How to Protect Your ICO from DDoS

Anyone currently working on an ICO should make sure their platform is ready to take and process orders.

A distributed denial of service (DDoS) attack is one of the hardest attacks to prevent and poses a serious risk for any ICO. During a DDoS attack, the website is flooded with queries sent by a distributed network of malware-infected computers (a botnet). Eventually, the servers run out of resources.

Meanwhile, using DDoS attacks as a smokescreen, scammers try to execute even more dangerous security breaches — for example, to access the control panel of the website through an attack on the site administrator, or to mass mail a link containing an attack vector to users and potential ICO token buyers.

In the first case, the cybercriminals can gain complete control of the website and most likely change the wallet address shown to the coin buyers. In the second scenario, scammers replace the content of the users’ page and use the original website address for a more effective phishing attack.

1. Volume-based attacks. They happen when the number of queries is so high that it saturates the bandwidth of the attacked site and drains the network capacity.

2. HTTP flood and other application-level attacks. In that case, the main load is on the app server. Here it is crucial to separate bots from real users, for example by setting cookies, using JavaScript or Flash flags, or showing a CAPTCHA.

3. Protocol attacks. Those drain actual server resources, or the resources of firewalls and load balancers.

a) Apart from DDoS bots, the website is crawled by search engines, which should be allowed to do so.

b) Bots can be programmed to get around security measures, so solutions like cookies or JavaScript mostly serve to increase the cost of the attack for scammers.

c) The load created by a security measure should be lower than the load created when a bot gets past it (primarily a matter of CAPTCHA optimisation).

1. Install anti-DDoS services. Advanced DDoS protection services, such as CloudFlare, Incapsula, Akamai, or DoS Arrest, help to effectively mitigate volume-based attacks. But don’t fully rely on the third-party services — track their performance and investigate any unusual activity.

2. Use secure hosting. We use the Heroku platform, which has multiple out-of-the-box security features. It applies security controls at every layer from physical to application, isolates customer applications and data, and is able to rapidly deploy security updates without customer interaction or service interruption. Key hosting requirements also include scalability.

3. Install a web application firewall. WAFs like the one by Wallarm generate security rules and verify the impact of malicious payloads in real time. Make sure, though, that the WAF doesn’t impose excessive rules.

4. Look after your code. Quality control of the code and readiness to scale should become a priority. An additional audit of the smart contract and website code is recommended. We are planning to verify the code via newalchemy.io.

5. Keep an eye on your website. Track any changes to your web pages, including changes in their size and content. The tighter and more frequent the checks, the quicker you’ll find out if anyone attempts to make unauthorised changes.
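One way to implement the check in step 5, as an added example that is not code from the original post: it snapshots a page's size, content hash and payment addresses, then compares a later fetch against that baseline. The function names, the 10% size tolerance, the Ethereum-style address pattern and the sample HTML are all assumptions constructed for illustration.

```python
import hashlib
import re

# Assumption: the sale page shows Ethereum-style addresses (0x + 40 hex chars).
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

def snapshot(html: str) -> dict:
    """Record page size, content hash and the payment addresses shown to buyers."""
    body = html.encode("utf-8")
    return {
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
        "addresses": {a.lower() for a in ADDRESS_RE.findall(html)},
    }

def compare(baseline: dict, current: dict, size_tolerance: float = 0.10) -> list:
    """Return findings; an empty list means the page matches the baseline."""
    if current["sha256"] == baseline["sha256"]:
        return []
    findings = ["content hash changed"]
    drift = abs(current["size"] - baseline["size"]) / max(baseline["size"], 1)
    if drift > size_tolerance:
        findings.append(f"size changed by {drift:.0%}")
    # An address swap keeps the page size identical, so check addresses explicitly.
    for addr in sorted(current["addresses"] - baseline["addresses"]):
        findings.append(f"CRITICAL: unknown payment address {addr}")
    for addr in sorted(baseline["addresses"] - current["addresses"]):
        findings.append(f"CRITICAL: approved payment address missing {addr}")
    return findings

# Constructed sample data: an approved address, a rogue one, and two page bodies.
GOOD = "0x" + "a1" * 20
ROGUE = "0x" + "b2" * 20
BASELINE_HTML = f"<html><body><h1>Token sale</h1><p>Send ETH to {GOOD}</p></body></html>"
TAMPERED_HTML = BASELINE_HTML.replace(GOOD, ROGUE)

if __name__ == "__main__":
    baseline = snapshot(BASELINE_HTML)
    for finding in compare(baseline, snapshot(TAMPERED_HTML)):
        print(finding)
```

In practice the baseline would be stored when the page is deployed, and the comparison run on a schedule from a host outside the web server, so that a compromised site cannot also alter the check.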

And — be ready to react. If, despite all these measures, a DDoS attack happens right before or during your ICO, be prepared for it. Develop a splash page informing visitors that the website is under attack and that the team is doing everything possible to resolve the issue. Meanwhile, advise your potential buyers to visit your social platforms and support chats to get the most up-to-date information and answers.

Good luck with your secure ICO!
