Bitcoin is not 'destroyed' if an attacker mines several blocks in a row. The actual damage that an attacker can do in this scenario is rather limited. The attacker could choose to not include certain (or any) transactions in blocks he mines. Additionally an attacker may choose not to broadcast a block he has mined, but instead continue to build on his own version of the chain privately and at some point, if his chain exceeds the main blockchain in length, broadcast the private chain and override the main blockchain, invalidating one or more recent blocks.

The first option (not include transactions) is available to anyone who mines a block. The second option relies on the fact that the attacker has to generate blocks faster than the rest of the network does. With luck, this can and will happen for short periods of time even with smaller amounts of hashing power.

But only when the hashrate of the attacker exceeds that of the legitimate users of the network, will this become a major problem. In this case, if the attacker waits long enough, he should always obtain a privately mined chain that exceeds the length of the public chain and he should always be able to invalidate blocks mined by other miners.

If an attacker has a small amount of hashing power, he may be able to disrupt the network at a random time, for a brief period by orphaning one or more valid blocks. But it'll be a temporary disruption only. 51% (or more) hashrate is required to be able to permanently lock down block generation and prevent other miners from contributing to the blockchain (assuming no external measures are taken to fight the attack).

You've understood incorrectly.  All an attacker can do is reverse some of their own transactions, or delay other transactions from being confirmed.  This will not "destroy the Bitcoin-network".  Blocks are orphaned on a daily basis, this does not result in destruction of the Bitcoin network.


Why not say that the attacker needs 100 blocks to destroy the network (since they can't even spend any of their newly mined bitcoins until they have 100 confirmations).


Yes. Your premise is wrong.


That depends on what they do with those blocks, and how many they mine.


If an attacker can maintain more than 50% of the total hasing power of the entire network, then they are guaranteed the ability to mine EVERY block.  This means they can prevent ANY transactions from EVER confirming.  It means they are guaranteed the ability to arbitrarily roll back thousands of blocks. It means they are guaranteed the ability to reverse EVERY transaction they send.

Nolan, can you explain what you mean by a checkpoint?

Checkpoints are intentionally pretty deep in the blockchain.  If I remember correctly, the most recent checkpoint is block height 279000.  That's 2014-01-06. The checkpoint before that was block height 250000 (2013-08-03). An attacker with a majority of the hash power can't roll the blockchain back more than the last checkpoint because any peer will reject their chain if their block doesn't match the checkpoint block hash (and therefore any blocks they build on top of their invalid block).  So it limits how far the attacker can roll things back.  It isn't much protection though.  Replacing a chain that deep would be devastating. Anything that would require us to roll back that far would quite possibly have destroyed faith in bitcoin enough for it to become useless. All coins mined since the last checkpoint would immediately vanish (as would every transaction that includes any fraction of any of those mined coins).

Preventing an attacker from replacing the current blockchain with his alternative chain isn't the purpose of the checkpoints.  That's just a side effect of their existence.