Topic: An Odd DoS Attack (Read 11422 times)

Renegade

An Odd DoS Attack
« on: October 09, 2012, 11:30 AM »
Well, this is a bit of an odd DoS attack:

http://www.cnbc.com/id/49333454

> A single mysterious computer program that placed orders — and then subsequently canceled them — made up 4 percent of all quote traffic in the U.S. stock market last week, according to the top tracker of high-frequency trading activity. The motive of the algorithm is still unclear.
>
> The program placed orders in 25-millisecond bursts involving about 500 stocks, according to Nanex, a market data firm. The algorithm never executed a single trade, and it abruptly ended at about 10:30 a.m. ET Friday.
>
> “Just goes to show you how just one person can have such an outsized impact on the market,” said Eric Hunsader, head of Nanex and the No. 1 detector of trading anomalies watching Wall Street today. “Exchanges are just not monitoring it.”

The attack chewed up 10% of all available trading bandwidth, and never completed a trade.

If that's not a DOS, I don't know what is.

As it's on Wall Street, of course no criminal charges were placed. Go figure.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
« Last Edit: October 09, 2012, 05:48 PM by Renegade, Reason: DOS > DoS »

joiwind

Re: An Odd DOS Attack
« Reply #1 on: October 09, 2012, 11:55 AM »
Someone's testing something ...

Stoic Joker

Re: An Odd DOS Attack
« Reply #2 on: October 09, 2012, 11:55 AM »
> As it's on Wall Street, of course no criminal charges were placed. Go figure.

...Because it's too much like trying to charge someone with rape at an orgy.

> Translation: The ultimate goal of many of these programs is to gum up the system so it slows down the quote feed to others and allows the computer traders (with their co-located servers at the exchanges) to gain a money-making arbitrage opportunity.
> -The article

So there are many of these programs floating around - Sounds to me like it's just business as usual - What made this one worth reporting?

mahesh2k

Re: An Odd DOS Attack
« Reply #3 on: October 09, 2012, 11:56 AM »
Maybe someone is writing a worm to collapse the trading market. They just tested it? lol. That's all I can think of here.

SeraphimLabs

Re: An Odd DOS Attack
« Reply #4 on: October 09, 2012, 12:00 PM »
That whole thing about people hoarding server space next door to wall street is borderline fraud too.

Apparently a 2ms difference in trading speed is sufficient to make millions of dollars a year manipulating the markets.

Something like this just goes hand in hand with that- by swamping the outside lines, the inside traders get an even bigger time advantage.

f0dder

Re: An Odd DOS Attack
« Reply #5 on: October 09, 2012, 02:05 PM »
> > As it's on Wall Street, of course no criminal charges were placed. Go figure.
>
> ...Because it's too much like trying to charge someone with rape at an orgy.
:-*
- carpe noctem

TaoPhoenix

Re: An Odd DOS Attack
« Reply #6 on: October 09, 2012, 02:32 PM »
Should it be called a DDOS? Was it Distributed?

When I saw DOS I was thinking someone had a weird program from 1988 or something.

Stoic Joker

Re: An Odd DOS Attack
« Reply #7 on: October 09, 2012, 02:51 PM »
> When I saw DOS I was thinking someone had a weird program from 1988 or something.

You mean like this?

C:\DOS> Attack!! :D


It probably would help if it was written as DoS (Denial of Service), but I'm really not sure if that is the proper form.

40hz

Re: An Odd DOS Attack
« Reply #8 on: October 09, 2012, 04:12 PM »
Sounds to me like some recent change made to somebody's automated trade robot had a coding error in it, and it took whoever owned it a week to notice it (or more likely get called by whoever was watching it to see what it was up to) and finally pull the plug. That might also explain why no criminal investigation was conducted.

It's not like they don't know whose program caused it. From the sketchy news it doesn't look like the program tried to stealth its identity either. Which makes me less suspicious as to its "motives" since you can't place a stock order anonymously. You need to sign onto an account before you can do that. A genuinely malicious program would have come at them from hundreds of different directions under thousands of different IDs.

Nope. Definitely sounds more like a big brokerage or investment fund had a bad program slip the leash on them. (CNBC often seems to be looking for an "enemy action" story lately - even when there isn't one.)
 8)
« Last Edit: October 09, 2012, 05:05 PM by 40hz »

Renegade

Re: An Odd DoS Attack
« Reply #9 on: October 09, 2012, 06:07 PM »
> ...Because it's too much like trying to charge someone with rape at an orgy.

Hahahah~!

> It probably would help if it was written as DoS (Denial of Service), but I'm really not sure if that is the proper form.

Fixed.

> Sounds to me like some recent change made to somebody's automated trade robot had a coding error in it, and it took whoever owned it a week to notice it (or more likely get called by whoever was watching it to see what it was up to) and finally pull the plug. That might also explain why no criminal investigation was conducted.
>
> It's not like they don't know whose program caused it. From the sketchy news it doesn't look like the program tried to stealth its identity either. Which makes me less suspicious as to its "motives" since you can't place a stock order anonymously. You need to sign onto an account before you can do that. A genuinely malicious program would have come at them from hundreds of different directions under thousands of different IDs.
>
> Nope. Definitely sounds more like a big brokerage or investment fund had a bad program slip the leash on them. (CNBC often seems to be looking for an "enemy action" story lately - even when there isn't one.)
> 8)

Maybe I'm a bit cynical, but it seems to me that Wall Street *is* malicious intent. :P

The program accounted for 4% of all trade orders, and all of those orders were bogus. That's a huge volume of fake orders.

Like, who the heck wakes up and says to themself, "I think I'll enter 200 million fake orders this week!"

> A genuinely malicious program would have come at them from hundreds of different directions under thousands of different IDs.

Not so sure about that. This seems to me to be more about gaming the system. That's what I meant by "an odd DoS" attack. It's not DDoS, but rather simple DoS. The aim doesn't seem to be to bring the system down, as you would expect with a DDoS, but rather to create latency or to simply clog up the system.

I don't know exactly how latency would affect the system, but then again, we're talking about the same criminals that thought up a way to give a massive number of mortgages to anyone and everyone that could sign on a dotted line, then package up and securitize those mortgages, con some corrupt ratings people into labeling them as high-grade investments, fraudulently sell those off to different firms, including retirement funds, bet that those investments would tank, wait for the entire bubble to burst, then con the government into bailing everyone out for gambling, and walk away with trillions of dollars in their pockets.

What does that say about that crowd?

They're smart. Damn smart. They know how to take advantage of things. Their intelligence is only exceeded by their criminality.

So, I have a very hard time believing that any kind of manipulation there is "innocent" or "just testing the waters". If they are testing, I think it would be naive to assume that they're testing in the same way that we would test some software -- they're testing to see if they can move in for the kill.

But then again... I *might* be cynical...

40hz

Re: An Odd DoS Attack
« Reply #10 on: October 09, 2012, 07:42 PM »

> So, I have a very hard time believing that any kind of manipulation there is "innocent" or "just testing the waters". If they are testing, I think it would be naive to assume that they're testing in the same way that we would test some software -- they're testing to see if they can move in for the kill.
>
> But then again... I *might* be cynical...

Maybe just a little bit?  ;)

I've done contract work for one of the biggest financials out there. One thing I've learned watching that industry is how amazingly closely orders, trades and other transactions are monitored for exactly that.

If somebody was deliberately trying to clog the pipes or introduce trading delays by rapidly submitting and then canceling orders, the regulators would be on them in a heartbeat or two. You really can't do that and get away with it. Trying to game the exchanges is illegal. You can even get your ass hauled in for giving what might be considered misleading information or comments to the press.

If you say "no problem" like Jamie Dimon of JP Morgan/Chase said during the "London Whale" debacle, you'd better be right. Or at least have a "very high up" somebody like Ina Drew to offer as a sacrificial victim when it finally hits the fan. Which is one reason why big financial institutions are notoriously tight-lipped. It's often less for strategic reasons than it is to avoid saying anything that turns out to be wrong later - and then be accused of trying to mislead investors when you made the comment.

The people running these institutions know that. So do the exchange and network cops.

Not to say these people are innocents. They're "the friendliest group of great white sharks you'll ever have the pleasure of swimming with" as one account manager put it. But nobody working for a financial institution is going to be stupid enough to deliberately try to cause network delays for an exchange without covering their tracks very carefully before they even try it. It's simply too easy to get caught trying something that obvious and basic.

When these guys commit crime, they do it big, and they do it subtly. And they'll generally only "push the envelope" or stray into gray legal areas when they do. Outright violations of rules and regulations are very rare. Not because they're good guys at heart. It's because it always comes out. And there are just too many ways to legally abuse the system and make a fortune for it to be worth knowingly and deliberately breaking the law. The odds are stacked too much against you. And these guys understand odds.

Renegade

Re: An Odd DoS Attack
« Reply #11 on: October 09, 2012, 07:50 PM »
^^ Are you saying that they understand the concept of "plausible deniability"? :P (Still cynical...)

40hz

Re: An Odd DoS Attack
« Reply #12 on: October 09, 2012, 08:17 PM »
Not so much that as knowing (for the most part) how far things bend before they break.

As you noted earlier, they are very smart.

And deniability doesn't get you off the hook when a law is clearly broken. Don't know how it works where you are, but over here, not knowing the law is not accepted as a valid defense.

Also - most people directly involved in this field need to get a license from the SEC in order to sell financial products or offer investment advice. The tests mostly cover relevant securities laws. So if they ever do break the law, they can't argue they didn't know the rules.

About the only thing plausible deniability might accomplish is having some securities regulator decide not to pursue charges. Once you're charged with something, however, the law swings into action and the only form of deniability you're allowed after that is to enter a plea of "not guilty."
« Last Edit: October 09, 2012, 08:28 PM by 40hz »

Stoic Joker

Re: An Odd DoS Attack
« Reply #13 on: October 10, 2012, 06:57 AM »
I'm cynical, and going by what the article linked to said:
> “My guess is that the algo was testing the market, as high-frequency frequently does,” says Jon Najarian, co-founder of TradeMonster.com. “As soon as they add bandwidth, the HFT crowd sees how quickly they can top out to create latency.” (Read More: Unclear What Caused Kraft Spike: Nanex Founder.)
> -The article
(emphasis mine)

Now that seems to rather clearly imply that this type of behavior is not uncommon ... So why all the hubbub about this particular instance?


It's nice to think that criminals follow rules... but it doesn't really alter the fact that once one goes past a certain level of power, there really aren't enough folks around to watch/prevent one from stretching the rules out just enough to accommodate whatever little project(s) is/are deemed "necessary". Because fear (as always) does a fine job of keeping the underlings in line.

Renegade

Re: An Odd DoS Attack
« Reply #14 on: October 10, 2012, 07:50 AM »
> I'm cynical, and going by what the article linked to said:
> > “My guess is that the algo was testing the market, as high-frequency frequently does,” says Jon Najarian, co-founder of TradeMonster.com. “As soon as they add bandwidth, the HFT crowd sees how quickly they can top out to create latency.” (Read More: Unclear What Caused Kraft Spike: Nanex Founder.)
> > -The article
>
> (emphasis mine)
>
> Now that seems to rather clearly imply that this type of behavior is not uncommon ... So why all the hubbub about this particular instance?
>
> It's nice to think that criminals follow rules... but it doesn't really alter the fact that once one goes past a certain level of power, there really aren't enough folks around to watch/prevent one from stretching the rules out just enough to accommodate whatever little project(s) is/are deemed "necessary". Because fear (as always) does a fine job of keeping the underlings in line.

I think it was because it went on for an entire week and accounted for a massive percentage of the total trade order volume.

40hz

Re: An Odd DoS Attack
« Reply #15 on: October 10, 2012, 08:36 AM »
I think it went on for an entire week more because the regulators were watching it closely to see exactly who/what it was and what it was trying to do before they said anything. The last thing you (usually) want to do when you have a 'bogey' in your network is disconnect them too quickly. And definitely not before you attempt to find out who they are and what they're up to.

Kick them off or shut them down too soon and they will always come back. :mrgreen:

Stoic Joker

Re: An Odd DoS Attack
« Reply #16 on: October 10, 2012, 08:47 AM »
Okay... I'm just having a bit of trouble with the "massive" 4% part. Sure on a tech news site 4% of what size pipe would be reflexively factored ... But this is the financial section of NBC news.  :-\

> I think it went on for an entire week more because the regulators were watching it closely to see exactly who/what it was and what it was trying to do before they said anything. The last thing you (usually) want to do when you have a 'bogey' in your network is disconnect them too quickly. And definitely not before you attempt to find out who they are and what they're up to.
>
> Kick them off or shut them down too soon and they will always come back. :mrgreen:

(Somebody's done this before... ;)) Now this makes sense ... But I still find the absence of the customary Head-on-a-Stick a bit troubling.

40hz

Re: An Odd DoS Attack
« Reply #17 on: October 10, 2012, 09:03 AM »
> (Somebody's done this before... ;))

Perish the thought!  ;)

> But I still find the absence of the customary Head-on-a-Stick a bit troubling.

That's why I don't think it was intentionally done. At least from what information has been released about it so far.  :mrgreen:

Renegade

Re: An Odd DoS Attack
« Reply #18 on: October 10, 2012, 09:19 AM »
> Okay... I'm just having a bit of trouble with the "massive" 4% part. Sure on a tech news site 4% of what size pipe would be reflexively factored ... But this is the financial section of NBC news.  :-\

It wasn't 4% of network traffic - it was 4% of orders.

It's like if you run an online shopping mall and 4% of all orders come from 1 person, and they're all canceled. No amount of bandwidth adjustment or additional bandwidth changes that it was 4% of all orders. Bandwidth is an entirely separate issue.

And it was 4% from a single source.

So, imagine whoever does that sets up a few more accounts... How many would a spammer have? A few hundred to start anyways.

You then go from 4% with 1 account, to something like 400 accounts making up about 94% of all transactions.

THEN bandwidth and all that gets funky fried chicken time with heart-stopping gravy butter-balls of doom.

40hz

Re: An Odd DoS Attack
« Reply #19 on: October 10, 2012, 11:37 AM »
> > Okay... I'm just having a bit of trouble with the "massive" 4% part. Sure on a tech news site 4% of what size pipe would be reflexively factored ... But this is the financial section of NBC news.  :-\
>
> And it was 4% from a single source.
>
> So, imagine whoever does that sets up a few more accounts... How many would a spammer have? A few hundred to start anyways.
>
> You then go from 4% with 1 account, to something like 400 accounts making up about 94% of all transactions.
>
> THEN bandwidth and all that gets funky fried chicken time with heart-stopping gravy butter-balls of doom.


But the orders in question wouldn't come in from a bunch of individuals. Those would only hit a licensed brokerage house trade desk. And you can't just willy-nilly set up accounts with them. You need financial references and a verifiable tax ID. And the brokerage systems themselves watch the activities in those accounts very carefully for games or anomalies. You also need a balance in your account (i.e. cash) - or access to credit in the form of a margin account - to even place an order. You can't just go in and say "I want 100,000 shares of Apple" and expect to see that order reach the exchange unless you have the money in your account to pay for it. All trying to place an order for a trade above what you're good for will get you is a warning if you're lucky, or the suspension (or termination) of your account if you tried to pull something really jive. You'll only get one or (maybe) two warnings at best before a brokerage will close your account.

It's the brokerage house orders actually hitting the exchange's system that they're talking about. That means it's brokerage to exchange orders which could affect the processing latency of the entire exchange - not just an individual brokerage house's system. Which is why you'd need to have access to the exchange order desk from a member brokerage in order to have that effect.

And you can't do that secretly - or by setting up 400 individual accounts. The exchange knows exactly who has access to their systems, along with knowing precisely when, where, and how such access is granted. So barring some high-level outside hacking team (likely covert or otherwise government "sponsored" to have the talent and resources needed) it's only one of the licensed traders that could have caused a flood of order/cancellations such as were reported.

And apparently they already know who it was. So all that remains is determining if it were an honest mistake, a technical glitch - or something more serious.

It will all come out in the end. And new system checks and safeguards will be put in place as a result.

Beyond it being newsworthy due to the fact it happened at all, I don't think there will end up being much "inside story" to report when the dust finally settles. Expect a wrist slap and possibly a fine at most.
« Last Edit: October 10, 2012, 11:48 AM by 40hz »

Stoic Joker

Re: An Odd DoS Attack
« Reply #20 on: October 10, 2012, 11:52 AM »
> It wasn't 4% of network traffic - it was 4% of orders.


Ah! (damn it) ...Just told on myself then. I went straight to BW out of habit, because order counts are accounting's friggin problem.  :)

TaoPhoenix

Re: An Odd DoS Attack
« Reply #21 on: October 10, 2012, 12:15 PM »

40hz with the winning analysis again.

This is why I am starting to get grumpy at news, it's not worth reading the "half articles" anymore without waiting a week for the "other half" to hit.   :mad:

Renegade

Re: An Odd DoS Attack
« Reply #22 on: October 10, 2012, 09:31 PM »
@40hz - Ah. That makes more sense then. I was thinking of a direct connection. I should have known better.

Renegade

Re: An Odd DoS Attack
« Reply #23 on: October 11, 2012, 11:07 PM »
Here's a bit of interesting stuff on that attack:

http://www.businessi...ng-last-week-2012-10

> A trader explained to us that this is a high frequency trading firm's way of baiting buyers interested in purchasing a specific stock and forcing them to reveal their positions. Once the potential buyer has put out their bid, the HFT cancels the order and the buyer is left out in the open. Usually, it's a set-up for another trading strategy the HFT is about to execute.

That sheds a bit more light on things.

And for fun, a graph:

http://www.nanex.net/aqck2/3614.html

[Image: Algo200.gif]

40hz

Re: An Odd DoS Attack
« Reply #24 on: October 12, 2012, 06:39 AM »
^Yup.  One automated system baiting other automated systems. Core War comes to Wall Street.  Don't you just love hedge funds?  :-\

Of course the exchanges could stop this nonsense fairly easily by instituting a minimum time per transaction of something like 3 seconds. Or requiring all orders be locked for a minimum of 10 seconds before allowing them to be canceled.

But that would cut into the exchange's transaction fee revenue stream. So there will probably need to be the threat of the Feds imposing some new rules before the exchanges decide to 'voluntarily' set up some restrictions on so-called fast trades.

Nice to know considering that if you, as an individual investor, did something similar, you'd likely get your trading account closed by your brokerage house since they take a very dim view of transaction cancellations. Which is doubly interesting since the laws governing securities trading have the establishment of a "level playing field" for all investors as their primary goal. (The necessity of requiring a level playing field was one of the first lessons learned following the first US stock market crash.)
« Last Edit: October 12, 2012, 07:22 AM by 40hz »
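
The two checks discussed in this thread, sketched as an added example that is not part of the original posts: a minimum resting time before a cancel is honoured (the 10-second figure suggested above), and flagging a single source that holds a large share of message traffic without ever trading. The message fields, session names and sample stream are constructed for illustration and do not model any real exchange protocol.

```python
from collections import defaultdict
from dataclasses import dataclass

MIN_REST_SECONDS = 10.0  # resting period suggested in the thread
SHARE_THRESHOLD = 0.04   # 4% of traffic, the share reported for the event


@dataclass
class Msg:
    ts: float      # seconds since start of the sample window
    session: str   # hypothetical member/session identifier
    kind: str      # "new", "cancel" or "fill"
    order_id: int


def apply_min_rest(msgs, min_rest=MIN_REST_SECONDS):
    """Split messages into (accepted, rejected).

    A cancel is rejected when the order is unknown or has rested on the
    book for less than min_rest seconds.
    """
    placed = {}  # order_id -> timestamp of the accepted "new"
    accepted, rejected = [], []
    for m in sorted(msgs, key=lambda m: m.ts):
        if m.kind == "new":
            placed[m.order_id] = m.ts
            accepted.append(m)
        elif m.kind == "cancel":
            t0 = placed.get(m.order_id)
            if t0 is None or m.ts - t0 < min_rest:
                rejected.append(m)
            else:
                del placed[m.order_id]
                accepted.append(m)
        else:  # "fill": the order traded and leaves the book
            placed.pop(m.order_id, None)
            accepted.append(m)
    return accepted, rejected


def flag_sessions(msgs, share_threshold=SHARE_THRESHOLD):
    """Return {session: share} for sessions that hold at least
    share_threshold of all messages, placed orders, and never traded."""
    counts = defaultdict(lambda: {"new": 0, "cancel": 0, "fill": 0})
    for m in msgs:
        counts[m.session][m.kind] += 1
    total = len(msgs)
    flagged = {}
    for session, c in counts.items():
        share = sum(c.values()) / total
        if share >= share_threshold and c["new"] > 0 and c["fill"] == 0:
            flagged[session] = round(share, 3)
    return flagged


def build_sample():
    """Constructed stream: one place-and-cancel session, two ordinary ones.
    The bursty session's share is exaggerated to keep the sample small."""
    msgs = []
    for i in range(20):   # S-BURST: every order cancelled 25 ms later
        t = i * 0.05
        msgs.append(Msg(t, "S-BURST", "new", 1000 + i))
        msgs.append(Msg(t + 0.025, "S-BURST", "cancel", 1000 + i))
    for i in range(30):   # S-A: half fill, half cancelled after 30 s
        t = i * 1.0
        msgs.append(Msg(t, "S-A", "new", 2000 + i))
        kind, delay = ("fill", 2.0) if i % 2 == 0 else ("cancel", 30.0)
        msgs.append(Msg(t + delay, "S-A", kind, 2000 + i))
    for i in range(10):   # S-B: every order fills
        t = i * 3.0
        msgs.append(Msg(t, "S-B", "new", 3000 + i))
        msgs.append(Msg(t + 1.0, "S-B", "fill", 3000 + i))
    return msgs


if __name__ == "__main__":
    sample = build_sample()
    accepted, rejected = apply_min_rest(sample)
    print("rejected early cancels:", len(rejected))
    print("flagged sessions:", flag_sessions(sample))
```
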