More Bitcoin Exchanges Forced Out of Sync After Massive DDoS Attack
An anonymous reader tipped us to news that several Bitcoin exchanges have joined Mt Gox in suspending withdrawals after being forced out of sync with the Bitcoin network at large. After Mt Gox blamed transaction malleability for forcing them to suspend withdrawals, miscreants started flooding at least Bitpay and Btc-e with bogus transactions. Quoting the Bitcoin Foundation: "Somebody (or several somebodies) is taking advantage of the transaction malleability issue and relaying mutated versions of transactions. This is exposing bugs in both the reference implementation and some exchange’s software. We (core dev team, developers at the exchanges, and even big mining pools) are creating workarounds and fixes right now. This is a denial-of-service attack; whoever is doing this is not stealing coins, but is succeeding in preventing some transactions from confirming. It’s important to note that DoS attacks do not affect people’s bitcoin wallets or funds."
If I didn't know better I would suspect that the best time to invest in BTC futures would be about five seconds before the DDoS stopped.
I'll leave you to guess who is in the best position to profit from that.
It’s important to note that DoS attacks do not affect people’s bitcoin wallets or funds.
Unless of course the exchange rates start dropping because of a declining confidence in the currency.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
Now that the NSA can't store and process users' private data, they have to do _something_ with those datacenters, right?
If Pandora's box is destined to be opened, *I* want to be the one to open it.
No, the issue is that a bunch of fake but close-enough transactions are flooding the exchanges to de-sync them. They're trying to verify the transactions with the real blockchain, but in doing so, they fall behind, have to process a new batch of fake transactions and compare them against the real chain, etc.
Basically there's a point where the flood of fake transactions overwhelms the ability to figure out what's real and what's not. No extra money is being created unless the exchange follows the fake transactions. However, if you're trying to exchange money, it means your real transaction is now backlogged and the exchange can only get further behind as they sort out the mess.
It's like how a regular DDoS works - except the information being sent is fake and the server is bogging down under the load trying to figure out if it's real or not.
It's a classic resource starvation attack - each fake transaction consumes resources because it has to be verified against the real blockchain. But in the time to do that, more fake transactions come in so the server can do nothing but fall behind. And you intermix in real transactions which have to be processed properly as well.
I suppose a real life equivalent is a bank - where you have people trying to cash in fake cheques or exchange fake currency - it takes time to verify and fail the transaction, but even with all tellers open, there'll be a point where more people (legit and otherwise) arrive faster than they can handle so the lines get turned into crowds.
Everyone was saying, "Bitcoin is just like currency, man, only better."
It is, especially if you are trying to pump, dump or crash and buy the things for profit. If a DOS attack can drive the price down and DOS attacks are fairly easy to do, you can bet somebody will try it.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Some of the best hackers work for governments. This may be an attempt to destroy digital currency so that people are forced to contend with the historical money makers.
I'm not into conspiracy theories. Government doesn't really care about BTC, as long as you are not using it to do shady things. This is just common hacking by brighter than average people with less than ideal morals who are out to make a buck. *Somebody* has figured out that money can be made doing this. Now if they are clearing millions or just enough to pay for the pizza is the real question.
IF the government wanted to end BTC, there are better and easier ways that would be a lot less complex and straightforward. No, this is just some yahoos who figured out how to make a few bucks by tweaking things. More will come though, as organized crime gets into this technique. The swings will get bigger and bigger until they "fix" the processing of transactions to avoid the problem (assuming they can).
I'd be (and I am) out of BTC trading with any money you cannot afford to lose... Way too risky, even for the kids' inheritance money. If you want to use your slot machine mad money here, it might be better odds, but just barely. (Not as entertaining though.)
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Hmm. If I recall correctly, flooding a country with counterfeit currency to destabilize its financial system has actually been done (or at least proposed) before.
What's interesting about this DOS attack is it doesn't matter if every single counterfeit transaction is discovered as such and rejected... what's being attacked is the efficiency of the system itself. If transactions get inefficient enough, the currency becomes burdensome to use, so people forgo it and turn to other mediums of exchange.
(Whether you're a BTC fan or not, it's fascinating to watch Bitcoin's pristine mathematical world rocked by thousands of years of lessons-learned in real world financial competition. Vires in Numeris indeed.)
Koans and fables for the software engineer
Interestingly enough, this potentially benefits legitimate BTC speculators.
We see what's going on. We know that BTC is under attack, and we know it's going to drop, and we suspect it's going to rebound. Time for tech-savvy legitimate investors to make a few gambles as well -- if you're the type that's already gambling on BTC.
One of the things about BTC is that, since it's unregulated, you can't just freeze the exchange rate until the storm blows over. Anarchy!
This isn't a "government conspiracy" sending out bogus transactions. It's some jerk.
If you need to sell Bitcoins right now, Coinbase and Kraken are still up and running. Bitstamp is off line, and Mt. Gox is, as usual, screwed up. Mt. Gox hasn't paid out US dollars since June 2013. Whether they are incompetent, broke, or crooked is a subject of considerable speculation.
There's a technical fix in the works, but it will have the annoying side effect that when you spend Bitcoins in your own wallet, some Bitcoins you are not spending will be tied up for an hour or so. Bitcoin wallets don't really have an "account balance". What they have is a collection of items of different values. When you spend Bitcoins, the wallet software tries to put together a set of items that's over the value to be spent, with one output to the recipient and one output ("change") sent back to you.
Until now, you could spend that "change" immediately, even though the distributed network hadn't yet confirmed it. It looks like that will be disallowed, and only confirmed items will be usable. The way this looks to the user with a wallet program is that you have a "Balance" and an "Unconfirmed" amount. Soon, when you spend, the "Unconfirmed" amount (which you can't spend) will go up for a while, then go to zero when the network catches up. Bitcoin is a distributed "consistent eventually" system. "Eventually" is about an hour. Longer during busy periods. (That's the next Bitcoin problem. The whole network has a limit of about 7 transactions per second. A few times in 2013, that limit was hit.)
Expect everyone except Mt. Gox to have this straightened out in a few days.
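An added illustration of the wallet behaviour described in the comment above (not code from the thread or from any Bitcoin wallet): a toy model of coin selection with a change output, comparing the old policy (unconfirmed change is spendable) with the confirmed-only policy. The names `Output`, `Wallet`, `spend` and `allow_unconfirmed` are hypothetical; fees are ignored and largest-first selection is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Output:
    txid: str        # id of the transaction that created this output
    value: int       # amount in satoshis
    confirmed: bool  # True once the creating transaction is in a block

@dataclass
class Wallet:
    outputs: list = field(default_factory=list)
    _n: int = 0      # counter for constructed transaction ids

    def balance(self):
        """The spendable "Balance": confirmed outputs only."""
        return sum(o.value for o in self.outputs if o.confirmed)

    def unconfirmed(self):
        """The "Unconfirmed" amount: change waiting for the network."""
        return sum(o.value for o in self.outputs if not o.confirmed)

    def spend(self, amount, allow_unconfirmed=False):
        """Pick outputs covering `amount`; return (txid, inputs, change)."""
        usable = [o for o in self.outputs if o.confirmed or allow_unconfirmed]
        picked, total = [], 0
        for o in sorted(usable, key=lambda o: o.value, reverse=True):
            if total >= amount:
                break
            picked.append(o)
            total += o.value
        if total < amount:
            raise ValueError("insufficient spendable outputs")
        for o in picked:
            self.outputs.remove(o)
        self._n += 1
        txid = f"tx{self._n}"  # constructed id, not a real hash
        change = total - amount
        if change:
            # Change comes back to the wallet but is unconfirmed until mined.
            self.outputs.append(Output(txid, change, confirmed=False))
        return txid, picked, change

    def confirm(self, txid):
        """Mark the change from `txid` as confirmed (network caught up)."""
        for o in self.outputs:
            if o.txid == txid:
                o.confirmed = True
```

Spending 10,000 from a 50,000 output ties up the other 40,000 as "Unconfirmed" until `confirm()` is called, which is the side effect the comment describes.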
It's not just the exchanges that have to have confidence behind them. The exchange (or, at least, some Bitcoin owner out there) has to have confidence in the short seller as well. This is because the short seller borrows BTC to sell on the exchange. The short seller is then expected at some point to pay back the lender in BTC to cover the loan. Because of the additional routes for anonymity that Bitcoin provides, the short seller could abscond with the non-BTC currency as long as they can launder it, leaving the lender high and dry.
As you noted, regulations, law enforcement, and substantial recordkeeping on the part of brokerages keep this from being particularly successful in normal equities trading. If nothing else, a brokerage might require a short seller to keep cash on hand sufficient to cover the short sale, and then call in the debt if it looks like their cash on hand is coming close to being insufficient to cover. (Some brokerages let you use a margin account for this as well, if you have good credit.) The short seller would then be unable to run off with the cash because the brokerage would not release the funds until the short sale is covered. This is a solution that some Bitcoin exchanges might have problems with, because they would be keeping government-issued cash on hand in a customer account as well as BTC, which opens up several other cans of worms.
That limit is set by the finite size of a transaction (~ 250 bytes), and the hard limit of 1 MB per block in the block chain. Thus you can fit 4,000 transactions/block. Blocks are generated every 10 minutes (600 seconds) on average, thus ~7 per second.
The block size limit is intended to not overwhelm average PCs running a full bitcoin client (i.e. a node on the bitcoin network). There are several ways to deal with this limit. One is simply to gradually increase it, and migrate from user PCs to a distributed network of servers with more processing capacity. Another is "off chain transactions". For example, Coinbase.com has both 940,000 consumer wallets and 23,000 merchant accounts. So if a Coinbase user shops at a Coinbase merchant, the transfer is internal to their books, and does not need to hit the network. Eventually other aggregators can bundle up multiple user transactions and send it on the public block chain as a single large transaction to another aggregator. The details of who gets what amount can travel as a separate data file between them.
That's pretty much what happens in the traditional banking system. Banks settle up with each other once a day at a clearing house (usually the district Federal Reserve Bank). They add up all the day's checks going between a pair of banks, and then one of them pays the other the net difference. The actual payment goes across a private payment network (FEDwire) that only financial institutions have access to. In the old days, they had to swap piles of physical checks at the clearing house. With modern debit cards and electronic payments, it goes through an "Automated Clearing House" (ACH) which tallies up the amounts, but it is the same idea - lots of small transactions aggregated into one big daily clearing of the net balance between banks.