Slashdot Mirror

← Back to Stories (view on slashdot.org)

Finnish Bank OP Under Persistent DDoS Attack

Posted by samzenpus on from the breaking-the-bank dept.

An anonymous reader writes The Finnish bank OP Pohjola Group has been a target of a dedicated DDoS attack for days. The attack, which investigators said was launched from both Finland and abroad, began on New Year's Eve. OP was forced to open a helpline for customers unable to confirm payments or transfer money because of jammed systems. On Saturday the firm said it would compensate people for any losses or late payment fees incurred as a result of attack. On Sunday morning the bank tweeted that its services were operating normally and even customers based outside Finland were able to access their accounts — and that it was still monitoring traffic carefully to try and ward off any renewed strikes. However, on Sunday afternoon further denial of service attacks took place delaying payments and preventing access to banking services for OP customers. A formal police complaint has been filed and OP says that KRP is looking into the case.

18 of 92 comments (clear)

  1. Too OP by buckfeta2014 · · Score: 3, Funny

    That traffic be too OP for OP to handle...

    --
    Buck Feta. You know what to do.
  2. Re:This is a good thing by davester666 · · Score: 3, Funny

    God prefers stone tablets. They last longer, at least if you don't intentionally smash them...

    --
    Sleep your way to a whiter smile...date a dentist!
  3. Re:Sonebody go tell them by Anonymous Coward · · Score: 2, Interesting

    Sure... Linux will solve all DDoS problems with fairy dust and other magic.

    I'm by no means a fan of Windows, but install any odd Linux distribution of a few months old on a public IP address, with most standard features enabled and let's see how long it lasts without getting exploited.

    Also, Linux solves nothing if you're on the receiving end of a very large DDoS. The only thing that will help you then is sufficient bandwidth, sufficient server capacity and dedicated, specialized filtering equipment. Then again, it's still hard to fight many of those "semi-intelligent" DDoSes and even the best hardware and massive pipes will get you only so far.

    It's time to see those DDoSes for what they really are: Lame acts of vandalism or extortion. There's nothing clever about them and they're causing an increasing amount of financial damages, often also a lot of collateral damage. Maybe it helps if those who initiate them get caught more often and don't get away with a few weeks of house arrest and public service.

  4. So get protection by Guspaz · · Score: 5, Insightful

    There are service providers that specialize in DDoS mitigation. Some of them already host banks (lots of them, in some cases), and have multiple terabits of bandwidth available to survive DDoS attacks with minimal impact. They're able to mitigate attacks in the hundreds of gigabits.

    They're not cheap, but they work, and banks tend to be able to afford it.

    1. Re:So get protection by Kiuas · · Score: 5, Insightful

      They're not cheap, but they work, and banks tend to be able to afford it.

      Well, 2 things here: The Finnish banks are rather tiny compared to large international banks and national banks in larger countries. There are only 5,4 million people in the entire country. Secondly, this is the first time to my knowledge that a DDoS attack has done anything to any bank here. All the banks use 2-step verification process, so even in a hypothetical worst case scenario in which somehow attackers would manage to get their hands into some login info, that would not compromise the funds of the customers. Not that that would be possible with a plain DDoS attack.

      In the end it comes down to the cost-benefit ratio: sure i'd be nice to have protection from DDoSing, but unless this starts to become so commonplace as to actually start costing them significant amounts of money/customers, I doubt it will happen.

      --
      "It is the business of the future to be dangerous" -Alfred North Whitehead
    2. Re:So get protection by TapeCutter · · Score: 4, Interesting

      In the end it comes down to the cost-benefit ratio

      The DDOS attack is likely to have a ransom attached to it, so it boils down to two options; spend money on honest and reliable uptime protection, or submit to the attackers dishonest and fickle protection racket. I'm pretty sure the first option would be cheaper in the long run, sure it's a relatively expensive line item on an IT budget but not enough to seriously damage the total budget of a small bank.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    3. Re:So get protection by Guspaz · · Score: 5, Informative

      That "tiny" finish bank has US$3.23 billion in revenues, around US$900 million in net income, and nearly 13 thousand employees. They can afford to pay a bit more for their servers.

    4. Re:So get protection by Gaygirlie · · Score: 3, Informative

      Actually, it seems the attackers are mostly just a loose bunch of youngsters trying to emulate the big groups, ie. Lizard Squard and Anon et.al. I certainly have not heard anything hinting towards any ransom. F-Secure already has identified and knows from before of several of the attackers, so we can expect arrests soonish.

  5. More than one bank under attack by Anonymous Coward · · Score: 5, Funny

    In addition to OP (Osuuspankki), Nordea has also been attacked, and even Danske Bank is having troubles at the moment, though it's not known if they're being DDOSed or if it's just the usual incompetence.

  6. OP customer here: this must be pure vandalism by blind+biker · · Score: 4, Informative

    I see no other reason for this DDoS attack but vandalism of some sort. The attackers have no political agenda (this is a small Finnish bank, not one of the big tax-haven transfer banks like UBS. It also has no political connections/owners.
    The attack also has no way of obtaining any useful info, as all banks in Finland use one-time passwords for login.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:OP customer here: this must be pure vandalism by circletimessquare · · Score: 4, Interesting

      russians

      it doesn't take much to mount a DDoS, and one or a handful of ultranationalist douchebags felt slighted by something innocuous someone in finland did or said recently

      they had to prove something about glorious russia, so down went a finnish bank

      it makes sense in some propagandized loser's head

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  7. Re:This is a good thing by davester666 · · Score: 2

    No. You login as AC over http.

    --
    Sleep your way to a whiter smile...date a dentist!
  8. I'll just leave this here by bytesex · · Score: 4, Interesting

    http://www.independent.co.uk/n...

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:I'll just leave this here by symes · · Score: 2

      Illarionov is a bit crazy and paid (by American think tank iirc) to spout this sort of stuff. I think the chance that Putin would seriously threaten Finland is about the same that Putin would threaten Sweden. Also, Finland is very different to Ukraine in that pretty much everyone in Finland thinks Putin is crazy. In Ukraine there was and still is very strong support for Putin in some areas.

  9. Getting out of hand by msobkow · · Score: 2

    It's time we started charging those who launch DDOS attacks with "terrorism". They impact the entire public community of their target, with widespread damages and effects to both the user and provider of the DDOS'd services. Lock the bastards up when they're caught for far, FAR longer than happens now. :(

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Getting out of hand by Anonymous Coward · · Score: 3, Interesting

      I kind of think terrorism is not the correct tag here. Other crimes can have the same punishments etc as terrorism, so no need to put everything under terrorism. I already hate it when all kinds of stupid laws and punishments are given under the terrorism flag, even though they have nothing to do with terrorism.

  10. Re:DDOS Mitigation by Opportunist · · Score: 2

    More than you'd even know. If it wasn't for blasted NDAs... let's say the Finns are in good company.

    Technical fix... well, there are a few things that we could do to make such DDoSs harder to pull off.

    First, if it's a DoS that relies on flaws in software or configuration (Slowloris et al), there's an easy fix for that: Hire an admin who knows what he does, patch the crates, install the relevant mods and don't use crappy default configs.

    Let's move on to the more difficult to handle stuff, i.e. what we usually think of when hearing DDoS: Lots and lots of computer clogging the pipe. While seemingly there is little you can do about it, there's actually quite a bit that could make such attacks harder or more costly to the attacker.

    These attacks usually rely on reflected amplification. You send from your machine a small packet that requests a large one from the reflector which is then sent to the target. Sounds complicated to pull off but isn't. Essentially what is (usually) done is to spoof the IP address of the target in a DNS request. DNS requests are tiny, the replies can be huge if you ask for all the info (and of course you do). Now, of course DNS is by far not the only route you can go, pretty much anything that doesn't require a complete TCP handshake can do as long as a small request leads to a huge reply. Some games are guilty of the same kind of behaviour where a client asks a server about its setup and the server sends back a load of crap.

    Mitigating this it technically of course possible, but completely unfeasible: Forgoing UDP and moving every service using it to TCP. Now, where is the interest for the service owner? He's not the one under attack. Why would he want to foot the bill? Not to mention that we're talking about completely rewiring DNS. Not some obscure little protocol that 3 people use but one of the backbone services of "the web".

    So yes, there are technical solutions to that problem. But no, it won't happen.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:DDOS Mitigation by Opportunist · · Score: 2

    Now, that's harsh.

    It's enough to ban the people using it. It's not the OSs fault when users give dancing pigs higher priority than security.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.