Is Iran the perpetrator of DDoS attacks on US banks?

by Gene Michael Stover

created Monday, 2013-01-14 T 13:03:28Z
updated Monday, 2013-01-14 T 13:38:22Z

In the news this morning are stories about some cyberattacks against US banks. Here's the skinny.

The attacks were a Distrubted Denial-of-Service (DDoS) against some banks in the USA. There were a couple of interesting technical twists, but for the moment, what's important is that they increased the likelihood that you'd get a temporary error if you tried to use your bank's web site. (That's what a Denial-of-service attack does.)

I'll mention the technical twists later for you programmers. It's the political part of the story that's significant.

  1. USA government says that "there is no doubt" that Iran's government is the perpetrator. (Third paragraph here, fourth paragraph here, as well as mentioned but not quoted in most of the stories.) (Where have we heard "there is now doubt" before? Hmmm?)
  2. USA government offers no evidence to this claim. (Sixth paragraph here.)
  3. A middle-eastern hacker group called Izz Ad-Din Al-Qassam Cyber Fighters claims responsibility.
  4. Iran government says "The Islamic republic of Iran categorically denies any involvement in cyber attacks on American banks and denounces such methods which are a violation of the sovereignty of nations".

Since Iran mentions the sovereignty of nations, which is a damn spot more than our own government acknowledges, since the Al-Qassam Cyber Fighters have presented some evidence that they perpetrated the attacks, & since "there is now doubt", USA's claim that the Iran government is the perpetrator sounds like fear-mongering & vilification of Iran -- which isn't new.

Technical details (in case you're interested)

  1. It's a Distributed Denial of Service attack.
  2. It was executed from the cloud -- from computers at data centers such as Amazon's & Google's. (None of the stories clearly say whose data centers were used, so I'm not saying that Amazon's or Google's were used. Just saying that it was execute from data centers such as those run by Amazon, Google, & other organizations.)
    1. This is a new development in DDoS attacks. (link)
  3. It probably worked by using the "itsoknoproblembro" toolkit which attacks some security hole in PHP. (link)
  4. Another twist: The packet flood contained "encryption requests".
    1. Sounds like SSL connection requests or login attempts for the web sites.
    2. So these requests consumed network bandwidth as do the packets on any DDoS attack, but they also consumed CPU time as well. In other words, they were doubly effective.
  5. One the banks has 40 gigabit/second bandwidth. (The implication is that most of the banks had less.) At its peak, the attack was spewing 70 gigabit/second, so it sounds like the attack could seriously impact access to the web sites of at least several banks at one time. (link)


this morning
Monday, 2013 January 11 PST