With the number of ICOs currently happening on the market, it is crucially important to ensure the security of the offering and smooth transactions. In August, we at TokenStars had to delay our ICO due to a series of DDoS attacks by unknown criminals. As ICOs are still uncharted territory, this is quite a common problem and a growing pain that token crowdsale platforms may face.

Together with our partners at Wallarm, a Y Combinator-backed application security platform, we managed to cope with the attack within a few days. As security for our token holders is our key focus, we decided to explain how such attacks can affect an ICO and which precautionary measures to take to mitigate the risk of attacks.

Anyone who is currently working on an ICO should make sure their platform is ready to take and process orders.

What DDoS is and how it affects an ICO

A distributed denial of service (DDoS) attack is one of the hardest attacks to prevent and poses a serious risk to any ICO. During a DDoS attack, the website is flooded with queries sent by a distributed network of malware-infected computers (a botnet). Eventually, the servers run out of resources.

Meanwhile, using DDoS attacks as a smokescreen, scammers try to execute even more dangerous security breaches — for example, to access the control panel of the website through an attack on the site administrator, or to mass mail a link containing an attack vector to users and potential ICO token buyers.

Pavel Stukolov, CEO, TokenStars:

“Along with a rising number of initial coin offerings, we witness a massive surge in cryptocurrency cybercrime. Almost 10% of all Ethereum investments in ICOs this year (or $150M in value) were hijacked by thieves. In their attempts to establish control over ICO websites or to steal from coin buyers, criminals often stage DDoS attacks as a distraction. We at TokenStars were lucky to quickly resolve a similar issue with help from our partners at Wallarm. To mitigate DDoS-related risks, we recommend that anyone who is currently working on an ICO put their security first.”

In the first case, the cybercriminals can gain complete control of the website and most likely change the wallet address given to coin buyers. In the second scenario, scammers replace the content of the users’ page and use the original website address for a more effective phishing attack.

The most typical attacks that ICO owners face include:

1. Volume-based attacks. They happen when the number of queries is so high that it saturates the bandwidth of the attacked site and drains the network capacity.

2. HTTP flood and other application-level attacks. In that case, the main load is on the app server. Here it is crucial to separate bots from real users by setting cookies, JavaScript or Flash flags, or a captcha.

3. Protocol attacks. Those drain actual server resources, or the resources of firewalls and load balancers.

It’s also important to consider that:

a) apart from DDoS bots, the website is crawled by search engines, which should be allowed to do so.

b) bots can be programmed to get around security measures, so solutions like cookies or JavaScript mostly aim to increase the cost of the attack for scammers.

c) the load created by the security measures themselves should be lower than the load in the case when a bot overcomes them (primarily a matter of captcha optimisation).
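One way to implement the cookie flag from item 2 while respecting points (a) to (c), as an added example that is not TokenStars' or Wallarm's code: the cookie is an HMAC over the client's IP, User-Agent and an expiry, so checking it costs one hash and no session lookup. The secret, the lifetime, the request dictionary and its `verified_crawler` field are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: random per-deployment secret
TTL = 300                         # assumption: cookie lifetime in seconds


def sign(client_ip, user_agent, expiry):
    msg = f"{client_ip}|{user_agent}|{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(client_ip, user_agent, now=None):
    """Return 'expiry.signature', bound to this client's IP and User-Agent."""
    expiry = int(now if now is not None else time.time()) + TTL
    return f"{expiry}.{sign(client_ip, user_agent, expiry)}"


def check_cookie(cookie, client_ip, user_agent, now=None):
    """Stateless check (point c): one HMAC, no database or session store."""
    now = int(now if now is not None else time.time())
    try:
        expiry_text, sig = cookie.split(".", 1)
        expiry = int(expiry_text)
    except (AttributeError, ValueError):
        return False                      # missing or malformed cookie
    if expiry < now:
        return False                      # expired: client must re-earn it
    expected = sign(client_ip, user_agent, expiry)
    return hmac.compare_digest(sig.encode(), expected.encode())


def handle(request, now=None):
    """Return 'pass' or 'challenge' for a request dict (ip, ua, cookie)."""
    # Point (a): assumption - this flag is set upstream after reverse-DNS
    # verification of the crawler, never from the User-Agent string alone.
    if request.get("verified_crawler"):
        return "pass"
    if check_cookie(request.get("cookie"), request["ip"], request["ua"], now):
        return "pass"
    # Point (b): a bot can still fetch the challenge page and replay the
    # cookie, but only from the same IP and only until the expiry.
    return "challenge"
```
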

Which security measures to take

1. Install anti-DDoS services. Advanced DDoS protection services, such as Cloudflare, Incapsula, Akamai, or DOSarrest, help to effectively mitigate volume-based attacks. But don’t rely fully on third-party services: track their performance and investigate any unusual activity.

2. Use secure hosting. We use the Heroku platform, which has multiple out-of-the-box security features. It applies security controls at every layer from physical to application, isolates customer applications and data, and is able to rapidly deploy security updates without customer interaction or service interruption. Key hosting requirements also include scalability.

3. Install a web application firewall. WAFs like the one by Wallarm generate security rules and verify the impact of malicious payloads in real time. Make sure, though, that it doesn’t impose excessive rules.

4. Look after your code. Quality control of the code and readiness to scale should become a priority. An additional audit of the smart contract and website code is recommended. We are planning to verify the code via newalchemy.io.

5. Keep an eye on your website. Track any changes to your web pages, including their size and content. The tighter and more frequent the checks, the quicker you’ll find out if anyone attempts to make unauthorised changes.
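A sketch of the check described in item 5, added here as an example and not taken from TokenStars' own tooling: it snapshots a page's size, hash and every Ethereum-style address it contains, then reports differences against a trusted baseline, so a swapped wallet address is flagged even when the page size is unchanged. The sample pages and addresses are constructed placeholders, and the 10% size tolerance is an assumption.

```python
import hashlib
import re

# 0x followed by exactly 40 hex characters (Ethereum address format).
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Constructed sample pages; the addresses are made-up placeholders.
GOOD = "<html><body><p>Send ETH to 0x" + "a1" * 20 + "</p></body></html>"
TAMPERED = GOOD.replace("a1" * 20, "b2" * 20)   # same size, other address
BLOATED = GOOD + "<!-- pad -->" * 20            # same address, larger page


def snapshot(html):
    """Record size, content hash and all Ethereum-style addresses on a page."""
    body = html.encode("utf-8")
    return {
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
        "addresses": sorted({a.lower() for a in ETH_ADDR.findall(html)}),
    }


def compare(baseline, current, size_tolerance=0.10):
    """Return a list of findings; an empty list means nothing changed."""
    if current["sha256"] == baseline["sha256"]:
        return []
    findings = ["content-changed"]
    delta = abs(current["size"] - baseline["size"]) / max(baseline["size"], 1)
    if delta > size_tolerance:
        findings.append("size-changed")
    added = set(current["addresses"]) - set(baseline["addresses"])
    removed = set(baseline["addresses"]) - set(current["addresses"])
    if added:      # highest-priority alert: buyers would pay a new address
        findings.append("address-added:" + ",".join(sorted(added)))
    if removed:
        findings.append("address-removed:" + ",".join(sorted(removed)))
    return findings


if __name__ == "__main__":
    base = snapshot(GOOD)
    for name, page in (("good", GOOD), ("tampered", TAMPERED),
                       ("bloated", BLOATED)):
        print(name, compare(base, snapshot(page)))
```

In use, the baseline snapshot would be taken at deploy time and stored away from the web server, and the current page fetched from outside on a schedule.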

And be ready to react. If, despite all these measures, a DDoS attack happens right before or during your ICO, be prepared for it. Develop a splash page informing visitors that the website is under attack and that the team is doing everything possible to resolve the issue. Meanwhile, advise your potential buyers to visit your social platforms and support chats to get the most up-to-date information and answers.

Good luck with your secure ICO!

P.S. Our token sale has started! Join to receive early bird bonuses of the first days.