iDefense
June 2005
History
According to sources in the industry, DDoS (distributed denial of service) attacks are not widespread in India. As “outsourcing” becomes more common, however, more attacks are anticipated.
Debopriyo Kar is a senior partner and the Head of Security Practices at CyberQ Consulting, a Delhi-based consulting firm that provides a range of information security services to its clients. CyberQ’s clients include the Reserve Bank of India, the State Bank of India and Tata Consultancy Services. Kar states that DDoS attacks are not something faced by CyberQ’s clientele. Although companies face security breaches on a daily basis, most of these are amateurs fooling around. Professional hackers interested in money prefer to target the banking industry with other intrusions such as phishing attacks. “A DDoS attack requires a great deal of planning,” and in the case of a bank, “will only serve to bring down online banking,” Kar says. The bank itself will continue functioning. Moreover, online banking is not as popular in India as it is in the US.
Srijith Nair, a Computer Science PhD student at Vrije Universiteit, Amsterdam, maintained a comprehensive site called Project India Cracked from 2000 to 2003 to build awareness about sustained attacks against Indian websites by cracker groups. Nair concurs with Kar’s statement that DDoS attacks are not fruitful for attackers in India. “Fortunately or unfortunately, most Indian websites are not that big a target (for DDoS attacks). There are several big Indian news sites and other sites that are "worth" the attention, and I am sure at some time or the other some of them may have been subjected to DDoS, but in a usual course of business, most of them are easier to just break into and vandalize.” Hackers thus have simpler ways than DDoS attacks to prey on Indian sites.
Cultural Attacks
A security professional at a major MNC with offices in India states that because web hosting is still minimal in India, DDoS attacks are as well. “If anything, Indian cultural sites and blogs get attacked by community fanatics (Hindus as well as Muslims). I am not aware of many commercial targets in India.”
In a September 2004 interview, Vladimir Golubev, director of the Computer Crime Research Center, cited cyber terrorism as a major weapon used by Indian and Pakistani militant groups. The Hindustan Times reported that Pakistani hackers defaced 477 Indian websites, 270 of them within a month’s time, in 2003. The year before, only 288 sites were hacked into. Among the websites attacked were those belonging to Indian governmental bodies. Indian hackers retaliated by spreading the “Yaha worm,” a virus that aimed to perform DDoS attacks on several Pakistani websites, including governmental sites and the site of the Karachi Stock Exchange. The group called themselves the “Indian Snakes.”
Publicized Incidents
While most claim that DDoS attacks are not widespread in the corporate sector in India, there have been several reported incidents. Mr. Nandkumar Saravade, director of Cyber Security and Compliance at NASSCOM, the chamber of commerce for the IT industry in India, stated that the single reported DDoS incident he is aware of is a recent one detailed in an Express India news report. The article describes a credit card company that recently faced a DDoS attack. Kishore Tarachandani, director of Dots and Coms, a company that provides corporate web solutions, was a client of the credit card company that was DDoS’ed in June 2005. Dots and Coms uses an online payment gateway provided by the attacked company.
Tarachandani has a close relationship with the head of the credit card company and explains how the attack happened. “Suddenly, our online payment gateway stopped working.” The head of the credit card company informed Tarachandani that they had been attacked. “They got a threat mail demanding $10,000 dollars every year. Although they did not disclose what had happened to them in the beginning, they were honest enough to tell us what the problem was later.” Although Dots and Coms did not switch credit card companies, many other retail businesses were hit hard by the attack, and Tarachandani believes that some of them might have switched payment avenues.
Tarachandani says that the credit card company did not pay the demanded ransom amount. Instead, they spoke to their service providers to block certain IP addresses and update their firewall system.
Tarachandani believes very strongly that the attackers are from Eastern Europe. “The attackers originate in Russia and other parts of the former U.S.S.R.” The reason for this, Mr. Tarachandani says, is the existence of an underemployed but educated population there. For example, “an ex-KGB agent or former company employee is intelligent and educated but unemployed.”
Dots and Coms has itself faced DDoS attacks. However, because its client servers are based in the United States, it was forewarned by US-CERT and was able to isolate the attacking addresses and block them.
The Issues at Hand
Indian companies aspiring to BS7799/ISO 17799 certification must have consultants consider the risk of DoS attacks and advise them on mitigating controls. Therefore, according to Kar, companies that have been BS7799/ISO 17799 certified would have configured their firewalls and IDS/IPS to proactively block DoS attacks. However, he concludes, “DDoS from multiple servers are much more difficult to block.”
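The two defensive measures the report mentions, blocking specific source addresses at the provider or firewall and Kar’s observation that traffic from many servers is much harder to block, can be seen side by side in a small detection script. What follows is an added example written for this page; it is not code from iDefense, CyberQ, Dots and Coms or any other organisation named above. The log line format, the addresses (taken from the RFC 5737 documentation ranges), the request volumes and the thresholds are all constructed assumptions chosen to illustrate the point: a per-source rate rule catches a single-source flood, while the same volume spread over many sources stays under the per-source threshold and is only visible to a rule that counts total requests per destination.

```python
"""Per-source versus aggregate DoS detection over constructed log lines.

Added example for this report, not code from any organisation quoted in it.
Log format, addresses, volumes and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> src=<ip> dst=<ip> proto=<p> dport=<port>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)$")


def parse_log(lines):
    """Parse constructed log lines into (timestamp, src, dst) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def _peak_in_window(times, window_seconds):
    """Largest number of timestamps falling inside any sliding window of the given length."""
    times = sorted(times)
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(seconds=window_seconds):
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def per_source_offenders(events, window_seconds=10, threshold=100):
    """Per-IP rule, the kind a firewall or IDS/IPS applies: a source is flagged when it
    sends more than `threshold` requests to one destination within one window."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    return {src for (src, dst), times in by_pair.items()
            if _peak_in_window(times, window_seconds) > threshold}


def aggregate_alert(events, window_seconds=10, threshold=500):
    """Destination-side rule: flag a destination whose total requests from all sources
    combined exceed `threshold` in one window, however many sources contribute."""
    by_dst = defaultdict(list)
    for ts, src, dst in events:
        by_dst[dst].append(ts)
    alerts = {}
    for dst, times in by_dst.items():
        peak = _peak_in_window(times, window_seconds)
        if peak > threshold:
            alerts[dst] = peak
    return alerts


def make_flood(sources, total, gateway="203.0.113.10"):
    """Constructed traffic: `total` requests spread evenly over `sources`,
    all arriving within a single 10-second window against one payment gateway."""
    base = datetime(2005, 6, 1, 12, 0, 0)
    lines = []
    for i in range(total):
        ts = base + timedelta(milliseconds=(i * 10000) // total)
        src = sources[i % len(sources)]
        lines.append(f"{ts.isoformat()} src={src} dst={gateway} proto=tcp dport=443")
    return lines


def compare_floods():
    """Run both rules over a single-source flood and a distributed flood of equal size.
    Returns (single_offenders, single_alerts, distributed_offenders, distributed_alerts)."""
    single = parse_log(make_flood(["198.51.100.7"], 1000))
    many_sources = [f"192.0.2.{i}" for i in range(1, 51)]  # 50 constructed sources, 20 requests each
    distributed = parse_log(make_flood(many_sources, 1000))
    return (per_source_offenders(single), aggregate_alert(single),
            per_source_offenders(distributed), aggregate_alert(distributed))


if __name__ == "__main__":
    s_off, s_agg, d_off, d_agg = compare_floods()
    print("single-source flood: per-IP rule flags", s_off, "; aggregate alert", s_agg)
    print("distributed flood:   per-IP rule flags", d_off, "; aggregate alert", d_agg)
```

With these constructed inputs the single-source flood is caught by both rules, while the distributed flood (50 sources at 20 requests each) produces no per-IP offenders at all and is only reported by the aggregate rule. That is the practical reason blocking "certain IP addresses", as the credit card company did, works against a small number of sources but not against a large botnet, and why the destination-side volume check and upstream provider involvement matter more as attacks become distributed.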
According to Tarachandani, computer security in India is an under-addressed issue. Srijith Nair agrees. “If you mean whether it is a big problem, yes it is. But if you meant whether it is a big concern that is being acted upon, the answer is a sad no,” Nair says.
In the case of DDoS attacks, large companies depend solely on the reliability of their service providers. If the ISP sees a need to raise precautions, an alarm is generated. However, Tarachandani feels that, unlike in the US, the Indian CERT is neither active nor responsive.
Tarachandani explains that the police, both in India and in the US, are not equipped to deal with computer crime. However, CERT in the US works in close partnership with the police forces. In India, both Tarachandani and Saravade (of NASSCOM) feel that CERT has a long way to go. Unlike CERT US, CERT India is a small operation that is unable to closely follow security breaches. Tarachandani has contacted CERT via e-mail on several occasions but has never gotten a response. In stark contrast, CERT US always responds within a 24-hour period and, in the case of an emergency, will respond within a few hours.
Dr. Bajaj, director of CERT India, says that CERT India has never been informed about any DDoS attacks in India. “Most of the attacks which we are aware of,” he says, “are of other varieties, like phishing attacks.” He also maintains that, similar to CERT US, CERT India sends out warnings to companies if any attacks by hackers are suspected. According to Kar of CyberQ India, CERT India officials find the lack of information sharing regarding security threats frustrating. Unlike their US counterparts, companies in India are reluctant to be forthcoming with information.
But Kar says that as dependency on and use of the Internet increases in India with the growth of businesses and e-commerce, the business stake behind extortion activities will increase. That, he says, “is the opportunity for which all such attackers and extortionists would be waiting.” Invariably, security consulting firms, companies and CERT India will have to pay greater heed to the issue.
-Sindya Narayanaswamy