Hi folks, Ed Amoroso here, and I want to tell you a little bit about a case study in distributed denial-of-service activity, with a very specific incident that I remember vividly. It was the summer of 2012. What happened was, a malicious actor decided that they were going to target a bunch of financial institutions here in the United States. They wanted to make a point, make a case. I'm not really interested in what it was or what the point was. But the idea was that they were going to spend Tuesday, Wednesday, Thursday of the work week kind of attacking a series of banks, and doing it for a very limited period of time using a big botnet that was known as Brobot. And it had the characteristic that it was attacking, or using as bots, servers that had fixed IP addresses, known IP addresses, because they were establishing a connection, a full three-step handshake TCP connection, to a known source IP to generate the value. And that's how that bot [INAUDIBLE].

So what was the effect? Well, it turned out that this was a little bit more difficult than anybody had ever really expected. Now, it was kind of called out: they would say here's what time we're starting and here's when we're going to finish. So all of the banks and their service providers and the security providers, the whole community, sort of knew it was coming. And what would happen is, in the early stages of the attack, it would take a little bit of time to characterize what sort of traffic was being thrown and to which banks. So there was a little bit of activity in the beginning to figure out what's happening. But then over time the defenders would figure out what's happening, be able to get the right packets filtered in those scrubbing systems, and essentially forward good traffic, and for the most part keep banks up. But there was that early period each day where it was a little tricky.

Now, why is this important? I think it's important because it suggests that under optimal conditions, an attack by a capable adversary at some critical infrastructure, and certainly banking is that, was more or less accessible, but not perfect. And it highlighted in my mind that all of us in the community need to redouble our efforts to do a better job in and around distributed denial-of-service. I tell you, we don't tend to do a lot of attack testing in this area. Now, you could laugh at that and say, why would you test something when we have a lot of DDoS attacks? But look, here's a case where we knew what time it was going to happen, we the community, and still there was some struggle in kind of tuning the systems and getting to the point where, as the attack occurred, you very quickly adjusted and you were able to keep sessions working on a website. That was not the case.

I think there's a lot of learning here. I think, again, distributed denial of service, it turns out, is going to be something that will be more consequential as intruders get a better sense that they can combine big volumetric tricks, lots of different attacks, with layer seven attacks, understanding that even under the best conditions the defenders do have some struggle. It's not a snap to just very quickly characterize the DDoS, very quickly get the right packets pushed off the scrubbers, very quickly set up whatever tunneling or redirect to the sites needs to be done, and very quickly be able to sort of shape the traffic patterns to keep things normal. And do it for as long as the attackers are carrying on, plus be able to turn up on concurrent, diverse attacks that might be happening at the same time, so that you're juggling ten balls at the same time, globally. These are the kinds of things I worry about every day: the kinds of attacks that I think can be really consequential to global infrastructure. So as you're learning about cyber, I want to make sure you're pondering this and thinking about the case in summer 2012, when these major banks were hit with what some people refer to as the biggest cyber attacks in history. So I hope this has been useful insight for you. We'll see you in the next video.
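The step the lecture describes as the hard part, characterizing the traffic before the scrubbers can filter it, can be shown on a small connection log. The script below is an added example, not material from the lecture or from any bank's or provider's tooling. It assumes a one-line-per-connection log format of the form `<ts> <src> <dst> <established|syn_only>` (a constructed format) and a hypothetical per-source rate threshold; all log data is constructed. It separates bots that complete the full TCP three-way handshake from fixed source IPs (which a scrubber can filter by IP, as with Brobot) from a SYN-only flood whose sources never repeat (where an IP filter list would not help and volumetric shaping is needed instead).

```python
"""Characterize a window of connection logs during a DDoS and derive a scrubber filter list.

Added example, not from the lecture. Log format and threshold are assumptions;
all sample traffic below is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: int            # epoch seconds
    src: str           # client IP
    dst: str           # target bank hostname
    established: bool  # True if the TCP three-way handshake completed


def build_sample_log():
    """Constructed log lines, format '<ts> <src> <dst> <established|syn_only>'."""
    lines = []
    # Two fixed-IP bots, each completing 3 connections per second for 10 s against bank-a.
    for t in range(10):
        for bot in ("198.51.100.10", "198.51.100.11"):
            lines += [f"{1000 + t} {bot} bank-a.example established"] * 3
    # A few legitimate customers at normal rates.
    lines += [
        "1003 203.0.113.5 bank-a.example established",
        "1007 203.0.113.5 bank-a.example established",
        "1004 203.0.113.9 bank-b.example established",
    ]
    # A SYN-only flood against bank-b from 50 spoofed, never-repeating sources.
    for i in range(50):
        lines.append(f"{1000 + i % 10} 192.0.2.{i + 1} bank-b.example syn_only")
    return lines


def parse(lines):
    """Parse log lines into Conn records."""
    conns = []
    for line in lines:
        ts, src, dst, state = line.split()
        conns.append(Conn(int(ts), src, dst, state == "established"))
    return conns


def characterize(conns, window=10, max_rate=1.0):
    """Summarize one window of traffic.

    window:   length of the window in seconds covered by `conns`.
    max_rate: established connections per second per source above which a
              source is treated as a bot and proposed for the scrubber's filter list
              (hypothetical threshold; tune to the site's normal client behaviour).
    Returns per-target connection counts, the proposed filter list, and the number
    of distinct SYN-only sources (a large number of one-off sources means the flood
    is spoofed and IP filtering alone will not stop it).
    """
    per_target = Counter(c.dst for c in conns)
    established = defaultdict(int)
    syn_only_sources = set()
    for c in conns:
        if c.established:
            established[c.src] += 1
        else:
            syn_only_sources.add(c.src)
    filter_list = sorted(src for src, n in established.items() if n / window > max_rate)
    return {
        "per_target": dict(per_target),
        "filter_list": filter_list,
        "syn_only_sources": len(syn_only_sources),
    }


if __name__ == "__main__":
    summary = characterize(parse(build_sample_log()))
    print("connections per target:", summary["per_target"])
    print("sources to push to scrubber filter:", summary["filter_list"])
    print("distinct SYN-only sources:", summary["syn_only_sources"])
```

On the constructed log, the two fixed-IP bots land on the filter list while the legitimate customer stays off it, and the 50 distinct SYN-only sources signal that the bank-b flood needs rate shaping rather than a source blocklist. In practice the window and threshold would be derived from a baseline of normal traffic, which is exactly the tuning the lecture says took time at the start of each day.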