With the recent DDoS attacks on the NZX and other large NZ-based websites, the issue of how we defend our digital borders is becoming increasingly pressing.
In an interview on RNZ’s Nine to Noon last week, CEO of IT Professionals NZ Paul Matthews made the point that we need to treat the defence of our digital space with the same degree of seriousness as we do our other forms of defence.
“These are criminals attacking our infrastructure and we have to take a New Zealand wide approach – and take it as seriously as any other form of crime.”
He added that in some ways digital defences are even more critical, because we don’t have the protection of remoteness – hackers and cyberterrorists anywhere in the world have the same level of access to New Zealand as they do to countries far closer to them.
Justice Minister Andrew Little says it appears the DDoS attacks were designed to extract payments out of the organisations being targeted, but to the best of his knowledge, no NZ organisation has paid anything to the attackers.
He has also mentioned possibly legislating against making payments in response to this form of attack. To highlight the seriousness of the NZX attack, at its height, New Zealand’s data pipe to the rest of the world was being bombarded with more than 1TB per second of data. That’s a massive attack.
To put that in context, our entire national usage during the first weeks of lockdown when everyone was at home working remotely and children were doing schoolwork online was approx. 2TB per second.
We experienced five days of distributed denial-of-service attacks on the NZX stock exchange. Banking, weather forecasting and news sites, including RNZ's website, were also targeted.
These were the largest attacks we have ever experienced in New Zealand and they appear to have continued at a lower level over the last few weeks.
Our total capacity via the pipes that bring data to New Zealand is 3.5TB per second, so for those who chose to target New Zealand, there was the ability to not only breach the sites they were focused on, but also to potentially take some of our critical services offline due to lack of bandwidth.
The biggest threat, Matthews highlighted, is not attacks on individual websites, as it is relatively straightforward to protect an individual site from attack, but rather attacks on all the web-based assets that provide feeds of data and other important content to that site, so that the site itself is rendered useless.
There is also a threat to the data pipes to the datacentres around New Zealand – as Matthews says, attackers can shut down that pipeline and all sites hosted in that datacentre would be taken offline.
So what should be happening?
Matthews, along with cybersecurity expert Dr Hossein Sarrafzadeh, suggests that there are a number of strategies that should be put in place.
1. Increasing the capacity of the pipelines for data coming into New Zealand. This at least provides some degree of protection against this level of attack by giving the ability to filter the attacks as they come into the country.
2. Creating and resourcing a specific team to focus on protecting our digital borders. The GCSB has a small role to play in this but they are not sufficiently resourced to address or prevent this kind of attack from occurring. Currently they are set up to provide advice to critical infrastructure, rather than the hands-on work to stop a cyberattack.
3. Working in conjunction with international partners to take down the malicious operators is key. We need to work with other countries, including our Five Eyes partners, to put together an approach that effectively tracks down the perpetrators. DDoS attacks reportedly more than halved globally after the FBI acted in 2018 to shut down 15 of the most active websites that sold control over botnets.
In the meantime, there are a number of resources available for New Zealand businesses to tap into and ensure the highest degree of security for your own digital estates.
Helpful resource from the GCSB’s National Cybersecurity Centre (set up by Dr Sarrafzadeh) here: NCSC Incident Management Guide
Recommendations for Handling a DDoS Attack from the National Cybersecurity Centre
The NCSC recommends following the steps provided below, replicated from the Australian Cyber Security Centre. It reflects best practice developed in response to previous denial of service activity.
Preparing for denial-of-service attacks
Before implementing any measures to prepare for denial-of-service attacks, organisations should determine whether a business requirement exists for their online services to withstand denial-of-service attacks, or whether temporary denial of access to online services is acceptable to the organisation.
If organisations wish to increase their ability to withstand denial-of-service attacks, they should, where appropriate and practical, implement the following measures prior to any denial-of-service attacks beginning:
• Determine what functionality and quality of service is acceptable to legitimate users of online services, how to maintain such functionality, and what functionality can be lived without during denial-of-service attacks.
• Discuss with service providers the details of their denial-of-service attack prevention and mitigation strategies. Specifically, the service provider’s:
- capacity to withstand denial-of-service attacks
- any costs likely to be incurred by customers resulting from denial-of-service attacks
- thresholds for notifying customers or turning off their online services during denial-of-service attacks
- pre-approved actions that can be undertaken during denial-of-service attacks
- denial-of-service attack prevention arrangements with upstream providers (e.g. Tier 2 service providers) to block malicious traffic as far upstream as possible.
• Protect organisation domain names by using registrar locking and confirming domain registration details (e.g. contact details) are correct.
• Ensure 24x7 contact details are maintained for service providers and that service providers maintain 24x7 contact details for their customers.
• Establish additional out-of-band contact details (e.g. mobile phone number and non-organisational email) for service providers to use when normal communication channels fail.
• Implement availability monitoring with real-time alerting to detect denial-of-service attacks and measure their impact.
• Partition critical online services (e.g. email services) from other online services that are more likely to be targeted (e.g. web hosting services).
• Pre-prepare a static version of a website that requires minimal processing and bandwidth in order to facilitate continuity of service when under denial-of-service attacks.
• Use cloud-based hosting from a major cloud service provider (preferably from multiple major cloud service providers to obtain redundancy) with high bandwidth and content delivery networks that cache non-dynamic websites.
• If using a content delivery network, avoid disclosing the IP address of the web server under the organisation’s control (referred to as the origin web server), and use a firewall to ensure that only the content delivery network can access this web server.
• Use a denial-of-service attack mitigation service.
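The availability monitoring measure above is easy to state and easy to get wrong: a single failed probe is noise, while a slow climb in latency without outright errors is exactly how a volumetric attack first shows up. The following is an added example (not from the NCSC or ACSC guidance, and not Prodigi code) of the detection logic such a monitor needs: it keeps a sliding window of probe results, alerts when either the error ratio or the p95 latency against a known baseline crosses a threshold, and records state transitions so impact can be measured. The probe samples and thresholds are constructed for illustration.

```python
"""Sliding-window availability monitor for DoS detection (added example).
Probe samples below are constructed, not real measurements."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Probe:
    ts: float          # seconds since epoch
    ok: bool           # 2xx answer received before the probe timeout
    latency_ms: float  # time to first byte; meaningless when ok is False


class AvailabilityMonitor:
    def __init__(self, window_s=60, baseline_p95_ms=300.0,
                 max_error_ratio=0.2, latency_factor=3.0, min_samples=5):
        self.window_s, self.baseline = window_s, baseline_p95_ms
        self.max_error_ratio, self.latency_factor = max_error_ratio, latency_factor
        self.min_samples = min_samples
        self.samples = deque()   # probes inside the current window
        self.state = None        # last decided state: "ok" or "alert"
        self.transitions = []    # (ts, state) whenever the state changes

    def add(self, p: Probe):
        self.samples.append(p)
        while self.samples and p.ts - self.samples[0].ts > self.window_s:
            self.samples.popleft()  # expire probes older than the window
        result = self.evaluate()
        if result["state"] != "insufficient" and result["state"] != self.state:
            self.state = result["state"]
            self.transitions.append((p.ts, self.state))  # where alerting hooks in
        return result

    def evaluate(self):
        n = len(self.samples)
        if n < self.min_samples:
            return {"state": "insufficient", "samples": n}
        error_ratio = sum(1 for s in self.samples if not s.ok) / n
        lat = sorted(s.latency_ms for s in self.samples if s.ok)
        # nearest-rank p95 over successful probes; all-failed window counts as infinite
        p95 = lat[min(len(lat) - 1, int(0.95 * len(lat)))] if lat else float("inf")
        degraded = error_ratio > self.max_error_ratio or p95 > self.latency_factor * self.baseline
        return {"state": "alert" if degraded else "ok", "samples": n,
                "error_ratio": round(error_ratio, 2), "p95_ms": p95}


def demo():
    """Ten healthy probes, then twelve under a constructed flood (2 of 3 time out)."""
    mon = AvailabilityMonitor()
    for i in range(10):
        mon.add(Probe(ts=float(i), ok=True, latency_ms=120.0 + 10 * i))
    for i in range(12):
        mon.add(Probe(ts=10.0 + i, ok=(i % 3 == 0), latency_ms=2500.0))
    return mon


if __name__ == "__main__":
    m = demo()
    print(m.transitions, m.evaluate())
```

The alert fires at the first attack probe on latency alone, before any probe has failed, which is the behaviour you want when the goal is to measure impact and escalate to your provider early.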
Responding to denial-of-service attacks
Organisations that wish to attempt to withstand denial-of-service attacks, but have not pre-prepared should, where appropriate and practical, implement the following measures, noting that they will be much less effective than had they been able to adequately prepare beforehand:
• Discuss with service providers their ability to immediately implement any responsive actions, noting service providers may be unable or unwilling to do so, or may charge additional fees for services not covered in contracts.
• Temporarily transfer online services to cloud-based hosting provided by a major cloud service provider (preferably from multiple major cloud service providers to obtain redundancy) with high bandwidth and content delivery networks that cache non-dynamic websites. If using a content delivery network, avoid disclosing the IP address of the origin web server, and use a firewall to ensure that only the content delivery network can access this web server.
• Use a denial-of-service attack mitigation service for the duration of the denial-of-service attacks.
• Deliberately disable functionality or remove content from online services that enable the current denial-of-service attack to be effective (e.g. implement a pre-prepared low resource version of the website, remove search functionality, or remove dynamic content or very large files).
We know all of this is daunting! If you are concerned about the security of your digital estate, get in touch with the team at Prodigi for a security audit and the best practice services we can provide including 24x7 support, monitoring, cloud hosting and CDN/DDoS mitigation.