Electrum Servers Remain Under Sustained DoS Attack

Electrum servers are still under a sustained Denial-of-Service (DoS) attack. The wallet developers announced the issue on April 7, 2018.

In correspondence with Bitcoin Magazine, Electrum developer Thomas Voegtlin speculated that the attack may be a form of retaliation from a phishing attacker who has been targeting Electrum in recent weeks. Since his phishing attacks had been thwarted, the attacker could now be resorting to DoS attacks instead, simply to frustrate Electrum developers and users. Voegtlin pointed out that, if this is the case, the behavior “is not rational” given the incumbent waste of the attacker’s resources.

A DoS attack is a fairly straightforward means of disrupting server activity, usually carried out by flooding a server with frivolous requests from a variety of different sources to overwhelm its processing capacity. Attacks of this nature can be carried out by an individual or by a number of actors, as the key method of attack is simply to overwhelm the server itself.

When a DoS attack targets a light wallet such as Electrum, it exploits the fact that users do not need to run their own nodes or connect directly to the Bitcoin network and, instead, connect to Electrum servers. By overwhelming these servers with DoS attacks, the wallets become less usable, as it takes a while to find a working server.

It’s also possible that the DoS is being carried out by the same person (or group) that was behind the phishing attacks in hopes that the DoS attack will increase the chance that the phishing attack can still succeed this way. As part of the phishing scam, users would connect to fraudulent servers. These fraudulent servers would then send users a phony message asking them to update to a new version of Electrum, sending a link to download coin-stealing malware. Voegtlin speculated that, by adding a DoS attack, the attacker may be hoping to overwhelm the legitimate servers of Electrum, making it more likely that users will inadvertently connect to the malicious servers.

Voegtlin suggested that the phishing attack is very unlikely to succeed, however: First, because the phishing attack only works on non-updated Electrum clients, and second, it only works if these clients connect only to malicious servers. Since clients always connect to 10 servers, that is very unlikely, he said. If even one of these servers is non-fraudulent, the phishing attempt will fail.

According to Voegtlin, while there is no ETA for the total fix for the DoS attacks, they are already being countered.

“We spawned more servers and we found how to blacklist botnet IP addresses,” he said. “That means some servers are usable now.” Electrum also plans to ban data-heavy clients as a way of curtailing the processing overload.

Updated versions of Electrum are not at risk of the phishing malware, but they can be affected by the DoS attack.

For now, Electrum suggests that users “disable auto-connect and select their server manually.” Simply waiting a short while often does the trick as well.

“Give it time; sometimes it connects after a few minutes,” Voegtlin added. He also advises users to stay on a server that works for them and not switch.