From 2013 to the first half of 2018, there were many security incidents in the digital currency market, and several major accidents were all due to hacker attacks. Why do hackers succeed every time? Next, Mr. Ant will make a specific analysis:
Let’s first talk about the existing technical architecture of the blockchain, which can be roughly divided into four levels: the underlying hardware, the basic layer, the middle layer, and the application layer. With so many links, as long as there is an error, the security of the blockchain will be threatened or attacked. As an emerging industry, blockchain is still the most traditional attack among various attacks.
From 2011 to 2018, a total of 86 security incidents occurred, resulting in losses of up to 3.55 billion US dollars. Among them, traditional attacks accounted for 66%, smart contract attacks accounted for 22%, and the remaining 12% were consensus protocol attacks.
As for traditional attacks, the most typical examples are hacker attacks and user computer infection with Trojan horses. This is mainly because blockchain technology combines various existing facilities. Although new economics and governance are added, traditional attacks still exist. In particular, centralized exchanges are backed by a web system, so it is naturally inevitable that they will be attacked by traditional methods.
Exchanges and smart contracts are the key targets of attack!
There are four ways to attack the exchange: server attack, host security problem, malicious program infection, and DDoS attack.
As for smart contracts, some people have tested them for a long time. Among the smart contracts of Ethereum, nearly half of the smart contracts have security risks.
Many tokens will be hacked, mainly because of the use of contract loopholes, mostly logic loopholes at the code level. When writing code, if the smart contract development is not fully optimized, it will consume too much Gas, which will cause user nodes to suffer from DDoS attacks.
Of course, regarding smart contract attacks, not only these layers have loopholes, perhaps because the research threshold of some layers is low. In blockchain technology, each layer has a unique attack surface. For each layer of attacks, an in-depth analysis must be done afterwards to find design flaws.
Suggestions for the blockchain financial industry to defend against DDoS attacks
1. Filter unnecessary services and ports You can use Inexpress, Express, Forwarding and other tools to filter unnecessary services and ports, that is, filter fake IPs on the router. 2. Cleaning and filtering of abnormal traffic Through the cleaning and filtering of abnormal traffic by the DDoS hardware firewall, through the rule filtering of data packets, data flow fingerprint detection and filtering, and customized filtering of data packet content, it can accurately judge whether the external access traffic is normal, and further filter out abnormal traffic. Traffic is prohibited from filtering. 3. Distributed cluster defense is currently the most effective way for the network security community to defend against large-scale DDoS attacks. If a node is attacked and cannot provide services, the system will automatically switch to another node according to the priority setting, and return all the attacker's data packets to the sending point, making the attack source paralyzed. Influencing the security enforcement decisions of the enterprise. 4. The perfect combination of the high-defense intelligent DNS analysis system and the DDoS defense system provides enterprises with super detection functions against emerging security threats. At the same time, there is also a downtime detection function, which can intelligently replace the paralyzed server IP with a normal server IP at any time, so as to maintain a never-downtime service state for the enterprise network.
How to solve security problems?
In order to reduce the security risks of smart contracts, the step of testing and verifying smart contracts is very important and must be included in the design of smart contracts. Because the smart contract is not like the traditional generation of friends, which can be repaired. Once it is on the chain, it cannot be changed. If a vulnerability is detected, it can only be fixed by deploying a new smart contract.
The smart contract verification tools are as follows: improve the test documents to standardize the security testing process; fuzz the input of smart contracts; develop mutation tools for smart contracts; search for traces of smart contracts that have been deployed in the blockchain.
The inspection method is firstly testing, relying on the automatic running of the program; secondly, auditing, relying on experts to review; thirdly, formal verification, which requires the use of digital methods.
Little Ant reminds: From the perspective of users, especially non-technical users who have just entered the industry, they do not have the ability to judge the real purpose of Dapp. It is recommended to keep their own keys/assets well.
The digital wallet key is mostly composed of irregular letters and numbers. For convenience, many users like to save it in the scrapbook and copy it directly when using it. However, if your computer is infected with a Trojan horse, hackers will follow the scrapbook, and your wallet will be stolen. It is recommended that users, preferably participate in DApps or games checked by professional security audit institutions, and let the project party open source the code to avoid backdoors or loopholes.
Security is a necessity for the blockchain, and the market craves a sense of security. At present, there are not many blockchain start-up companies, after all, the industry has a high threshold. It is suggested that entrepreneurs should also think about problems from the perspective of attackers.
In conclusion, financial institutions are particularly attractive to attackers as a lucrative target. The bank's online systems were down and unable to provide service, potentially providing cover for other, more stealthy attacks. The surge in these crimes marks a new high for the online world as cryptocurrency-related businesses have boomed in recent years. The fact that countless users transact online and transact large amounts of money every second is seen as an ideal darling for attackers to exploit.
The above describes how servers in the financial industry can avoid DDoS attacks. Although various services such as bandwidth, DNS service, and website hosting are provided, the sensitivity to DDoS attacks depends on the maturity and progress of the CSP protection platform. Any financial business should have a strategy in place for any potential threat. Looking ahead, we predict that the financial industry will face new challenges from DDoS attacks, including virtual banks and electronic currencies.