If the financial world is deemed a battlefield without actual combat, then the cryptocurrency trading arena can be considered a multifaceted battleground that integrates information technology, business intelligence, cybersecurity, and money. If you think that’s an exaggeration, look at the real cyber battle that unfolded around January 9th with the U.S. SEC’s approval of ETFs. Let’s reconstruct the timeline of the attack:
- At the end of December 2023, Reuters reported that U.S. SEC officials revealed expectations to launch exchange-traded funds (ETFs) linked to spot bitcoin trading in early 2024.
- On January 6, 2024, investment management firms, stock exchanges, and the US Securities and Exchange Commission deliberated on the final wording changes to the application for spot bitcoin ETFs, potentially leading to the first approval of these funds in the U.S. the following week.
- On January 9, 2024, hackers targeted the cryptocurrency exchange, which is a client of CDNetworks, aiming directly at the exchange’s login interface. Leveraging extensive global DDoS scrubbing resources and cutting-edge technologies such as AI, CDNetworks swiftly assisted the exchange in mitigating the attack.
- Finally, on January 10, 2024, the US securities regulator approved the first U.S.-listed exchange-traded funds (ETFs) to track bitcoin, marking a pivotal moment for the world’s largest cryptocurrency and the broader crypto industry.
Was it a Coincidence That We Spotted the Attack on the Eve of Bitcoin’s ETF Approval?
The answer is definitely no.
The timing of this attack, which occurred during the peak trading period for the exchange, was extremely sensitive. Three days prior to the attack, Reuters revealed the highly likely approval of Bitcoin ETFs. Then, on the second day following the attack, the U.S. SEC officially approved the listing of ETFs.
Based on the attack and defense details below, it can be seen that the attacker primarily targeted the exchange’s login and order interfaces, undoubtedly determined to render the exchange incapable of executing trades during this critical period.
From the related resources and the complete attack and defense details of this attack, it is evident that this was an organized and planned cyberattack rather than an accidental event.
An Overview of This DDoS Attack
This DDoS attack targeted blockchain exchange platform and lasted 97 minutes. It comprised both network-layer and application-layer DDoS attacks. The traffic associated with the network-layer DDoS attack consisted primarily of SYN Flood and ACK Flood attacks, which reached a peak bandwidth of 1.025 Tbps. The application-layer DDoS attack used HTTP Flood attacks and reached a peak request rate of 2,378,751 requests per second. The attack utilized a large number of botnet/zombie network resources, with an estimated 400,000 IP addresses launching attacks against the exchange’s API interface, according to CDNetworks’ security platform statistics.
1)The peak value of the application-layer DDoS (CC) attack: 2,378,751 RPS
2)The peak value of the network-layer DDoS attack: 1.025 Tbps
3)Target of the attack: The main targets were the login and order interfaces of the exchange, with the intention to disrupt the exchange’s normal operations.
At 11:41 AM EST, domain A began to suffer from an application layer DDoS attack, with the peak number of attack requests reaching approximately 2.37 million RPS within 10 minutes. Because the domain adopted only regular CDN acceleration without enabling security protection services, the attack triggered an interruption in business, which led to a large number of 5XX responses from the origin server. The platform monitoring system then issued an alarm. CDNetworks’ 24/7 support team immediately contacted the exchange’s operations and maintenance team to assist in rapidly enabling security protection services, customizing protection strategies, and activating Expert Emergency Response Services provided by security experts to strengthen the security of all the exchange’s domains.
A Retrospective of the Assault & Its Countermeasures
At 12:10 PM, after successfully attacking CDN domain A, the hacker quickly switched to a new target and launched an application layer DDoS (CC) attack against the new domain B, instantly reaching a peak of 0.19 million RPS.
Due to the prior activation of security protection services for domain B, all attacks were mitigated successfully, and the exchange business was not affected. However, our monitoring platform later detected a decrease in blocking rates, prompting the security expert team to investigate. The analysis revealed that the hacker had adjusted the attack method, initiating a lower-frequency HTTP Flood attack. The security expert team promptly adjusted and optimized the protection strategy for emergency defense.
At nearly the same time, CDNetworks used its AI Central Engine and the business baseline learning derived from the engine to discover that this attack contained a large number of non-browser user agents. As a result, CDNetworks automatically deployed a defensive strategy with User-Agent=cpp-httplib/0.11.1, and sent the identified attack IP to the L3/4 firewall for blocking.
The AI Center Engine used big data analysis to automatically identify the IP addresses associated with the recurring attacks and directed them to the L3/4 firewall for blacklisting. This allowed most of the attack requests to be blocked at the network layer, effectively alleviating pressure on the application layer and mitigating the HTTP Flood attack successfully.
At 12:45PM, After the application layer attack failed, the hackers launched a network layer DDoS attack as a provocation. By 12:50 PM, the network-layer DDoS attack peaked at 1,025,922.25Mbps. Leveraging CDNetworks’ global distributed scrubbing resources, which exceed 15Tbps and boast high-concurrency processing firewall capabilities, the attack was mitigated automatically and the network layer attack essentially ceased 10 minutes later, allowing the exchange’s business to operate normally and stably.
Exploring Our Defense Mechanism in Depth
During this attack and defense process, CDNetworks effectively repelled a meticulously planned DDoS attack by utilizing our powerful globally distributed scrubbing resources and leading protection technologies.
Volumetric DDoS Protection Capabilities
As previously mentioned, CDNetworks harnesses over 2800 CDN Points of Presence (PoPs) resources around the world to establish more than 20 large-scale DDoS traffic scrubbing centers globally. The platform features a scrubbing mitigation capacity in excess of 15Tbps with over 1 billion QPS, making it more-than capable of defending against various types of large-scale DDoS attacks at the network and application layers.
In addition to its enormous mitigation capacity, CDNetworks’ self-developed L3/4 DDoS Firewall also played a crucial role in mitigating the network-layer DDoS attack. By deploying intelligent firewalls and conducting real-time detection and analysis of data packets, CDNetworks Flood Shield can timely and effectively block attack packets, without affecting the normal access to data packets. Given its impressive defense capabilities, Flood Shield can effectively and automatically defend against a range of L3/4 DDoS attacks, including SYN Flood, UDP Flood, ICMP Flood, NTP reflection, SSDP reflection, and amplification attacks.
AI Central Engine
CDNetworks’ AI Central Engine was integral in defending against the DDoS attack mentioned above. The engine is developed based on big data analysis, AI, and machine learning technologies. It proactively analyzed the organization’s business baseline prior to the attack for subsequent comparison, assisting in identifying various abnormal attack characteristics during the attack. For example, in this DDoS attack incident, the AI Central Engine identified that the hackers used a large number of non-browser user agents in the attack. Consequently, the engine issued corresponding protection strategies to enhance the identification triggers at the application layer, and continued to generate protection strategies based on the corresponding trigger frequencies of abnormal behaviors, thereby blacklisting them at the network layer. In doing so, AI enhanced protection with adaptive capabilities, serving as a key feature for continuously safeguarding the security of various institutional businesses.
Emergency Response Services
CDNetworks provides comprehensive 24/7 services through its global local support team to help customers respond quickly to attack incidents, analyze logs, rapidly activate security protection, optimize protection strategies, and ensure the stability of business services. Through our emergency response service, customers can easily cope with various DDoS attacks, particularly ever-changing HTTP Flood attacks, to fill gaps in a customer’s security operation capabilities, bolster DDoS resiliency, and ensure website business continuity.
Lessons to Be Learned from the Surge in BDoS Attacks
With the proliferation of blockchain technology applications, a new breed of DoS attack has emerged: the Blockchain Denial-of-service (BDoS) Attack. These attacks are precisely aimed at blockchains that operate using the proof-of-work (PoW) consensus mechanism, similar to Bitcoin. The rapid spread of these attacks reiterates the need for robust and responsive security measures in the cryptocurrency and blockchain sectors.
Advice for Cryptocurrency Entities
In light of these developing threats, blockchain organizations, particularly those in the cryptocurrency sector, are seeking proactive strategies to mitigate DDoS attacks. We suggest pre-booking bandwidth resources and reaching out to cloud security vendors who have volumetric DDoS protection capabilities. By utilizing AI’s adaptive protection, real-time detection, and rapid defense configuration, it is possible to limit the potential impact and avoid losses.
CDNetworks’ Flood Shield is a proven product that has huge mitigation capacity with abundant resources (see News: CDNetworks Mitigates 2.2M Request-per-second HTTPS DDoS Attacks). Flood Shield is a comprehensive cloud-based DDoS protection service that delivers fast, simple, and effective DDoS protection to ensure the stability of your origin against DDoS attacks—such as SYN Flood, ACK Flood, UDP Flood, and HTTP Flood attacks—in real time. At the same time, Flood Shield provides an acceleration service to legitimate users to optimize the user experience. This solution works as a shield to ensure the stability and reliability of online services and infrastructures.
In the ever-changing world of cyber threats, constant vigilance and sturdy defense mechanisms have never been more critical. This case study reaffirms our unwavering dedication and expertise in protecting digital businesses from increasingly complex attacks, ensuring their smooth operations and data integrity.
