“We see and deflect DDoS attacks on clients every day. We saw a big one on Friday aimed at a brokerage and we continue to deflect and mitigate it for them.” As internet-distributed malice continues, it is extremely important to improve your brokerage’s security. Here is the full investigation.
Distributed denial of service attacks – or DDOS attacks – on commercial technological infrastructure are a bugbear which has blighted the world of international business for a considerable length of time.
This terminology refers to the attacking of a corporate information technology system in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet.
Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. It has been a common method used by those with malicious intent toward a specific industry or, on a more macro scale, toward a company against which a grudge is held, or in an attempt to eradicate competition.
Whilst it is a great shame that, in this age of sophistication and ready availability of resources from which to educate oneself continuously, fully grown adults still feel the somewhat primitive need to attack their competition via malicious activities rather than raise their own standards and become part of a diversified range of services that contribute to a great and continually advancing industry sector, it unfortunately does exist.
This week, the increase in DDOS attacks on retail brokers has been a subject of investigation by FinanceFeeds, and something to be wary of, especially from within the boardroom of retail FX brokerages toward whom these have been directed.
This time, one of the channels via which the attacks have been distributed is ancillary services such as VPS providers. This once again highlights the need for brokerages to form partnerships only with the very well recognized specialist firms in the industry that understand how to develop their network topology, as well as their support and protection systems, in a way that is completely tailored toward the infrastructure used within retail FX brokerages and its connection to the outside world – usually liquidity providers and automated trading systems.
In FinanceFeeds’ experience, there are three bona fide, industry-standard providers in that sector, those being oneZero, PrimeXM and Gold-i.
All three of these companies fully understand how to design and host an industry-specific liquidity management system and order execution solution that is completely integrated with the retail platform and is completely aligned with the systems used in the liquidity providers and live market to which it connects.
If a brokerage takes a full solution with its own proprietary software, it should stick firmly to that solution without attaching unsupported third party systems to it.
This week, FinanceFeeds has gained information from several brokerages that this particular wave of DDOS attacks was distributed via VPS software provided by ancillary third party VPS providers, creating a deployment via that channel into the technological and hosting solutions of brokerages.
VPS software virtually positions the trader in close proximity to the trading server used by their brokerage, with the intention of reducing latency when executing trades and ensuring less requoting due to distance-related time lag; in some cases it also provides a market access advantage, so that retail traders can execute trades quicker than competing traders attempting the same trade.
Opinions vary on their necessity and effectiveness; however, it is absolutely clear that security needs to be a matter of concern these days.
In one case, disruption occurred for two days last week, those being Thursday and Friday, with several brokerages having raised complaints to their liquidity provider and prime brokerages, who then narrowed it down to the commonality of using the same VPS provider as an externally provided solution.
One of the pitfalls in this particular sector is that in many cases, VPS software is the fruit of ‘garden shed’ programmers who have either retired from, or moved on from, large software firms outside the FX industry. These are effectively fringe enterprises with very few staff, whose operators are idealistic programmers with little commercial acumen.
FinanceFeeds is aware of one particular firm which promises to host an entire MetaTrader 4 terminal and its externally developed EAs (!!!!) on one virtual server. Its owner, however, is not experienced in how to structure critical partnerships with bona fide companies within the electronic financial services sector and, in desperate attempts to offload the entire loss-making company to anyone whatsoever, strikes up partnerships with fraudulent HYIP operators with very little system security – let alone regard for the potential damage that can be done to customer trading accounts.
One particular VPS programmer that FinanceFeeds approached last week explained “We see and deflect DDOS attacks on clients every day. We saw a big one on Friday aimed at a client of ours, and currently we continue to deflect and mitigate it for them. Brokers are attacked every day, and this has become commonplace for our industry now.”
In October last year, FinanceFeeds obtained back office reports which demonstrated that for approximately one hour, FX industry technology provider Integral Development Corporation experienced a service outage, between approximately 8.43am and 10.50am on October 18, 2016.
FinanceFeeds contacted senior executives at Integral Development Corporation in order to establish the cause of this and to gain perspective on how it was resolved; however, no reply was proffered, thus FinanceFeeds conducted investigations via trading logs and back office systems reports of several industry partners.
Whilst the reports from the back offices at various sources confirmed the outage, it is important to research the cause. Industry information gathered by FinanceFeeds indicates that the cause of the outage was rectified in planned maintenance later in the day, which itself took 15 minutes longer than usual.
According to several industry sources, the outage occurred during the morning. At approximately 5.00pm Eastern Standard Time, during the period colloquially known as ‘roll’ – when a number of server restarts happen and many traders in jurisdictions outside North America are inactive – Integral Development Corporation conducted maintenance which included a resolution to the cause of the outage earlier in the day.
This calls into question whether a backup system should be in place which diverts to an emergency server farm in the case of such an outage. Such systems have been commonplace in financial technology infrastructure for many years, including during my early years from 1991 onwards when infrastructure providers were continually testing uninterruptible power supplies (UPS) and uploading entire data sets onto DAT tapes constantly, to be able to switch to other servers in the event of an outage.
In this case, many customers did not complain about the outage, and indeed service was restored promptly.
Whether this was a DDOS attack or not was never confirmed; however, in the summer of this year, such a pattern re-emerged, this time with retail brokerages in Japan.
In June, Kabu.com Securities, a subsidiary of Mitsubishi UFJ Financial Group Inc, fell victim to a DDoS attack. The cyber attack happened early this morning, according to a report by the company confirming the incident.
The cyber attack targeted the website of the company, which was unavailable for about 36 minutes today. At 9:00, abnormal traffic was detected through the DDoS protection service and the company immediately launched an investigation. At 9:02 it became difficult to access Kabu.com’s website.
At 9:28, the company confirmed that the cause of the abnormal traffic was a cyber attack. At 9:38, the team managed to block the malicious cyber attack and access to Kabu.com’s website was restored.
During this wave of attacks, Saxo Bank, as much a fintech company as it is a brokerage, changed how its platform is exposed to the outside world.
The company stated in July this year that in order to ensure resilience against the ever-growing threat of cyber attacks, it was making adjustments to how the SaxoTraderGO platform is exposed to the external world. Saxo moved from a reactive to a proactive protection setup, meaning that its service would be presented at a new IP address.
At that time, the firm stated that white label partners already using a CNAME entry in their DNS for their login URL towards Saxo needed to take no action, as the change would be transparent when the IP address was changed by Saxo.
Partners using an A record towards Saxo, on the other hand, would have needed to change their DNS configuration from an A record to a CNAME.
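The CNAME versus A-record point above is worth seeing concretely. The following is an added example, not code from the article or from Saxo, that simulates a small DNS zone with constructed hostnames and IP addresses: one partner points at the provider’s login host via a CNAME, another has copied the provider’s IP into its own A record, and the provider then moves to a new address as described. Only the A-record partner is left pointing at the old address.

```python
# Added example (not from the article): simulate the DNS difference Saxo
# described. A partner that uses a CNAME towards the provider's login host
# keeps resolving correctly when the provider changes IP; a partner that
# hard-coded the provider's IP in an A record does not.
# All hostnames and IP addresses below are constructed placeholders.

from copy import deepcopy

PROVIDER_HOST = "login.provider.example"   # constructed, stands in for the provider's host

# Constructed zone data: record name -> (record type, target)
ZONE = {
    PROVIDER_HOST: ("A", "192.0.2.10"),                       # provider's own A record
    "login.partner-cname.example": ("CNAME", PROVIDER_HOST),  # partner using a CNAME
    "login.partner-a.example": ("A", "192.0.2.10"),           # partner with a copied IP
}

def resolve(zone, name, max_hops=8):
    """Follow CNAME records until an A record is reached; return the IP or None.

    max_hops guards against CNAME loops or over-long chains.
    """
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None:
            return None
        rtype, target = rec
        if rtype == "A":
            return target
        name = target  # CNAME: keep resolving the target name
    return None

def move_provider(zone, new_ip):
    """Provider changes the address behind its own hostname (e.g. for a new protection setup)."""
    new_zone = deepcopy(zone)
    new_zone[PROVIDER_HOST] = ("A", new_ip)
    return new_zone

def partners_needing_action(zone, new_ip):
    """Names that no longer reach the provider's current IP after the move."""
    moved = move_provider(zone, new_ip)
    target_ip = resolve(moved, PROVIDER_HOST)
    return sorted(n for n in moved
                  if n != PROVIDER_HOST and resolve(moved, n) != target_ip)

if __name__ == "__main__":
    for name in partners_needing_action(ZONE, "198.51.100.20"):
        print(name, "-> must switch its A record to a CNAME towards", PROVIDER_HOST)
```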
Further to that, Japan’s Hirose FX confirmed that it was subjected to a DDoS attack on Monday, September 18, 2017.
The services affected included the corporate website, as well as Hirose FX’s trading tools, such as the LION FX platform. Logging into the platform and accessing the website was hampered for more than an hour on Monday morning. The services were restored at 11:28.
Outside of Asia, Canada’s Questrade was also subjected to a DDOS attack this summer.
It is important to note here that all of these waves of DDOS attacks have been experienced at the retail broker end of the FX industry’s infrastructure topology, hence it is worth being very careful how your firm is connected both to the outside world and to its providers.
Once again, it is very important to reiterate the need to stick to proven industry standard providers, those being oneZero, Gold-i and PrimeXM, especially given that many DDOS attacks have successfully disrupted Japanese brokers, which do not use MT4 and therefore tend not to use the aforementioned providers, while those affected recently in Western markets have complained that the attacks were distributed via ancillary VPS providers.
Mind how you go...