Yesterday, Blockchain experienced an outage for several hours while under a DNS attack.
At approximately 5:42 AM EST, the attacker changed Blockchain.info’s DNS servers. Within minutes, our internal systems alerted our infrastructure team who immediately began to assess the attack.
Control over our DNS servers is highly restricted and goes beyond industry-standard protections against configuration changes. We were able to access our administrative accounts with our registrar and regain control. Unfortunately, it became clear that the attackers had gained access to our accounts by breaching the systems of our DNS registrar.
In an abundance of caution, we shut down our entire platform until we investigated the full extent of the attack. After making offline high-level contact with our registrar, we quickly determined that our registrar’s systems were breached by a highly sophisticated attack against the registrar’s infrastructure and not Blockchain’s infrastructure. Our registrar was able to manually regain control and revert the DNS changes.
While we waited for the fix to propagate across the Internet, we investigated the malicious site to which the attacker had redirected traffic. Because the attacker used a self-signed SSL certificate, users on modern browsers – which the wallet requires – were prevented from being exposed to the phishing site. Thanks to the quick response of our team, the attacker’s DNS changes propagated only partially across the Internet. We were also able to locate the owners of the compromised machine the attackers were using and have it shut down.
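Two facts in this paragraph are exactly what a defender's monitoring should surface on its own: a hijack that has reached only some public resolvers (partial propagation) and a redirect target presenting a self-signed certificate. The following is an added example, not Blockchain.info's code, showing the alerting logic a defender could run over NS answers collected from several resolvers and over the leaf certificate in the dict format returned by Python's `ssl` `getpeercert()`. The nameserver names, resolver observations and certificate dicts are constructed sample data; gathering the live inputs (dig/dnspython for NS records, `ssl.get_server_certificate` for the certificate) is assumed to happen elsewhere.

```python
"""Detect a registrar-level DNS hijack from multi-resolver NS answers and
the served certificate. Added example with constructed inputs; not the
page's own tooling."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Hypothetical authoritative nameservers the domain is supposed to have.
EXPECTED_NS: FrozenSet[str] = frozenset({"ns1.example-dns.net.", "ns2.example-dns.net."})


@dataclass(frozen=True)
class NsObservation:
    resolver: str                 # public resolver that was queried
    nameservers: FrozenSet[str]   # NS names it returned for the domain


# Constructed sample: two of four resolvers already serve the attacker's NS set,
# i.e. the hijack has propagated only partially (as described in the post).
ATTACKER_NS = frozenset({"ns1.attacker-example.net.", "ns2.attacker-example.net."})
OBSERVED: List[NsObservation] = [
    NsObservation("8.8.8.8", EXPECTED_NS),
    NsObservation("1.1.1.1", ATTACKER_NS),
    NsObservation("9.9.9.9", EXPECTED_NS),
    NsObservation("208.67.222.222", ATTACKER_NS),
]

# Constructed certificates in getpeercert() shape: subject/issuer are tuples of
# RDNs, each RDN a tuple of (attribute, value) pairs.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "blockchain.info"),),),
    "issuer": ((("commonName", "blockchain.info"),),),
}
CA_SIGNED_CERT = {
    "subject": ((("commonName", "blockchain.info"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
}


def nameserver_drift(expected: FrozenSet[str],
                     observations: List[NsObservation]) -> Dict[str, FrozenSet[str]]:
    """Map each resolver whose NS answer differs from the expected set to the
    unexpected names it returned. An empty dict means no drift anywhere."""
    drift: Dict[str, FrozenSet[str]] = {}
    for obs in observations:
        if obs.nameservers != expected:
            drift[obs.resolver] = obs.nameservers - expected
    return drift


def _rdn_dict(rdns) -> Dict[str, str]:
    # Flatten getpeercert()'s nested RDN tuples into {attribute: value}.
    return {k: v for rdn in rdns for (k, v) in rdn}


def is_self_signed(cert: dict) -> bool:
    """A self-signed certificate names itself as issuer (issuer == subject)."""
    return _rdn_dict(cert["issuer"]) == _rdn_dict(cert["subject"])


def assess(expected: FrozenSet[str], observations: List[NsObservation], cert: dict) -> dict:
    """Combine both signals into one verdict.

    Severity reasoning follows the incident: a hijack whose landing site has a
    self-signed cert is blocked by modern browsers (high), whereas a hijack
    paired with a cert browsers would accept exposes users directly (critical).
    """
    drift = nameserver_drift(expected, observations)
    self_signed = is_self_signed(cert)
    if not drift:
        severity = "none"
    elif self_signed:
        severity = "high"
    else:
        severity = "critical"
    return {
        "hijacked_resolvers": sorted(drift),
        "partial": 0 < len(drift) < len(observations),
        "self_signed_cert": self_signed,
        "severity": severity,
    }


if __name__ == "__main__":
    print(assess(EXPECTED_NS, OBSERVED, SELF_SIGNED_CERT))
```

Querying several independent public resolvers rather than one is what makes the `partial` flag meaningful: a hijack caught early, as in this incident, shows up as disagreement between resolvers long before every cache has turned over, and that disagreement is itself the alert.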
After a full check of our own systems and a complete propagation of the correct DNS servers, we brought our platform back online at 1:20 PM EST. To mitigate the attack vector at our registrar, we have implemented additional manual, offline controls.
Ultimately, any disruption in service is something we take seriously and we extend our sincere apologies. While we sometimes remain offline for longer than necessary, we do so out of an abundance of caution while we check to ensure all systems are fully protected and functional.