Over most of last week, the NZX had to pause because of persistent cyber attacks. Similar attacks have today been reported against news websites. So how did they come through basically unscathed?
The NZX stock exchange is a critical piece of financial infrastructure, yet persistent cyber attacks have caused website crashes that led to trading being halted last week.
At the same time, similar distributed denial of service (DDOS) attacks have been launched against news websites Radio NZ and Stuff, with the possibility that others have also been targeted. And yet, they don’t appear to have had an effect on either the performance of the sites, or the experience of readers.
Radio NZ wouldn’t be interviewed about the attacks, instead giving a brief statement through a spokesperson. “RNZ has been targeted by more than one cyber attack in the last 24hrs. We understand this may have been the same group that has been attacking the NZX and we are currently investigating. We have no further detail at this time however our site remains secure and this has not impacted our audience.”
However, tech experts believe the differing outcomes may not be due to how the sites are defending themselves behind the scenes, but because of the nature of the content being uploaded to them, and the way they already handle traffic.
A DDOS attack involves sending a website more traffic than it can handle. The traffic can come from anywhere in the world, and often comes from either armies of bots, or computers that have been taken over by viruses or malware. A DDOS attack isn’t a hack, as such – that is where a malicious actor tries to gain unauthorised access to a computer or network.
AUT professor of computer science Dave Parry said a major reason trading had to be halted on the NZX is the financial information presented on the site. “The NZX is constantly updating the prices, and all of the exchange rates and everything. So it’s vitally important that it allows users to see these updates in real time.
“It’s not attacking the actual trading, but the infrastructure that analyses the trading and makes it into something the website can understand is possibly also being attacked,” he added.
In contrast, a media site is relatively static, so it’s broadly acceptable if it takes a few minutes to see new data. Parry said the NZX has legal and financial responsibilities to “service everyone equally” in terms of the information it gives. “If it’s a trading website, and you’re waiting to sell your shares – particularly if you’re in competition with somebody else to buy shares, and they can see the price before you – that’s a commercial advantage.”
News websites also have content regularly being uploaded, but what goes up is very different. “If you download a page from Stuff, it might take you three or four minutes to read it, but during that time, you’re not going to be downloading anything else – you’ll just be reading that article,” said Parry, contrasting this with the more dynamic information on the NZX. Much of that data on news websites is also “cached” – in other words, it’s stored to make it easier for users to access quickly.
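The arithmetic behind the caching point, as an added illustration that is not part of the original article: the same flood is replayed through a simple cache, and the only thing that changes is how stale a page is allowed to be. The flood size, page count and freshness windows are all assumed values.

```python
# Constructed simulation (not from the article): replay a steady request flood
# through a simple time-to-live (TTL) cache and count origin fetches.

def origin_fetches(total_requests, interval_ms, n_pages, ttl_ms):
    """Return how many of the flood's requests the origin server must answer.

    total_requests: requests in the flood, arriving every interval_ms
    n_pages:        distinct pages requested in rotation
    ttl_ms:         how stale a cached copy may be before it is refetched;
                    0 means every reader must see live data
    """
    cached_at = {}          # page id -> time (ms) the cached copy was fetched
    fetches = 0
    for i in range(total_requests):
        now = i * interval_ms
        page = i % n_pages
        fetched = cached_at.get(page)
        if fetched is None or now - fetched >= ttl_ms:
            fetches += 1            # cache miss or stale copy: go to origin
            cached_at[page] = now
    return fetches


# Assumed flood: 1,000 requests/second for 10 minutes across 20 pages.
FLOOD = dict(total_requests=600_000, interval_ms=1, n_pages=20)


def compare():
    """Origin load for three freshness tolerances (all values assumed)."""
    return {
        "news article, 3 min stale is fine": origin_fetches(ttl_ms=180_000, **FLOOD),
        "prices, 1 s stale is fine": origin_fetches(ttl_ms=1_000, **FLOOD),
        "prices, must be live": origin_fetches(ttl_ms=0, **FLOOD),
    }


if __name__ == "__main__":
    for label, n in compare().items():
        print(f"{label:36s} {n:>7,} of {FLOOD['total_requests']:,} reach origin")
```

With a three-minute tolerance the origin answers a few dozen requests out of 600,000; with none, it answers all of them, which is the position a site serving live prices is in.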
What if you’re watching a video or listening to a podcast – wouldn’t that require the streaming of constant data? Tech expert and self-described digital plumber Ben Torkington explained that the videos on websites aren’t really stored on the website itself, which reduces the weight of data – instead, they’re farmed out to providers known as content delivery networks.
“The CDN provider has massive resources, and can easily scale capacity to respond to DDOS attacks. Because the actual images and videos don’t change, there’s not even caching involved, you simply host the image/video content on your CDN and link directly to it in the content you serve,” said Torkington.
Trading on the markets was able to take place today, despite attacks continuing. In part, that was because the NZX had secured the services of major international CDN Akamai Technologies.
The nature of traffic generally received by each type of site is also different. News websites will often have systems in place to deal with huge volumes of readers arriving all at once – after all, the appearance of a DDOS attack isn’t entirely dissimilar to a major breaking news story.
They’ll also be much more likely to see the bulk of their traffic come in from New Zealand, rather than internationally, whereas much of the traffic on the NZX website already comes from international traders. With DDOS attacks being overwhelmingly more likely to come from overseas, this can make it harder to distinguish between what is and isn’t legitimate.
So could the NZX have put systems in place to prevent the DDOS attacks from bringing everything down? While the NZX has been investing heavily in its IT infrastructure in recent years, analysis from BusinessDesk suggests it hasn’t necessarily been aimed at preventing DDOS attacks – rather, it was more focused on improving the integrity of the trading platform itself.
“Plenty of other sites deal with real-time data, not just stock exchanges,” said Torkington. “Twitter and Facebook, for example, deal with real-time data and need to defend against DDOS attacks. Seems to me that whatever measures NZX had in place simply weren’t sufficient for the scale of the attack mounted against them.”
For Parry, the question of the scale of the attack is one of asymmetric warfare. “All of these things come down to the amount of effort you’re prepared to put into defence, compared to the amount of effort an attacker is prepared to put in. Once a DDOS attacker has infected a network of bots around the world, it’s virtually free to do that, and you can increase the numbers quite easily. Whereas defence involves increasing capacity, possibly moving into the cloud, possibly having multiple sites set up, having a lot of work done on your firewalls, and a lot of investigative work going on.”
Parry says these attacks are common, but the interesting thing about this one on the NZX is that it has taken place over multiple days. “That’s indicating to me that the attackers have thought of some ways to change the fingerprint of the attacks, so it looks different each time. So your standard firewall – fairly crude measures – don’t work.” That implies a reasonably high level of sophistication behind the attacks.
So what’s the point of doing it? Parry speculates that halting trading on the NZX might not be the final goal. Instead, the attack could be about creating conditions that would allow something more sinister, with a blocked website low on the list of potential risks. The DDOS attack might just be to blind the target, so that more valuable information can be obtained.
“As soon as you start seeing these attacks, you’re immediately suspicious that something else is going on as well. One of the first things to say is that they need to be really careful of a phishing attack or something like that. You might see emails going ‘can’t get through to the NZX? We’ve got a special route here, just click through’ and whatever – that’s a phishing attack. Any disruption is always good for these attacks.”