A number of New Zealand companies have fallen prey to DDoS attacks lately. But why are they being targeted and why can’t they handle it? As Ben Gracewood explains, they all have one thing in common.
If you’re a Kiwibank customer, have been trying to track a parcel with CourierPost or check the weather on Metservice, you’ve likely been frustrated by outages over the past couple of weeks. What gives? Why are these companies affected and not other banks or big websites?
The consensus is that these and other organisations are dealing with a sustained barrage of DDoS attacks. Of the many ways that dickheads can extort, or just torment, organisations over the internet, DDoS is the stupidest and easiest. It requires no special technical expertise other than having the website address and $10.
The general idea with a DDoS is to use thousands of compromised computers to flood your victim’s website with traffic so that regular users can’t use it. Then you ask the target for money in exchange for halting the swarm.
You’ll be relieved to hear that DDoS attacks almost never involve “hacking” or access to the underlying data (although sometimes they’re used just to make a bunch of noise and keep the security teams busy while they attempt hacking in the background). Even if Kiwibank’s website is utterly hosed by DDoS traffic, your bank account data is safe. It just happens to be inaccessible to you while the attack is under way, and the error messages that pop up can look kinda scary.
The only way these New Zealand websites can avoid a DDoS attack is to either have a buttload of bandwidth to handle all those rogue computers, or to have systems “upstream” that can deflect the DDoS attempts. But what can you do when the amount of traffic hitting you is country-sized?
You get yourself a DDoS protection system that is bigger than a country.
All the major cloud infrastructure companies have DDoS protection. Amazon Web Services, for example, provides AWS Shield to its customers. For a few grand a month AWS will just swallow terabytes of DDoS traffic before it hits your poor little servers. You’ll also have indirect access to hundreds of nerds whose only job is working out how to defeat DDoS attacks, usually by feverishly finding and blocking the sources of traffic. When you have stuff like AWS Shield turned on, most DDoS attacks look like a mosquito trying to stab an elephant.
So if these tools exist, why have so many NZ companies fallen to DDoS attacks these past few weeks? Why are they being targeted and why can’t they handle it? A wee bit of looking around finds one obvious similarity between several of these organisations (and, not coincidentally, NZX, which suffered a major DDoS outage in 2020): RedShield. You can see that the websites below are actually hosted by red-shield.net:
RedShield is a New Zealand company that provides “web application firewalls” for a bunch of companies. A web application firewall (nerds call them WAFs) inspects all incoming web requests to make sure hackers aren’t trying to do nefarious things, like exploiting old bugs in your web servers.
They might allow requests like:
https://ib.kiwibank.co.nz/check-my-balance
But deny ones like:
https://ib.kiwibank.co.nz/api?hackstuff=yesplease
Hoary old enterprise companies love WAFs because it means they don’t have to upgrade their old systems with known security holes, they can just tell the WAF to block the particular requests that would exploit those holes.
But to do this, WAFs have to inspect every single incoming request. You see where this is going? If you suddenly have millions of requests because of a DDoS, your WAF is almost certainly going to have a Bad Time.
It looks like one of two things is happening. Either there are a ton of different DDoS attempts happening across New Zealand and RedShield’s customers are having a worse time than most; or more likely the baddies saw just how successful the NZX DDoS was last year, and are now working their way through RedShield’s customer list to wreak havoc. It’s an unfortunate situation for a company whose raison d’être is web security, and an indicator that DDoS attacks have got to a point where only the very largest infrastructure providers can handle them.
RedShield hasn’t responded to our request for comment (poor buggers are no doubt flat out trying to solve the problem), and CERTNZ responded that “we cannot provide further detail at this time”.
A final point: it’s often hard to know what’s causing outages like this, for two main reasons.
Firstly, companies don’t want to reveal vulnerabilities in their systems and fear that if they publicly admit something has broken, it gives adversaries information on where to attack.
Secondly and perhaps more often the case, banks and large enterprises don’t want to publicly admit when they stuff up. The downside of this secrecy is that organisations can’t learn from other’s failures, and overall improvement is slower than it otherwise would be.