Major international bank hit by DDoS that leaves service interrupted for several days
The Dutch bank Rabobank was hit by a distributed denial-of-service (DDoS) attack last weekend that left customers and partners unable to access their accounts.
Rabobank Group, which describes itself as an international financial services provider, confirmed that it experienced some downtime on the weekend of the 19th and 20th February.
In a statement to SC Magazine it said: “The downtime experienced on the Rabobank internet site last weekend was caused by deliberate actions of an unknown party to overload the Rabobank network with large quantities of data. As a result, clients were unable to access the site.
“Rabobank has reported the incident to the police. The outage of the site meant that clients were unable to conduct internet and mobile banking transactions. At no time was there any intrusion into the bank's systems or customer data.”
It confirmed that the ‘problems’ occurred on the evening of the 19th February and in the afternoon of Sunday 20th February. It also confirmed that it had made technical adjustments to ensure its security against possible new attempts to block access to the site.
“These measures required some providers to make additional adjustments to technical settings for access to the Rabobank site. As a result, in the following days the customers using these providers have only been able to conduct internet banking through a direct web address. By Tuesday evening all customers were able to access their accounts again,” a statement said.
Domain name system (DNS) security provider IID said that the outage lasted four days, as Rabobank altered the DNS records for its website in order to deflect the attack.
Rod Rasmussen, president and CTO of IID, said that it was still gathering information about what actually happened, but based on the published reports it would appear that Rabobank redirected its primary DNS entries to a loopback or a sinkhole address to squash the DDoS attack.
“That's a trick others have used in response to DDoS in the past, but based on the reported problems after they removed the redirect they didn't use a short time to live for the changes. So when it came back up, most people still had the wrong address cached to try to get to the bank's website or transaction systems meaning it didn't work for those customers for over a day. This was an apparent self-inflicted wound,” he said.
Asked for the best mitigation advice to better buffer DDoS attacks, Rasmussen said that if Rabobank or anyone else is going to use a DNS 'trick' to escape a DDoS, they should use a relatively short time to live (TTL) so that they can recover quickly after the attack abates.
He said: “Of course you don't want too short a time period, or you end up flooding your DNS servers too as the DDoS bots perform domain name lookups for their target.
“From the reports we've seen, it also doesn't appear that Rabobank informed all of its key partners of the situation to let them know to adjust their automated processes. Basically anyone trying to do business online with Rabobank couldn't, and that was intentionally put in place by Rabobank themselves. Thus iDeal, a key partner and major payment service, had their business dramatically impacted by a third party changing their online configuration, another self-inflicted wound.
“With notification, or even just monitoring of its vendor's online posture, iDeal would have been able to avoid the major service outage they suffered that went well beyond the Rabobank situation. Outreach to key processors/partners/government needs to be part of any response plan where there's a major compromise or loss of service.”
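The TTL trade-off Rasmussen describes can be made concrete with a small resolver-cache model. The following is an added example, not code from the article, from IID or from Rabobank: it models one caching resolver that re-queries an authoritative zone only when its cached answer has expired, then replays the sequence described above (normal record, redirect to a loopback address during the attack, restore afterwards) and reports how long clients keep getting the sinkhole address after the restore, and how many extra authoritative queries the redirect generated. The hostname, addresses, timings and poll interval are all constructed values.

```python
from dataclasses import dataclass

# Constructed values for the scenario; none of these come from the incident.
REAL_ADDRESS = "203.0.113.10"   # the bank's real web address (documentation range)
SINKHOLE = "127.0.0.1"          # loopback used as the redirect target during the attack
NORMAL_TTL = 3600               # TTL published in normal operation


@dataclass
class CachedRecord:
    address: str
    ttl: int         # seconds the resolver may serve this answer from cache
    fetched_at: int  # simulated time at which it was fetched


class AuthoritativeZone:
    """Stand-in for the bank's authoritative DNS: a single A record the operator can rewrite."""

    def __init__(self, name, address, ttl):
        self.name = name
        self.address = address
        self.ttl = ttl

    def publish(self, address, ttl):
        self.address = address
        self.ttl = ttl


class CachingResolver:
    """An ISP-style recursive resolver that honours the TTL it was given."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}
        self.upstream_queries = 0

    def resolve(self, name, now):
        rec = self.cache.get(name)
        if rec is not None and now < rec.fetched_at + rec.ttl:
            return rec.address  # still fresh: served from cache, no upstream query
        self.upstream_queries += 1
        self.cache[name] = CachedRecord(self.zone.address, self.zone.ttl, now)
        return self.zone.address


def seconds_until_recovered(redirect_ttl, attack_start=3600, restore_at=21700,
                            poll=60, horizon=3 * 86400):
    """Replay the redirect-and-restore sequence.

    Returns (delay, redirect_queries): seconds after restore_at until the resolver
    hands out REAL_ADDRESS again, and the number of authoritative queries the
    resolver made while the sinkhole record was published. Returns (None, n) if
    the cache has not recovered within the horizon.
    """
    zone = AuthoritativeZone("bank.example", REAL_ADDRESS, NORMAL_TTL)
    resolver = CachingResolver(zone)
    redirected = restored = False
    redirect_queries = 0
    for now in range(0, horizon, poll):
        if now >= attack_start and not redirected:
            zone.publish(SINKHOLE, redirect_ttl)   # operator deflects the attack
            redirected = True
        if now >= restore_at and not restored:
            zone.publish(REAL_ADDRESS, NORMAL_TTL)  # attack abated, operator restores
            restored = True
        before = resolver.upstream_queries
        addr = resolver.resolve("bank.example", now)  # a client looks the name up
        if resolver.upstream_queries > before and redirected and not restored:
            redirect_queries += 1
        if restored and addr == REAL_ADDRESS:
            return now - restore_at, redirect_queries
    return None, redirect_queries


if __name__ == "__main__":
    for ttl in (86400, 3600, 300, 60):
        delay, queries = seconds_until_recovered(ttl)
        print(f"redirect TTL {ttl:>6}s: clients stale for {delay:>6}s after restore, "
              f"{queries:>4} authoritative queries during the redirect")
```

With a one-day TTL on the sinkhole record the model stays stale for roughly 19 hours after the restore, which is the "self-inflicted wound" pattern described above; with a 300-second TTL it recovers within minutes, at the cost of about 60 extra authoritative queries from this single resolver over the five-hour window. Dropping the TTL to the poll interval recovers almost instantly but multiplies the upstream query load, which is Rasmussen's caveat about a TTL that is too short. A practical sequence that follows from this is to lower the TTL on the real record well before any planned change, so that resolvers are already refreshing frequently when the redirect and the restore are published.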