For five (business) days in a row now the NZX, New Zealand’s Stock Exchange, has been crippled by so-called distributed denial of services attacks that have taken its website offline. And no one seems to know what’s going on or how to stop it. The headline of a piece Martyn Bradbury wrote last week, after just three days of attacks, says it all: “FFS – Are we or are we not under ATTACK!!!”
We have our Stock Exchange, the very muscle of our economic sovereignty, blocked from working, this is an attack on our Financial system and to date no one seems to know what the fuck is going on.
Anatomy of an attack
Few people seem to know much about about distributed denial of service (DDOS) attacks either, but they come in many flavours and have a varied and interesting history. The motivation for some, like the take-down of the messaging app Telegram during the Hong Kong anti-extradition protests on June 2019, seem to be political. Others, like the DD4BC attacks on financial institutions back in 2014-15 were for extortion. (The acronym stood for “DDOS for Bitcoin”. Still others are the result of mischief makers or “script kiddies”, but casual attacks are much harder to do these days because of the protections and countermeasures available.
Web servers are “on demand” devices. That is, they sit around waiting to respond to external requests. Think of them like the barista at your favourite coffee shop. Sometimes they just stand around drumming their fingers, but most of the time there’s a steady flow of customers. If the coffee shop’s management have got it right, even at peak times like lunchtime the flow of business is managed by having extra staff on hand; someone to take the orders, someone to wash cups, someone to deliver the coffees. Now imagine if a hundred customers walk in at once demanding to be served. Or a thousand. Or ten thousand. The barista – and the system – will collapse. And that’s the basis of a denial-of-service attack; hit a server with so much traffic that it either falls over or fails to respond in a timely manner.
There are numerous ways you can cripple a server. Wikipedia lists two dozen varieties of DDOS attack, from hitting the thing with thousands upon thousands of requests simultaneously (and continuously), to tying up all input channels with very slow requests. (The equivalent to the guy in the coffee queue saying, “Can … I … please … have … a … … What … are … those … things … called? … Cappuccino? … … No … no … make … it … a … flat … white …”) There are even attacks that target supporting hardware.
Where they come from
By their very nature, DDOS attacks are hard to track and their source is even more difficult to pinpoint. That’s due to that distributed part of the acronym. The IP addresses of the machines asking for attention may be forged (“spoofed” in hacker slang), or they may be genuine. Either way, it’s very difficult to determine which enquiries are part of the attack and which are actual users.
So-called “State-sized actors” may use a handful of powerful machines with huge amounts of bandwidth, while smaller players may rely on botnets – thousands of compromised devices from all over the world that send requests to a single target. Traditionally, botnets were comprised of poorly protected Windows PCs, but these days they’re equally likely to be fridges, TV sets, or any other device that’s connected to the internet. Security on these Internet-of-Things things tends to be sloppy, and they can be easily compromised. (One DDOS attack – which resulted in 20,000 requests per second – was traced to 900 compromised CCTV cameras.) You can even hire botnets for as little as US$20 a week!
We had a saying in one of my old workplaces that you could never make a system foolproof because fools are so damned clever. It’s a similar situation in computer security; you’re always playing catch-up because someone’s just discovered a new vulnerability or attack vector. September 6 will mark the 24th anniversary of the very first denial-of-service attack way back in 1996, and they continue to this day, ever more powerful and ever more sophisticated.
One of the backstops are so-called CERT groups – Computer Emergency Response Teams. New Zealand has one, though it doesn’t appear to be of much use in the current NZX attack. We also have the Government Communications Security Bureau (GCSB) which, as Martyn Bradbury reminds us, was supposed “to act like a giant security blanket that would protect Cyber NZ”. They haven’t been much use either. As Bradbury concludes:
The GCSB look like they have been caught fast asleep at the wheel again, just like they were when the White Supremacist Terrorist plotted his atrocity in NZ for 2 years without them noticing.Martyn Bradbury, The Daily Blog