Hacktivists Estimate DDoS Attacks on Banks to Last Another Year

Have we decided what 2013 will be the year of yet? According to a new threat issued by the extremist group Izz ad-Din al-Qassam Cyber Fighters, the group claiming responsibility for the continued campaign against U.S. financial institutions, it may well be remembered as being the year of the Distributed Denial of Service (DDoS) attack. According to the group’s own calculations, banks can expect to continue dealing with the annoyingly inconvenient assault on their websites for another 56 weeks, extending the protest well into 2014.

The attacks, which began in mid-September, have resulted in intermittent downtime for the online banking websites of some of the largest financial institutions in the country, including U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services Group, SunTrust, HSBC, Ally Bank, BB&T, Wells Fargo and Capital One.

In a Pastebin post published January 8th, the group attempts to provide a rational accounting for the projected duration of their protest against a controversial YouTube video, and their estimate of the financial impact to the targeted organizations, with some simple arithmetic.

The group based their calculations on the total number of times the video in question has been viewed on the top five YouTube postings of the film, in addition to the number of times viewers have “liked” the video, and also taking into account the number of “dislikes” of the video:

  • Total number of views: T = 26546482
  • Total number of “Likes”: L = 73721
  • Total number of “Dislikes”: D = 194906
  • Dislike Factor: DF = 10 (no explanation for this figure provided)

They stated that their “jury” has levied a “sentence” against the banks for every “view” and “like”, then estimated the total cost to each bank per minute of a DDoS attack (though they do not mention how they arrived at the number):

  • Cost per minute of DDoS: C = $30,000
  • Sentence for each view/like: CF = $100

Using these figures, the group estimated the following penalty should be exacted against the targeted banks:

  • Total number of minutes for DDoS attacks: TM = TC/C = 82237 minutes
  • Total cost to be exacted: TC = (T+L-DF*D) * CF = $2,467,114,300

The attackers estimate a successful attack lasts seven hours, or 420 minutes (S), and calculate the number of days they will continue the DDoS attacks as:

  • Total Days: TD = TM/S = 196 days

After 27 (PD) days of attacks so far, the group estimates the number of days remaining in their campaign to be as follows:

  • REM = TD-PD = 169 days total (about 56 weeks total duration at an average of 7 hours of “DDoS attack success rate per day”)

The group also said that if the URLs for the video used in these calculations were to be removed, they would recast the calculations for the DDoS attack, stating that “…we will consider other similar URLs with less than 1,000,000 views which are omitted for now, until all copies of the insulting movie (both trailer and full version) are removed.”

If the protesters really have the fortitude to carry on the campaign for another year or more, 2013 may indeed go down as the year of the banking DDoS. Of course, it is not merely financial institutions who can suffer disruptions to business activities due to denial of service attacks; every organization with an Internet presence is susceptible.

Organizations concerned about their own potential exposure to DDoS attacks are encouraged to take a free DDoS preparedness assessment test which provides a customized evaluation and subsequent recommendations based on answers to a short questionnaire. The DDoS assessment can be conducted in a matter of minutes by following the instructions here: DDoS Preparedness Test. Resources are also available for those organizations who seek to deploy a first line of defense to filter unwanted traffic before it ever reaches the targeted network.

Anthony M. Freed

About Anthony M. Freed

Anthony M. Freed is an information security journalist and editor who has authored numerous feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets, including The New York Times, Reuters, The Register, Financial Times of London, MSNBC, Fox News, PC/IT/Computer/Tech World, eWeek, SC Magazine, CSO Magazine, Federal News Radio, The Herald-Tribune, Naked Security, and many more. Anthony was the Managing Editor of Infosec Island, an online community designed for IT and network professionals who manage security, risk and compliance issues.
