DDoS Attack

Eric Wustrow and Benjamin VanderSloot, two researchers from the University of Michigan and the University of Colorado Boulder, recently published a paper describing “DDoSCoin”, an alternative cryptocurrency they developed that rewards users who participate in DDoS attacks.

However, it only works when the user targets a website that has TLS (Transport Layer Security) enabled. It rewards the users, or miners, who use their computers as part of a DDoS attack.

TLS is a protocol that secures Internet communication. The researchers presented the paper at the USENIX 2016 conference.

The researchers made it clear that they were not publishing a proven demonstration of how mining the cryptocurrency can lead to a DDoS attack, only a concept in its nascent stage.

However, it is interesting to note that DDoSCoin helps provision bandwidth to the target domain, which reduces the resources problem to a great extent.

The researchers also hope that other researchers will contribute to solving the resources problem.

DDoSCoin – The Background

When mining for Bitcoins, the miners actually contribute a huge amount of computational power that helps to maintain a ledger that keeps track of every Bitcoin transaction that has ever taken place.

Bitcoins are paid out as an incentive to these miners. However, this computational power has been largely unused.

DDoSCoin is a cryptocurrency that rewards a miner for opening many TLS connections to specific targeted web servers.

That is, miners take part in a DDoS attack against specific websites by flooding them with many requests and rendering them unavailable temporarily.

The model developed by these two scholars works only with websites that use TLS version 1.2. It is also true that about half of the top one million websites in the world use this version of the protocol.

Further, it is predicted that many more websites will use TLS in the future than at present. This makes it easy for miners to earn their rewards.

Participating in a DDoS Attack and Earning a Reward

During the handshake, the server produces a value from a parameter provided by the client, along with other values that the server itself provides for the key exchange of the connection.

This makes it possible to determine whether the client has participated in a DDoS attack against the web server, and to prove that it connected to that specific web server.

The value that the server sends back, however, is not predictable and is randomly distributed.

Therefore, only users who have proved that they took part in a DDoS attack will be rewarded with the cryptocurrency.

When mining for DDoSCoins, the miners choose their victim through consensus. The target is decided by the group of DDoS attack participants.

Miners who possess a DDoSCoin block could thereafter trade it for other digital currencies such as Bitcoin and Ethereum. Much like Bitcoins, DDoSCoins can be exchanged for Bitcoins without the requirement of a third-party intermediary.

Even if DDoSCoins are pushed out of exchanges, that will not prevent illegal transactions using the currency from taking place.

The two researchers acknowledged that theirs was an idea that would encourage malicious behavior.

They also claimed that they tested their work on their own websites. When the creators ran the miner code for the test rounds, the server CPU utilization quickly reached 100 percent on all four cores.

A quad-core TLS server was used. The attacker, however, required only 30 percent of a single core.

This, in effect, created about 3000 TLS connections per second, which in turn slowed the web server’s response times to a significant extent.

The server was tested both with and without the miner running to observe the differences.

The paper also cited various methods by which victim servers can defend themselves against attacks by DDoSCoin miners.

Servers can stop this attack by disabling TLS version 1.2 entirely and using previous versions such as TLS 1.1 or TLS 1.0. It is also possible that the earlier versions of the protocol (TLS 1.0) may be susceptible to a specific attack; however, a majority of modern clients can mitigate such attacks.

Disabling TLS 1.2 does have disadvantages: some cipher modes that would otherwise be negotiated with clients are lost, and this may reduce performance where hardware acceleration is implemented for those modes. It is also possible that websites can take action against such mining operations.
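
The roughly 3000 TLS connections per second reported in the test above suggest one action a website can take: flag sources that open handshakes at a miner-like rate. The following Python is an added example, not code from the paper or from this article; the event format, the 1-second window and the threshold of 100 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample: (unix_time_seconds, source_ip) for each new TLS handshake.
# Hypothetical format; adapt the parsing to your own server or load balancer logs.
def sample_events():
    events = []
    # A normal browser: a handful of handshakes spread over 10 seconds.
    for i in range(5):
        events.append((100.0 + 2 * i, "198.51.100.7"))
    # A miner-like client: 300 handshakes within one second.
    for i in range(300):
        events.append((103.0 + i / 300.0, "203.0.113.9"))
    return sorted(events)

def flag_handshake_floods(events, window=1.0, threshold=100):
    """Return {source_ip: peak handshakes seen in any `window` seconds}
    for sources whose peak exceeds `threshold`. Events must be time-sorted."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)       # per-source highest count observed
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] >= window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}

if __name__ == "__main__":
    for src, n in flag_handshake_floods(sample_events()).items():
        print(f"{src}: {n} TLS handshakes within 1s, candidate for rate limiting")
```

A per-source threshold only catches individual high-rate clients; when many miners each stay under it, the aggregate handshake rate for the whole site has to be watched as well.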