FX Broker Suffers DDoS Attack, Hong Kong Partner Turns to Prolexic

Stuart Scholly, Prolexic

A report by Florida-based Prolexic, a distributed denial of service (DDoS) protection service, says that Layer 7 DDoS attacks, the most serious kind, increased steadily from 17 percent in Q3 2011 to 21 percent in Q4 2011 to 27 percent in Q1 2012. Interestingly, the Q2 2012 report shows that Layer 7 attacks subsided to 19 percent.

Before online businesses start jumping for joy, note that Prolexic president Stuart Scholly believes the dip is but a temporary vacation. As security companies like his lock into a battle with hackers, the advantage of each side will wax and wane. It is also only Layer 7 attacks that are down; Layer 3 and 4 attacks, which target the infrastructure of the website rather than flooding the site itself, are up.

"Have viruses gone away?" he asks. "No. There's probably more viruses than ever before. It's going to follow that very same trend."

Hacking is a more proletarian hobby than it used to be. Whereas it used to require significant knowledge of coding, networking, and infrastructure, weekend warriors can now rent a botnet for $50 a day and get tutorials online, according to Prolexic.

"Hackers are, by definition, early adopters and innovators," says Rob Rachwald, director of security strategy at security solutions provider Imperva. "If a company has old tech in place that worked a year ago, chances are a hacker has figured out a way to bypass that defense."

One new client turned to Prolexic after witnessing a Layer 7 attack firsthand. Global eSolutions (Hong Kong) Limited, a provider of trade execution technology via personal computer and mobile devices, saw one of its clients, an online foreign exchange (FX) and contracts for difference (CFD) trading firm headquartered in the UK, become a target after management did not respond to a ransom demand from cybercriminals. Initially, Layer 3 and Layer 4 volumetric floods interrupted website availability for approximately four hours. A second, more damaging Layer 7 attack occurred three weeks later, rendering the trading platform almost inaccessible to online traders.

Global eSolutions IT technicians detected the DDoS attack when they noticed that the sessions and memory status of the firewall were abnormally high and bandwidth was fully consumed. They found that there were over 80,000 different IPs accessing the network. First, Global eSolutions tried to block some of the IPs that looked suspicious. When that didn't work, the firm requested that its two ISPs in Asia black-hole the traffic to its site. This action made it impossible for most legitimate traders and users to access the FX trading platform and other applications, damaging the company's reputation and customer trust.

It was part of a series of attacks during that period against FX traders in the Hong Kong area. Similar company types are often hit in waves, including, in the past, purveyors of spas, perfume, and chocolate.

Prolexic's detection software attempts to sniff out DDoS attacks before they disable a website. Once a problem is detected, all traffic to that site is routed by Prolexic's PLXrouted service to its cloud-based mitigation platform. The platform will filter out the non-suspicious IP addresses, then scrub out the malicious traffic using 20 different technologies (10 of them proprietary) and return all clean traffic back to the original site. It continues to monitor for weeks, as DDoS attacks are often long-term campaigns that see several different Layer 7 vectors.

The Bottom Line
While some customers approach his firm only after attempting to squelch the problem on their own, Scholly says an increasing number are buying PLXrouted before ever seeing a threat.

"Historically most people would come to us during or after an attack," he says. "Now most customers are coming to us about a business continuity plan. They see enough in the press about Anonymous and other types of denial of service attacks, or they may have others in their vertical who have been attacked, and they start instituting things early. This becomes an extension of disaster recovery (DR) planning."

While companies that provide services like eCommerce, software as a service (SaaS), and online banking understand the value of their website to their business, many others think they can live with a downed site for a few hours. But think of the brand damage that's done from customers not knowing if a successful hack is just a DDoS or is a scarier theft of data.

While DR involves planning for every eventuality from earthquakes to yeti attacks, DDoS is much more realistic. Since these come in industry-specific waves, any firm that sees a competitor get shut down should dig up a protection mechanism as quickly as possible.
