this a bit. Imagine you have a personal website. It is connected to a server that manages the traffic to your website. If you get a lot of traffic, your server will have trouble managing it. People who want to access your website will have to wait to get to it. Now, imagine that I gain control of your IP address. I can then tell certain servers, memcached servers, to send me (pretending to be you) information. In fact, I can have them send you lots of information, so much information, in fact, that your server crashes trying to keep up with all the requests. Now, imagine I have a large botnet that keeps sending requests from you for more information. You have effectively been knocked offline. This is why even large institutions, such as financial institutions, may have trouble undermining such an attack.


Since recent DDoS attacks have targeted financial institutions, it would seem likely that this amplification method will be used against them. Some memcached servers have been patched, but the amplification idea still exists. This plus the ability of botnets to evolve to exploit new vulnerabilities has everyone waiting for the inevitable attack on targets within the financial sector. My guess is that they won’t be waiting long.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s