Researchers create cryptocoin with DDoS puzzle for miners

Two researchers in the United States have created a cryptocurrency that uses a malicious alternative to bitcoin's proof-of-work, the computational effort required to mine new coins. 

DDoSCoin design schematic. Source: Wustrow & VanderSloot

Called DDoSCoin, the alternative cryptocurrency allows miners to prove that they have participated in distributed denial of service attacks against preselected targets in order to create more virtual money. 

DDoSCoin, which was created by Eric Wustrow and Benjamin VanderSloot from the universities of Colorado and Michigan, operates by miners opening a large number of Transport Layer Security (TLS) connections to target webservers. 

It would then use the signed responses as proof a connection has occurred, the researchers said. 

Miners with DDoSCoin blocks could then trade these for other currencies, including bitcoin, the researchers suggested. 

This malicious "proof-of-DDoS" model used by DDoSCoin miners works only with sites that support TLS 1.2, but the researchers said over half of the top million websites as measured by metrics firm Alexa support that version of the protocol. 

Bitcoin's proof-of-work, a mathematical puzzle that miners have to collectively solve before more units of the currency can be created, has been criticised as a waste of resources. 

In their DDoSCoin paper [pdf] presented at the Usenix 2016 security conference, the researchers noted that bitcoin's computationally intensive proof-of-work "does not contribute to any useful problems besides securing the currency from attack". 

Concerns have been raised over the large amounts of energy required by Bitcoin miners, with researcher Sebastian Deetman suggesting they might consume as much power as the nation of Denmark does by 2020. 

There have been efforts to create other cryptocurrencies such as Litecoin and Primecoin, where the proof-of-work does something useful and beneficial. 

However, Wustrow and VanderSloot decided to take the opposite tack with DDoSCoin and encourage others to innovate by creating altcoins with novel proof-of-resource puzzles. 

While they created a proof-of-concept for DDoSCoin they only attacked websites that the researchers had control over and owned. 

Nor did the researchers release a fully functioning DDoSCoin, and suggested that website owners could go after miners taking parts in attacks. 

Website owners could also try to thwart DDoSCoin by participating in the coin mining themselves, the researchers said. 

Victim websites that join DDoSCoin mining will have an advantage in that they have access to the TLS private encryption key, and would be able to create enough coins to mint a proof-of-stake block to remove themselves from the attack list. 

Alternatively, sites participating in DDoSCoin mining could raise the difficulty of mining a block high enough, so that a remote miner has a negligible chance of succeeding.