We survived a DDoS attack that peaked at 250k requests-per-second. It cost us $10

With the surge in interest in cryptocurrencies, the door has been opened for bad actors trying to crack blockchain-related businesses. The industry has been among the five most attacked by DDoS since the second half of 2017, and it doesn’t look like it’s losing its position anytime soon. Arranging a black market DDoS attack can cost as little as $7 per hour, while the affected company can lose thousands — or even millions — of dollars.

To make sure the Crypterium App is ready to resist cyber threats, we decided not to wait for what could potentially hit us, but to be the first to start a war against ourselves. In other words, we ordered a self-inflicted DDoS attack that peaked at 250 thousand requests per second.

Crypto businesses vs Cybercriminals

A distributed denial-of-service (DDoS) attack is simply too tempting an opportunity for cybercriminals to pass up. By overloading a target with bogus traffic, they can render a website or application unavailable. Revenge, politics, cloaking… Whatever the reasons behind an attack, attackers always find it worth the effort.

Arranging a black market DDoS attack can cost as little as $7 per hour, Kaspersky Lab found, while the affected company can lose thousands — or even millions — of dollars. One example is a recent cyber-attack against NiceHash, a platform for the production of cryptocurrency, that resulted in the theft of 4,700 Bitcoins. At the same time, another DDoS attack, on the Bitfinex cryptocurrency exchange, resulted in losses of around $40 million. Sounds impressive, huh?

With both the number and ferocity of attacks rising, DDoS incidents are a growing danger for the crypto industry. In March 2018, 1.35 terabits per second of traffic hit GitHub, the code-sharing site. It was the most powerful attack recorded to date. Thanks to its resourceful defense, the website went down for only a few minutes and then got back to normal. But it does not end there. Attempted attacks are often correlated with the volume of cryptocurrencies, and massive attacks are more likely to occur again once the market reaches higher liquidity. So crypto businesses had better be on the starting blocks with reliable protection mechanisms ready.

Why self-DDoSing?

There might be only one way to check whether your website or app is good to go. Yes, you guessed it right: we are talking about self-inflicted attacks, aka stress tests. Typically, such tests are conducted by outsourcing companies that offer DDoS for hire. As opposed to real-life attacks, the attacking “botnet” is simulated from a special cloud platform; any risks are controlled and are far outweighed by the benefits.

Stress tests can reveal IT infrastructure breaking points and its stability potential outside of normal usage. In other words, after testing is completed, you know your system can handle whatever comes its way, from a DDoS attack to eager customers flooding your website after a successful marketing campaign or a product release.

In a month, Crypterium is launching its long-awaited feature that will make it possible to pay with crypto at any NFC terminal or by scanning QR codes. That’s why it was important for us to check our servers’ stability on the eve of the big release: the number of Crypterium’s registered users, which already exceeds 400 thousand, is expected to increase remarkably.

What’s been DDoSed

The first attack Crypterium conducted targeted the connection state tables on the hosting server, the essential element of the defence strategy. To skip ahead: there were no unpleasant surprises.

Our IP belongs to Amazon, the absolute leader in terms of hosted cloud services. Amazon provides advanced protection from the common, most frequently occurring network DDoS attacks, fighting them off automatically. What makes the server even more reliable is that it is capable of resisting new types of attacks. If it detects unusual activity, it reacts in just a few minutes.

The second hit targeted the application level. These kinds of attacks are the most difficult to mitigate because they mimic normal user behavior and can go unnoticed until it’s too late. Moreover, the hosting server no longer plays a part in this scenario: the website or app has to process every fake request using its own resources. The application-level attack carried out by Crypterium peaked at 250 thousand requests per second.

“For the sake of clarity: one thousand requests per second is what large banks usually experience on the day most people get their paychecks. I used to work at one of the biggest retail banks, and even its rush-hour numbers can’t be compared to what Crypterium has managed to carry out,” says CTO of Crypterium Pavel Ivanov. “In a real-life environment, a 250 thousand requests-per-second attack would have meant there were 10 million users simultaneously trying to access the app,” he adds.

How we repulsed the attack almost for free

One of the principles Crypterium’s architecture is based on is called “containerization”. To understand the technology, let’s go deeper into the details.

Essentially, containers are resource-isolated single-function services with a virtualized operating system. They can be mixed and matched or even reassigned to perform new tasks. The plug-and-play nature of containers makes them flexible in functionality and gives administrators more control over resource allocation and scaling.

Now think of containers as micro chunks of your rapidly growing application. You’ll definitely need a tool to keep them synchronized, right? This is where container orchestration platforms become useful.

They help to coordinate the chunks by evenly distributing the load. Unlike hardware-based solutions, the orchestrator automatically reacts to the growing workload and switches on exactly the number of containers needed to overcome the influx. Buffer overflow? Forget about it. The combination of microservices and orchestration engines can digest any number of requests. If there is no traffic, the system scales unnecessary resources back.

“Going with a system like this is really cost-effective. Normally, you don’t need to use all the services you have, so when there is no extra traffic the orchestrator keeps them off, saving you a lot of money as you don’t have to pay for the resources you don’t use,” Pavel Ivanov explains.

Thus, repulsing the DDoS attack cost us next to nothing — Crypterium had to spend less than $10. The sum was just enough to cover additional resources used to cope with the junk traffic.
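The scale-up and scale-back behaviour described above can be replayed as a small simulation. This is an added example, not Crypterium's code or configuration; the per-container capacity, replica limits, hourly price and traffic samples are all assumed values chosen for illustration.

```python
import math
from collections import deque

def desired_replicas(load_rps, per_replica_rps, min_r, max_r):
    """Proportional rule: enough replicas that each stays at its target load,
    clamped to [min_r, max_r]. max_r is the spend ceiling under attack traffic."""
    return max(min_r, min(max_r, math.ceil(load_rps / per_replica_rps)))

def simulate(traffic_rps, per_replica_rps=2500, min_r=2, max_r=120,
             window=3, usd_per_replica_hour=0.05, tick_minutes=1):
    """Replay per-tick request rates through the scaling loop.
    All defaults are illustrative assumptions, not Crypterium's settings."""
    replicas = min_r
    recent = deque(maxlen=window)      # last `window` recommendations
    served_by, shed_rps = [], []
    for load in traffic_rps:
        # Load in this tick is served by the pool decided in the previous tick.
        served_by.append(replicas)
        shed_rps.append(max(0, load - replicas * per_replica_rps))
        # Scale up immediately; scale down only once every recommendation in
        # the window agrees, so pulsing traffic does not make the pool flap.
        recent.append(desired_replicas(load, per_replica_rps, min_r, max_r))
        replicas = max(recent)
    replica_hours = sum(served_by) * tick_minutes / 60
    return {"replicas": served_by, "shed_rps": shed_rps,
            "cost_usd": round(replica_hours * usd_per_replica_hour, 2)}

# Constructed one-minute samples: baseline, ramp, a 250k rps peak, recovery.
TRAFFIC = [1_000, 1_000, 60_000, 250_000, 250_000, 1_000, 1_000, 1_000, 1_000]

if __name__ == "__main__":
    for cap in (120, 40):
        r = simulate(TRAFFIC, max_r=cap)
        print(f"max_r={cap}: replicas={r['replicas']} "
              f"shed={r['shed_rps']} cost=${r['cost_usd']}")
```

The non-zero `shed_rps` entries show the requests that arrive before capacity catches up, which is load an upstream rate limiter or queue has to absorb. Lowering `max_r` bounds the bill but leaves part of the peak unserved, so the cap is a cost decision as much as a capacity one.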

What if we failed fighting off the attack?

Frankly speaking, we were pretty sure we wouldn’t. But it was crucially important for us to run the attack anyway, as it let us test the app in a near real-life environment. Even if it did happen to be vulnerable, the stress-test would have given us the chance to fix the flaws.

Clearly, the evolution of attacks is not expected to stop anytime soon, but if companies follow Crypterium’s methods for protecting against DDoS, they’ll get the opportunity to keep ahead of the danger.

About Crypterium

Crypterium is building a mobile app that will turn cryptocurrencies into money that you can spend with the same ease as cash.

Shop around the world and pay with your coins and tokens at any NFC terminal or by scanning QR codes. Make purchases in online stores, pay your bills, or just send money across borders in seconds, reliably and for a fraction of a penny.

Learn more at http://crypterium.com/ and join the discussions in our Telegram Chat.


We survived a DDoS attack that peaked at 250k requests-per-second. It cost us $10 was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.
