Security IT

NASDAQ and BATS DDoSed

DMandPenfold writes with a quote from an article in Computer World: "NASDAQ and BATS saw their sites disrupted during the day on Monday and Tuesday respectively. The sites host company news and share price data, as well as vital information on live service status on the exchanges. It is understood, however, that while the websites were affected, the stock exchanges continued to trade as normal with no change to trading. A spokesperson at BATS said the exchange's site had been hit with 'an external Distributed Denial Of Service incident.' 'Our trading systems were not affected and there were no exchange customer disruptions associated with the incident.' ... NASDAQ told the Wall Street Journal that on Tuesday it experienced 'intermittent service disruptions on our corporate websites.' It is not known who initiated the attacks. In 2010, NASDAQ's Directors Desk online scheduling application was compromised by hackers. An FBI investigation found that the stock exchange's aging software and out of date security patches played a key part in the problems."

  • by JustAnotherIdiot ( 1980292 ) on Wednesday February 15, 2012 @12:24PM (#39045491)
    You mean people on wall street take shortcuts? That's crazy talk.
    • Ok, there are a lot of bean counters on Wall Street that like to keep operating costs at a bare minimum.

      That being said, whenever you upgrade the main trading desks all members need to update theirs. And I know a lot of them are running under legacy systems, i.e. very old, highly customized platforms, using lots of different systems, patched over the years, sketchy documentation, and some are still on big iron. So guaranteeing thousands of firms will shift over cleanly is kind of a big hurdle.

      The exchanges

  • I knew it (Score:4, Funny)

    by kiwimate ( 458274 ) on Wednesday February 15, 2012 @12:35PM (#39045653) Journal

    9:36 am - a story is posted on Slashdot: Megaupload Co-Founder Allowed Bail [slashdot.org].

    11:18 am - a story is posted about outages to high profile web sites.

    And to think that people were asking what harm could it do to give the Megaupload guy access to the internet...

  • I got $10 on it being robotraders.

    • I would be interested to know the possibility of simulating a robotrader DDoS attack by manipulating the data sources the robotraders query for stock information.

      • by Anonymous Coward

        I would be interested to know the possibility of simulating a robotrader DDoS attack by manipulating the data sources the robotraders query for stock information.

        The automated traders use a low-latency multicast stream of market data (level 1 or depth of book) coming off of the exchanges. Stays totally within financial infrastructure / datacenters so unless you somehow got into the exchange hardware / software it would be impossible.

      • It does not sound like it is.

        It would be hard. DDoS is a brute force attack, and the markets are fairly resilient when it comes to stuff like this. In the past 30 years there have only been a handful of incidents where the volume has overwhelmed the trading floors – and that involved either a large number of people or 9/11.

        Price data is generated by trading activity. i.e. In order to overwhelm the pricing side one would need to generate a lot of offers (i.e., offer to buy/sell the stock – you do

    • You would lose.

      The article says that trading is unaffected - it's the public facing internet that is getting hammered - not the internally facing connections that the robotraders use.

      And a lot of robotraders don't use NASDAQ or BATS, but use islands (private exchanges) instead.

  • I'd be curious to know if a particular application-level vulnerability was used in this event. There have been several vulnerabilities of late related to Java/Apache/PHP such as the hash-collision vulnerability with exploit code here http://www.securityfocus.com/bid/51193/info [securityfocus.com] that has been demonstrated to be very effective - so much so that a single host can bring down a relatively large site by exhausting CPU on the web server.... Does anyone know the particulars of this event??
  • Re: (Score:2, Insightful)

    Comment removed based on user account deletion
  • by chill ( 34294 ) on Wednesday February 15, 2012 @01:41PM (#39046615) Journal

    The attack was directed against the web sites, not the trading machines. The original "notice" is here: http://pastebin.com/it77tAvs [pastebin.com]

    This was a small bot net DDoS attack. Whether or not this could have been dealt with more efficiently by better routers/firewalls or HA configs, I don't know.

    IMHO this is some script-kiddie types who are in it for the lulz. What it demonstrates is even the room-temperature IQ types can get a hold of some fairly potent DDoS tools. So, serious attention needs to be paid to upgrading their infrastructure and IT security in general.

    It is a good time to be in the IT Security field, if you're looking for work.

    • IMHO this is some script-kiddie types who are in it for the lulz. What it demonstrates is even the room-temperature IQ types can get a hold of some fairly potent DDoS tools. So, serious attention needs to be paid to upgrading their infrastructure and IT security in general.

      Although that may be the right response, it's also likely to produce the wrong response: Outlaw pen-test suites, and require a license and background check for anyone using said software... Making your own "high frequency" site scraping software? You're probably a terrorist...

      I do agree though, it's not just Wall Street, but also 6th Street. You would (or wouldn't) be surprised at the lack of security in the businesses handling our mortgages and other loan origination work. Hell, I know for a fact that
