Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - Jaron Lukasiewicz & Nir Halutzy: Inside Bitcoins Berlin 2014 – Opportunities and Challenges of Bitcoin Exchanges
Episode Date: March 20, 2014
This episode is part of our coverage of the Inside Bitcoins conference which took place in Berlin February 12 and 13, 2014. This episode features two talks with different perspectives on Bitcoin exchanges. In the first segment, Jaron Lukasiewicz, CEO of Coinsetter, gives a talk on the interesting business opportunities in and around the Bitcoin exchange ecosystem. Then, Nir Halutzy, Account Executive, Incapsula, talks about some of the security challenges exchanges face every day and takes us through an actual DDoS mitigation scenario. This episode is hosted by Brian Fabian Crain and Sébastien Couture. Show notes and listening options: epicenter.tv/eb-inside-bitcoins-berlin-05
Transcript
Hi, I'm Brian Fabian Crain and I'm here with Sébastien Couture. On February 12 and 13, we attended the Inside Bitcoins conference in Berlin. After two months of podcasting together, it was the first time we met in person. We had lots of fun interviewing many people from the Bitcoin community, attending interesting talks and capturing Bitcoin at this unique moment in its history. This is one of a series of episodes about this conference. This episode features two talks with different perspectives on Bitcoin exchanges. In the first segment, Jaron Lukasiewicz, CEO of Coinsetter, gives a talk on the interesting business opportunities in and around the Bitcoin exchange ecosystem. Then, Nir Halutzy, account executive at Incapsula, talks about some of the security challenges exchanges face every day and takes us through an actual DDoS mitigation scenario.
Next to the draft immediately right now. So here he comes. All right. So Jaron Lukasiewicz is the chief executive officer of Coinsetter, which offers a high performance leverage trading platform for Bitcoin. Prior to Coinsetter, and this is a tokenometer. He spoke in New York. He also spoke in Vegas, and it was quite popular there, so I expect you're going to be popular here. Let's give a big round of applause. You guys here? If he's promising him,
So, John, I'm just going to talk about the Bitcoin exchange ecosystem, but I think there's a more pressing issue on everyone's mind. So instead I'm actually going to be talking about Dogecoin mining today, I hope that's not a good one. Just kidding, we're going to talk about Bitcoin. How do I do this forward? I have to get a rest of the same thing. Is it down? Yeah. So, first of all, my name is Jaron Lukasiewicz. I'm the CEO of Coinsetter. We're an ECN-style Bitcoin exchange based in New York City. We've created basically a sub-millisecond latency exchange, and we're aggregating a number of other exchanges on top of it to provide a direct source of liquidity to institutions, high frequency traders, stuff like that. And, you know, it's been a really exciting year. We're currently in a growing public beta, and it's going really well. We're also very much in the middle of a lot of regulation that's going on in the United States and dealing with a lot of those issues, and that's one of a few things we're going to talk about today.
So, you know, what we've noticed over the last few months is, anyone who was at, you know, some of the earlier Bitcoin conferences, I actually didn't wear a suit to those. There are a lot more suits now in our space right now. And, you know, you can visibly see this. So you're seeing a huge entrance of high net worth individuals. As a company, you know, we're starting to be contacted by brokerage houses, especially, I would say, and there's a lot of retail and institutional interest in Bitcoin, but I would say that even just through SecondMarket you can see that Bitcoin is growing and smart money is really moving into the space.
Another thing that we've seen is people who are interested in Bitcoin, a lot of them have really become a distributed group of arbitrageurs. So these are people who just, you know, looked at the exchanges, they said, oh, yeah, I can make money by moving it around, and I'll look at the prices. It's very simple. These people are becoming smarter and smarter, really taking advantage of the different APIs that exchanges have. Another thing that they're also finding, though, is that a lot of the arbitrage opportunities in the Bitcoin space that they think exist at first don't actually exist. I think pretty much every week I'm on Reddit and find a new person asking, you know, why is the price on top so much higher? Or that used to be the case, that's obviously been a very extraordinary couple of weeks now. But when you look at all the different, the price differentials between the exchanges, it definitely comes down to banking issues related to each exchange immediately.
You know, when we look at exchanges we can aggregate, you know, Bitstamp is the only one we've aggregated to date. And I think when you look at how people view Bitstamp, again, extraordinary week, but you know, Bitstamp is definitely considered to be the market price because it's the only exchange that really has a free market, very little banking problems, and historically no big financial problems. You know, one, you know, we're also hearing, just interestingly, a number of billionaires have been buying up large Bitcoin stakes. This is something that we've been hearing pretty consistently over the last few months. You have a number of people who are pitching Bitcoin to high net worth individuals using, you know, I think that pitch is usually something like put 1% of your net worth into it and you can double your wealth in five or ten years. People really are starting to enter the market under this premise. And finally, you know, at Bitstamp, private deals have typically happened slightly below Bitstamp. And what you've seen is that private deals have started to happen above Bitstamp, which really shows that the demand for Bitcoin, the demand for Bitcoin, especially by high net worth individuals, was growing. And I think that's one of the best examples of it.
So, you know, I think when I gave a similar speech in Las Vegas in December, China was really entering the market. A lot has changed. So, you know, if you can trust Chinese statistics, in December there were, you know, 70% of the market. It's now down to 51% of trading, but China is obviously still a very important part of the Bitcoin ecosystem. This is Baidu trends. That spike was December. You can also see that Google searches, Baidu searches that are happening in China have calmed down immensely. And I think, based on this slide I'm about to show you, it really shows that China doesn't necessarily have the driving effect that it did a couple of months ago.
So this is a slide I showed in the December Bitcoin conference in Las Vegas. You can visibly see that China was driving world prices, and it happened three times. You know, one thing we noticed, we have an intern we put on kind of translating, or maybe mistranslating, Chinese news articles, and one thing we noticed is that U.S. articles were consistently interviewing and quoting people in China, and people in China were consistently quoting me and people in the U.S. What we figured out is that pretty much no one had a clue what was going on, and it was kind of a self-propagating cycle in December. China was driving itself up, they didn't really know why they were buying Bitcoin, but they were, and that was driving the world prices up. Now, since then, the chart has changed dramatically. So, you know, alongside the waning interest in just, you know, Bitcoin searches, search engine searches, you know, you can see that, you know, the market has fallen with that. And since then, BTC China and Bitstamp have basically been in parity in terms of prices. That lasts even today. So that's a very interesting thing to think about. You know, it tells you that the market has, you know, the arbitrageurs have really done their part, at least for the time being. And, you know, one other thing that I think many of us have noticed, but is kind of hard to explain, is that the Bitcoin market has remained extremely resilient. You know, every week for the past couple of months, we have bad news after bad news and the market price stays up. It's a pretty bullish sign.
Finally, you know, so we're a U.S.-based Bitcoin exchange and, you know, doing our best to operate legally, and I'm trying not to go to jail. So, you know, we've really been working hard on getting, you know, learning about the regulation in the country and how to operate and accept customer funds. That's definitely been a long learning process, and it's still not finished. Even with talk of a BitLicense right now, you know, no one really knows what that means. Currently, it doesn't mean anything. So, you know, it's a challenge to operate a business when, you know, you are, you know that you're going to have to pay for regulation. You know it's coming, but, you know, you're also trying to show investors that you're getting that uptick in business. And so that's something that has a U.S. have been changed. We're not necessarily alone in that. It's one of the challenges that you have to work really hard at. The current environment in the U.S., you know, we're about six to 12 months from a solid regulatory framework. You know, right now you do see SecondMarket really leveraging their broker-dealer license, and I think that there's a lot more to come there. But, you know, for most companies, it's still going to be a wait-and-see approach. The best thing you can do is really prepare your technology for that day that you're allowed to operate.
Second, support from banks has continued to deteriorate. We're actually one of the few Bitcoin companies that have a U.S. bank account. It took us three months to get. It was very, very difficult, and our bank is our alternate regulator. Right now, it's an operating account with a promise to help us get MSB licenses, but, you know, what you're constantly seeing is, you know, most companies aren't getting these bank accounts. And on the other side, you're also seeing traders have a lot of issues. So, you know, I find us, you know, connecting people with Maltese banks just because, you know, if they're running a Bitcoin trading practice out of, you know, maybe their Chase account, these are getting shut down and, you know, it happens overnight. So, you know, I think the banking situation will improve, but right now we're at a sort of an odd point where, you know, banks are very scared to work with Bitcoin companies. And probably for good reasons, you know, I think compliance is low, you have a lot of inexperience in the Bitcoin space still.
Another thing that, you know, we've really learned is, you know, we expect that money transmission, money transmission is obviously a part of the regulatory mindset that we have to take. But money transmitter licenses, as was discussed in the BitLicense hearing, really don't fit Bitcoin companies. One of the biggest issues that I've noticed is in some states, if you hold Bitcoins, you would also have to hold an equal amount of U.S. dollars or be bonded for it. And this is something that really doesn't make a lot of sense, and it would be completely not feasible to run a business like that. So that really shows you that it's not just going to be an overnight process where companies go get money transmitter licensing. The laws are going to have to change, and that's going to take regulators time to create those laws. Second, you know, I look at, I think there's still a big learning for the regulators. So looking at, comparing for instance Coinbase and Blockchain, a regulator will look at both of these companies and say these are companies holding customer funds and they both need to be regulated. But a deeper look into Blockchain will show you that Blockchain, as a company, doesn't necessarily hold customer funds. They're actually much more similar to a desktop wallet. So, you know, what is the regulation that Armory would have to face versus Blockchain? Should those be different? In my opinion, probably not. So, you know, really, I think it's also going to take a lot of time for regulators to come to grips with issues like that.
I mean, this whole financial revolution that's happening right now is based off of minimizing the place that the third parties have as a trusted third party. You know, Blockchain is a great example of a company minimizing that, and I think that this is still very early days. Regulators are going to have a lot of catching up to do. You know, finally, another very difficult question, this is brought up in the BitLicense hearings, is dark wallet technology, coin mixing. These are things that are going to exist. While we have one faction of the space really pushing towards getting licenses and creating regulation for companies like ours, you have another faction really working hard on, you know, pushing Bitcoin to the anonymous limits. That's going to happen. So, you know, how is regulation going to play with that? Will companies that don't have public ledgers that are easily, that you can decipher, are those technologies going to become illegal? Or will they not? You know, there are a lot of unanswered questions here.
And, you know, I think despite all this uncertainty, U.S. companies, first I speak with, you know, Bitcoin is global, and I speak as a U.S. citizen and a U.S. company, but in the U.S., currently, foreign companies are winning. That's not going to be sustainable. In the end, when you look at the regulation that's going to be coming into the space, U.S. companies are going to win, so the companies that can survive right now with the technology that will be needed to quickly run when regulation starts to kick in, those are going to be the companies that win. And, you know, I also strongly believe that someday banks will acquire Bitcoin exchanges. So while they hate Bitcoin right now, you know, over the long run, they're going to see that there's a strong profit incentive to owning a Bitcoin exchange, especially as this becomes a backbone to peer-to-peer payments and even international money transfers. You know, owning that exchange, the transaction profits associated with that, is going to be very important. And what, you know, some of the large forex companies and the banks don't see yet is that we're really creating a customer base for them, and someday they'll see that.
You know, finally, I just want to touch upon a view I have about altcoins. And this is where I start talking about Dogecoin and the alt that up. But just kidding. But, you know, when I look at an altcoin, you know, you have a lot of interesting altcoins coming out right now. What is really important in an altcoin for it to succeed over the long run is that it has a useful infrastructure above it. So looking at a lot of the distributed securities exchanges coming out and technologies like that, those are very big use cases. I think we're just touching the beginning of this in general. Ripple would be another system that you look at: if banks demand their payment network, the XRP is brought up in value just by consequence. So looking at any sort of distributed public ledger, if you think that that ledger has use to people and will be used, you know, that's a decent bet, at least that that altcoin below it may rise in value. And with that, I'm happy to answer any questions.
It didn't depend.
You work with this?
It wasn't clear.
Yeah.
No.
But, you know, we work with, we work with Farkasi Bank in Malta, our U.S. bank, we know.
What president?
Thank you.
Did you say where you're from?
Yeah. Alice, I'm from New York. So I was interested, you put up the China exchange trading volume. How, from an exchange perspective, do you know what's fudged and what's real in terms of volume? There's a lot of accusations of Huobi fudging that volume over the last few months and, you know, it only dropped when there was a lot of attention.
Yeah, Huobi's crazy. You know, we've tried to do a little bit of research, and I think we came up with a very similar thought, that possibly the majority of their trading is just completely evaporated. So, you know, that's a tough thing in showing a global statistic. Someday, I think we'll figure that out, especially as more and more companies link to exchanges, those issues become apparent, because the actual liquidity there doesn't necessarily match what they're displaying in terms of transaction volume.
Dustin Brandt from Munich. I have a question on the typical American customer. What do you think? How many, what percentage of American customers and the Bitcoin trading volume is handled through American companies like Coinbase or LocalBitcoins? And tell them how many people and which kind of people are really going overseas to do the transactions using Bitstamp or other exchanges?
Well, an important thing to think about with Coinbase as well is the backbone to Coinbase is Bitstamp. So, and that's pretty common for any other brokers in the space. And pretty much every, you know, Bitstamp is a liquidity source for everyone right now, Coinsetter as well. So, you know, I would say, I haven't looked at Coinbase's recent transaction volume, I assume maybe it's something like $60 million a month. I'm sure it's public somewhere. But, you know, I think the important thing to think about is, you know, if Bitstamp or a lot of these other exchanges are operating, you know, accepting U.S. customer funds, offering full exchange with Bitcoin, you know, and they are subject to, you know, what FinCEN laid out in March, I think it's going to be very tough for them to get money transmitter licenses, given that they're not based in the U.S., given that they've been operating illegally for so long, and even if they get those licenses, they're going to have a huge, huge fine. So millions of dollars worth. And I know Nate's, he's pretty cheap, so I don't know if he might not go into the U.S., but, I mean, it's pretty early to say, but I think when you look at other industries that are regulated in the U.S., especially in financial services, it tends to be protective of U.S. companies and they try to push non-U.S. companies out.
Yeah, Robert from Sweden. How do you think the environment will look like in half a year, one year? Will it be just a few exchanges or a lot of them, so you have like one exchange in every jurisdiction?
Yeah, I bifurcate the industry into, like, a full order book exchange. That's what Coinsetter is. That tends to be the backbone of liquidity, and that's also excluding maybe futures and options markets that companies in the space, such as Coinsetter, may be working on as well. But, you know, I think the full order book exchange, that will be just a few companies. Those are very difficult to build. You know, I can tell you I thought we were going to build ours in three months, with many more features. To build a really low latency system that is well tested and works properly, I mean, that takes you nine to 12 months. So I think there will only be a few really good full order book exchanges, half of it, who can get the licenses. On the kind of like cash to Bitcoin side, I think that's going to be a very decentralized market. So we recently saw it happen in the UK, I believe, with Barclays of Boyd, Barclays. I think you're going to start to see stuff like that happen at Wells Fargo. So I think you're going to see that. You're going to see a lot of Mamasuos pop up. That cash to Bitcoin component, I think that's actually a really important part of the space. I mean, you know, I used my ATM card and pulled out euros when I came here, and I really look at, more and more people are going to hold Bitcoin, or at least use the Bitcoin infrastructure in some form, to pull cash out when they go to a country. And also put it back with that, that's another tough part. So pretty early days, but I think that that side of the business, any company that kind of deals with people in person, those are going to be very decentralized.
Hey, awesome presentation.
All right. Thanks a lot.
Good job.
It seems to be a very popular topic about you with regards to Bitcoin. In another talk on Bitcoin exchanges.
We actually protect two of the largest Bitcoin exchanges, that's BTC China and Bitstamp. So first a little bit about Incapsula. We define ourselves as a web application delivery in the cloud. So what we do is we offer different services that relate to website security and website acceleration. That includes DDoS mitigation, web application firewall, CDN, load balancing, and lots of other services.
So first a few words about DDoS in general. DDoS is a very popular and common type of attack on websites. And the purpose of these attacks is to deny service for real business to the website. And usually it's done by generating false traffic in different ways to the website. So that's a very general definition. Actually, there's hundreds of different ways of how to generate DDoS. And it's actually, it's also evolving together with the internet. So the methods that are used to generate attacks and the volume of the attacks keeps growing and keeps changing all the time. In general, you can divide the type of attacks, these attacks, into three categories. The first category is called volume-based attacks, or volumetric attacks. And the purpose of these attacks is to generate very large amounts of traffic, to send them to a web server or a website, and simply clog the pipes or the capacity of the server.
There's different ways to do that, but usually the technique used is called amplification. So if the hacker has access to a certain amount of bandwidth, say 10 megabits per second, they're actually using, they're not sending it directly to the attacked website, they're using other servers, like DNS servers, and they get them to send the traffic to the attacked website. And when they do that, they actually increase their capacity. So they can actually generate a much larger attack than the machines that they control. So the only way to deal with these kinds of attacks is to have enough capacity or infrastructure to take in the attack. It doesn't matter if you can tell that this is junk traffic or that this is a volumetric attack, you're still going to get clogged. So you need to have enough capacity to take in the attack while letting the legitimate traffic in.
The second type, actually the two first categories are sort of similar. They usually call them network attacks because they all happen on the network layer, not on the application layer. And the second type is protocol attacks. These are the attacks that try to abuse other resources of the server, not the bandwidth. So it could be networking resources, it could be connections, it could be the firewall, something to do with the networking on the server. The most common type of attack there is called SYN floods. That's where the hackers, they open a lot of connections with the attacked server, and they never close them. So you get a server that keeps opening connections until they reach their capacity. Then when real visitors try to connect to the server, they can't. And the third type of attack is called application layer. This is where the hackers use usually HTTP traffic that seems to be like real visits to the website. There's different ways to do that with different levels of sophistication. But the problem there, these attacks usually are much smaller. They don't require a lot of bandwidth, but they're much harder to mitigate because it requires being able to tell the difference between the fake traffic, the robotic traffic, and the real visitors to decide. So you don't want to block everyone when you're under attack, that defeats the purpose. We want to be able to let the real visitors in and block the robotic.
So I'm going to present the case here of one of the attacks we recently mitigated. It was one of the most sophisticated attacks we had to deal with. It actually lasted a long time, it lasted several weeks. It really never died down, it's still happening on occasions, but the major waves we have managed to mitigate. The target of this attack, I'm not going to be able to say the name of the company, it's one of our customers. They're a trading platform, a forex trading platform. And they're actually a multi-tenant environment. So they allow businesses to open a trading platform on their infrastructure. And that creates vulnerability for them, because if one of the tenants in the environment gets hit, everyone suffers. This is actually what happened with this attack. One of the brands, one of the trading brands on their platform got hit. And that caused problems for the entire system. So the first wave of this attack was a volume-based attack. It was a SYN flood of 30 gigabits per second. That's actually quite a lot of traffic, but it's not a huge attack in our standards. We see attacks of 100 gigabits per second, and we can absorb that. But the thing that was interesting about this phase of the attack is that the hackers weren't using amplification. So what that told us is they have access to a lot of resources. If you can generate 30 gigabits per second of traffic just using your own resources, without amplifying the traffic, that means you have a huge amount of resources, which in this context means they have possession of a very large botnet which they used to generate the attack.
Sorry to interrupt, but can you please explain what DNS amplification, could you please explain what DNS amplification is?
The DNS amplification is one of the methods I talked about before to generate volumetric attacks, and what they do is they query open DNS servers with queries for which the response is very large. Like they ask, all the information you can give me about the DNS. And then they spoof the return address. So instead of you getting the answer back, you spoof it to the attacked website. So what you get is a lot of DNS servers sending answers to a website that never asked the question.
Okay, so what we did to mitigate this phase of the attack is what we usually do with the volumetric attacks, we divide the traffic. I mentioned we are a CDN, so we have data centers all around the world, and we use networking protocols to divide the attack traffic between them. So this is how we can absorb. Now, in each one of the data centers we have redundant servers that are meant to take in DDoS traffic. So this is how we managed to take the attack. Also, we did some blacklisting of the IPs that we could identify to be generating the attack.
So then the second phase of the attack, and here the attackers already started to use application layer attacks. So what they did is they used Ajax requests to access a resource, a very heavy resource, on the customer's application. So the reason they used Ajax is not by coincidence. Some of the techniques that we use to tell apart bots from humans, you can't use them with Ajax. Because what we do a lot of the times is we send JavaScript code to a visitor, and we try to see whether whoever is on the other side can process the JavaScript. So real browsers can process JavaScript. Bots usually can't. But when it comes to Ajax, we cannot use this means because Ajax requests don't process JavaScript. So the hackers were already becoming aware that the customer is on Incapsula and they became aware of some of the means that we were using, so they used Ajax to confuse us. Also, the resource they were accessing was something that only registered users of the application would access. So what they did is they got a hold of a list of registered users, so they can use them to access the resources. That was another indication that this attacker was well prepared for the attack, and then they prepared an attack.
So the way we blocked this part of the attack is, since we couldn't use the normal means we use, which is JavaScript and cookie tests, what we did is we used behavioral detection. So this is a filtering method we use where we try to identify behavioral aspects of the visits that tell us that these are bots. So, for example, we could look at the rate that the requests are coming, at the variance of the rate of requests. If someone is accessing the resource every second, that tells us, you know, maybe it's a robot, maybe it's not a human. It's also about the parameters that go into that. Also reputation techniques, so we will start identifying IPs or combinations of IPs, headers, and so on. And that helped us identify the attack of the crisis. So that took care of the second phase of the attack.
And after a while, it was the third phase of the attack. And what happened in this phase, the attackers were starting to use their botnet, were actually opening up real browsers on infected computers on the botnet that they were controlling. So the way it was supposed to work is the browser was supposed to open without a UI. So whoever got infected by the virus, it would actually open up a lot of browsers, but the users would not see them. But it turns out that the hackers, they had a bug in the virus, and on Vista machines it opened up the browsers with the UI. So what we had is a lot of people that started seeing 20 browsers open up at the same time. And since we were already mitigating the attack, they would see Incapsula's logo on the browsers. So what that caused is a lot of people thought we were the virus that was affecting them. So we started getting a lot of hate calls. A lot of angry people calling us saying, I never installed Incapsula, why are you on my computer? Why are you opening browsers on my computer? So how did we handle that part of the attack? So what we did eventually is we got in touch with one of the people who were infected and we got a hold of the trojan, of the virus itself. Then we started reverse engineering it to see how it worked. So that gave us some information about how the control center for the attack was sending commands to the bots. And using that, we started to create signatures to identify the bots. So that helped us block this wave in the attack also.
So when that died down came the fourth wave of the attack, that was the most intense part of it. And what the hackers used in this case, they used something called headless browsers. So headless browsers are software that imitate a browser. It's more advanced than a simple bot because it can really do anything a browser can do, including they perform JavaScript, handle cookies and so on. The specific type of headless browser used here was PhantomJS. This is open source code. Usually it's used for load testing and stuff like that. But in this case it was used for an attack. And the traffic sent in this phase of the attack was huge. So it was 150 hours where we saw 180,000 different IPs used, 700 million requests per day. And you can see in the animation that it was also distributed globally. And also we noticed that the attackers were also getting more and more sophisticated, and they noticed that we were using behavioral filters to block the attack. So what they did is they started to try and counter our behavioral filters by adding a lot of randomness in how the bots were used. So things like the rate of requests were randomized, the IPs that were used, everything was randomized to seem like real people.
So what we did actually in this case to mitigate the attack:
again, we couldn't use the JavaScript test
and cookie tests we usually do, because
headless browsers can handle them.
And we couldn't use behavioral,
or it was hard to use behavioral,
because the hackers were trying to avoid that.
Luckily, PhantomJS is not new to us.
We have a lot of information about known bots like PhantomJS,
and we create what we call signatures for these kinds of bots.
So a signature can be a combination of attributes like headers,
whether the header is written in lowercase or uppercase,
you know, encoding, how the client handles encoding,
and that helps us identify these bots.
So this is a filter that exists in our system,
been there for a long time.
So we can easily identify
that the requests were coming from PhantomJS.
Now, with a regular customer,
we don't usually block that, because it could
be a legitimate request.
But since this was a huge attack being
aimed at our customer, we changed the rules
so every PhantomJS request would
pop up a CAPTCHA for the visitor.
So this gave a chance
for people who were
falsely identified as PhantomJS to redeem themselves by filling in the CAPTCHA.
Surprisingly, that hardly happened.
Almost all the requests were blocked and never managed to fill in the CAPTCHA.
So this is how we blocked this phase of the attack.
Okay, so this was the last major phase of the attack.
Actually, this customer keeps getting hit by smaller waves.
So the hackers never entirely give up.
But nothing that really has an effect on the customer.
So I'm going to mention the five commandments of DDoS mitigation.
These are conclusions from this case, and other cases that we helped mitigate,
of what you should look for in a DDoS mitigation service.
So the first commandment is: absorb all that is cast upon you.
That relates to the volumetric attacks.
And really the only thing you can do against these attacks is have enough infrastructure.
If you get a DDoS mitigation solution that has under
100 gigabits per second of capacity, you're not doing anything.
So you need to get a service that has a very large capacity to take these attacks.
Second commandment: thou shalt be invisible.
So that means your regular visitors should be unaware that you're being attacked.
Otherwise, if you're mitigating an attack and the regular visitors get blocked or they have
some negative effect on their browsing experience,
then again, you're not doing anything.
Especially when it comes to trading systems,
you don't want people thinking that you're being attacked;
it gets them worried when they know that you're under attack.
So we call it false positives.
With every mitigation process,
some of the real visitors are going to get identified as bots and blocked.
But you should try and get a service
that minimizes the rate of false positives.
The third commandment: let the innocent step forward.
So in those cases that do happen,
when real people get blocked,
you need to give them a chance to redeem themselves.
That usually would be a CAPTCHA, filling in a CAPTCHA.
Or if they get completely blocked,
you need to give them a chance to contact you or someone
and say that they shouldn't be blocked.
So just blocking them without any message or any information
on why they were blocked is not going to work.
The fourth commandment: respect the Internet gods.
So just categorically blocking all the bots
is also not a good solution,
because there are those bots that you do want to let in,
like Googlebot and other search engines.
And if you block them for, say, several days,
you're going to get hurt.
Your website is going to get hurt just as much as from the DDoS.
So you need to be aware of the kind of bot that accesses your website
and only block those, you know,
what we call the bad bots.
And the fifth commandment: precise detection is divine.
That means
we usually don't want to be in DDoS mode
always. Our customers
are either in regular mode
or DDoS mode. So
if you're always in DDoS mode you're going to get a lot
of false positives and you're going to pop up CAPTCHAs
to people. You don't want that,
but you also don't want to monitor your
website all the time. So we need some sort of
an automated system
that will trigger DDoS mode when it's required.
Usually it's a rate limit. It's something that measures
the number of bots that enter your website per second,
and then when a certain level gets exceeded, you should go into
DDoS mode.
That's it.
Questions?
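
As an added example for this page (the editor's own illustration, not Incapsula's code and not the signatures or thresholds the speaker used), the Python sketch below puts the three mechanisms from the talk into working code: a signature built from a combination of header attributes (the talk names header casing and encoding handling) to recognise a headless browser such as PhantomJS, a mode-dependent policy that lets a signature match through in regular mode but serves it a CAPTCHA in DDoS mode while never blocking a known crawler outright, and an automatic DDoS-mode trigger on requests per second with hysteresis. Everything concrete in it is an assumption: the three signature rules, the `GOOD_BOT_TOKENS` allowlist, the `on_rps`/`off_rps` thresholds and the sample traffic are constructed for illustration.

```python
"""Added example (editor's illustration, not Incapsula's code): signature
matching, a mode-dependent CAPTCHA policy and an automatic DDoS-mode trigger,
run over constructed traffic. All rules, thresholds and samples are assumptions."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Request:
    ip: str
    headers: dict   # header names exactly as the client sent them, in order
    ts: float       # arrival time in seconds


def _lower(req):
    return {k.lower(): v for k, v in req.headers.items()}


def headless_signature(req):
    """Return the names of the (assumed) signature attributes that matched.
    One hit is weak evidence (a User-Agent is trivially forged), so the policy
    below requires a combination of at least two, as the talk describes."""
    h = _lower(req)
    hits = []
    if "phantomjs" in h.get("user-agent", "").lower():
        hits.append("ua-phantomjs")
    # Browsers send canonical header names (Accept-Encoding); an all-lowercase
    # set of names is a cheap tell for many HTTP libraries and headless tools.
    if req.headers and all(name == name.lower() for name in req.headers):
        hits.append("lowercase-header-names")
    # Browsers always advertise which content encodings they accept.
    if "accept-encoding" not in h:
        hits.append("no-accept-encoding")
    return hits


# Fourth commandment: known good crawlers are never blocked. Assumed allowlist;
# production would also verify the claim by reverse then forward DNS lookup.
GOOD_BOT_TOKENS = ("googlebot",)


def is_good_bot(req):
    ua = _lower(req).get("user-agent", "").lower()
    return any(tok in ua for tok in GOOD_BOT_TOKENS)


class DdosModeTrigger:
    """Fifth commandment: enter DDoS mode when the one-second request rate
    exceeds on_rps; leave it only once the rate drops below off_rps."""

    def __init__(self, on_rps=100, off_rps=50):
        self.on_rps, self.off_rps = on_rps, off_rps
        self.window = deque()      # timestamps of requests in the last second
        self.ddos_mode = False

    def observe(self, ts):
        self.window.append(ts)
        while self.window and self.window[0] <= ts - 1.0:
            self.window.popleft()
        rps = len(self.window)
        if not self.ddos_mode and rps > self.on_rps:
            self.ddos_mode = True
        elif self.ddos_mode and rps < self.off_rps:
            self.ddos_mode = False
        return self.ddos_mode


def decide(req, ddos_mode):
    """Return 'allow' or 'challenge'. Third commandment: a suspected bot gets
    a CAPTCHA it can solve, not a silent block, and only while in DDoS mode."""
    if is_good_bot(req):
        return "allow"
    if ddos_mode and len(headless_signature(req)) >= 2:
        return "challenge"
    return "allow"


def run(requests, trigger=None):
    """Feed requests in arrival order; return (ip, ddos_mode, decision) per request."""
    trigger = trigger or DdosModeTrigger()
    out = []
    for r in requests:
        mode = trigger.observe(r.ts)
        out.append((r.ip, mode, decide(r, mode)))
    return out


def sample_traffic():
    """Constructed traffic: one human, one Googlebot, then a PhantomJS flood of
    300 requests spread over 200 addresses within three tenths of a second."""
    human = Request("203.0.113.5", {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0",
        "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.5"}, 0.0)
    crawler = Request("192.0.2.9", {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "Accept-Encoding": "gzip"}, 0.1)
    phantom_ua = ("Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 "
                  "(KHTML, like Gecko) PhantomJS/1.9.7 Safari/534.34")
    flood = [Request(f"198.51.100.{1 + i % 200}",
                     {"user-agent": phantom_ua, "accept": "*/*"}, 0.2 + i * 0.001)
             for i in range(300)]
    return [human, crawler] + flood


if __name__ == "__main__":
    results = run(sample_traffic())
    challenged = sum(1 for _, _, d in results if d == "challenge")
    print(f"{len(results)} requests, {challenged} challenged with a CAPTCHA")
```

Running it, the human and the crawler are allowed, the first flood requests are also allowed because the site is still in regular mode, and once the rate trigger flips to DDoS mode every remaining PhantomJS request is challenged rather than dropped, which is the "redeem yourself" path the talk describes. The signature and the trigger are deliberately independent: the trigger decides when to be strict, the signature decides whom to be strict with.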
Since we are handling Bitcoin, I wonder, these mitigation services, they have to
know the actual traffic, right?
So you have to read a cookie or something like that,
since you are using these cookies, for instance,
to check if a user has completed the CAPTCHA and something like that.
But then if we are the business and
we want to protect our customers from
the DDoS,
we use HTTPS, and so
the traffic has to be routed through your
services, right? So you know the content
of the users. So if they put in their password,
for instance, you know their password, right?

We know it, but we don't keep it. We don't save the information
on our servers. We filter it and we let it through.

Okay, you probably do that, but in Bitcoin it's always about provable trust.
So how can we prove to the user that the password is not stored in any other place?

Well, first of all, if it's HTTPS, it's going to be HTTPS also while you're on Incapsula.
So it's going to be encrypted from the visitor to Incapsula, and from Incapsula to your server.
So just like any other HTTPS communication, it's encrypted.
And as I said, in that part of the way where we decrypt and filter the traffic, we don't save it.
So that rests on our reputation.

Okay, thank you.
This was all about DDoS.
What about something like additional security, like SQL injection, cross-site scripting?
DDoS is just the base, it's primitive, I mean, it's been around for a long time,
but there's a much bigger threat than just DDoS.
I mean, if we go with you,
change our DNS, change the NS, is there any additional
layer of security?

Yeah, well, actually, the topic of this presentation was DDoS,
but we do a lot more than that, and it's a good question.
What you're talking about is a web application firewall.
That's the thing that blocks SQL injections,
cross-site scripting and all that.
Actually, I haven't spoken about it,
but we're a subsidiary of Imperva,
which is a provider of web application firewalls
and a well-known company in this field.
And we started as a company
that offers their web application firewall technology
for the cloud.
Only then we added DDoS and the other services.
But that's still a major part of our service,
and any enterprise account gets
the web application firewall as well.
Hi.
Is this service tailored in any way to the Bitcoin
ecosystem or exchanges,
or is it just a generic
DDoS mitigation service?

It's generic, but it can be
tailored, not to Bitcoin in general,
but to a customer.
So the part
that's the web application firewall
that I have spoken about
is customizable to your
specific application. So if you have
certain patterns in your API
that seem to be attacks,
you can exclude them, or you can
add other patterns that you worry about.
So it's very customizable.
Part of it is done by us,
where we have a managed service.
But you can also do it yourself.
So you have custom rules that you can add
to the web application firewall and then fit them to your
specific application.
Actually, I've got the mic.
Can I ask you a quick question?
You mentioned that
you don't really store any packets,
but you host
the SSL certificate, right?

Yeah.

And what about cases where a client
has an EV certificate?
Does that invalidate an EV certificate if you're the one who's actually hosting the certificate?

So we have two options of how to host a certificate.
One of them is an Incapsula-generated certificate,
in which case the visitor is not going to see your branded certificate,
but see ours.
And it's a SAN certificate, so it's going to be joined with a lot of other domains.
But for enterprise customers, you have an option to upload your own certificate
to our servers, and then the user is going to see your certificate,
just the same as if they had gone directly to your site.

Thank you.
And what is the source of one number that I got?
I think it's something like 10,000 layer 7 web requests per second.
I'm asking because to me that seems something that, on a system that scales out,
could be easily handled.
But I'm worried whether tomorrow or next
year we see an attack
with 10 million
requests per second.

Right, so
if you have a mitigation
service, especially a cloud-based
mitigation service, it doesn't matter
from your point of view, because these
requests are handled
in the cloud before
the origin server. So
it's actually our problem.

It's a request rate where I think, if you just
handle it as you said, there's a high risk
of false positives.

Oh?

Yeah, but the rate of false positives doesn't depend on the number of requests.
It depends on how well we know to tell them apart from real ones.
It's a measurement that we use to check ourselves, to see how well we can tell apart bots from humans.
But it depends on how well our rules do that; it doesn't depend on the number of requests.
Yeah, thanks for the presentation.
Just a very small, short question.
Is there any way to get these guys?

To get these guys?

Yeah.

We don't deal with that.
We don't even try to get them.
We try to only block the attacks.
I'm not aware of any service
that has the approach of trying to identify
the source and then getting them.
It's too complicated, it's too hard,
and there are a lot of ways for them to hide themselves.
It's just a matter of blocking.
Let me just add a question to my question.
What are typically the motivations
for these kinds of attacks?

The two main motivations are commercial, so competitors, and political.
Another question. If, for the web front end, we would use a mitigation service like yours,
is it possible to get, like with an API, the IP addresses or something like that
of all the bots you think are bots right now,
so we can just block them on our other services that are not web-based,
if they try to attack us from the same locations?
Is it possible to get these IPs?

Sorry, you said to get APIs to what?

APIs to get the IP addresses, for instance,
of the sources that you think right now are trying to attack us,
so we can block them on other firewalls and gateways,
for instance.

So yeah, first of all, we offer APIs.
We also have a dashboard for users.
You can see, we have an events view
where you're going to see exactly who tried to
attack the server, and you get
the IP list from there, or even through the APIs.
Well, congratulations
on keeping people's interest this late today,
right before the drinks reception.
Let's give him a round of applause.
We hope you enjoyed this episode
about Inside Bitcoins Berlin.
If you liked our coverage of the conference,
please consider tipping us
at epicenterbitcoin.com/tips. You can also subscribe to our weekly newsletter at epicenterbitcoin.com/newsletter.
We really enjoyed providing you coverage of this conference. We're excited about the journey we're on
with Epicenter Bitcoin. And we're grateful to have you as our listener.
