Finnish Bank OP Under Persistent DDoS Attack
An anonymous reader writes The Finnish bank OP Pohjola Group has been a target of a dedicated DDoS attack for days. The attack, which investigators said was launched from both Finland and abroad, began on New Year's Eve. OP was forced to open a helpline for customers unable to confirm payments or transfer money because of jammed systems. On Saturday the firm said it would compensate people for any losses or late payment fees incurred as a result of the attack. On Sunday morning the bank tweeted that its services were operating normally and even customers based outside Finland were able to access their accounts — and that it was still monitoring traffic carefully to try and ward off any renewed strikes. However, on Sunday afternoon further denial of service attacks took place, delaying payments and preventing access to banking services for OP customers. A formal police complaint has been filed and OP says that KRP is looking into the case.
That traffic be too OP for OP to handle...
Buck Feta. You know what to do.
God prefers stone tablets. They last longer, at least if you don't intentionally smash them...
Sleep your way to a whiter smile...date a dentist!
Sure... Linux will solve all DDoS problems with fairy dust and other magic.
I'm by no means a fan of Windows, but install any odd Linux distribution of a few months old on a public IP address, with most standard features enabled and let's see how long it lasts without getting exploited.
Also, Linux solves nothing if you're on the receiving end of a very large DDoS. The only thing that will help you then is sufficient bandwidth, sufficient server capacity and dedicated, specialized filtering equipment. Then again, it's still hard to fight many of those "semi-intelligent" DDoSes and even the best hardware and massive pipes will get you only so far.
It's time to see those DDoSes for what they really are: Lame acts of vandalism or extortion. There's nothing clever about them and they're causing an increasing amount of financial damages, often also a lot of collateral damage. Maybe it helps if those who initiate them get caught more often and don't get away with a few weeks of house arrest and public service.
There are service providers that specialize in DDoS mitigation. Some of them already host banks (lots of them, in some cases), and have multiple terabits of bandwidth available to survive DDoS attacks with minimal impact. They're able to mitigate attacks in the hundreds of gigabits.
They're not cheap, but they work, and banks tend to be able to afford it.
New mouse does this. Wanted to mark funny, ended up as troll. Replying to fix.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
In addition to OP (Osuuspankki), Nordea has also been attacked, and even Danske Bank is having troubles at the moment, though it's not known if they're being DDOSed or if it's just the usual incompetence.
Finland, like other countries that have had security incidents, seeks to protect itself ....
Supo wants expanded net surveillance powers - 20.6.2013
The head of the Finnish Security Intelligence Service (Supo) has told the business daily Talouselämä that his organization wants increased funding and expanded powers to carry out surveillance of internet traffic.
Five years ago, the Swedish Defence Radio Authority (FRA) was authorized to warrantlessly wiretap all telephone and internet traffic that crosses Sweden's borders. According to Supo chief Antti Pelttari, Finland should consider introducing the Swedish model here as well.
"Our legal mandate is to ensure the security of the State of Finland and its social system from both internal and external threats," said Pelttari. "There must be means available to monitor what is transmitted through data networks, and the capacity to identify and evaluate anomalies," he added.
I wonder who is attacking the Finns, and who would have reason to? Russia has been menacing Finland and its neighbors in the Baltics with incursions by aircraft and submarines. There is concern that Russia may turn on Finland after Ukraine. The Baltic states and other targets of Russia have suffered similar attacks coming from Russia.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
I see no other reason for this DDoS attack but vandalism of some sort. The attackers have no political agenda (this is a small Finnish bank, not one of the big tax-haven transfer banks like UBS). It also has no political connections/owners.
The attack also has no way of obtaining any useful info, as all banks in Finland use one-time passwords for login.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
No. You login as AC over http.
Sleep your way to a whiter smile...date a dentist!
http://www.independent.co.uk/n...
Religion is what happens when nature strikes and groupthink goes wrong.
It's time we started charging those who launch DDOS attacks with "terrorism". They impact the entire public community of their target, with widespread damages and effects to both the user and provider of the DDOS'd services. Lock the bastards up when they're caught for far, FAR longer than happens now. :(
I do not fail; I succeed at finding out what does not work.
Why does it matter on the skill level needed? Does the attack lose cool points on the hipster level because it isn't a skilled attack?
It doesn't matter how you get the oranges up the stairs, a guy from kinkos or a ddos.
I knew it. Something was amiss this morning, some hidden urge or itch was there. I am sure you know this feeling, you know something is wrong but do not know exactly what. You took cover away and then the difficult to identify feeling becomes a full blown itch and burn - this big monster is called Putin sending his proles to do their dirty deeds.
But seriously - I know there are technical means to mitigate such attacks but they are still an annoyance and the only way to combat those is to go after the attackers. Pointing fingers in general direction of Putin, Russia or Zamunda is not going to do anything but raise tensions possibly, strengthening this overwhelming feeling that conflict is inevitable making the conflict in fact inevitable - if you are under pressure from all sides you may justifiably feel threatened, sort of self-fulfilling prophecy.
Yet from another angle - all the BS that NSA and security military industrial complex did over years is making me uneasy about any request for more power. Clearly the police needs more powers to find perpetrators of such acts of IT violence but we also know that they are going to abuse that as soon as they get those new powers. Thus NSA is also a culprit then.
How interesting that you post it in a story about a DDoS. Want to give us ideas how to deal with that spam?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Not every problem is a nail. No matter how much you love your hammer.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
More than you'd even know. If it wasn't for blasted NDAs... let's say the Finns are in good company.
Technical fix... well, there are a few things that we could do to make such DDoSs harder to pull off.
First, if it's a DoS that relies on flaws in software or configuration (Slowloris et al), there's an easy fix for that: Hire an admin who knows what he does, patch the crates, install the relevant mods and don't use crappy default configs.
Let's move on to the more difficult to handle stuff, i.e. what we usually think of when hearing DDoS: Lots and lots of computers clogging the pipe. While seemingly there is little you can do about it, there's actually quite a bit that could make such attacks harder or more costly to the attacker.
These attacks usually rely on reflected amplification. You send from your machine a small packet that requests a large one from the reflector which is then sent to the target. Sounds complicated to pull off but isn't. Essentially what is (usually) done is to spoof the IP address of the target in a DNS request. DNS requests are tiny, the replies can be huge if you ask for all the info (and of course you do). Now, of course DNS is by far not the only route you can go, pretty much anything that doesn't require a complete TCP handshake can do as long as a small request leads to a huge reply. Some games are guilty of the same kind of behaviour where a client asks a server about its setup and the server sends back a load of crap.
Mitigating this is technically of course possible, but completely unfeasible: Forgoing UDP and moving every service using it to TCP. Now, where is the interest for the service owner? He's not the one under attack. Why would he want to foot the bill? Not to mention that we're talking about completely rewiring DNS. Not some obscure little protocol that 3 people use but one of the backbone services of "the web".
So yes, there are technical solutions to that problem. But no, it won't happen.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
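Seen from the target's side, the reflected traffic described in the comment above is a stream of DNS replies that nobody on the target network asked for. The following is an added example, not part of the original comment: it matches inbound replies against recent outbound queries and totals the unmatched bytes per reflector. The record layout, function name and sample packets are assumptions made for illustration.

```python
from collections import namedtuple

# One UDP packet as seen at the target's border (constructed sample data below).
Pkt = namedtuple("Pkt", "ts src sport dst dport size")

def find_unsolicited_dns(packets, window=5.0):
    """Split DNS replies into solicited and unsolicited.

    A reply is solicited only if the receiving host sent a query to that
    resolver from that port within `window` seconds. Reflected replies never
    match, because the query came from elsewhere with a forged source address.
    Returns (unsolicited_packets, bytes_received_per_reflector).
    """
    pending = {}          # (local_ip, local_port, resolver_ip) -> query time
    unsolicited = []
    per_reflector = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dport == 53:                      # a query leaving a local host
            pending[(p.src, p.sport, p.dst)] = p.ts
        elif p.sport == 53:                    # a reply arriving
            key = (p.dst, p.dport, p.src)
            asked = pending.pop(key, None)     # one query accounts for one reply
            if asked is not None and p.ts - asked <= window:
                continue
            unsolicited.append(p)
            per_reflector[p.src] = per_reflector.get(p.src, 0) + p.size
    return unsolicited, per_reflector

# Constructed traffic using documentation address ranges only.
SAMPLE = [
    Pkt(0.0, "192.0.2.10", 40000, "198.51.100.53", 53, 60),     # real query
    Pkt(0.1, "198.51.100.53", 53, "192.0.2.10", 40000, 120),    # its reply
    Pkt(1.0, "203.0.113.7", 53, "192.0.2.10", 31337, 3000),     # never asked for
    Pkt(1.1, "203.0.113.7", 53, "192.0.2.10", 31337, 3000),
    Pkt(1.2, "203.0.113.99", 53, "192.0.2.10", 4444, 2800),
]

if __name__ == "__main__":
    flagged, totals = find_unsolicited_dns(SAMPLE)
    for reflector, size in sorted(totals.items()):
        print(f"{reflector}: {size} unsolicited bytes")
```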
Now, that's harsh.
It's enough to ban the people using it. It's not the OS's fault when users give dancing pigs higher priority than security.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Could be a customer of the disgruntled kind. At least that was my first thought.
SLOWER TRAFFIC KEEP RIGHT
Are we 4chan yet?
CLI paste? paste.pr0.tips!
Unlike ecommerce sites that are open to any new customers, it seems a bank could easily have warded off such an attack with a Bayesian or other learning algorithm. Assuming two-factor auth, you have a list of all of your clients' most common authenticated IP addresses. Add those to an allow or positive factor list. Then take all unknown IPs and add them to a negative list. When you are being overwhelmed by a DDOS, the negative list can simply be discarded while the positive list has priority at the router. While this would not entirely stop the effects of a DDOS it should make it a much more underwhelming attack rather than an all-out crippling of infrastructure.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
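A simplified version of the prioritisation proposed in the comment above, as an added example that is not part of the original comment: a plain login-count threshold stands in for the learning algorithm, and the function names, threshold and sample data are assumptions.

```python
import ipaddress
from collections import Counter

def build_allowlist(auth_log, min_logins=2):
    """Addresses from which some customer completed two-factor login at
    least `min_logins` times. auth_log is a list of (user, ip) pairs."""
    counts = Counter(auth_log)
    return {ipaddress.ip_address(ip)
            for (_user, ip), n in counts.items() if n >= min_logins}

def admit(requests, allowlist, capacity):
    """Decide which source addresses get served in one time slice.

    Below capacity everything is served. Above it, known addresses are
    served first, unknown ones share whatever capacity is left, and the
    rest is shed. Returns (admitted, shed).
    """
    if len(requests) <= capacity:
        return list(requests), []
    known = [r for r in requests if ipaddress.ip_address(r) in allowlist]
    unknown = [r for r in requests if ipaddress.ip_address(r) not in allowlist]
    admitted = known[:capacity]
    spare = capacity - len(admitted)
    admitted += unknown[:spare]
    shed = known[capacity:] + unknown[spare:]
    return admitted, shed

# Constructed login history and request burst (documentation addresses).
AUTH_LOG = [
    ("alice", "192.0.2.10"), ("alice", "192.0.2.10"),
    ("bob", "198.51.100.4"), ("bob", "198.51.100.4"),
    ("bob", "203.0.113.9"),                  # seen once: not yet trusted
]
BURST = ["203.0.113.50", "192.0.2.10", "203.0.113.51",
         "198.51.100.4", "203.0.113.52"]

if __name__ == "__main__":
    allow = build_allowlist(AUTH_LOG)
    served, dropped = admit(BURST, allow, capacity=3)
    print("served:", served)
    print("shed:  ", dropped)
```

The filter only relieves whatever sits behind the point where it runs; if the link in front of it is already saturated, the same prioritisation has to be applied further upstream.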
Anyone checking the back door while the front one is being DDoSd?
It's a great distraction to take eyes off a real attack via more profitable and less visible vectors.
blindly antisocialist = antisocial
If you log in to Slashdot as a user, the password is sent over HTTPS, but then your session cookie is sent over HTTP where anyone can Firesheep it and pretend to be you. Only subscribers are protected from cookie copying.
Am I tepples, or am I pretending to be?
So what do you propose to fight dancing pigs? Should governments make it illegal for members of the general public to own a machine that both connects to the Internet and gives the owner administrative access? Or should ISPs require PC owners to surrender administrative access to the ISP using something like Trusted Network Connect, as Alsee predicted would happen sometime this year?
Mitigating this is technically of course possible, but completely unfeasible
It's perfectly feasible to foreclose the lion's share of amplification attacks. All that's needed is for network operators to drop packets with source addresses that don't originate from their networks. This problem has been discussed for decades now but lazy network operators still can't be bothered to engage basic egress filter rules. My ISP will happily pass along packets with source addresses that they don't own; hell, I can send out packets with source addresses that don't even belong to ARIN and my North American ISP will happily pass them along.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
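The source-address check that the comment above asks network operators to apply (published as BCP 38 / RFC 2827), shown here as an added example that is not part of the original comment. Port names, prefix assignments and packets are constructed for illustration.

```python
import ipaddress

def filter_egress(packets, assigned):
    """Forward a packet only if its source address lies inside a prefix
    assigned to the customer port it arrived on.

    packets:  iterable of (customer_port, src, dst)
    assigned: dict mapping customer_port -> list of prefixes
    Returns (forwarded, dropped).
    """
    nets = {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        addr = ipaddress.ip_address(src)
        # Unknown ports have no prefixes, so everything from them is dropped.
        ok = any(addr.version == n.version and addr in n
                 for n in nets.get(port, []))
        (forwarded if ok else dropped).append(pkt)
    return forwarded, dropped

# Constructed assignments and traffic (documentation address ranges).
ASSIGNED = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25", "2001:db8:b::/48"],
}
PACKETS = [
    ("cust-a", "192.0.2.10", "198.51.100.1"),        # own address: forward
    ("cust-a", "203.0.113.5", "198.51.100.1"),       # foreign source: drop
    ("cust-b", "192.0.2.10", "198.51.100.1"),        # cust-a's address: drop
    ("cust-b", "2001:db8:b::1", "2001:db8:ffff::1"), # own IPv6: forward
    ("cust-x", "192.0.2.200", "198.51.100.1"),       # unprovisioned port: drop
]

if __name__ == "__main__":
    fwd, drop = filter_egress(PACKETS, ASSIGNED)
    print(len(fwd), "forwarded;", len(drop), "dropped")
    for pkt in drop:
        print("drop", pkt)
```

With this check at the access edge, a query carrying a forged source address never reaches a reflector, so the reflector has nothing to amplify.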
No. But we have to address it soon or we WILL get what you propose. Because that's probably what governments would certainly enjoy, and with insecure computers littering the net with their garbage, they have every excuse to demand it.
I'd be very happy about laws that make you responsible for what your computer does on the net. I'm required to keep my car in good repair so the brakes work and the lights indicating what I'll do, too, if I want to participate in traffic (not to mention that I'm required to know the relevant laws and rules). I'm required to keep my house in decent repair and keep people from squatting there if I don't want to be held responsible for damage that can be traced to my negligence. No matter what hobby I may have, as soon as it could possibly have some sort of impact on others there are a lot of regulations I have to heed to be allowed to do it.
Just when it comes to hooking your computer to the internet you can be as much of an idiot as you can be and not be responsible for diddly squat.
Why?
One thing is certain: More and more computers on the internet are infected in some way, becoming malware infested bots that are used by criminals in various nefarious ways. This will eventually lead to governments passing laws to stop that. It's only logical. It's the only thing governments could do to stop it, since the criminals are usually way outside their jurisdiction. And unless we find a way to solve this problem, they will solve it. And rest assured, their solution will certainly mean as much control over your machine as they can get away with.
My suggestion in this context would be that people become responsible for what their computer does. And if they can't show that they have taken just and reasonable actions to reduce the chance of being infected, I'd throw them in with the actual criminal for aiding and abetting. Without going overboard with it, I'd already consider it quite just and reasonable if people kept their system updated (which is the default setting for contemporary systems) and took reasonable care to avoid infections (installing some sensible antivirus should do). Nothing that would require any kind of learning or even knowing what they're doing, don't worry.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yes, but unless there is a law requiring that, nobody will implement it. Why should I implement something that benefits not me but someone else (who is under attack)?
Such things can only be solved by governments. Nobody would want to deal with expenses that benefit only someone else.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Without going overboard with it, I'd already consider it quite just and reasonable if people kept their system updated (which is the default setting for contemporary systems) and took reasonable care to avoid infections (installing some sensible antivirus should do).
Can an antivirus be called "sensible" if it has only batch scanning like ClamAV as opposed to "real-time" scanning? If not, what "sensible" antivirus might users of GNU/Linux or OS X use?
I was giving examples. Take "just and reasonable" precautions and you're fine.
I agree in principle. I also agree with you that early legislation will cause wide-reaching unintended consequences.
Whatever just and reasonable is would be up to a court.
The imagined threat associated with "Trusted Network Connect" is that ISPs might require all subscribers to run ISP-approved antivirus on an ISP-approved kernel. If there's no available antivirus for a particular operating system, the ISP will just decline to approve the operating system and thus won't give the subscriber an IP address outside its private internet. The court would likely end up ruling that ISPs, as private sector companies, have the right to choose their customers.
One thing is certain, we will get some kind of legislation in this matter. Corporations are losing money and it's impossible to catch the actual criminals.
The fear is that Microsoft and Apple will fool ISPs into thinking GNU/Linux users such as myself share enough overlap with "the actual criminals" to warrant an ISP-imposed ban on connecting a home PC running a free operating system to the Internet.