Cryptocurrency Exchange Technical Architecture

tech · 2022-09-04

This article was created in partnership with Incapsula. Thank you for supporting the partners who make SitePoint possible.

The rise of bitcoin is grabbing the attention of hackers who could get rich with a single successful raid. If exchanges are not employing a DDoS solution from companies like Incapsula, they are sitting ducks for highly skilled and highly motivated hackers.

Where the Money Is

Willie Sutton, the notorious bank robber, was asked by a reporter why he robbed banks, and Sutton replied simply, “Because that’s where the money is.” Sutton died in 1976; if he were robbing today, it wouldn’t be banks, because that’s where the money isn’t.

Today bank branches really only have a few thousand dollars on hand for small transactions. Banks keep their customers’ money centralized in digital form surrounded by layers of security, which is governed by state and federal regulations and compliance laws.

And even with all this protection, banks are still successfully robbed online. It’s not easy. Hacking a bank typically requires a large syndicate with deep pockets, such as a nation state. Banks don’t publicize successful attacks because it’s bad for business. One well-documented attack, which occurred in 2015, was a slow bleed of many institutions in over 30 nations.

Because banks are so well protected, the next logical frontier for hackers going ‘where the money is’ is coin exchanges, which manage digital currencies and do business with initial coin offerings (ICOs). It doesn’t matter that financial experts like Warren Buffett label cryptocurrencies as Ponzi schemes that will end badly; they are minting millionaires and billionaires. Bitcoin, litecoin, ethereum and dozens of ICOs have exploded with real value which can be exchanged for real goods and services. When bitcoin shot through the roof in 2018, the Winklevosses became billionaires and 50 Cent went from rags to riches.

Early adopters were drawn to bitcoin not to get rich as much as to use it as an online monetary exchange absent a central authority governing online transactions. A secure transaction without a governing authority afforded the buyers and sellers the same anonymity that paying with cash has in the real world. In the real world, a cash transaction can occur without a government, bank or anyone’s knowledge. Cryptocurrency is essentially internet cash.

The late adopters are drawn to bitcoin to get rich, in the same way people try to get rich on pork bellies. Bitcoin futures began trading in late February 2018. This speculation is inflating the price of the cryptocurrency to levels never before imagined, gaining the attention of hackers.

It was even happening before February. Late last year, mining marketplace NiceHash suspended operations while it co-operated with authorities over a ‘professional attack.’ The hack was “a highly professional attack with sophisticated social engineering” that resulted in the theft of approximately 4,700 bitcoin. Mt. Gox was hit in 2014.

Cash is King

Robbing coin exchanges is much easier than robbing online banks because the hackers don’t need to constantly obfuscate their actions to withdraw the cash. Cryptocurrency has anonymity built in; hackers only need to break into the online wallets and pilfer strings of numbers.

The irony is that without a regulatory authority or an escrow, the strength of bitcoin is also its weakness, just as the strength of cash is also its weakness. If your wallet is stolen, there is no means to get it back.

Sitting in comparatively underprotected domains, exchanges are the new targets for hackers because they are as vulnerable as anyone to a DDoS attack. Eli Feldman at Incapsula points out that while blockchain technology is resistant to DDoS abuse by its very distributed nature, the crypto wallets and initial coin offerings (ICOs) are still centralized and vulnerable.

“Even companies with core business on blockchain require web servers,” wrote Feldman. “These servers are not necessarily used for websites that are accessed via browsers. They can be used for business transactions, client–server APIs, mobile apps APIs and other applications.”

Mitigation

Any business attempting an ICO, or that has services which manage cryptocurrencies, is vulnerable to hackers who are well prepared to exploit any vulnerabilities. For example, last year Coindash hosted a Token Generating Event that had two phases. The first phase was private, where “whitelisted” users were invited to exchange a CDT (CoinDash Token) for an ETH. That was 30 minutes. The second phase was then opened to the public, where anyone could do the exchange. But when the public phase started, a malicious attacker switched the official contribution address to a different address. That went on for seven minutes, during which 43,000 ETH were siphoned to a malicious address.

That kind of attack could have been prevented with a web application firewall (WAF), which would have caught the switch well ahead of time. A WAF not only protects the service from being attacked through weak spots, but also improves availability for highly distributed services. It secures the service and frees up many resources, shortening development timelines.
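As an added example (not from the original article or from Incapsula), a small defender-side check for the address-swap scenario described above: the operator pins the contribution address published out-of-band and alerts whenever the served page shows a different or an additional address, or no longer shows the pinned one. The address, the HTML snippets and the function names are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Pinned contribution address the operator published out-of-band.
# Constructed placeholder, not any real project's address.
EXPECTED_ADDRESS = "0x" + "ab" * 20

# Matches any Ethereum-style address (0x followed by 40 hex digits).
ETH_ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")


@dataclass
class CheckResult:
    ok: bool                                              # True only if exactly the pinned address is shown
    found: List[str] = field(default_factory=list)        # all distinct addresses seen on the page
    unexpected: List[str] = field(default_factory=list)   # addresses that are not the pinned one
    missing_expected: bool = False                        # pinned address absent from the page


def check_contribution_page(html: str, expected: str = EXPECTED_ADDRESS) -> CheckResult:
    """Compare addresses rendered in the served HTML against the pinned address.

    Alerts (ok=False) on two tampering patterns: the pinned address is gone
    (swapped out, or hidden, e.g. replaced by an image), or an additional
    address appears alongside it. Comparison is case-insensitive because the
    same address may be rendered with or without mixed-case checksum formatting.
    """
    found = sorted({a.lower() for a in ETH_ADDR_RE.findall(html)})
    expected_lc = expected.lower()
    unexpected = [a for a in found if a != expected_lc]
    missing = expected_lc not in found
    return CheckResult(ok=not unexpected and not missing,
                       found=found, unexpected=unexpected, missing_expected=missing)


# Constructed sample pages: the legitimate page, a copy with the address swapped,
# and a copy where a second address was injected next to the real one.
GOOD_PAGE = f"<p>Send ETH to <code>{EXPECTED_ADDRESS}</code></p>"
SWAPPED_PAGE = "<p>Send ETH to <code>0x" + "cd" * 20 + "</code></p>"
INJECTED_PAGE = GOOD_PAGE + "<p>New address: 0x" + "ef" * 20 + "</p>"

if __name__ == "__main__":
    for name, page in [("good", GOOD_PAGE), ("swapped", SWAPPED_PAGE), ("injected", INJECTED_PAGE)]:
        r = check_contribution_page(page)
        status = "OK" if r.ok else "ALERT"
        print(f"{name}: {status} unexpected={r.unexpected} missing_expected={r.missing_expected}")
```

In practice the check would run from outside the hosting environment on a schedule, so that a compromise of the web server itself does not also silence the monitor.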

DDoS

Without adequate protection, the coin exchange site is also vulnerable to a variety of DDoS attacks, from a conventional layer 3 attack that shuts the site down completely to a more discreet layer 7 attack that only disrupts the service.

At first blush, a DDoS attack seems counterproductive to a successful heist, because if the service is down then the hackers can’t exploit it. Still, DDoS mitigation experts are seeing an increasing number of DDoS attacks, for various reasons. One likely reason is to cause a distraction. In a scenario where hackers have already gained a foothold in the network weeks or months earlier, a DDoS attack will tie up an IT team that does not have enough staff to notice or prevent the theft of their digital assets.

For example, late last year, cryptocurrency exchange Bitfinex was slammed with two DDoS attacks. In between the attacks was a ‘flash crash’ that reportedly prompted some traders to report severe losses after the prices of cryptocurrencies NEO, OMG and ETP plummeted by as much as 90 percent.

Coin exchanges, and any site looking to launch an ICO, that do not incorporate a DDoS mitigation strategy like the one provided by Incapsula in their security profile are inviting failure. The service will be attacked. It’s just a matter of when.

Willie Sutton would do well as a cyber criminal. Sutton was an early pioneer of social engineering. He would dress as a janitor or delivery man to gain the trust of a jewelry store owner before robbing him. Later, Sutton escaped Eastern State Penitentiary by dressing as a guard, getting a ladder and climbing over the prison wall.

Translated from: https://www.sitepoint.com/protecting-the-web-assets-of-cryptocurrency-exchanges/

Related resource: 火币交易所架构图.jpg