In our previous blog post, we discussed some of the security vulnerabilities to your ICO and cryptocurrency account. We will now focus on cryptocurrency exchanges and discuss where the currency is vulnerable after successful completion of the offering and how those vulnerabilities can be secured from attacks.
You can trade Fiat or cryptocurrency for other cryptocurrencies at one of the many cryptocurrency exchanges. The choice of an exchange is based on different variables, including the types of assets supported, trading volume, fee differentials, and local regulatory considerations.
The number of exchange subscribers is growing rapidly, in step with the growing popularity of cryptocurrencies. U.S.–based Coinbase exchange has grown so rapidly that it handles more accounts than stock brokerage Charles Schwab. The exponential growth of Bitcoin and other cryptocurrencies has taken many of those exchanges by surprise, and they often have neither scaled their infrastructure nor built a secure environment. The success of the exchanges makes them a naturally attractive target for cybercriminals. Let’s now delve into the details of some recent attacks on leading cryptocurrency exchanges and describe how such attacks can be thwarted.
Attacks on Currency Exchanges
As reported in the latest Incapsula Global DDoS Threat Landscape Report, three out of four cryptocurrency sites using our services were targeted by a DDoS attack. While those attacks were all successfully mitigated by Incapsula, there were several notable examples of successful attacks on cryptocurrency exchanges reported on traditional media and amplified on social media.
- Hong Kong–based Bitfinex exchange, which until recently was the leading exchange for US dollar–bitcoin trading volumes, faced recurrent attacks and was down for up to an hour several times.
The cause is a DDoS attack. A person or group is intentionally trying to cause the platform to not operate normally. The level of DDoS protection is being adjusted to fend off the attack.
— Bitfinex (@bitfinex) December 4, 2017
In addition to this volumetric attack, there was recently an application layer attack consisting of a large number of small transactions, described by Bitfinex as “we experienced ddos in the form of malicious microdeposits and withdrawals”. Such layer 7 attacks are sophisticated and difficult to mitigate, and for that reason they are becoming more frequent.
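One way an exchange’s back end could surface the “malicious microdeposits and withdrawals” pattern described above, as an added example that is not part of the original post or any exchange’s code: it counts sub-dust deposits and withdrawals per account in a sliding window and flags accounts that exceed a threshold, so they can be rate-limited before the flood reaches the ledger. The account names, thresholds and ledger events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DUST = 0.0001                    # below this amount (BTC) an operation counts as a micro-op
WINDOW = timedelta(minutes=10)   # sliding window per account
MAX_MICRO_OPS = 20               # more micro-ops than this inside one window is a flood


def find_micro_floods(events, dust=DUST, window=WINDOW, max_ops=MAX_MICRO_OPS):
    """events: iterable of (ts, account, kind, amount), kind in {'deposit', 'withdrawal'}.

    Returns {account: ts} giving, for each account whose count of sub-dust deposits
    and withdrawals inside any sliding window exceeds max_ops, the moment the
    threshold was first crossed. Normal-size activity is ignored entirely.
    """
    recent = defaultdict(deque)   # account -> timestamps of micro-ops still inside the window
    flagged = {}
    for ts, account, kind, amount in sorted(events):
        if kind not in ("deposit", "withdrawal") or amount >= dust:
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:   # drop micro-ops that fell out of the window
            q.popleft()
        if len(q) > max_ops and account not in flagged:
            flagged[account] = ts
    return flagged


# Constructed sample ledger (not real exchange data)
T0 = datetime(2017, 12, 4, 10, 0, 0)
EVENTS = [
    (T0, "acct-normal", "deposit", 0.5),
    (T0 + timedelta(minutes=3), "acct-normal", "withdrawal", 0.00005),  # one legitimate tiny withdrawal
    (T0 + timedelta(minutes=8), "acct-normal", "withdrawal", 0.2),
]
# One account alternating 1,000-satoshi deposits and withdrawals every 5 seconds for ~2.5 minutes
EVENTS += [
    (T0 + timedelta(seconds=5 * i), "acct-flood",
     "deposit" if i % 2 == 0 else "withdrawal", 0.00001)
    for i in range(30)
]

if __name__ == "__main__":
    print(find_micro_floods(EVENTS))   # only acct-flood is reported, at its 21st micro-op
```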
- The Bittrex exchange was also recently a victim of a DDoS attack, demonstrating that complex attacks have the capability of penetrating certain dedicated DDoS mitigation solutions.
DDOS attack was detected and being mitigated right now. Sorry for the inconvenience.
— Bittrex (@BittrexExchange) November 24, 2017
- Earlier last year, the Poloniex and Kraken exchanges were attacked at the same time.
Site under heavy DDoS. We are working to mitigate the attack. Status updates at: https://t.co/mRoBgqEeJW
— Kraken Exchange (@krakenfx) May 7, 2017
After the events, some users found that they had lost money, either through margin orders that were not filled or through panic selling of holdings triggered by the concurrent exchange attacks.
Because exchanges cannot mitigate account takeover threats in a customer-friendly manner, they must request additional authentication. These requests, such as a CAPTCHA, an email confirmation when you log in from an IP address you haven’t used recently, or two-factor authentication, make the login experience annoying.
Some exchanges have switched to Incapsula protection after experiencing attacks similar to those described above. Among them are:
Bitstamp – The exchange has been protected since 2013 by the Enterprise plan, which includes DDoS protection. As stated by David Osojnik, Bitstamp’s CTO,
Since selecting the Incapsula plan, all DDoS attacks have been detected and mitigated almost immediately, such that our service has never suffered any availability or performance degradation issues as a result of these attacks.
Unocoin – India’s Bitcoin exchange has been protected by the Incapsula Web Application Firewall (WAF) since July as part of a security upgrade, with many incidents having been flagged and mitigated. As summarized by Sathvik Vishwanath, Unocoin CEO,
Incapsula service has been incredible in helping Unocoin prevent various cyber attack attempts, especially the SQL injection attempts. Their service is unmatched for the price we have paid.
Incapsula DDoS Protection automatically detects and mitigates attacks targeting websites and web applications. The Forrester Wave DDoS Mitigation Solutions Q4 2017 report ranked Imperva as a leader of DDoS protection for the “current offering” and “strategy” categories among DDoS providers covered.
Incapsula is the only service to offer an SLA-backed guarantee to detect and block attacks in under 10 seconds without interrupting the performance of the site’s applications. Sites remain fully available with no impact on the user experience, such as CAPTCHA requests or slower page loading. In addition, because all Incapsula points of presence have full scrubbing capabilities, the latency during a DDoS attack is the same as during regular operation. Our new Behemoth 2 platform blocked a 650 Gbps (gigabits per second) DDoS flood of more than 150 Mpps (million packets per second), with capacity to spare. We expect that capacity to be tested further as the size of attacks continues to increase.
Besides handling large volumetric attacks, Incapsula specializes in protection for these types of DDoS attacks:
- Complex application, or layer 7, attacks that target applications on your web server. These attacks need far less volume (measured in packets per second) to be effective, but they are harder to detect. The Forrester Wave reports Imperva to be among the top ranked in the ability to detect and mitigate application layer attacks.
- Large-scale attacks consisting of a huge volume of requests that are orchestrated via the API provided by many sites. API traffic is filtered with minimal false positives. Check these practices to secure your API.
Keeping Your Exchange Available
Even when an exchange is not under a DDoS attack, an unexpected large volume of clean transactions can overwhelm a cryptocurrency site and degrade its service. This is especially relevant for currency exchanges experiencing massive demand due to the rising price of the currencies. Here are a few recent examples of incidents where exchanges were not able to process orders due to overload.
- Coinbase – The site was recently overloaded and frustrated traders who couldn’t execute their trades, as reported in this posting from one trader.
- Bitfinex – A very large number of withdrawals were missed or failed altogether recently due to huge customer demand, as the Bitfinex team explained.
- Chicago Board Options Exchange – The exchange recently launched Bitcoin futures, and the system crashed as investors overloaded it.
Due to heavy traffic on our website, visitors to https://t.co/jb3O722hoo may find that it is performing slower than usual and may at times be temporarily unavailable. All trading systems are operating normally.
— Cboe (@CBOE) December 10, 2017
Performance, Load Balancing and Security
In addition to the DDoS protection service, Incapsula CDN offers the following services that can help improve the performance of cryptocurrency exchanges when under heavy load.
- Global Content Delivery Network (CDN) improves your site’s speed and performance with its intelligent caching and its high-speed storage and optimization tools. With over 40 PoPs deployed, Incapsula provides significant improvement to page loading time.
- Incapsula cloud load balancing enables exchanges to easily scale, add servers and failover data centers, and add delivery and forwarding rules from the cloud, with no downtime. This is also a very efficient way to move from hosted services to cloud hosting smoothly and address the exponential growth of crypto exchange sites.
- Credential stuffing and account takeover protection, with the ability to define rules that add protection to the login pages, prevents bots from performing credential stuffing even at a low rate. This mitigates the major account takeover threat in the cryptocurrency domain: attackers using stolen credentials.
- Advanced bot classification and mitigation utilizing advanced rules
- API protection
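A sketch of two of the controls discussed above, step-up authentication when an account is seen from a new IP address and credential-stuffing detection that keys on username diversity per source rather than on request rate (so a bot trying one password per minute is still caught), as an added example that is not part of the original post or of Incapsula’s product. The IP addresses, usernames, thresholds and the assumption that a step-up challenge succeeds are all constructed for the replay.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # look-back for distinct usernames tried from one IP
MAX_USERS_PER_IP = 5          # more distinct usernames than this from one IP = stuffing


def assess_logins(attempts, window=WINDOW, max_users=MAX_USERS_PER_IP):
    """Replay (ts, ip, user, password_ok) attempts in time order; return (user, ip, decision) each.

    'block'   - the IP has tried more than max_users distinct usernames inside the window
    'deny'    - wrong password, no stuffing signal yet
    'step_up' - password correct but this account has never completed a login from this IP
                (email confirmation / 2FA before the session is trusted)
    'allow'   - password correct from an IP the account has used before
    """
    trusted_ips = defaultdict(set)   # user -> IPs from which a login was completed
    ip_users = defaultdict(dict)     # ip -> {user: last attempt ts} inside the window
    decisions = []
    for ts, ip, user, password_ok in sorted(attempts):
        seen = ip_users[ip]
        seen[user] = ts
        for stale in [u for u, t in seen.items() if ts - t > window]:
            del seen[stale]
        if len(seen) > max_users:
            decisions.append((user, ip, "block"))   # rate looks benign, diversity does not
            continue
        if not password_ok:
            decisions.append((user, ip, "deny"))
        elif ip in trusted_ips[user]:
            decisions.append((user, ip, "allow"))
        else:
            decisions.append((user, ip, "step_up"))
            trusted_ips[user].add(ip)   # assumption: the step-up challenge is completed
    return decisions


# Constructed login history (documentation-range IPs, not real traffic)
T0 = datetime(2017, 12, 4, 9, 0, 0)
ATTEMPTS = [
    (T0 - timedelta(days=1), "198.51.100.7", "alice", True),   # first login ever -> step-up, IP trusted
    (T0, "198.51.100.7", "alice", True),                       # usual IP -> allow
    (T0 + timedelta(minutes=30), "192.0.2.9", "alice", True),  # new IP -> step-up
    (T0 + timedelta(minutes=31), "192.0.2.9", "alice", True),  # same IP again -> allow
]
# Low-rate stuffing: one new username per minute from a single IP, each with a wrong password
ATTEMPTS += [(T0 + timedelta(minutes=i), "203.0.113.5", f"user{i:02d}", False) for i in range(8)]

if __name__ == "__main__":
    for row in assess_logins(ATTEMPTS):
        print(row)
```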
With these services in place, you can ensure that the site will always be available.