March 16, 2013 | Author: Mircea Popescu

Mar 15 23:21:41 mircea_popescu https://www.bitinstant.com/ could not connect to remote server. Am I alone ?
Mar 15 23:22:21 Namworld Yes. I hope it's not too lonely out there.
Mar 15 23:23:21 mircea_popescu "Hmm, www.bitinstant.com isn't loading right now. The computers that run www.bitinstant.com are having some trouble. Usually this is just a temporary problem, so you might want to try again in a few minutes." dude it's not even resolving.

Mar 15 23:23:25 jborkl Butterfly Labs getting ddos.
Mar 15 23:25:51 Namworld Would be funny that BFL never delivers...
Mar 15 23:26:21 ThickAsThieves bitinstant.com Error 21 (net::ERR_NETWORK_CHANGED): Unknown error.
Mar 15 23:26:25 mircea_popescu Namworld browsershots.org/bitinstant.com. It's mostly not loading. I think they're getting da DDoS.

A number of other major services have been hit with DDoS attacks in the past week or two, MPEx (also once before in January, but that one didn't do much at all) and blockchain.info being pretty good examples. Bitcointalk was also down intermittently and sluggish generally, but then again from what I'm told that's par for the course for that site. MtGox was clocking half hour delays all through the past week, but then again that may be just the result of trading spurts.

Back in February it was btc-e.com, although this is older and may be related to their involvement in the NovaCoin scam thing. In January it was sealswithclubs (although this is even older and atypically received a ransom note - unless, of course, Micon is making shit up). Walletbit and BitPay were both offline back in September (the former also receiving a ransom); Bitstamp was hit in October.

To sum up, pretty much every major piece of Bitcoin infrastructure was DDoS'd in the past six months or so. I can't speak for the others, but as far as MPEx goes what we've seen is not exactly standard fare. Some characteristic points to consider :

  • Very high spikes. While the baseline remained in the 5-10 Gbit range for the entire duration, I've seen spikes as high as 100 Gbit, and I'm not even sure I've actually measured the highest ones.
  • Very good quality DDoS. IPs that hit twice in the same hour are extremely rare - and quite possibly false positives. The traffic mix and other characteristics speak, to me, of professionalism.
  • Extremely extended periods. It is trivial to set up a few Gbit DDoS to hit a website for a few seconds or half a minute. Pretty much any kid 15 or older should be able to do it if they're neither lazy nor stupid. On the other hand I've had billions of requests, petabytes worth of traffic. This is not exactly common, or for that matter cheap to produce.
  • Reasonably good management. The January attack could be considered a case of fire-and-forget brute force DDoS. The March attack could not - if only for the WhiteHouse episode, which produced a reaction within 30 seconds or less, it was clear that technically competent individuals were supervising the attack non-stop, 24/7, and I do mean 7.
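The two measurable points above (volume spikes against a baseline, and source IPs that almost never repeat within an hour) are the sort of thing a service operator can pull straight out of a web server access log. The script below is an added example, not code from MPEx or from the author of this post: it parses combined-format access log lines, builds a per-hour profile (requests, unique sources, the share of sources that hit more than once, bytes served) and flags hours whose volume is many times the quiet baseline while sources almost never repeat. The log lines are constructed for the example, and the `volume_factor` and `repeat_threshold` cut-offs are assumptions chosen here, not figures from the post.

```python
"""Per-hour traffic profiling of web access logs: spike-to-baseline ratio and
source-IP repeat rate. Added example with constructed log lines; thresholds
are assumptions, not measurements from the post."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hours used by the constructed sample below (UTC).
QUIET_HOUR = datetime(2013, 3, 15, 22, tzinfo=timezone.utc)
FLOOD_HOUR = datetime(2013, 3, 15, 23, tzinfo=timezone.utc)


def parse_line(line):
    """Return {ip, hour, bytes} for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "hour": ts.replace(minute=0, second=0, microsecond=0),
        "bytes": 0 if size == "-" else int(size),
    }


def hourly_profile(lines):
    """Per hour: request count, unique IPs, share of IPs seen more than once, bytes served."""
    hits = defaultdict(Counter)   # hour -> Counter(ip -> requests)
    bytes_by_hour = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # unparseable lines are skipped, not counted
        hits[rec["hour"]][rec["ip"]] += 1
        bytes_by_hour[rec["hour"]] += rec["bytes"]
    profile = {}
    for hour, ips in hits.items():
        repeaters = sum(1 for n in ips.values() if n > 1)
        profile[hour] = {
            "requests": sum(ips.values()),
            "unique_ips": len(ips),
            "repeat_ratio": repeaters / len(ips),   # 1.0 = every source came back
            "bytes": bytes_by_hour[hour],
        }
    return profile


def classify(profile, baseline_hours, volume_factor=10.0, repeat_threshold=0.05):
    """Flag hours at >= volume_factor x the baseline request rate whose sources
    almost never repeat (repeat_ratio <= repeat_threshold). Both cut-offs are
    assumptions for this example."""
    baseline = sum(profile[h]["requests"] for h in baseline_hours) / len(baseline_hours)
    flagged = {}
    for hour, stats in profile.items():
        if hour in baseline_hours:
            continue
        spike = stats["requests"] / baseline if baseline else float("inf")
        if spike >= volume_factor and stats["repeat_ratio"] <= repeat_threshold:
            flagged[hour] = {"spike_factor": spike, **stats}
    return flagged


def make_sample_lines():
    """Constructed log lines: a quiet hour (4 clients, 3 requests each) followed by a
    flooded hour (200 distinct sources, one request each). Not real server logs."""
    lines = []
    for minute in range(3):
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
            lines.append(f'{ip} - - [15/Mar/2013:22:{minute:02d}:00 +0000] "GET / HTTP/1.1" 200 512')
    for n in range(200):
        lines.append(f'10.0.{n}.1 - - [15/Mar/2013:23:{n % 60:02d}:00 +0000] "GET / HTTP/1.1" 200 128')
    return lines


def run_example():
    profile = hourly_profile(make_sample_lines())
    return classify(profile, baseline_hours=[QUIET_HOUR])


if __name__ == "__main__":
    for hour, stats in run_example().items():
        print(f"{hour:%Y-%m-%d %H:00}: {stats['requests']} requests from "
              f"{stats['unique_ips']} sources, repeat ratio {stats['repeat_ratio']:.2f}, "
              f"{stats['spike_factor']:.1f}x baseline")
```

The repeat ratio is the useful part: a flood where every source appears exactly once over an hour is a different animal from a handful of hosts hammering the same URL, and it also tells you in advance that per-IP rate limiting or blocklisting will buy you very little. On a real log you would feed `hourly_profile` a file iterator and pick several known-quiet hours as the baseline rather than one.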

Originally, in the heat of events, my lead theory was that this was probably a heavy customer doing his own version of testing MPEx' squishiness. As that heat subsided and I've had time to look around, my lead theory is that we're being probed, systematically, by some sort of an organisation with deep pockets and serious technical competence on staff. To put it in other words : if all this isn't part of some secret NSA/ASA[1] project to map out the Bitcoin ecosystem and document its weaknesses, possible points of failure scl etc, I would be very much surprised.

I would very much like for the other people with direct knowledge of these matters - such as sysadmins or service operators involved - to weigh in on this subject. I'd also appreciate any corrections or additions to the list presented from anyone who knows better. Thanks.

———
  1. Alphabety Soup Agency