
NASDAQ and BATS Web Sites Fall Victim to DDoS Attacks

Both the BATS and NASDAQ exchanges were under constant assault early this week, thanks to a flood of packets sent their way by an unknown group or person. These recent attacks are just the latest in a string of attacks that have hit the UN, CIA, and others.

NASDAQ spokesperson Joseph Christinat told SecurityWeek that the NASDAQ website came under attack on Monday, with the attack lasting about 24 hours. The origin of the attack was unknown. Throughout the day on Tuesday, if the NASDAQ domain loaded at all, it was sluggish. The situation has been resolved, Christinat said, stressing that there was no hacking and that trading operations were not impacted.

At the same time NASDAQ was targeted, the website for BATS (the third largest U.S. equity market) was offline as well, with spokespersons reporting that the DDoS attack had no effect on trading systems. Likewise, NASDAQ stood firm on the point that only the corporate website was impacted, and no information was taken.

In related news, Radware, an application security and availability vendor, issued a warning to customers concerning alleged DDoS attacks on websites in Israel, and other high value domains on Tuesday.

“In the last couple of days, the infamous Anonymous hacker group has released a threat against Israeli websites. Based on ERT experience with blocking Anonymous attacks in Israel and all over the world, we are releasing here a short list of security-policy recommendations. Attacks are expected against Israeli government, public institutions, and other high profile websites starting today, Tuesday February 14,” an email obtained by SecurityWeek explains.


The email goes on to list basic attack vectors and offers guidance for customers that may be forced to deal with them. Given that the advice would apply to anyone charged with defending a network, we’ve pasted it below.

1. It is time to activate all security appliances. Switch all security appliances in the network to Block mode—including Anti-DoS, IPS and WAF. Make sure all equipment is updated with the latest signature/definition releases.

2. Monitor Security Alerts. Examine alerts and triggers carefully. Tune existing policies and protections to prevent false positives and allow you to identify real threats if and when they occur.

3. ***Take packet captures. This is very important.***

Be able to take real-time packet captures. It does not need to be a state-of-the-art capture monster. Even a PC running Wireshark connected to a mirror port on the router will do. Prepare and educate your personnel on how to run the packet-capture tool.

In case of an attack that evades the current protection, this is going to be the most useful way to gather information. (Upload the captures as you get them to radware.filepile.com, and send us the links you get from the uploaded file.)

4. Protect your network from volumetric attacks—Use MSSP. Keep your pipes from saturation by routing traffic through Anti-DoS–protected service providers. Make sure security policies at the service-provider level are up to date and defined properly.

5. Protect your network from volumetric attacks—Block unused UDP ports.

Open ports are prone to volumetric UDP floods. Block all unsupported UDP ports at the service provider, emphasizing UDP/80 and UDP/443.

6. Protect your web application—Deploy WAF. If you do not have WAF in your environment, this is a very good time to do so.

7. When all hell breaks loose, contact ERT.
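Recommendations 3 and 5 go together in practice: once captures are coming off the mirror port, the first question is how much UDP is arriving on ports the host never intended to serve. The script below is an added example, not code from the article or from Radware; it parses constructed lines in the style of `tcpdump -nn` output and summarises UDP volume per destination port, flagging ports outside an assumed allow-list (`EXPECTED_UDP_PORTS` and the sample traffic are assumptions).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of `tcpdump -nn` output (not a real capture):
# a UDP flood toward UDP/80 and UDP/443 mixed with ordinary DNS and TCP traffic.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.40001 > 198.51.100.10.80: UDP, length 1400
12:00:01.000002 IP 203.0.113.6.40002 > 198.51.100.10.80: UDP, length 1400
12:00:01.000003 IP 203.0.113.7.40003 > 198.51.100.10.443: UDP, length 1400
12:00:01.000004 IP 198.51.100.20.53412 > 198.51.100.10.53: UDP, length 64
12:00:01.000005 IP 203.0.113.5.40001 > 198.51.100.10.80: UDP, length 1400
12:00:01.000006 IP 203.0.113.8.40004 > 198.51.100.10.443: UDP, length 1400
12:00:01.000008 IP 203.0.113.9.40005 > 198.51.100.10.80: UDP, length 1400
12:00:01.000009 IP 203.0.113.10.1234 > 198.51.100.10.22: UDP, length 60
12:00:01.000010 IP 203.0.113.11.5555 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
"""

# Matches the IPv4 UDP line shape tcpdump prints with -nn (numeric hosts and ports).
UDP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$"
)

# Assumed set of UDP services this host intentionally exposes; every other UDP
# port is "unused" in the sense of recommendation 5 above.
EXPECTED_UDP_PORTS = {53, 123}

def parse_udp_lines(text):
    """Yield (src, dport, length) for each UDP line; non-UDP lines are skipped."""
    for line in text.splitlines():
        m = UDP_LINE.match(line.strip())
        if m:
            yield m["src"], int(m["dport"]), int(m["length"])

def summarize_udp(text, expected_ports=EXPECTED_UDP_PORTS):
    """Per destination port: packet count, byte volume, distinct sources, expected?"""
    packets, volume, sources = Counter(), Counter(), defaultdict(set)
    for src, dport, length in parse_udp_lines(text):
        packets[dport] += 1
        volume[dport] += length
        sources[dport].add(src)
    return {p: {"packets": packets[p], "bytes": volume[p], "sources": len(sources[p]),
                "expected": p in expected_ports} for p in packets}

def flood_candidates(text, min_packets=2):
    """Unexpected UDP ports with at least min_packets packets, busiest first."""
    s = summarize_udp(text)
    hot = [p for p, v in s.items() if not v["expected"] and v["packets"] >= min_packets]
    return sorted(hot, key=lambda p: (-s[p]["packets"], p))
```

On a real capture, feed the output of `tcpdump -nn -r capture.pcap udp` into `flood_candidates`; the ports it returns are the ones to raise with the service provider under recommendation 5.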

These DDoS attacks come on the heels of a recent weekend rampage in which supporters of Anonymous launched DDoS attacks against one hundred and eleven Mexican websites, some related to Mexico’s mining industry and others to Mexico’s Senate and Ministry of Interior, as well as Alabama’s state website, the UN, and even the CIA.


Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.