How mystery DDoSers tried to take down Bitcoin exchange with 100Gbps crapflood
Exclusive Web security firm Incapsula helped a Chinese Bitcoin trader to weather a ferocious denial-of-service attack last month when the volume of inbound traffic to the site peaked at 100Gbps.
The attack against BTC China, a platform where both Bitcoin and Chinese yuan are traded, lasted nine hours and is one of the fiercest on record. But unlike the even bigger 300Gbps attack against Spamhaus back in March, no amplification techniques were used in the assault against BTC China.
Incapsula previously disclosed the appearance of the 24 September attack…
Yesterday we prevented a ~100Gbps DDoS. The attack’s load was distributed across our 350Gbps network. (see image) pic.twitter.com/80lpHs9UMg
— Incapsula.com (@Incapsula_com) September 25, 2013
… but only revealed the nature of the assault and named the intended victim during an interview with El Reg on Wednesday.
The attack against BTC China took the form of a SYN flood rather than the DNS amplification-style attack thrown against Spamhaus or more modern application-layer attacks. The attacker balanced the assault between small, high-frequency SYN packets and large, low-frequency SYN packets.
The exchange is currently the third largest in the world.
DNS reflection attacks involve sending a request for a large DNS zone file to a DNS server, with the details of the request forged so that they appear to come from the IP addresses of the intended victim. Only open public-facing DNS servers respond to spoofed requests but there’s more than enough of them around to make the tactic viable. Attackers’ requests are only a fraction of the size of the responses.
The tactic is more sophisticated than the old school “caveman with a club” SYN flood attacks thrown against BTC China.
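The SYN mix described above (many small SYNs alongside a few large ones, none completing the handshake) can be surfaced from packet metadata. The sketch below is an added example, not code from the article or from Incapsula; the record layout, thresholds and function name are assumptions, and the traffic is constructed.

```python
from collections import Counter

WINDOW_S = 1.0         # assumed analysis window, seconds
SYN_RATE_LIMIT = 5     # assumed: SYNs per window this toy site treats as normal
MIN_COMPLETION = 0.5   # assumed: minimum share of SYNs that finish the handshake
LARGE_SYN_BYTES = 100  # assumed cut-off; a bare SYN is roughly 40-60 bytes

def analyse(packets):
    """packets: time-ordered (ts, src_ip, src_port, flags, ip_len) tuples, where
    flags is 'S' (client SYN) or 'A' (client's final handshake ACK)."""
    half_open, windows = set(), {}
    for ts, src, sport, flags, ip_len in packets:
        w = windows.setdefault(int(ts // WINDOW_S), Counter())
        key = (src, sport)
        if flags == "S":
            half_open.add(key)
            w["syn"] += 1
            w["syn_bytes"] += ip_len
            if ip_len >= LARGE_SYN_BYTES:
                w["large_syn"] += 1
                w["large_bytes"] += ip_len
        elif flags == "A" and key in half_open:
            half_open.discard(key)       # handshake completed
            w["completed"] += 1
    report = []
    for idx in sorted(windows):
        w = windows[idx]
        completion = w["completed"] / w["syn"] if w["syn"] else 1.0
        report.append({
            "window": idx,
            "syn": w["syn"],
            "small_syn": w["syn"] - w["large_syn"],
            "large_syn": w["large_syn"],
            "large_byte_share": w["large_bytes"] / w["syn_bytes"] if w["syn_bytes"] else 0.0,
            "completion": completion,
            "flagged": w["syn"] > SYN_RATE_LIMIT and completion < MIN_COMPLETION,
        })
    return report

# Constructed sample traffic using documentation address ranges, not captured data.
SAMPLE = []
for i in range(3):    # window 0: three ordinary handshakes
    SAMPLE += [(0.10 + 0.2 * i, "192.0.2.10", 40000 + i, "S", 60),
               (0.15 + 0.2 * i, "192.0.2.10", 40000 + i, "A", 52)]
for i in range(20):   # window 1: many small SYNs that never complete
    SAMPLE.append((1.0 + 0.04 * i, f"198.51.100.{i + 1}", 1024 + i, "S", 60))
for i in range(2):    # window 1: a few large SYNs that never complete
    SAMPLE.append((1.2 + 0.4 * i, f"203.0.113.{i + 1}", 2048 + i, "S", 1000))
SAMPLE.sort(key=lambda p: p[0])  # stable sort by timestamp only
```

In the constructed second window, two of the 22 SYNs carry 62.5 per cent of the SYN bytes, so a packet-rate threshold and a byte-volume threshold each see only part of the mix.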
The circumstances of the BTC China attack mean that the unknown assailants had a huge amount of bandwidth at their disposal. “This amount of fire power isn’t cheap, or readily available, signifying a big step up in resources pulled together to launch this type of attack,” according to Incapsula.
Incapsula co-founder Marc Gaffan told El Reg that the attack was most likely powered by a network of compromised servers rather than zombie PC drones. Commandeering insecure WordPress server installations and the like as a resource for DDoS attacks has become a fairly widespread hacker tactic over recent months.
It’s unusual for a 20+ Gigabit attack to last for anything more than an hour. The assault against BTC China was the longest 50+ Gigabit attack Incapsula has ever faced down. “This was a progressive attack,” Gaffan told El Reg. “The attackers either ran out of resources or money. It’s also possible they gave up after they realised they were not making headway.”
Gaffan added that the BTC China attack was “fairly sophisticated”, at least by the standards of old school SYN flood attacks. “The attackers didn’t just use one big cannon,” he said.
Bobby Lee, chief exec of BTC China, told El Reg that the DDoS attack was the first the exchange has faced in two years of operation. He said the effect of the assault was to slow down legitimate access to its site – users complained of patchy access or site unavailability during the attack in a Reddit thread. Lee added that he had no idea who might have been behind the attack or their purpose.
“The attackers were out to disrupt things,” he said. “We don’t have a suspicion they were out to cause a [more general] Bitcoin crash.”
However, Lee did say that he thought it unlikely that the attack on BTC China was part of a more widespread campaign to attack Bitcoin exchanges by hackers hoping to undermine confidence in the currency. Cybercrooks launched DDoS attacks on other exchanges during the summer in a bid to trigger a mass panic-driven sell-off of the volatile currency. The tactic allowed them to buy Bitcoins when the price dipped before selling them at a profit once confidence in the market returned.
Although the attack against BTC China was rare in both its magnitude and duration, the increased availability of bandwidth means the scale of attacks is growing all the time, according to Incapsula.
“Even if your network provider has enough bandwidth to keep your site up, DDoS attacks not only suffocate your resources, but your neighbours as well. If you’re too noisy, you may be evicted (dropped by your service provider),” it warns.
Rival DDoS mitigation firm Arbor Networks separately published an attack trends study on Wednesday showing that the average volume of traffic in DDoS attacks in the year to date stands at 2.64 Gbps, up 78 per cent from 2012. There’s been a fourfold-plus (350 per cent) growth in the number of attacks hitting more than 20Gbps so far this year, as compared to the whole of 2012.
The largest monitored and verified attack size increased significantly to 191Gbps – an August assault against a mystery target not named by Arbor. ®