Cyber Citadel

Cyber Siege on the NZX

How a sustained DDoS campaign brought the New Zealand Exchange to a halt and what it reveals about modern cyber threats.

This week's cyber-attack on the New Zealand Exchange (NZX) resulted in severe outages and trading being halted for hours.

The NZX declared on Tuesday that it had been hit by a Distributed Denial of Service (DDoS) attack originating from offshore. The exchange was forced to halt trading as the sheer volume of malicious traffic overwhelmed its systems. Richard Groves, Vice President of A10 Networks, commented that attackers are increasingly using exploit lists and automated botnets to launch sustained, high-volume DDoS campaigns against high-profile targets. The attack demonstrated that even well-resourced financial institutions are not immune to this type of disruption.

The volumetric DDoS attack crashed the NZX's external connectivity for four consecutive days, preventing investors from accessing the market and halting all trading activity. The incident drew the attention of New Zealand's Finance Minister Grant Robertson, who offered government support and resources to assist the exchange in restoring operations and strengthening its defences.

Understanding the Attack

Groves explained that the NZX attack was a classic example of an amplification attack — a technique in which the attacker exploits publicly accessible servers to magnify the volume of traffic directed at the target. By sending small, specially crafted requests to vulnerable servers (such as DNS resolvers or NTP servers), attackers can generate response traffic many times larger than the original request, all of which is directed at the victim's infrastructure.

A common misconception is that migrating infrastructure to the cloud provides inherent protection against DDoS attacks. While cloud providers offer significant scalability and resilience, Groves noted that the underlying infrastructure remains exposed if proper DDoS mitigation is not implemented. Cloud migration changes the architecture, but it does not eliminate the attack surface. Organisations must ensure that their cloud deployments include dedicated DDoS protection services, properly configured firewalls, and traffic scrubbing capabilities.

Mitigation Strategies

One of the most concerning aspects of DDoS attacks is their frequent use as a smokescreen for more targeted intrusions. While security teams are consumed with responding to the DDoS assault — which is highly visible and operationally disruptive — attackers may be simultaneously conducting quieter, more sophisticated operations designed to exfiltrate high-value data. The DDoS attack serves as a diversionary tactic, drawing attention and resources away from the real objective.

Groves outlined several best practices for mitigating DDoS attacks. At the network level, routers and switches should be configured to rate-limit suspicious traffic and drop malformed packets. The NetFlow protocol is an essential tool for monitoring network traffic in real time, enabling security teams to track the volume and origin of SYN packets and other indicators of a DDoS attack in progress. This visibility is critical for detecting an attack early and initiating response procedures before the impact becomes severe.
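The flow monitoring described above, sketched as an added example (not code from the article or from A10 Networks): it aggregates flow records per destination and flags both SYN-only floods and UDP responses arriving from DNS/NTP source ports, the reflectors named earlier. The record fields, thresholds and sample flows are assumptions constructed for illustration; real limits must be baselined per export interval.

```python
from collections import defaultdict, namedtuple

# Simplified flow record; field names are assumptions loosely modelled on NetFlow v5.
Flow = namedtuple("Flow", "src dst proto sport dport tcp_flags packets bytes")

SYN, ACK = 0x02, 0x10                      # TCP flag bits
TCP, UDP = 6, 17                           # IP protocol numbers
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}  # services the article names

def summarise(flows):
    """Per-destination totals: SYN-only packets and UDP bytes sent from DNS/NTP ports."""
    stats = defaultdict(lambda: {"syn_pkts": 0, "reflected_bytes": 0, "reflectors": set()})
    for f in flows:
        s = stats[f.dst]
        if f.proto == TCP and f.tcp_flags & SYN and not f.tcp_flags & ACK:
            s["syn_pkts"] += f.packets       # handshake never progressed past the SYN
        elif f.proto == UDP and f.sport in REFLECTOR_PORTS:
            s["reflected_bytes"] += f.bytes  # response traffic arriving from a reflector port
            s["reflectors"].add(f.src)
    return stats

def detect(flows, syn_limit=1000, byte_limit=1_000_000, min_reflectors=3):
    """Return (dst, kind, value) alerts for one export interval. Limits are placeholders."""
    alerts = []
    for dst, s in sorted(summarise(flows).items()):
        if s["syn_pkts"] > syn_limit:
            alerts.append((dst, "syn-flood", s["syn_pkts"]))
        if s["reflected_bytes"] > byte_limit and len(s["reflectors"]) >= min_reflectors:
            alerts.append((dst, "udp-amplification", s["reflected_bytes"]))
    return alerts

# Constructed sample interval (documentation address ranges, not real traffic).
SAMPLE = [
    Flow("198.51.100.1", "203.0.113.10", TCP, 40001, 443, SYN, 600, 36000),
    Flow("198.51.100.2", "203.0.113.10", TCP, 40002, 443, SYN, 500, 30000),
    Flow("198.51.100.3", "203.0.113.10", TCP, 40003, 443, SYN, 400, 24000),
    Flow("198.51.100.9", "203.0.113.10", TCP, 40009, 443, 0x1B, 50, 42000),  # completed session
    Flow("192.0.2.1", "203.0.113.20", UDP, 123, 51000, 0, 900, 400_000),
    Flow("192.0.2.2", "203.0.113.20", UDP, 123, 51000, 0, 900, 400_000),
    Flow("192.0.2.3", "203.0.113.20", UDP, 53, 51000, 0, 300, 400_000),
    Flow("192.0.2.4", "203.0.113.20", UDP, 53, 51000, 0, 300, 400_000),
    Flow("192.0.2.53", "203.0.113.30", UDP, 53, 33000, 0, 4, 2_000),          # ordinary DNS reply
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Requiring several distinct reflectors keeps a single resolver's ordinary replies (the last sample flow) from raising an alert.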

Black hole routing — in which traffic destined for a targeted IP address is redirected to a null interface and effectively discarded — is a blunt but effective emergency measure that can protect the broader network at the cost of temporarily sacrificing availability for the targeted service. Subscription-based DDoS mitigation services, which scrub malicious traffic before it reaches the target's infrastructure, provide a more surgical approach and are increasingly considered essential for organisations that cannot afford extended downtime.

In the aftermath of the attacks, the NZX announced that it would be transitioning to Akamai Technologies for its web hosting and content delivery, citing the need for enterprise-grade DDoS protection. The move highlighted the growing recognition among organisations that DDoS mitigation is not an optional add-on, but a fundamental requirement for any internet-facing service.

The NZX incident also underscored the need for international cooperation in combating DDoS attacks. The attackers operated from offshore, exploiting infrastructure across multiple jurisdictions. Effective response requires coordination between national cybersecurity agencies, law enforcement, and private sector organisations across borders.

The NZX 50 index fell 0.24% in the wake of the attacks, a modest decline that nevertheless reflected the broader impact on market confidence. While the immediate financial impact was contained, the reputational damage and the erosion of confidence in the exchange's resilience may prove more lasting. For investors and market participants, the incident served as a stark reminder that cyber risk is market risk — and that the security of financial infrastructure is a shared concern.
