Stock exchange sites suffer DoS attack

Stock exchange operators Nasdaq and BATS saw their Web sites attacked for over 24 hours on Tuesday, blocking access to sites although trading was not affected, report said. Security watcher noted such denial-of-service (DoS) attacks "impossible" to prevent, though.

In a Reuters report Tuesday, representatives from Nasdaq and BATS confirmed the DoS attacks but both noted that their trading systems were not affected.

"The Web site wasn't hacked, nobody got any information. What they did was try to block access for our users," Nasdaq spokesperson Joseph Christinat told the newswire. He added that the attacks started since late Monday but Nasdaq has yet to locate the attack's origins nor say when the problem will be resolved.

BATS also confirmed the attacks, saying: "Our trading systems were not affected and there were no exchange customer disruptions associated with the incident."

Both Nasdaq and BATS Web sites have since returned to normal as of the time this article was published.

DoS attacks common but impossible to prevent
One security observer said such DoS attacks are common but "impossible to prevent". Stephen Cobb, security evangelist at ESET, told ZDNet Asia that the use of DoS attacks against high-profile Web sites is a familiar tactic employed by some hacktivist groups.

"Perpetrators of these attacks flaunt the law and abuse technology in order to deny other people access to legitimate Web sites, thereby drawing attention to a cause or to themselves," he said. "A real world analogy might be a street protestor with a bull horn shouting down other people or a human barricade blocking access to a building."

According to Cobb, DoS attacks are "relatively easy" to execute but "impossible to prevent" because they merely simulate large amounts of traffic visiting a Web site. The defense against such attacks is load balancing and tracking down the attackers and shutting them down, said Cobb.

However, he added that the need to act within the law might slow down the progress of tracking down the perpetrators.

Eric Chan, regional technical manager for Southeast Asia and Hong Kong at Fortinet, pointed out that DoS attacks might prove more dangerous than just blocking access, though. He said: "Once a hacker gains access to the Web server, they'll be able to access to other internal resources and servers. These resources could be a database server hosting customer's confidential information."

He also believed that there are security products to minimize DoS attacks. Software such as Web application firewall (WAF) and intrusion prevention systems (IPS) can prevent DoS and hacking attacks on Web sites, he said, adding that companies can also use a patch management system to ensure that their Web servers are properly protected against any known vulnerabilities.

"For customers concerned with DoS attack, they can either install an IPS or subscribe to 'clean pipe' services from their Internet service providers," Chan added.