DDoS Attacks Affect Cloudflare and Bitcoin Exchange


In the aftermath of the Mt.Gox withdrawal freeze, reports of DDoS attacks against various Bitcoin exchange sites have emerged.  These attacks, which have caused Slovenian-based exchange site Bitstamp to freeze withdrawals, follow Monday’s 400 Gbps DDoS bomb on Cloudflare.  While the targets and techniques of each scenario differ, the shared methodology and timing of the events suggest a potential connection, yet to be fully explored.

Cloudflare Attack: What is NTP?

On Monday evening, Cloudflare detected a massive 400 Gbps worth of bad requests, amounting to the largest DDoS attack the content delivery network had ever seen.  The attack used Network Time Protocol (NTP) reflection, a technique that leverages the monlist command, a feature found in older versions of NTP that have not been updated.

NTP is a timing protocol that runs on UDP port 123.  It’s used to sync the clocks of all the computers on a given network, and after it is set up most administrators forget about it.

To use monlist, attackers first falsify their IP address to match the victim’s.  They then send the server the monlist command, which queries the server for a list of recent hosts that have connected to it.  That list – which can be up to 600 hosts long – is then sent to the victim’s IP address.  Rinse, wash, repeat, and the victim’s website is overloaded by traffic, to the point where it becomes inoperable.

NTP reflection is an extremely efficient means of enacting a DDoS attack because it amplifies its initial request into a response that is quite large and is directed at someone who never even requested it.
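One way to spot your own NTP server being used as a reflector is to compare the bytes it receives on UDP port 123 with the bytes it sends back, per remote address.  The following is an added example, not code from this post or from Cloudflare; the CSV flow layout, the addresses, the byte counts and the 10x threshold are all assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

NTP_PORT = 123

# Constructed sample flow records (not real traffic), using documentation
# address ranges. Columns: src, sport, dst, dport, proto, bytes
SAMPLE_FLOWS = """\
198.51.100.7,51000,192.0.2.10,123,udp,76
192.0.2.10,123,198.51.100.7,51000,udp,76
203.0.113.50,40000,192.0.2.10,123,udp,234
192.0.2.10,123,203.0.113.50,40000,udp,48200
203.0.113.50,40001,192.0.2.10,123,udp,234
192.0.2.10,123,203.0.113.50,40001,udp,48200
"""


def find_reflection(flow_csv, ntp_servers, min_ratio=10.0):
    """Return (server, remote, bytes_in, bytes_out, ratio) for lopsided pairs.

    A normal time sync is roughly symmetric (ratio near 1). A server that
    sends far more than it receives is answering an amplifying query, and
    the 'remote' address is the spoofed source, i.e. the likely victim.
    """
    bytes_in = defaultdict(int)   # (server, remote) -> bytes sent to server
    bytes_out = defaultdict(int)  # (server, remote) -> bytes sent by server
    for row in csv.reader(StringIO(flow_csv)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        src, sport, dst, dport, proto, size = row
        if proto.lower() != "udp":
            continue
        if dst in ntp_servers and int(dport) == NTP_PORT:
            bytes_in[(dst, src)] += int(size)
        elif src in ntp_servers and int(sport) == NTP_PORT:
            bytes_out[(src, dst)] += int(size)

    findings = []
    for (server, remote), sent in bytes_out.items():
        received = bytes_in.get((server, remote), 0)
        # Replies with no matching request at all are treated as infinite ratio.
        ratio = sent / received if received else float("inf")
        if ratio >= min_ratio:
            findings.append((server, remote, received, sent, round(ratio, 1)))
    return sorted(findings, key=lambda f: f[3], reverse=True)
```

On the sample data the ordinary client at 198.51.100.7 is not flagged, while 203.0.113.50 is reported as receiving roughly 206 times the bytes that were sent in its name.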

Bitcoin Attack: Transaction Malleability

As of Tuesday evening, an unidentified attacker is also conducting a DDoS strike on Bitcoin exchange sites.  This attacker is not using NTP reflection but instead taking advantage of the transaction malleability issue publicized by Mt.Gox on February 7th.  The attack is essentially overloading Bitcoin transaction registers with altered tracking hashes and confusing Bitcoin traders’ wallet software.  One affected exchange site, Bitstamp, has followed Mt.Gox’s lead and frozen withdrawals.

The connective thread between this DDoS attack and Monday’s strike against Cloudflare is scale.  400 Gbps worth of fraudulent traffic requests is simply massive, and flooding multiple Bitcoin exchange sites with thousands of rewritten tracking hashes is no small feat either.  The timing of these events is also an important factor:

  • Feb 7th: Mt.Gox sets the Bitcoin community into a panic by freezing withdrawals over an issue said community has known about for 3 years.
  • Feb 10th: One of the largest DDoS bombs known to man is dropped on Cloudflare (400 Gbps).  This attack includes IP addresses related to French hosting company OVH, who noted a ~350 Gbps attack at the time, and it leverages an issue that had been identified over a month before.
  • Feb 11th: Another DDoS attack is launched on various Bitcoin exchange sites, leveraging transaction malleability – the very issue mentioned in the Mt.Gox press release.

What you can do to protect yourself

The timeline of these recent events correlates 2 well publicized vulnerability reports with 2 very effective DDoS attacks.  The takeaway?  Hackers read vulnerability reports!  The solution?  You should read them too!  More than this, though, you should respond to them before they are leveraged.

In the case of NTP, this response would be to update your NTP to version 4.2.7, where the monlist command is not included at all.

In the case of Bitcoin…the right response really depends on how much faith you’ve got in the cryptocurrency’s future.  DDoS attacks like Tuesday’s are indeed orchestrated with the intent of scaring novice traders into pulling out of exchange sites entirely and decreasing the Bitcoin’s worth.  That means pulling out is not without consequence, and at the end of the day that’s why this week’s developments have been so widely publicized.

In the coming weeks, it will be interesting to see if these two DDoS attacks are indeed connected, and who (or how many) are behind the strike.  For now, Emsisoft is here to help you stay up to date, informed, secure, and ideally un-interrupted from doing what you like to do on the web.

UPDATES:

Feb 13th: Cloudflare publishes a blog post entitled Technical Details Behind a 400Gbps NTP Amplification DDoS Attack.  According to the post, Feb. 10th’s DDoS attack utilized “4,529 NTP servers running on 1,298 different networks.”  The full list of involved networks can be viewed in a Cloudflare gDoc here.

Feb 13th: Silk Road 2 is hacked!  Transaction malleability is leveraged yet again to steal 4474.26 Bitcoins, worth $2,747,000, from the online black market’s escrow account.   Perhaps the Mt.Gox announcement has done some good after all!