
We are pentesting the new webapp that we have developed before having an external source have a go at it and give us a risk assessment. Now we have come to the portion right at the end: DDoS.

For the most part, guides outlining best practices have been followed in an attempt to mitigate DDoS, with some rules in our proxy layer before traffic hits our webapp. The question is not based around that, though.

Reading up online I have come across some readings stating that blockchain could potentially solve the DDoS problem. I struggle to understand how. The whole problem behind DDoS, as I understand it, is that there is always a single point of failure. Even with the filters in front you are just moving that point to whatever the filter is instead of your webapp; the attack just has a different physical destination, and while your webapp may never be touched, your proxy will, and that's just as good. So the current solution to DDoS is throwing money at the problem in the form of big infrastructure?

If I think about it, would they use blockchain as the underlying mechanism to build a system to coordinate peer-to-peer sharing of bandwidth (some articles mentioned the Gladius company, though I'm not sure if this is what they are going after), where subscribed users share their unused bandwidth (i.e. when at work), and basically you place this system as a fallback proxy when under attack to route traffic to your webapp, trying to throttle any traffic with bad indicators attached to it under some defined rules? This does not change the solution to a DDoS attack but rather the execution, as you are no longer renting hardware from a big company but getting the hardware needed from a pooled source on demand, so community driven, to lower the cost of the solution, making it open to medium businesses as well instead of only massive ones?

Is this what is meant by using blockchain to fight DDoS attacks? If not, why, and what is meant? If yes, are there technical docs I may read? I am not clued up on blockchain at all and probably do not know which keywords to search for such docs.

Thanks.

Nilo
  • You don't need your own big infrastructure to defend against DDoS; you can use shared infrastructure like Cloudflare. Blockchain to stop DDoS sounds like something that's just a concept at the moment. Perhaps it's theoretically possible, but I'm skeptical it could ever be practical. Besides, paying a commercial provider seems a completely adequate model for most people. – paj28 Jan 23 '19 at 16:39
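The question's fallback-proxy idea hinges on "throttling any traffic with bad indicators under some defined rules", which is the same job the existing proxy-layer rules do. The block below is an added example, not code from the question, the answer or any product mentioned on the page: a per-source token bucket whose cost per request grows with the number of bad indicators on the request, run over constructed sample traffic. The indicator rules (`no-user-agent`, `probe-path`), the bucket parameters, the IP addresses and the sample requests are all assumptions made for illustration.

```python
"""Per-source token-bucket throttle with indicator-weighted request cost.

Added example (not from the original post). Every rule, threshold and
sample request here is an assumption chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Request:
    src_ip: str
    ts: float              # arrival time in seconds on a monotonic clock
    path: str
    user_agent: str = ""


@dataclass
class Bucket:
    tokens: float          # remaining allowance for this source
    last: float            # timestamp of the last refill


# Assumed rule: this hypothetical app never serves these paths, so
# requests for them are scanner probes rather than user traffic.
SUSPICIOUS_SUFFIXES = (".php", ".env", ".git/config")


def indicators(req: Request) -> list[str]:
    """Return the names of the bad indicators present on a request."""
    bad = []
    if not req.user_agent:
        bad.append("no-user-agent")
    if req.path.endswith(SUSPICIOUS_SUFFIXES):
        bad.append("probe-path")
    return bad


class Throttle:
    """Token bucket keyed by source IP.

    capacity: burst allowance per source; rate: sustained requests/second.
    A request costs 2**len(indicators), so suspicious traffic drains its
    bucket faster and is cut off sooner than clean traffic from the same source.
    """

    def __init__(self, capacity: float = 10.0, rate: float = 2.0):
        self.capacity = capacity
        self.rate = rate
        self.buckets: dict[str, Bucket] = {}

    def allow(self, req: Request) -> bool:
        b = self.buckets.get(req.src_ip)
        if b is None:
            b = Bucket(tokens=self.capacity, last=req.ts)
            self.buckets[req.src_ip] = b
        # Refill proportionally to elapsed time; ignore out-of-order timestamps.
        elapsed = max(0.0, req.ts - b.last)
        b.tokens = min(self.capacity, b.tokens + elapsed * self.rate)
        b.last = req.ts
        cost = 2 ** len(indicators(req))
        if b.tokens < cost:
            return False
        b.tokens -= cost
        return True


def run(requests: list[Request]) -> dict[str, dict[str, int]]:
    """Feed requests through one Throttle; return allowed/denied counts per source."""
    t = Throttle()
    summary: dict[str, dict[str, int]] = {}
    for r in requests:
        counts = summary.setdefault(r.src_ip, {"allowed": 0, "denied": 0})
        counts["allowed" if t.allow(r) else "denied"] += 1
    return summary


def sample_traffic() -> list[Request]:
    """Constructed sample traffic: a normal browser, a flood, and a scanner."""
    reqs: list[Request] = []
    # 10.0.0.1: one request per second with a browser User-Agent.
    reqs += [Request("10.0.0.1", float(i), "/", "Mozilla/5.0") for i in range(5)]
    # 10.0.0.2: 20 requests within 0.2 s from a single source.
    reqs += [Request("10.0.0.2", 0.01 * i, "/", "Mozilla/5.0") for i in range(20)]
    # 10.0.0.3: no User-Agent, probing for a secrets file (two indicators).
    reqs += [Request("10.0.0.3", 0.01 * i, "/.env", "") for i in range(5)]
    return reqs


if __name__ == "__main__":
    for ip, counts in run(sample_traffic()).items():
        print(ip, counts)
```

With the assumed parameters the browser client is never throttled, the flooding source gets its first 10 requests (the burst allowance) and is then denied, and the scanner, paying 4 tokens per request, is cut off after 2. Note what this rule engine does not do: it still consumes CPU and bandwidth at the proxy for every packet it inspects, which is exactly the "you just moved the point of failure" objection raised in the question; per-source throttling reduces load on the webapp, not on the filter.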

1 Answer


I can't speak about the security of private blockchains, because, frankly, I do not believe in private blockchain solutions. I can, however, speak about my experience with public blockchains and why I believe in the security they can provide.

Utilizing a public blockchain, like the one we leverage at our company (in this case I am referring to the Ethereum mainnet), does not necessarily solve the DDoS problem or prevent heavy request load from bogging down the network. Rather, it makes launching DDoS, or even DoS, attacks extremely costly to the attacker, because in order to write to the blockchain one must pay gas, which is essentially a POST request fee.

It is also very difficult to launch a DDoS attack due to the decentralized nature of the network. The nodes are scattered around, allowing requests to the network to be handled by hundreds or thousands of points rather than one central point of failure. While it may be possible to take down a collection of network nodes, the other nodes in the network will still be able to handle requests, though perhaps responding at a slower rate.

With regards to pentesting a web app that utilizes smart contracts or a blockchain back end, the server hosting the web app's front-end resources (or something like S3 hosting static pages) will still need to utilize traditional systems and will therefore not be protected by a blockchain at all, requiring the company to rely on traditional DDoS protections. The blockchain back end, however, will still be accessible via some gateway for whatever duration the web app remains offline. The exception to this would be if the web app were able to host its files and resources using additional distributed technologies (e.g. IPFS), thus making the web app truly decentralized and more resistant to attacks.

Please don't misunderstand me: it is very possible to DDoS a public blockchain, though it is difficult and extremely costly. There have been a few cases of this happening in the history of Ethereum, yet these attacks have not prevented the consensus algorithm from working correctly, nor have they prevented access to the network's resources (e.g. accessing smart contract functionality or stored data). What these attacks have done is significantly increase the time it takes for transactions to be validated, thus encouraging Ethereum users to add higher gas fees to their transactions in the hope of getting them mined in a more timely fashion.

jonroethke
  • It is definitely clear that my knowledge of blockchain is limited. From what I have read, as an engineer, blockchain would be used as the tool to create DDoS mitigation systems which you can add to your traditional systems during some fallback scenario. The gas fee implementation is not okay from a public entry point given our market...[will continue] – Nilo Jan 24 '19 at 07:46
  • Using blockchain to control trust among subscribed users of the shared resource makes sense, as signup to such communities is easier overall since you can be random strangers... the gas could be given out based on how much bandwidth you contribute to the system. This is just another way of implementing the same current DDoS solution but with different advantages, like shared costing for example. I am going to accept your answer for two reasons: – Nilo Jan 24 '19 at 07:46
  • 1) I do not have further knowledge on the subject to get more specific information out of you. 2) You have pointed me in the direction for further research. Thank you. – Nilo Jan 24 '19 at 07:46