On July 5, the owner of Bitcoin.org reported that his website, which promotes the use and circulation of Bitcoin tokens as digital currency, was hit with a severe denial-of-service cyber attack. Although the website was occasionally accessible through the day, the administrator explained that he had received a ransom demand right after he detected the attack. Coincidentally, the attack took place just a few days after a British court ordered that the website should stop hosting the original Bitcoin white paper, which is hosted across thousands of sites.

A distributed denial-of-service attack, more commonly abbreviated as DDoS, happens when a user group or botnet is directed at a website or server to send a very large amount of traffic. Usually this results in a service becoming unavailable to legitimate users for an indeterminate amount of time.

For most websites and web applications, a DDoS attack usually happens during the first two phases. One way to think about this is that there are two distinct points of control for the communication between your computer and the internet: The first is your computer, and the second is your ISP. If the traffic comes from your ISP, you need to go through them. But if the traffic comes from your computer, the HTTP request can go directly from your web browser to the server.

Bitcoin.org is hosted on an Apache web server, which means that the first time this connection is established is what’s called the handshake phase, which is one of the first two phases in the communication. During this time, Apache sends its HTTP request to the web server. This is what causes the traffic to overflow. Once Apache has successfully sent the HTTP request to the web server, Apache closes this connection and there is no further traffic sent by Apache. If the web server is sending traffic back to Apache, the server just sends it back.

As we know, that’s what makes DDoS possible. We have a HTTP request sent by a botnet client, but because that client is behind the router, there’s no way to get to the HTTP request, so Apache just continues. If the web server was sending traffic back to Apache, Apache would also continue to receive that traffic.