Unknown assailants strike Rabobank with DDoS

The Dutch bank Rabobank was hit by a distributed denial-of-service attack last weekend that left customers and partners unable to access their accounts.

Rabobank Group, which describes itself as an international financial services provider, confirmed that it experienced some downtime on the weekend of the February 19-20.

“The downtime experienced on the Rabobank internet site last weekend was caused by deliberate actions of an unknown party to overload the Rabobank network with large quantities of data," Rabobank said in a statement.

"As a result, clients were unable to access the site.

“Rabobank has reported the incident to the police. The outage of the site meant that clients were unable to conduct internet and mobile banking transactions. At no time was there any intrusion into the bank's systems or customer data.”

It confirmed that the problems occurred on the evening of the February 19 and in the afternoon of the follwoing Sunday. It also confirmed that it had made technical adjustments to ensure its security against possible new attempts to block access to the site.

“These measures required some providers to make additional adjustments to technical settings for access to the Rabobank site," Rabobank said.

"As a result, in the following days the customers using these providers have only been able to conduct internet banking through a direct web address. By Tuesday evening all customers were able to access their accounts again.”

Domain name system security provider IID said that the outage lasted four days, as Rabobank altered its domain name system records for its website in order to deflect the attack.

Rod Rasmussen, president and chief technology officer of IID, said that it was still gathering information of what happened, but based on the published reports it would appear that Rabobank redirected its primary DNS entries to a loopback or a sinkhole to squash the DDoS attack.

“That's a trick others have used in response to DDoS in the past, but based on the reported problems after they removed the redirect they didn't use a short time to live for the changes," Rasmussen said.

"So when it came back up, most people still had the wrong address cached to try to get to the bank's website or transaction systems meaning it didn't work for those customers for over a day. This was an apparent self-inflicted wound,” he said.

Asked on the best mitigation advice to better buffer DDoS attacks, Rasmussen said that if Rabobank or anyone is going to use a DNS trick to escape a DDoS, they should use a relatively short time to live so that they can recover quickly after the attack abates.

“Of course you don't want too short a time period, or you end up flooding your DNS servers too as the DDoS bots perform domain name lookups for their target," he said.

“From the reports we've seen, it also doesn't appear that Rabobank informed all of its key partners of the situation to let them know to adjust their automated process. 

"Basically anyone trying to do business online with Rabobank couldn't, and that was intentionally put in place by Rabobank themselves.  

"Thus iDeal, a key partner and major payment service had their business dramatically impacted by a third-party changing their online configuration, another self-inflicted wound.

“With notification, or even just monitoring of its vendor's online posture, iDeal would have been able to avoid the major service outage they suffered that went well beyond the Rabobank situation.  

"Outreach to key processors/partners/government needs to be part of any response plan where there's a major compromise or loss of service."

This article originally appeared at scmagazineuk.com