
More Bitcoin Exchanges Forced Out of Sync After Massive DDoS Attack

Posted by Unknown Lamer
from the just-a-small-bug dept.
An anonymous reader tipped us to news that several Bitcoin exchanges have joined Mt Gox in suspending withdrawals after being forced out of sync with the Bitcoin network at large. After Mt Gox blamed transaction malleability for forcing them to suspend withdrawals, miscreants started flooding at least Bitpay and Btc-e with bogus transactions. Quoting the Bitcoin Foundation: "Somebody (or several somebodies) is taking advantage of the transaction malleability issue and relaying mutated versions of transactions. This is exposing bugs in both the reference implementation and some exchanges’ software. We (core dev team, developers at the exchanges, and even big mining pools) are creating workarounds and fixes right now. This is a denial-of-service attack; whoever is doing this is not stealing coins, but is succeeding in preventing some transactions from confirming. It’s important to note that DoS attacks do not affect people’s bitcoin wallets or funds."
  • by E-Rock (84950) on Wednesday February 12, 2014 @01:00PM (#46229689) Homepage

    More like filling all the bank door's locks with glue.

  • by Martin S. (98249) <Martin DOT Spamer AT gmail DOT com> on Wednesday February 12, 2014 @01:18PM (#46229847) Homepage Journal

    Red Flags

    High returns with little or no risk. Every investment carries some degree of risk, and investments yielding higher returns typically involve more risk. Be highly suspicious of any "guaranteed" investment opportunity.

    Overly consistent returns. Investments tend to go up and down over time. Be skeptical about an investment that regularly generates positive returns regardless of overall market conditions.

    Unregistered investments. Ponzi schemes typically involve investments that are not registered with the SEC or with state regulators. Registration is important because it provides investors with access to information about the company's management, products, services, and finances.

    Unlicensed sellers. Federal and state securities laws require investment professionals and firms to be licensed or registered. Most Ponzi schemes involve unlicensed individuals or unregistered firms.

    Secretive, complex strategies. Avoid investments if you don't understand them or can't get complete information about them.

    Issues with paperwork. Account statement errors may be a sign that funds are not being invested as promised.

    Difficulty receiving payments. Be suspicious if you don't receive a payment or have difficulty cashing out. Ponzi scheme promoters sometimes try to prevent participants from cashing out by offering even higher returns for staying put.

    Red Flags for Ponzi schemes [investor.gov]

    When will the gullible finally wise up?

  • by tlhIngan (30335) <slashdotNO@SPAMworf.net> on Wednesday February 12, 2014 @01:28PM (#46229939)

    No. The network will never approve these transactions. My understanding of the problem is that exchanges use custom wallet software that can be fooled before enough confirmations come through, potentially allowing an attacker to sell coins that don't exist for dollars. This has temporarily made bitcoin less liquid (as far as exchanging for country-backed currencies), which has driven the price down.

      The issue will likely be fixed by a combination of exchange software upgrade and, eventually, long term tweaks to the bitcoin protocol that will fix this type of attack.

    No, the issue is that a bunch of fake but close-enough transactions are flooding the exchanges to de-sync them. They're trying to verify the transactions with the real blockchain, but in doing so, they fall behind, have to process a new batch of fake transactions and compare them against the real chain, etc.

    Basically there's a point where the flood of fake transactions overwhelms the ability to figure out what's real and what's not. No extra money is being created unless the exchange follows the fake transactions. However, if you're trying to exchange money, it means your real transaction is now backlogged and the exchange can only get further behind as they sort out the mess.

    It's like how a regular DDoS works - except the information being sent is fake and the server is bogging down under the load trying to figure out if it's real or not.

    It's a classic resource starvation attack - each fake transaction consumes resources because it has to be verified against the real blockchain. But in the time to do that, more fake transactions come in so the server can do nothing but fall behind. And you intermix in real transactions which have to be processed properly as well.

    I suppose a real-life equivalent is a bank - where you have people trying to cash in fake cheques or exchange fake currency - it takes time to verify and fail the transaction, but even with all tellers open, there'll be a point where more people (legit and otherwise) arrive faster than they can handle, so the lines get turned into crowds.
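
The tracking failure described in this thread (exchange software keying a withdrawal on a txid that a relayed mutation changes, then falling out of step with the chain while it keeps re-checking) and the mitigation of matching on what a transaction spends, as an added Python illustration that is not from the original post, the Bitcoin reference client or any exchange's code; the transaction model, hex values and amounts are constructed toy data, not real Bitcoin serialization:

```python
import hashlib

# Constructed toy model of a Bitcoin transaction, not real wire serialization:
# "inputs" are outpoints (prev_txid_hex, vout), "script_sigs" hold the unlocking
# script bytes for each input, "outputs" are (address, satoshis).

def txid(tx):
    """Double-SHA256 over the whole serialized tx, unlocking scripts included.
    Re-encoding a signature therefore changes the txid without changing
    which coins are spent or who gets paid."""
    blob = b"".join(
        bytes.fromhex(prev) + vout.to_bytes(4, "little") + sig
        for (prev, vout), sig in zip(tx["inputs"], tx["script_sigs"])
    )
    blob += b"".join(addr.encode() + amt.to_bytes(8, "little")
                     for addr, amt in tx["outputs"])
    return hashlib.sha256(hashlib.sha256(blob).digest()).hexdigest()

def spend_key(tx):
    """Mutation-proof identity: the set of outpoints the tx consumes.
    The signature covers the inputs, so any relayed variant spends exactly these."""
    return frozenset(tx["inputs"])

def mutate_script(tx):
    """Stand-in for a relayed mutated copy: same inputs and outputs, one extra
    byte in each unlocking script (models a re-encoded signature)."""
    return {**tx, "script_sigs": [s + b"\x00" for s in tx["script_sigs"]]}

def reconcile_by_txid(pending, confirmed):
    """Naive exchange logic: a withdrawal is settled only if its own txid confirms.
    When the mutated copy confirms instead, the withdrawal looks stuck forever,
    and a retry loop on top of this is what pays a customer twice."""
    seen = {txid(c) for c in confirmed}
    return [w for w in pending if txid(w) not in seen]

def reconcile_by_inputs(pending, confirmed):
    """Robust logic: settled once any confirmed tx spends the same outpoints."""
    seen = {spend_key(c) for c in confirmed}
    return [w for w in pending if spend_key(w) not in seen]

# Constructed sample withdrawal paying 1.5 BTC to a customer.
WITHDRAWAL = {
    "inputs": [("aa" * 32, 0)],
    "script_sigs": [b"\x30\x44" + b"\x01" * 68],  # placeholder signature bytes
    "outputs": [("customer_addr", 150_000_000)],
}
```

Run `reconcile_by_txid([WITHDRAWAL], [mutate_script(WITHDRAWAL)])` and the withdrawal is still reported pending even though its coins moved; `reconcile_by_inputs` settles it as soon as either version confirms.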

  • by jythie (914043) on Wednesday February 12, 2014 @02:26PM (#46230521)

    In theory yes, there are exchanges that support short sells, in practice I have heard that they are not terribly reliable and trying to collect generally does not work. Shorting regular commodities tends to work because you have the weight of federal regulation and law enforcement behind it, but few of the exchanges are really mature enough to have that kind of confidence behind them.
  • by Dachannien (617929) on Wednesday February 12, 2014 @03:46PM (#46231425)

    It's not just the exchanges that have to have confidence behind them. The exchange (or, at least, some Bitcoin owner out there) has to have confidence in the short seller as well. This is because the short seller borrows BTC to sell on the exchange. The short seller is then expected at some point to pay back the lender in BTC to cover the loan. Because of the additional routes for anonymity that Bitcoin provides, the short seller could abscond with the non-BTC currency as long as they can launder it, leaving the lender high and dry.

    As you noted, regulations, law enforcement, and substantial recordkeeping on the part of brokerages keep this from being particularly successful in normal equities trading. If nothing else, a brokerage might require a short seller to keep cash on hand sufficient to cover the short sale, and then call in the debt if it looks like their cash on hand is coming close to being insufficient to cover. (Some brokerages let you use a margin account for this as well, if you have good credit.) The short seller would then be unable to run off with the cash because the brokerage would not release the funds until the short sale is covered. This is a solution that some Bitcoin exchanges might have problems with, because they would be keeping government-issued cash on hand in a customer account as well as BTC, which opens up several other cans of worms.

  • by DanielRavenNest (107550) on Wednesday February 12, 2014 @05:42PM (#46232635)

    That limit is set by the finite size of a transaction (~250 bytes), and the hard limit of 1 MB per block in the block chain. Thus you can fit 4,000 transactions/block. Blocks are generated every 10 minutes (600 seconds) on average, thus ~7 per second.

    The block size limit is intended to not overwhelm average PCs running a full bitcoin client (i.e. a node on the bitcoin network). There are several ways to deal with this limit. One is simply to gradually increase it, and migrate from user PCs to a distributed network of servers with more processing capacity. Another is "off chain transactions". For example, Coinbase.com has both 940,000 consumer wallets and 23,000 merchant accounts. So if a Coinbase user shops at a Coinbase merchant, the transfer is internal to their books, and does not need to hit the network. Eventually other aggregators can bundle up multiple user transactions and send them on the public block chain as a single large transaction to another aggregator. The details of who gets what amount can travel as a separate data file between them.

    That's pretty much what happens in the traditional banking system. Banks settle up with each other once a day at a clearing house (usually the district Federal Reserve Bank). They add up all the day's checks going between a pair of banks, and then one of them pays the other the net difference. The actual payment goes across a private payment network (FEDwire) that only financial institutions have access to. In the old days, they had to swap piles of physical checks at the clearing house. With modern debit cards and electronic payments, it goes through an "Automated Clearing House" (ACH) which tallies up the amounts, but it is the same idea - lots of small transactions aggregated into one big daily clearing of the net balance between banks.
