Victim-blaming plays into DDOS attackers' hands
Tuesday, 1 September 2020
EDITORIAL: The NZX's cyber defences have been found wanting after its website was brought down for six consecutive business days by a distributed denial-of-service (DDoS) attack.
Suspicions that it could have done more to avoid the embarrassment will have been heightened by reports that media companies Stuff and RNZ successfully fended off similar attacks on Sunday.
GCSB Minister Andrew Little says the vulnerability of the NZX’s set-up took everyone by surprise and it “clearly wasn't prepared for an attack of this nature and magnitude”.
But it would be risky to rush to judgment.
DDoS attacks are one of the oldest and crudest types of cyber-crime, but aren’t always easy to tackle.
Attackers typically rent access to a network of hacked computers and direct these “botnets” to bombard a victim’s online services with spurious requests, until they crash under the sheer volume of traffic.
No-one can prevent being targeted, and there are suggestions the DDoS attack on the NZX peaked at more than a terabit of data a second, which would make it a huge attack on a global scale.
The exchange is understood to have received a demand for a ransom in Bitcoin ahead of the attack, which it did not pay.
A popular defence to DDoS attacks is to employ a specialised protection service from a company that will act as a gatekeeper for incoming internet traffic. If it detects a spike in traffic caused by an attack it will deploy more servers to help handle the load.
It will then start to block requests that appear to be coming from compromised computers, so they aren’t passed through to the customers’ systems.
Unfortunately, no defence is perfect. It can be hard for organisations to combat DDoS attacks if the nature of their business means they can’t afford to risk blocking some genuine traffic along with the bad, as may be the case with the NZX.
Attacks can vary in sophistication as well as scale.
In some cases, rather than swamping a victim’s online services directly, attackers will “spoof” internet addresses used by their victims.
They will then instruct their botnets to pump out requests to poorly-configured computers operated by innocent organisations, tricking them into replying to the victim’s computers instead. These “reflective” attacks make the task of trying to weed out the bad internet traffic from the good that much harder.
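As an added example that is not part of the editorial, the following script shows how a network team could spot the reflected traffic described above in its own flow records: service replies arriving from many distinct servers at once with no matching outgoing request from the host receiving them. The flow records, addresses (RFC 5737 documentation ranges) and the port set are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample UDP flow records (not real traffic), one per flow:
# (src_ip, src_port, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    # A normal DNS lookup: our host asks a resolver and gets an answer back.
    ("203.0.113.20", 40001, "198.51.100.7", 53, 64),
    ("198.51.100.7", 53, "203.0.113.20", 40001, 180),
    # Unsolicited "answers" from several reflectors aimed at one host:
    # the host never sent a query, so a spoofed source address triggered them.
    ("198.51.100.1", 53, "203.0.113.10", 33000, 3200),
    ("198.51.100.2", 53, "203.0.113.10", 33000, 3200),
    ("198.51.100.3", 53, "203.0.113.10", 33000, 3200),
    ("198.51.100.4", 123, "203.0.113.10", 33000, 4800),
    # A single stray NTP reply: below the reporting threshold.
    ("198.51.100.9", 123, "203.0.113.30", 123, 90),
]

# Assumed set of UDP service ports whose replies are commonly reflected.
REPLY_PORTS = {53, 123}


def find_reflection_victims(flows, reply_ports=REPLY_PORTS, min_sources=3):
    """Return {victim_ip: [reflector_ip, ...]} for hosts that received replies
    from at least `min_sources` distinct servers without a matching request."""
    # Requests actually seen leaving each host: (client, server, service_port).
    requests_seen = {
        (src, dst, dport) for src, _sp, dst, dport, _n in flows if dport in reply_ports
    }
    unsolicited = defaultdict(set)
    for src, sport, dst, _dp, _n in flows:
        if sport in reply_ports and (dst, src, sport) not in requests_seen:
            unsolicited[dst].add(src)
    return {
        victim: sorted(sources)
        for victim, sources in unsolicited.items()
        if len(sources) >= min_sources
    }


def reflector_bytes(flows, victim, reply_ports=REPLY_PORTS):
    """Reply bytes delivered to `victim` from service ports: the volume an
    upstream protection service would have to absorb or drop."""
    return sum(n for _s, sport, dst, _dp, n in flows if dst == victim and sport in reply_ports)


if __name__ == "__main__":
    for victim, sources in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {len(sources)} reflectors, {reflector_bytes(SAMPLE_FLOWS, victim)} bytes")
```

The legitimate host is not flagged because its outgoing query is on record; lowering `min_sources` makes the detector noisier, as the single stray reply shows.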
It is normal for organisations under siege from cyber-attacks to clam up on the details, as the NZX has done.
If they reveal how they are being attacked, and their means of defence, that may make them more vulnerable.
This can also be a convenient excuse to pull down the shutters, of course, if an organisation has dropped the ball in its preparations.
We may only ever be able to guess the extent to which the NZX has been the architect of its own misfortunes. But victim-blaming plays into attackers’ hands.
The more ‘reputational damage’ we attach to falling victim to cyber-crime, the higher the chance that victims will pay a ransom to prevent an attack.
So what responses would the attackers not like to see?
More preparation, of course. Better too to save our vitriol for those that pay cyber-ransoms and so “feed the beast”.
Little says it is never ethical to pay ransoms to cyber-criminals, “because then you are sustaining criminal activity”.
Once this attack fizzles out, the NZX could insist all companies on the New Zealand exchange, itself included, must report paying any ransom as part of their continuous disclosure obligations.
Few publicly-listed firms would dare to do so if they had to disclose it.
That may be one way the NZX could get a brief last laugh.