Feeds

How mystery DDoSers tried to take down Bitcoin exchange with 100Gbps crapflood

El Reg talks to anti-DDos bods - who UNMASK the target...

Beginner's guide to SSL certificates

Exclusive Web security firm Incapsula helped a Chinese Bitcoin trader to weather a ferocious denial-of-service attack last month when the volume of inbound traffic to the site peaked at 100Gbps.

The attack against BTC China, a platform where both Bitcoin and Chinese yuan are traded, lasted nine hours and is one of the fiercest on record. But unlike the even bigger 300Gbps attack against Spamhaus back in March no amplification techniques were used in the assault against BTCChina.

Incapsula previously disclosed the appearance of the 24 September attack...

... but only revealed the nature of the assault and named the intended victim during an interview with El Reg on Wednesday.

The attack against BTC China took the form of a SYN flood rather than the DNS amplification-style attack thrown against Spamhaus or more modern application-layer attacks. The attacker balanced the assault between small, high frequency SYN packets, and large, low-frequency SYN packets.

The exchange is currently the third largest in the world.

DNS reflection attacks involve sending a request for a large DNS zone file to a DNS server, with the details of the request forged so that they appear to come from the IP addresses of the intended victim. Only open public-facing DNS servers respond to spoofed requests but there's more than enough of them around to make the tactic viable. Attackers' requests are only a fraction of the size of the responses.

The tactic is more sophisticated than the old school "caveman with a club" SYN flood attacks thrown against BTCChina.

The circumstances of the BTC China attack mean that the unknown assailants had a huge amount of bandwidth at their disposal. "This amount of fire power isn't cheap, or readily available, signifying a big step up in resources pulled together to launch this type of attack," according to Incapsula.

Incapsula co-founder Marc Gaffan told El Reg that the attack was most likely powered by network of compromised servers rather than zombie PCs drones. Commandeering insecure WordPress server installations and the like as a resource for DDoS attacks has become a fairly widespread hacker tactic over recent months.

It's unusual for a 20+ Gigabit attack to last for anything more then an hour. The assault against BTC China was the longest 50+ Gigabit attack Incapsula has ever faced down. "This was a progressive attack," Geffen told El Reg. "The attackers either ran out of resources or money. It's also possible they gave up after they realised they were not making headway."

Geffen added that the BTC China attack was "fairly sophisticated" at least by the standards of old school SYN Flood attacks. "The attackers didn't just use one big cannon," he said.

Bobby Lee chief exec of BTC China told El Reg that the DDoS attack was the first the exchange has faced in two years of operation. He said the effect of the assault was to slow down legitimate access to its site - users complained of patchy access or site unavailability during the time of on an attack in a Reddit thread here. Lee added that he had no idea who might have been behind the attack or their purpose.

"They attackers were out disrupt things," he said. "We don't have a suspicion they were out to cause a [more general] Bitcoin crash."

However, Lee did say that he thought it unlikely that the attack on BTC China was part of a more widespread campaign to attack BitCoin exchanges by hackers hoping to undermine confidence in the currency. Cybercrooks launched DDoS attacks on other exchanges during the summer in a bid to trigger a mass panic-driven sell off of the volatile currency. The tactic allowed them to buy Bitcoins when its price dipped before selling it at a profit once confidence in the market returned.

Although the attack against BTC China was rare in both its magnitude and duration, the increased availability of bandwidth means the scale of attacks is growing all the time, according to Incapsula.

"Even if your network provider has enough bandwidth to keep your site up, DDoS attacks not only suffocate your resources, but your neighbours as well. If you're too noisy, you may be evicted (dropped by your service provider)," it warns.

Rival DDoS mitigation firm Arbor Networks separately published an attack trends study on Wednesday showing that the average volume of traffic in DDoS attacks in the year to date stands at 2.64 Gbps, up 78 per cent from 2012. There's been a fourfold-plus (350 per cent) growth in the number of attacks hitting more than 20Gbps so far this year, as compared to the whole of 2012.

The largest monitored and verified attack size increased significantly to 191Gbps – an August assault against a mystery target not named by Arbor. ®

Beginner's guide to SSL certificates

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
How to simplify SSL certificate management
Simple steps to take control of SSL certificates across the enterprise, and recommendations centralizing certificate management throughout their lifecycle.