Competency, Mitigation, and the Value of Time: Network Attack Case Study on CoinPayments.net
CoinPayments is a digital currency payment solution that allows merchants to accept Bitcoin, alongside over 1350 different “altcoins”, in their store through the use of easy-to-use plugins, APIs, and POS interfaces. Encompassing over 2,000,000 users across 182 countries, CoinPayments.net is the most comprehensive multi-cryptocurrency platform in the world. CoinPayments offers an industry-low transaction fee of only 0.5%, which is the source of its rapid growth in relevance. Additionally, the CoinPayments gateway leads the crypto-payment industry by being the first and largest cryptocurrency payment processor, available on all major e-commerce platforms in the world including:
All of the reasons listed above, not counting myriad others, are why CoinPayments would be (and has been) a prime target for network attacks by malevolent actors: high visibility within a subculture frequented by “hacktivists”, monetary incentive, and ineffective network defenses.
CoinPayments and other vulnerable institutions may not survive continued attacks of the kind described below, or may survive only with heavy losses due to excessive downtime; the experiences of those previously impacted should serve as a warning call for any online entity that isn't already serious about network protection to take notice.
What follows is a summary by Path’s Emergency Response Team as experienced from the front lines. It describes the attack on CoinPayments in detail, how it was remedied, and pertinent discussion.
The Network Attack on CoinPayments: A Timeline
I. As previously described, CoinPayments is a digital currency payment processor with around 2,464,500 unique vendors across 182 different countries. Each of these millions of unique vendors relies upon CoinPayments' API (Application Programming Interface), and access to it, to perform any functional payment processing. This API reliance and its inherent details will play a major role in the story to come, the story of CoinPayments and CloudFlare.
II. CloudFlare.com is one of the 10 largest “DDoS Vendors”, the closest thing to a household name in the space, and it is best known as the "free DDoS mitigation provider.” This “free” option is quite enticing to a vast number of users; CloudFlare even plainly states “Every day, more than 10,000 new customers sign-up for [our] service.” This enormous success raises the question of how exactly they accomplish their stated mission of being the “free DDoS mitigation provider” in an industry not particularly known for being inexpensive. Note: CloudFlare does indeed have a $200USD/month “Business” plan, but that will be discussed later.
III. Before we move forward, the functionality of traditional DDoS (Distributed Denial of Service) mitigation must be understood. Traditional DDoS mitigation services work by analyzing the packets coming in, spotting unusual patterns, and (temporarily) blocking the origin of that traffic. They never need to know exactly what the traffic contains; they only need to care about the patterns in which it is received. This means that you can tunnel TLS (Transport Layer Security)-encrypted traffic through a DDoS mitigation service just fine, without the mitigation service ever seeing the plaintext, and you will still be fully protected.
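To make the "patterns, not contents" point concrete, here is an added example (not code from the original article or from any mitigation vendor) of the kind of rate-based detector traditional mitigation relies on. It observes only per-packet metadata (source address, arrival time, size) and never the payload, so it behaves identically on TLS-encrypted flows; a source exceeding a packets-per-window threshold is temporarily blocked and released once the block expires. The traffic records, addresses, thresholds and class names are all constructed for the example.

```python
"""Rate-pattern DDoS detector working purely on packet arrival metadata.

Added illustration, not the article's or any vendor's code. Every packet
record and address below is constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time in seconds (constructed)
    src: str    # source IP (constructed, documentation ranges)
    size: int   # byte count; the payload itself is never present or inspected


class RateBasedMitigator:
    """Per-source sliding-window packet counter with temporary blocking."""

    def __init__(self, window_s=1.0, max_pps=50, block_s=30.0):
        self.window_s = window_s          # length of the observation window
        self.max_pps = max_pps            # packets allowed per window per source
        self.block_s = block_s            # how long an offending source is blocked
        self._recent = defaultdict(deque) # src -> arrival timestamps inside the window
        self._blocked_until = {}          # src -> time at which its block expires

    def is_blocked(self, src, now):
        until = self._blocked_until.get(src)
        if until is None:
            return False
        if now >= until:                  # block expired: lift it
            del self._blocked_until[src]
            return False
        return True

    def observe(self, pkt):
        """Classify one packet as 'pass' or 'drop' based only on its arrival pattern."""
        if self.is_blocked(pkt.src, pkt.ts):
            return "drop"
        q = self._recent[pkt.src]
        q.append(pkt.ts)
        # Slide the window: discard arrivals older than window_s.
        while q and pkt.ts - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.max_pps:
            # Unusual pattern: block this origin temporarily, keep everyone else flowing.
            self._blocked_until[pkt.src] = pkt.ts + self.block_s
            q.clear()
            return "drop"
        return "pass"


def run(packets, **kw):
    """Feed a packet stream through the mitigator and return per-source pass/drop counts."""
    m = RateBasedMitigator(**kw)
    stats = defaultdict(lambda: {"pass": 0, "drop": 0})
    for p in packets:
        stats[p.src][m.observe(p)] += 1
    return dict(stats)


def sample_traffic():
    """Constructed stream: one well-behaved client and one flooding source."""
    pkts = []
    # Legitimate client: 10 packets/s for 5 seconds.
    for i in range(50):
        pkts.append(Packet(ts=i * 0.1, src="198.51.100.7", size=600))
    # Flooding source: 500 packets/s for 2 seconds (1000 packets).
    for i in range(1000):
        pkts.append(Packet(ts=i * 0.002, src="203.0.113.9", size=64))
    # The same source returns after its block has expired and behaves normally.
    for i in range(5):
        pkts.append(Packet(ts=40.0 + i * 0.1, src="203.0.113.9", size=64))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for src, counts in run(sample_traffic()).items():
        print(src, counts)
```

Running the file shows the legitimate client passing untouched while the flooding source is cut off after its first 50 packets in the window and allowed back once the 30-second block lapses. Nothing in the decision path touches `size` or any payload, which is exactly why this style of mitigation can sit in front of a TLS-encrypted service without terminating the connection.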
IV. In contrast to the traditional mitigation functionality outlined above, CloudFlare uses a reverse proxy with a very fast connection. Layer 3 and Layer 4 attacks (those aimed at the underlying network infrastructure rather than the application or protocol itself) only ever reach the point where they are handled by a server rather than passing all the way through, and in a reverse-proxy setup that server is CloudFlare. They are not actually “mitigating” anything; the setup simply places them on the other side of the connection so that, owing to their large capacity, they can “take the brunt of the hit.”
IX. The amount of revenue lost by all vendors associated with CoinPayments during this downtime is incalculable, and should be one of the many reasons why more attention must be paid to network security, in all its facets, by any firm in any industry with an online presence.