Cyber attacks have hit several New Zealand organisations this month, disrupting their online services.
The Distributed Denial of Service (DDoS) attacks were the same kind of cyber attack that affected the NZX
around this time last year.
The SMC asked experts to explain how DDoS attacks work and how organisations can protect themselves.
Dr Rizwan Asghar, School of Computer Science, University of Auckland, comments:
“Recently, New Zealand banks, including Kiwibank and ANZ, MetService, NZ Post, IRD, and Vocus (a large Internet
infrastructure provider in New Zealand) are among organisations that have been hit by DDoS cyberattacks. Consequently,
users have experienced issues with online services since last week. For instance, customers of Kiwibank and ANZ, facing
cyberattacks for almost over a week, could neither use the banking app nor make online transfers. These cyberattacks are not new
and remind me of a series of DDoS attacks lasting multiple days at almost the same time last year.
“Using Distributed Denial of Service – in short DDoS – attacks, attackers aim to bring the target system down such that
it is not available to serve legitimate users, thus causing inconvenience, which could lead to financial loss for
organisations due to service outage. Although DDoS attacks can be launched by groups and states equipped with the
required resources and tools, an expert hacker can also generate attack traffic by controlling vulnerable devices
connected to the Internet. Most of these devices are vulnerable because there are security loopholes that are not
patched. Many owners are unaware that their devices are contributing to cyberattacks. In the absence of perceived harm,
owners are not motivated to patch their devices, unfortunately.
“There could be different motivations behind DDoS attacks. Some of these motivations are financial or political, or a
newbie hacker can attack just for fun. DDoS attacks are used as a service now. As a result, an individual, with little
or no knowledge, can trigger up to a couple of million DDoS attacks for as little as NZ$10. All this calls for
defences against DDoS attacks more than ever. Large organisations can have in-house strategies for such defences.
Another possibility is to use DDoS protection services offered by Content Delivery Network providers. The
fundamental issue is that most New Zealand businesses are SMEs, and they might lack resources to implement cybersecurity
“In the future, New Zealand organisations should be ready for a protection plan and properly respond to potential
cyberattacks that are likely to be more sophisticated. In my personal view, to save online businesses from the risk of
cyberattacks, the New Zealand government should create cybersecurity awareness campaigns and find ways to support them
proactively. Otherwise, a passive approach, by the New Zealand government and organisations, to dealing with
cybersecurity issues would result in a huge loss to New Zealand’s digital economy.”
No conflict of interest.
Dr Kenneth Johnson, Department of Computer Science, Auckland University of Technology, comments:
“Distributed denial of service (DDoS) is a very simple form of cyber-attack. The attacker overwhelms the victim’s
server/website by sending many millions of data requests very rapidly. This means that the victim’s website, for example,
cannot respond to legitimate requests. In these attacks, the victim’s data is not accessible, stolen or destroyed.
“This is a particular issue if the victim’s website is supporting transactions, e.g., banks or shopping sites, or
responding to queries like a weather site. The distributed bit means that the attacker uses malware to take over lots of
third-party computers to send the requests – these are then called ‘bots.’
“These may have been infected by phishing or other attacks. This means the attacker is both concealed – because the
requests are coming from a very wide range of computers – and also doesn’t have to use computing power or network
bandwidth to mount the attack. In many cases the owners and users of the third-party computers won’t know that their
computer is being used this way at all, and any computing device attached to the internet including routers etc. can be
“There has been a huge increase in the number and scale of DDoS attacks over the last few years. This is driven by more
criminal gangs being interested in using them and probably by the move to home working, which may have made some
computers more vulnerable to being taken over and used as botnets because of less-secure home networks and more shared
“When attacks coincide with strict lockdown measures, it makes it harder to do commerce, shop online, and do our work
“To defend against DDoS attacks, the victims can increase their capacity to deal with requests, but this is normally a
losing battle as the attackers can increase the number of bots they use at virtually no cost to them. More practically,
websites and ISPs can identify and filter out these illegitimate requests as they are identified, and CERT and security
companies are constantly improving these approaches.”
No conflict of interest.