Feeds

How mystery DDoSers tried to take down Bitcoin exchange with 100Gbps crapflood

El Reg talks to anti-DDos bods - who UNMASK the target...

Seven Steps to Software Security

Exclusive Web security firm Incapsula helped a Chinese Bitcoin trader to weather a ferocious denial-of-service attack last month when the volume of inbound traffic to the site peaked at 100Gbps.

The attack against BTC China, a platform where both Bitcoin and Chinese yuan are traded, lasted nine hours and is one of the fiercest on record. But unlike the even bigger 300Gbps attack against Spamhaus back in March no amplification techniques were used in the assault against BTCChina.

Incapsula previously disclosed the appearance of the 24 September attack...

... but only revealed the nature of the assault and named the intended victim during an interview with El Reg on Wednesday.

The attack against BTC China took the form of a SYN flood rather than the DNS amplification-style attack thrown against Spamhaus or more modern application-layer attacks. The attacker balanced the assault between small, high frequency SYN packets, and large, low-frequency SYN packets.

The exchange is currently the third largest in the world.

DNS reflection attacks involve sending a request for a large DNS zone file to a DNS server, with the details of the request forged so that they appear to come from the IP addresses of the intended victim. Only open public-facing DNS servers respond to spoofed requests but there's more than enough of them around to make the tactic viable. Attackers' requests are only a fraction of the size of the responses.

The tactic is more sophisticated than the old school "caveman with a club" SYN flood attacks thrown against BTCChina.

The circumstances of the BTC China attack mean that the unknown assailants had a huge amount of bandwidth at their disposal. "This amount of fire power isn't cheap, or readily available, signifying a big step up in resources pulled together to launch this type of attack," according to Incapsula.

Incapsula co-founder Marc Gaffan told El Reg that the attack was most likely powered by network of compromised servers rather than zombie PCs drones. Commandeering insecure WordPress server installations and the like as a resource for DDoS attacks has become a fairly widespread hacker tactic over recent months.

It's unusual for a 20+ Gigabit attack to last for anything more then an hour. The assault against BTC China was the longest 50+ Gigabit attack Incapsula has ever faced down. "This was a progressive attack," Geffen told El Reg. "The attackers either ran out of resources or money. It's also possible they gave up after they realised they were not making headway."

Geffen added that the BTC China attack was "fairly sophisticated" at least by the standards of old school SYN Flood attacks. "The attackers didn't just use one big cannon," he said.

Bobby Lee chief exec of BTC China told El Reg that the DDoS attack was the first the exchange has faced in two years of operation. He said the effect of the assault was to slow down legitimate access to its site - users complained of patchy access or site unavailability during the time of on an attack in a Reddit thread here. Lee added that he had no idea who might have been behind the attack or their purpose.

"They attackers were out disrupt things," he said. "We don't have a suspicion they were out to cause a [more general] Bitcoin crash."

However, Lee did say that he thought it unlikely that the attack on BTC China was part of a more widespread campaign to attack BitCoin exchanges by hackers hoping to undermine confidence in the currency. Cybercrooks launched DDoS attacks on other exchanges during the summer in a bid to trigger a mass panic-driven sell off of the volatile currency. The tactic allowed them to buy Bitcoins when its price dipped before selling it at a profit once confidence in the market returned.

Although the attack against BTC China was rare in both its magnitude and duration, the increased availability of bandwidth means the scale of attacks is growing all the time, according to Incapsula.

"Even if your network provider has enough bandwidth to keep your site up, DDoS attacks not only suffocate your resources, but your neighbours as well. If you're too noisy, you may be evicted (dropped by your service provider)," it warns.

Rival DDoS mitigation firm Arbor Networks separately published an attack trends study on Wednesday showing that the average volume of traffic in DDoS attacks in the year to date stands at 2.64 Gbps, up 78 per cent from 2012. There's been a fourfold-plus (350 per cent) growth in the number of attacks hitting more than 20Gbps so far this year, as compared to the whole of 2012.

The largest monitored and verified attack size increased significantly to 191Gbps – an August assault against a mystery target not named by Arbor. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.