How mystery DDoSers tried to take down Bitcoin exchange with 100Gbps crapflood

El Reg talks to anti-DDos bods - who UNMASK the target...


Exclusive Web security firm Incapsula helped a Chinese Bitcoin trader to weather a ferocious denial-of-service attack last month when the volume of inbound traffic to the site peaked at 100Gbps.

The attack against BTC China, a platform where both Bitcoin and Chinese yuan are traded, lasted nine hours and is one of the fiercest on record. But unlike the even bigger 300Gbps attack against Spamhaus back in March no amplification techniques were used in the assault against BTCChina.

Incapsula previously disclosed the appearance of the 24 September attack...

... but only revealed the nature of the assault and named the intended victim during an interview with El Reg on Wednesday.

The attack against BTC China took the form of a SYN flood rather than the DNS amplification-style attack thrown against Spamhaus or more modern application-layer attacks. The attacker balanced the assault between small, high frequency SYN packets, and large, low-frequency SYN packets.

The exchange is currently the third largest in the world.

DNS reflection attacks involve sending a request for a large DNS zone file to a DNS server, with the details of the request forged so that they appear to come from the IP addresses of the intended victim. Only open public-facing DNS servers respond to spoofed requests but there's more than enough of them around to make the tactic viable. Attackers' requests are only a fraction of the size of the responses.

The tactic is more sophisticated than the old school "caveman with a club" SYN flood attacks thrown against BTCChina.

The circumstances of the BTC China attack mean that the unknown assailants had a huge amount of bandwidth at their disposal. "This amount of fire power isn't cheap, or readily available, signifying a big step up in resources pulled together to launch this type of attack," according to Incapsula.

Incapsula co-founder Marc Gaffan told El Reg that the attack was most likely powered by network of compromised servers rather than zombie PCs drones. Commandeering insecure WordPress server installations and the like as a resource for DDoS attacks has become a fairly widespread hacker tactic over recent months.

It's unusual for a 20+ Gigabit attack to last for anything more then an hour. The assault against BTC China was the longest 50+ Gigabit attack Incapsula has ever faced down. "This was a progressive attack," Geffen told El Reg. "The attackers either ran out of resources or money. It's also possible they gave up after they realised they were not making headway."

Geffen added that the BTC China attack was "fairly sophisticated" at least by the standards of old school SYN Flood attacks. "The attackers didn't just use one big cannon," he said.

Bobby Lee chief exec of BTC China told El Reg that the DDoS attack was the first the exchange has faced in two years of operation. He said the effect of the assault was to slow down legitimate access to its site - users complained of patchy access or site unavailability during the time of on an attack in a Reddit thread here. Lee added that he had no idea who might have been behind the attack or their purpose.

"They attackers were out disrupt things," he said. "We don't have a suspicion they were out to cause a [more general] Bitcoin crash."

However, Lee did say that he thought it unlikely that the attack on BTC China was part of a more widespread campaign to attack BitCoin exchanges by hackers hoping to undermine confidence in the currency. Cybercrooks launched DDoS attacks on other exchanges during the summer in a bid to trigger a mass panic-driven sell off of the volatile currency. The tactic allowed them to buy Bitcoins when its price dipped before selling it at a profit once confidence in the market returned.

Although the attack against BTC China was rare in both its magnitude and duration, the increased availability of bandwidth means the scale of attacks is growing all the time, according to Incapsula.

"Even if your network provider has enough bandwidth to keep your site up, DDoS attacks not only suffocate your resources, but your neighbours as well. If you're too noisy, you may be evicted (dropped by your service provider)," it warns.

Rival DDoS mitigation firm Arbor Networks separately published an attack trends study on Wednesday showing that the average volume of traffic in DDoS attacks in the year to date stands at 2.64 Gbps, up 78 per cent from 2012. There's been a fourfold-plus (350 per cent) growth in the number of attacks hitting more than 20Gbps so far this year, as compared to the whole of 2012.

The largest monitored and verified attack size increased significantly to 191Gbps – an August assault against a mystery target not named by Arbor. ®

Narrower topics


Other stories you might like

  • Investors start betting against Bitcoin with short-trade products
    Some crypto-bros keep the faith in the face of market onslaught

    ProShares, the issuer of exchange-traded funds with around $65 billion under management, has launched the first short Bitcoin exchange-traded product in the US, offering a way for investors to make money from the ongoing cryptocurrency meltdown.

    Dubbed the ProShares Short Bitcoin Strategy, the ETF is set to launch on the New York Stock Exchange under the ticker BITI. Bitcoin declined to $17,601.58 over the weekend, according to Coin Metrics. It has lost 70 percent of its value since last November's highs.

    Speaking to the Financial Times, Nate Geraci, president of wealth management firm The ETF Store, said there would be "a rather robust market" for the short funds.

    Continue reading
  • Cloudflare says it thwarted record-breaking HTTPS DDoS flood
    26m requests a second? Not legit traffic, not even Bill Gates doing $1m giveaways could manage that

    Cloudflare said it this month staved off another record-breaking HTTPS-based distributed denial-of-service attack, this one significantly larger than the previous largest DDoS attack that occurred only two months ago.

    In April, the biz said it mitigated an HTTPS DDoS attack that reached a peak of 15.3 million requests-per-second (rps). The flood last week hit a peak of 26 million rps, with the target being the website of a company using Cloudflare's free plan, according to Omer Yoachimik, product manager at Cloudflare.

    Like the attack in April, the most recent one not only was unusual because of its size, but also because it involved using junk HTTPS requests to overwhelm a website, preventing it from servicing legit visitors and thus effectively falling off the 'net.

    Continue reading
  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – DownThem.org and AmpNode.com – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading
  • Crypto market crashes on Celsius freeze, inflation news
    Not a good moment to look at that digi-coin portfolio, fam

    The cryptocurrency world is experiencing what can only be described as a meltdown, with prices plummeting today to lows not seen since the end of 2020.

    The plunge is likely due to several factors including general economic uncertainty as seen in the stock market, inflation, bearish conditions and loss of confidence in crypto-coins, and scared money and bots being spooked by whales selling.

    It definitely did not help that crypto-lending biz Celsius Network put a freeze on withdrawals, swaps, and transfers Sunday night. Soon after Bitcoin tumbled 10 percent, Ethereum lost 19 percent of its value, and fan-favorite Dogecoin shed nearly 15 percent of its value, or about $0.01, since then. 

    Continue reading
  • Malaysia-linked DragonForce hacktivists attack Indian targets
    Just what we needed: a threat to rival Anonymous

    A Malaysia-linked hacktivist group has attacked targets in India, seemingly in reprisal for a representative of the ruling Bharatiya Janata Party (BJP) making remarks felt to be insulting to the prophet Muhammad.

    The BJP has ties to the Hindu Nationalist movement that promotes the idea India should be an exclusively Hindu nation. During a late May debate about the status of a mosque in the Indian city of Varanasi – a holy city and pilgrimage site – BJP rep Nupur Sharma made inflammatory remarks about Islam that sparked controversy and violence in India.

    Continue reading
  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading

Biting the hand that feeds IT © 1998–2022