Technical Report of Scaleswap DDoS Attack
Dear Community,
This report focuses on the nature of the incident (a DDoS attack) during our first IDO pool on 25 June 2021. It gives a general overview of DDoS attacks, describes how the attack played out at Scaleswap, and explains what the team has improved since.
I. DDoS — Background
One of the biggest security threats to any network is a DoS (Denial of Service) attack. A DoS attack means that users cannot reach the resource they need, which can cause a severe loss of business productivity. For example, if a business earns its revenue through its website, a DoS attack on the web server can have dire consequences.
A DoS attack is easier for an attacker to carry out than most other cyberattacks, and it can be hard for security administrators to tell attack traffic apart from a legitimate surge in traffic. This simplicity has made DoS attacks a major problem in today's IT security space and a serious challenge for organizations of all sizes.
DDoS (Distributed Denial of Service) is a form of DoS attack that is launched from numerous compromised devices, often distributed globally, in what is referred to as a botnet. A plain DoS attack, by contrast, uses a single internet-connected device (one network connection) to flood the target with malicious traffic.
Types of Attacks
An attacker can target any layer of the TCP/IP stack to cause network downtime. To prepare for the launch, we had realistic attacks generated against the platform beforehand, simulating the most common attack patterns. The system is typically tested against the following categories; each uses a different approach to deny access to the target.
Volumetric (Gbps)
Protocol / network (PPS)
Application (RPS)
The simplest way to deny access to a target is to consume all of the network bandwidth available to it. That is the goal of a volumetric DDoS attack: the attacker causes network congestion between the target and the rest of the Internet, so that legitimate packets never arrive.
Protocol DDoS attacks are designed to exhaust state or processing resources on the target itself, or on a device between the target and the Internet such as a firewall or load balancer. A SYN flood, which fills a server's half-open connection table, is the classic example.
Attackers also try to deny access at the application layer, either by exploiting vulnerabilities in an application-layer protocol or in the application itself, or simply by sending requests that are cheap to issue but expensive for the server to answer. Such attacks need far less bandwidth than protocol or volumetric DDoS attacks to succeed, which is why they are measured in requests per second rather than in bits or packets.
It is hard to compare the danger of Gbps (gigabits per second), PPS (packets per second) and RPS (requests per second) attacks directly, because it depends on several factors, chiefly the services the victim runs and its inbound traffic capacity. In general, the larger the attack (in bandwidth, PPS or RPS, depending on the attack type), the greater the damage.
II. General Cybersecurity State of Scaleswap
The Scaleswap IT department takes information security and cybersecurity seriously. Scaleswap has also had several security audits performed by its blockchain cybersecurity partner Hacken.
Scaleswap has a well-protected backend and a Web Application Firewall (Cloudflare) to mitigate the risk of intrusions and other attacks.
The completed audits:
- The core application smart contract, audited with the highest security score: https://hacken.io/wp-content/uploads/2021/05/ScaleSwap_06.05.2021Report_Audit.pdf
- Token smart contract audits, with the highest security score
- Web application security assessment, with the result: "highly secured."
III. The Scaleswap IDO DDoS Audit Report
Background of the DDoS Incident
The community had been notified that Scaleswap planned the IDO event for 25.06.2021 at 10:30 UTC, and based on general awareness of the project more than 30k visits were expected.
DDoS Incident
At pool start, a high volume of application-layer traffic (HTTP GET requests) arrived with a very steep ramp-up. Around 7 million requests were made to the application website within a short period, and they passed through the Cloudflare web application firewall: Cloudflare classified them as human traffic.
Of those roughly 7 million requests, only about 12k were blocked or challenged by Cloudflare, less than 0.2 percent. In effect, even the most malicious requests reached the origin.
The Scaleswap back-end was not prepared for such a high number of "human visits" and answered some users with errors. Those users hit the back-end during its downtime and, unfortunately, did not get a fair chance to participate in the IDO pool.
IV. Conclusion
This type of DDoS attack can be classified as an "HTTP GET flood" that mimics real users.
The reason some users experienced the out-of-service behavior: the Scaleswap architecture and infrastructure were not yet optimized to handle such a high number of parallel requests.
Info: What is “HTTP GET Flood”
An "HTTP GET flood" occurs when an attacker, or a group of attackers, generates a large, continuous stream of HTTP GET requests for a target website in an attempt to consume enough resources to make the server unavailable to legitimate users. In this case the attacking IP addresses never wait for a response from the target server, even though the server tries to answer every incoming request, so connections are left open on the web server. A large enough number of incoming GET requests eventually exhausts all available server resources and results in a successful DDoS. Each request is individually well-formed and valid, which is why this kind of flood is hard to distinguish from a genuine traffic spike.
V. Mitigation and Security Hardening of Scaleswap
Without disclosing the details of the hardening of our systems, the following measures were taken:
- Redesign of the application's architecture and infrastructure to handle a much higher number of concurrent users, in case an attacker bypasses the Web Application Firewall again.
- Fine-tuning of the Web Application Firewall with much more sensitive bot detection.
- A continuous bug bounty program with HackenProof.
- DDoS resistance testing.
Application-layer attacks are blocked by technology that monitors visitor behavior, matches known bad bots, and challenges suspicious or unrecognized clients with a JavaScript test, a cookie challenge and, when necessary, a CAPTCHA.
As noted above, Scaleswap has taken these measures to prevent further attacks of this kind. In collaboration with Hacken Cybersecurity Services, white-hat hackers are currently testing the platform for vulnerabilities and will continue to do so until the next IDO date.
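As an added illustration of the challenge layer described above (example code, not Scaleswap's or Cloudflare's implementation), the following models a cookie challenge and its escalation as a pure function: a client with no valid clearance cookie gets the JavaScript test, a cleared client that exceeds a soft request rate gets a CAPTCHA, and one that exceeds a hard rate is blocked. The clearance cookie is an HMAC over client IP, User-Agent and expiry, so a cookie harvested by one bot cannot be replayed from another address. The key, the thresholds and the window size are assumptions chosen for the example.

```python
"""Cookie-challenge clearance with rate-based escalation (added example)."""
import hashlib
import hmac
from collections import defaultdict, deque

# assumption: in production this comes from the edge's secret store
SECRET = b"replace-with-a-random-32-byte-key"


def _mac(client_ip, user_agent, exp):
    msg = f"{client_ip}|{user_agent}|{exp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_clearance(client_ip, user_agent, now, ttl=900):
    """Cookie value handed out once the client has passed the JS test.
    Binding it to IP and User-Agent limits replay to the same vantage point."""
    exp = int(now) + ttl
    return f"{exp}.{_mac(client_ip, user_agent, exp)}"


def verify_clearance(cookie, client_ip, user_agent, now):
    """True only for an unexpired cookie whose MAC matches this client."""
    if not cookie or "." not in cookie:
        return False
    exp_s, mac = cookie.split(".", 1)
    if not exp_s.isdigit() or int(exp_s) < now:
        return False
    return hmac.compare_digest(mac, _mac(client_ip, user_agent, int(exp_s)))


class EdgePolicy:
    """Per-client sliding-window counter with escalating responses.
    The rate check runs before the cookie check on purpose: a bot that
    solved the JS test once must not be able to flood with its cookie."""

    def __init__(self, window=10, soft_limit=30, hard_limit=100):
        self.window = window          # seconds
        self.soft_limit = soft_limit  # above this: CAPTCHA
        self.hard_limit = hard_limit  # above this: block outright
        self.history = defaultdict(deque)

    def _count(self, client_ip, now):
        q = self.history[client_ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def decide(self, client_ip, user_agent, cookie, now):
        """Return one of 'allow', 'js_challenge', 'captcha', 'block'."""
        count = self._count(client_ip, now)
        if count > self.hard_limit:
            return "block"
        if count > self.soft_limit:
            return "captcha"
        if not verify_clearance(cookie, client_ip, user_agent, now):
            return "js_challenge"
        return "allow"


if __name__ == "__main__":
    policy = EdgePolicy()
    t = 1624617000  # 2021-06-25 10:30:00 UTC as a Unix timestamp
    print(policy.decide("203.0.113.5", "Mozilla/5.0", None, t))          # js_challenge
    cookie = issue_clearance("203.0.113.5", "Mozilla/5.0", t)
    print(policy.decide("203.0.113.5", "Mozilla/5.0", cookie, t + 1))    # allow
```

The ordering of the checks is the point the incident teaches: a JavaScript or cookie challenge only proves that a client can execute a script once, so a cleared client still has to stay under a rate budget, otherwise 7 million "human" requests pass straight through to the origin.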
Scaleswap would like to reassure its users that the platform has been brought up to date, with all the protection layers needed to carry out a successful IDO launch.