Online Banks Get Extra Defenses Against DDoS Attacks

By John Lister

A company that helps protect websites against a popular form of cyber attack says it has solved a major security concern. The change could make high-profile websites much more resilient and secure.

The company in question is CloudFlare, which offers services to defend against denial of service (DoS) attacks, including distributed denial of service (DDoS) attacks. In such an attack, cyber attackers flood a website with bogus data requests until the site (or server) is no longer able to deal with legitimate ones. Oftentimes such an attack will bring a web server to a grinding halt.

Typically a network of malware-infected computers is used to propagate the attack, amplifying its intensity. Such a network is often referred to as a botnet, or zombie network. Many attacks are politically motivated, either by protestors who disagree with a company or organization's actions, or as part of a conflict between political groups or countries.

Web Site Service Offers 28 Separate Backups

CloudFlare operates 28 data centers around the world, constantly backing up websites. The idea is that if a website comes under a denial of service attack, legitimate visitors can be redirected to one of the data centers and access the most recent copy of the site. When all goes to plan, legitimate visitors won't even know the site is under attack.

The big problem in the past has been that such a service didn't work with secure websites, where the data is encrypted between the website's server and the user's web browser using secure sockets layer (SSL). For CloudFlare's offsite backups to serve such a site, CloudFlare needed access to the server's secret encryption key in order to provide the SSL itself; only then could the backups serve properly encrypted pages to the public.

That restriction was off-putting for websites containing highly sensitive data, such as online banks. Whether it's through a company policy, an insurance condition, or a legal requirement, some firms refuse to share their encryption keys with any other source, no matter how trustworthy. Indeed, if a US bank discovers somebody else has access to its encryption key, it must immediately inform the Federal Reserve. (Source: cloudflare.com)

Online Banks Can Still Keep A Secret

CloudFlare has now found a way to run its service without accessing the encryption key. It's a complicated process, but in simplified terms, CloudFlare sets up a private connection between itself and the company operating the website. This private connection isn't affected if the website comes under attack over the publicly-available Internet.

If a company's website has been rerouted via a CloudFlare backup, the step that requires the secret encryption key can still be carried out without CloudFlare ever seeing the key itself. This exchange involves only a tiny amount of data, and as such won't put the company's server under any extra strain.

Once this is done, CloudFlare creates a separate, temporary "ticket" which is used just for that specific visitor, and is valid for a maximum of four days. This ticket is shared with all 28 data centers, meaning the visitors can continue getting secure access to the website, even if the site or CloudFlare is under attack.
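As an added illustration (not CloudFlare's code, and not a description of its actual protocol), the following Python models the arrangement described above: a `KeyServer` inside the site operator's network performs the single private-key operation, the edge relays only a digest in and a signature out, and a ticket authenticated with a key shared by every edge lets any data center resume the session for up to four days without contacting the key server. The `KeyServer` and `EdgeDataCenter` classes, the ticket format and the textbook-sized RSA key are all constructed for this example.

```python
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 4 * 24 * 3600  # the four-day ticket validity from the article

# Toy RSA key pair (constructed: the classic small textbook example, not a real key).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; never leaves KeyServer


class KeyServer:
    """Runs inside the site operator's network and holds the private key."""

    def __init__(self, n, d):
        self._n, self._d = n, d
        self.calls = 0  # private-key operations requested over the private link

    def sign(self, digest: bytes) -> int:
        # All that crosses the link: a digest in, a signature out. The key stays here.
        self.calls += 1
        return pow(int.from_bytes(digest, "big") % self._n, self._d, self._n)


class EdgeDataCenter:
    """One edge site: knows the public key and a ticket key shared by all edges."""

    def __init__(self, n, e, ticket_key: bytes, key_server=None):
        self.n, self.e, self.ticket_key, self.key_server = n, e, ticket_key, key_server

    def full_handshake(self, client_random: bytes, now: int) -> dict:
        """Complete a handshake by delegating the signature, then mint a ticket."""
        transcript = hashlib.sha256(b"server-random" + client_random).digest()
        sig = self.key_server.sign(transcript)
        # The client checks the signature against the public key in the certificate.
        if pow(sig, self.e, self.n) != int.from_bytes(transcript, "big") % self.n:
            raise ValueError("key server returned an invalid signature")
        body = json.dumps({"session": os.urandom(8).hex(), "exp": now + TICKET_LIFETIME})
        tag = hmac.new(self.ticket_key, body.encode(), "sha256").hexdigest()
        return {"body": body, "tag": tag}

    def resume(self, ticket: dict, now: int) -> bool:
        """Accept a ticket minted by any edge; no key server round trip needed."""
        expected = hmac.new(self.ticket_key, ticket["body"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, ticket["tag"]):
            return False  # forged or tampered ticket
        return json.loads(ticket["body"])["exp"] > now  # expired tickets are refused
```

A second data center constructed with the same ticket key but no key server link can resume the session, while an expired or tampered ticket is refused and the key server's call counter does not move.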

At the time of writing, the offsite backups appear to be taken on a scheduled, daily interval. Presumably, encrypted transactions (such as those performed with online banks) would still take place at the original website, where the transactional database is up to date in real time.

CloudFlare says the service is already being tested by a few of its customers, including some of the top ten financial companies in the world. (Source: arstechnica.com)

What's Your Opinion?

Have you been affected by a high-profile site being unavailable because of a denial of service attack? Do factors such as reliability and security affect your choice of services such as online banking?
