Analysis: What to make of today’s DDoS attacks on major NZ websites


DDoS attacks were launched today against a number of New Zealand departments and companies, causing website outages.

DDoS stands for Distributed Denial of Service, and means a web-based application or service is overwhelmed by being ‘pinged’ with huge numbers of requests from multiple computers, which effectively grinds it to a halt.

CERT NZ, the government’s cyber security monitoring agency, has not yet commented on any suspected organisations responsible. 

DDoS attacks can be organised by large numbers of individuals – such as when Whale Oil was attacked in January 2014 – or a small number of people may command a large number of computers and achieve the same result.

CERT NZ, and the affected websites, have not commented on whether there is any associated ransomware element to the attacks.

NZ Post and MetService went intermittently offline due to today’s attacks. When theBit attempted to visit the websites at 12.24pm, NZ Post was operative, though MetService was down and directed users to its back-up website. 

Inland Revenue was also attacked according to news reports, though its website remains operative as of 12.30pm.

ANZ and Kiwibank customers were intermittently locked out of their service this morning. 

Today’s DDoS attack follows a September 3 attack on Vocus, the internet infrastructure provider which operates brands including Orcon, Stuff Fibre, Sky Broadband, Slingshot, Engin, Commander and Flip.

On August 24, TheBit also reported on and analysed a ransomware attack on DoC which occurred in July 2021 and which – unlike today’s attacks – wasn’t revealed until a month after the incident.

DDoS attacks on NZ banks and businesses: What you need to know

Independent security analyst and penetration tester Stuart MacIntosh says DDoS protection is a nice offer, but not something an organisation can fully promise.

Q.   Which hardware might have been used in the attack? 

A. Some wireless routers have a vulnerability – such as Realtek chipset home routers. An attacker could hack home-based routers and deploy them in an attack. To avoid a repeat, MacIntosh encourages any owner of a router to upgrade the firmware on the router. See this list which may include your router.

Q.   Does a DDoS attack make money for anyone?

A. Yes – the people behind the attack often sell their services on forums in places such as the Dark Web. The motivation for the DDoS attack is unknown without any manifesto or claim; however, organisations may occasionally be attacked because they have criticised something which the attacker supports – such as El Salvador’s authorities arresting a Bitcoin critic this month without charge.

Q. Do DDoS attackers live in NZ or overseas?

A. A forensic investigation would be required to find out where the attack came from. A DDoS is directed, but where from is a matter of speculation. Shodan.io is an internet census website, and any device with a publicly routable internet address appears on Shodan, which is one way that attackers often select targets.

Q.   Were the attackers successful?

A.  Yes – they interrupted services for hundreds of thousands of users. 

Q. Did overloading at one site affect a whole network?

A. Hopefully a forensic report will be made public by NZ Post to explain this, as NZ Post is government-owned. 

Q. Did the victim have adequate protection in place before the attack?

A. NZ Post uses RedShield which I have always suspected is rather ineffective against DDoS. As an analogy, the attackers have got a bulldozer, they’re blocking your business, and you can ask them nicely to stop by telling them you have RedShield, but they are unlikely to stop.

Q.   Does the victim have adequate protection in place following the attack?

A. Major sites can be expected to use DDoS protection services; however, these services may or may not actually prevent or mitigate a DDoS. As an analogy, the attackers have got a bulldozer, they’re blocking your business, and you can ask them nicely to move it, or move your business next-door, but this involves changing addresses and redirecting mail.

Q.   Did the victim respond to the attack swiftly enough?

A. MetService promptly directed users to a backup website on World Wide Web 2. We hope that most of these organisations have backup websites. 

Conclusion

Today’s problems appear to have been resolved within half a day, which is a reasonably good outcome – though anyone who only has, for example, a Kiwibank eftpos card and no credit card might have been frustrated by their inability to pay for what they needed this morning.

It is also possible today’s DDoS attack may be used as a distraction while an intruder directs its attack towards a more targeted compromise of infrastructure.

Michael Botur
Writer of journalism, PR/comms, fiction and scripts.