DDoS targets in the Bitcoin ecosystem

Posted on February 27, 2014 - 16:26 by ccondon

StopBadware focuses on Web-based malware, but one of our strengths is that we work with a diverse community of security experts whose areas of expertise often extend beyond our own. Our friends and research contacts at SMU are presenting a paper at Financial Cryptography 2014's Bitcoin research workshop in Barbados next week; they'll be discussing empirical analysis of denial-of-service attacks in the Bitcoin ecosystem. 

They've made some interesting findings on changes in Bitcoin DDoS targets over time: "We find that 7% of all known operators have been DDoSed, but that currency exchanges, mining pools, gambling operators, eWallets, and financial services are much more likely to be attacked than other services." Currency exchanges and mining pools are also "much more likely to have DDoS protection such as CloudFlare, Incapsula, or Amazon Cloud." (Full paper here.)

[Figure: Bitcoin DDoS targets over time]

Research courtesy of Southern Methodist University's Marie Vasek (who doubles as StopBadware's operations technologist), Micah Thornton, and Dr. Tyler Moore. If you're attending FC '14, be sure to check out their talk next week! 

Great report on DDoS attacks

A group at the Berkman Center—led by StopBadware's co-founder and Board member emeritus, John Palfrey—just released a great report about the impact of distributed denial of service (DDoS) attacks on the websites of independent media and human rights organizations.

From a badware standpoint, there were several interesting bits. For example:

[A sysadmin for a human rights site] reported that attackers hacked into his site to insert malicious code with the intent of triggering anti-virus warnings for the site and thereby scaring users from accessing the site and slowing their Internet connections by causing them to download large packages of Trojan horse software.

This is the first we've heard of Google's or others' badware detection and warning systems being used deliberately for a de facto denial of service attack. Of course, because such attacks may often go unreported, it's likely there have been others. It's worth noting that this doesn't invalidate the use of such warning systems—the targeted site's visitors really were at risk once the site had been compromised. The core problem is the set of conditions that allow the site to become compromised in the first place. This is often due in part to a lack of technical/security expertise at the organization:

A main theme that we have heard from respondents [to a survey of organizations likely to be targeted] was the need to bridge the divide between technology organizations capable of protecting against attacks and the independent media who need protection.

The report also touches on a number of other themes of interest to the StopBadware community, such as the importance of disrupting botnets, the threat of targeted malware attacks, and the challenges of identifying the perpetrators of attacks. If you are interested in understanding more about DDoS attacks—how they work, how organizations can help protect themselves against them, or what the security community can do to help the targeted organizations—I urge you to read the whole report. (PDF)