Bitcoin: its infrastructure against an Adaptive Botnet
Patrick Hamilton
Quantum Computing AI Technologist | Machine Learning & Neural Network Specialist | Cybersecurity & Technology Expert | Financial Institutions & Critical Infrastructure | Solution Architect | CISSP
Bitcoin is back on another historic rise, and yet its infrastructure is still vulnerable to an adaptive botnet attack. Fair warning: this posting is more of an off-the-cuff, open brainstorming discussion than an academic article (yet). I do provide references to back up my thoughts, however.
But wait, "Bitcoin's decentralized network is too big to fail," is the common reply to any discussion of an attack against its infrastructure. That is true to some extent, but not entirely. There are two items to bring up about this. One is that nearly half of the infrastructure resides with five companies, AntPool, BTC.com, BTC.top, F2 Pool and ViaBTC, which does make one wonder about the validity of Bitcoin's original point of decentralization. But that is not the main point, actually. The main point is the other half of the infrastructure, which for the most part consists of immature systems, or systems with immature security postures: namely, wallets on personal computers.
Destroying Bitcoin does not require the complete destruction of its network, only the destruction of the confidence people have in the Bitcoin system. A decentralized, unregulated network that can be used on home systems poses a number of problems. Unlike most banks, which have regulations in place should there be a loss of money, there are no such assurances with Bitcoin on home systems.
The one I am bringing up is an adaptive botnet that seeks out and destroys those nodes or systems hosting wallets. I use the word 'adaptive' in the sense of using machine learning to allow such a botnet to essentially keep itself alive (using a different blockchain as its own form of Command and Control, or C2) and to change its attack parameters, such as switching from the default port of 8333 to others.
The first step for a botnet conducting its attack (OK, for simplicity's sake I am jumping ahead to the actual attack stages) is to determine its targets. Bitcoin does quite a job of hiding the IP addresses of its nodes, especially for those taking extra precautions, such as using Tor. But an IP address will be discovered, especially if a node is compromised by the botnet. So how easy is it to find IP addresses that have or are using Bitcoin?
Bitnodes (bitnodes [dot] io)
This site provides a nice global visualization of Bitcoin nodes (10907 nodes as of this time). And to boot, the source code is available on GitHub. The link below provides the leaderboard listing of IP addresses:
Then there are other sites, such as Blockchair, which provides a listing of IP addresses (8117 as of this time) and looks like it is based on Elasticsearch.
Another possibility is using a Bayesian method, as detailed in the article "A Bayesian approach to identify Bitcoin users" by Péter L. Juhász, József Stéger, Dániel Kondor, Gábor Vattay and Ivan Olier. The theory looks sound from reading it, though the authors admit it isn't 100% accurate because multiple users can share the same IP address. However, accuracy for a botnet attack does not need to be high, which is why I believe this approach has merit.
In theory, though execution will be difficult, a system created from the code of DoublePulsar and EternalBlue could be modified to hunt down and attempt to exploit those nodes/wallets. Or, rather than exploiting them, it could aim at conducting DDoS attacks. There are challenges, of course; one example is that most home networks have dynamic IPs and thus the IP may no longer be valid (this can be rectified by a secondary confirmation check prior to attack). Others include the use of effective security appliances, which would be especially true for well-funded nodes/wallets.
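From the defender's side of the target-discovery and DDoS stages just described, here is an added example (not from the original posting): a small Python script that reads constructed iptables-style firewall log lines from a hypothetical home node and flags both a flood of distinct sources against the default port 8333 and a single source sweeping neighbouring ports, the kind of probing a botnet hunting for nodes moved off 8333 would generate. The log format, the addresses (documentation ranges) and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables-style kernel log lines from a hypothetical home node host
# (192.168.1.5); source addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
Nov 20 10:00:01 node kernel: IN=eth0 SRC=203.0.113.10 DST=192.168.1.5 PROTO=TCP SPT=44120 DPT=8333 SYN
Nov 20 10:00:01 node kernel: IN=eth0 SRC=203.0.113.11 DST=192.168.1.5 PROTO=TCP SPT=50211 DPT=8333 SYN
Nov 20 10:00:02 node kernel: IN=eth0 SRC=203.0.113.12 DST=192.168.1.5 PROTO=TCP SPT=40001 DPT=8333 SYN
Nov 20 10:00:02 node kernel: IN=eth0 SRC=203.0.113.13 DST=192.168.1.5 PROTO=TCP SPT=40002 DPT=8333 SYN
Nov 20 10:00:03 node kernel: IN=eth0 SRC=203.0.113.14 DST=192.168.1.5 PROTO=TCP SPT=40003 DPT=8333 SYN
Nov 20 10:03:10 node kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP SPT=51000 DPT=8333 SYN
Nov 20 10:03:10 node kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP SPT=51001 DPT=8334 SYN
Nov 20 10:03:11 node kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP SPT=51002 DPT=18333 SYN
Nov 20 10:03:11 node kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP SPT=51003 DPT=8332 SYN
Nov 20 10:03:12 node kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP SPT=51004 DPT=8335 SYN
Nov 20 10:05:00 node kernel: IN=eth0 SRC=198.51.100.20 DST=192.168.1.5 PROTO=TCP SPT=39000 DPT=8333 SYN
"""

# Captures the HH:MM minute bucket, the source IP and the destination port.
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d:\d\d):\d\d\b.*?\bSRC=(\S+).*?\bDPT=(\d+)")


def parse_line(line):
    """Return (minute_bucket, src_ip, dst_port) for a firewall log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def analyze(log_text, node_port=8333, flood_sources=5, sweep_ports=4):
    """Flag (a) minutes in which at least flood_sources distinct IPs hit node_port,
    a flood/DDoS signal, and (b) single sources probing at least sweep_ports
    distinct ports, a hunt for a node that moved off the default port."""
    sources_per_minute = defaultdict(set)
    ports_per_source = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not firewall records
        minute, src, dport = parsed
        ports_per_source[src].add(dport)
        if dport == node_port:
            sources_per_minute[minute].add(src)
    return {
        "flood_minutes": {m: len(s) for m, s in sources_per_minute.items() if len(s) >= flood_sources},
        "sweepers": {src: sorted(p) for src, p in ports_per_source.items() if len(p) >= sweep_ports},
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The single connection from 198.51.100.20 at 10:05 is an ordinary peer and is not flagged by either rule.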
As with any cyber-attack, the goal is generally to find the weakest link in the network, and with the Bitcoin network that is the home systems. Attacking home systems, even if just to make their system run slow or bring Internet access to a crawl, and forcing expenditure on costly security services (DDoS protection, for example) and systems, will cause a loss of confidence among general users.
Is this all possible? Yes, it is. There was one botnet as of last year, the MasterMana bot, already used to attack wallets, but it relied on phishing attacks. That attack hoped that a recipient would have a wallet on their system, rather than finding the IP address. Again, accuracy is not important to a botnet attack. A very good, detailed report on this bot can be read from Prevailion (web search for "MasterMana BotNet - Prevailion Blog").
The other example of what can happen was the successful botnet attacks against BitMEX, causing a loss of confidence. Bitcoin dropped by $1,800 (from approximately $5,500 at the time). Bitcoin did recover quickly from the crash, but this does show the effect of one attack against one exchange.
The other aspect to this is the price manipulation of Bitcoin, as has been seen before. Along with sending out FUD (Fear and Utter Doom/Doubt) like this posting, but which, unlike this posting, makes the news, the price drops, which allows buying in at a lower price. However, Bitcoin can be shorted nowadays…
I can completely understand if I am perceived as conspiring to bring down Bitcoin just for a short. That is not the case, as I expect Bitcoin to keep going up into December. But one can expect that whoever unleashes a botnet against the nodes will be doing exactly that.
So why bring this up?
Well, I am very surprised at how Bitcoin is coming back. I had thought it was a revolutionary idea, but when studying and working with its network, I found some inherent problems with it. That is what surprised me about how strongly it is coming back, even with PayPal accepting it. I do believe blockchains have uses, some of which have yet to be realized, even as messaging, but Bitcoin itself is not going to achieve its lasting goals.
So, this is providing some thoughts on the vulnerability of its infrastructure, as opposed to regulated systems such as SWIFT. Of course, cybersecurity comes into play and should be the mainstay, but even today, cybersecurity has yet to be fully integrated and made effective for all organizations. When dealing with home-based systems, and even mobile devices, effective security measures are fewer still.
There are a number of points and questions that I need to discuss about this matter, but those are for future postings. For example, how can a botnet use a blockchain as a form of C2? That has already been proven, actually, and I will be talking, I mean typing, about that blockchain as well.
And also to provide as-yet-unrealized measures or systems that can counter such a botnet.
I am open to any questions, even statements to prove I am wrong. I find that differences of opinion lead to better results.
More to follow.