Huge DDos Attacks on World’s 3rd Largest Bitcoin Exchange. How its Related to Your Website.

In recent months, one of the most in-depth and complex DDoS attacks yet witnessed by website security firms took place.  The target was the world’s 3rd largest BitCoin exchange – BC China.

What is the Bitcoin?

Put simply, the BitCoin is a form of peer-to-peer digital currency.  Use of the BitCoin has grown substantially since its introduction back in 2008, to the extent that it’s now recognised by such noted internet vendors as WordPress, OkCupid and Reddit, as well as Chinese internet giant Baidu.

The BitCoin website provides a service to thousands of people around the globe, meaning that had the attack been successful, thousands of dollars worth of currency could have been lost.

What was the attack?

The attack, which was documented by website security firm Incapsula (the firm responsible for mitigating the threat), was a complex and multi-layered DDoS assault that encompassed a number of different techniques:

A small scale SYN flood attack. This peaked at around 60 GBps and lasted for approximately an hour.  This was the initial phase of the overall assault.

A more in-depth volumetric HTTP flood.  This second section of the assault was measured at 10M requests per second, and specifically targeted several resource-heavy pages.

A targeting of the BitCoin site’s AJAX objects.  These objects are sometimes not protected by conventional bot filtering methods (such as JavaScript challenges) and attacks can have a direct impact on the website’s database.  As such, they represented a viable target.  The fact that they were located in a ‘registered users only’ area gave an indication that the attacker was familiar with the site’s architecture.

A final, almost transparent set of HTTP floods designed to capture session cookies.  Because of the use of a Botnet system, which consisted of an actual compromised PCs, these attacks (when tested) showed as being legitimate human visitors.  It was only the spike in traffic that alerted Incapsula to the assault.

Fortunately, a hijacked computer being used as part of the BotNet network had compatibility issues with the Trojan being used to control it, and identified itself to the user.  As a result, the innocent party was able to provide Incapsula that led to the identification of the responsible Trojan.  The security firm were then able to create a suitable patch in order to block it, and the BitCoin exchange was fully protected.  Without the mitigation skills of Incapsula, it could have been put out of action for days.

How could the DDoS attacks affect my website?

The attacks on the BitCoin website represent examples of DDoS attacks that could happen to any computer.  Essentially, these come in two main forms:

Network layer attacks have been in circulation for longer.  Essentially, a network layer DDoS floods a website or server with packets.  The aim is simple: to overwhelm the server to the extent that it’s unable to deal with the amount of browser sessions open, and as a result will have to cease its operations.  Even on a small scale (i.e on a level where the server is just about still able to function) this will greatly slow down the website, causing legitimate visitors to get frustrated and abandon their legitimate browser session.

Application layer attacks are a more recent type of assault, and can be even more dangerous.  They disguise themselves as legitimate visits to the website (often through the use of transparently activated software, which in itself is designed to mimic visitors), and as a result can be incredibly tough to identify, especially on a site which attracts thousands of normal visitors per day.  They also use far less bandwidth and require less overall resources to operate.  Rather than bombing the site as a whole, application layer attacks will target specific parts of a website, such as a request of information form, causing them to slow dramatically.

On some occasions, the latter form of attack might make use of other software which was designed to mimic the activity of a legitimate visitor to the website, with the simple purpose of helping to test the site to.  However, it can also be used in order to disguise an attack from DDoS mitigation services.

Conclusion

The attack on the Bitcoin website is a warning to website owners of exactly how powerful a modern DDoS attack can be.  Fortunately, those in charge of managing the currency’s exchange already had a mitigation system in place.  Any website operator that relies heavily on their network should make similar precautions.

Amanda Walters – This article was written by Amanda Walters, an experienced freelance writer and regular contributor to Huffington Post. Follow her here: @Amanda_W84