2 ways Blockchain technology could have last week’s massive IoT-launched DynDNS attack

I’m attending IBM’s “World of Watson” event this week in Las Vegas, and one of the most murmured-over topics of conversation is the massive malicious use of IoT devices to execute one of the biggest distributed denial-of-service attacks in the history of the Internet.

In case you missed it, the short version is that millions of connected devices with known vulnerabilities were used to launch an attack on DynDNS, a company that provides DNS service for a broad cross-section of the internet.

From their company blog:

Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers.

While it’s been the subject of quiet hand-wringing among IoT advocates and loud criticism from those making their living selling security services, the silver-bullet solution to the problem was clear to me immediately: blockchain.

NameCoin: The solution to a great many looming ills on the internet.

I’ve talked about it a few times on my personal blog as well as elsewhere after then-ICANN CEO Fadi Chehade came on theCUBE in January of 2014 and dropped a bit of a bombshell: the world has eighteen months to come up with a new governance model for the internet. We asked him on the show whether he thought world leaders are prepared to take on the complex and very layered information needed to understand and implement a new model for governance.

Chehade laughed faintly.

“They are scrambling. Most countries are scrambling, few countries are prepared,” said Chehade. When pressed again for a more direct answer on whether they can figure it out in 18 months, Chehade showed his hand. By dodging the question with a dance of prepared facts that avoided saying yes or no definitively, Chehade in effect said no, and rather emphatically.

Throughout the interview, he discussed the reasons why the governance model wasn’t tenable (it has to do with the perceived political corruption and conflict of interest that other states see in America and its former role overseeing ICANN). The whole interview is riveting, and worth a watch.

Despite acknowledging that distrust of humans and the organizations built around them is the root of the issue, ICANN has to this day not sought to explore a blockchain solution to the problem, even though decentralized naming is one of the oldest proof-of-concept applications of blockchain technology.

From the NameCoin foundation’s website:

Namecoin was the first fork of Bitcoin and still is one of the most innovative “altcoins”. It was first to implement merged mining and a decentralized DNS. Namecoin was also the first solution to Zooko’s Triangle, the long-standing problem of producing a naming system that is simultaneously secure, decentralized, and human-meaningful.

It was and continues to be a very elegant solution to the corruption problem. Because it’s commonly merge-mined with Bitcoin, it’s not susceptible to a 51% attack like many other niche cryptocurrencies. It operates according to rules inherent to the protocol, and isn’t subject to human whims or influence. In short, it solves the dilemma Chehade describes.

More germane, decentralization solves the issue a DDoS attack on DNS systems presents. The record of domain ownership is public information and self-administered by the protocol, so targeting one specific set of DNS servers would be a minor inconvenience rather than a far-reaching catastrophe. Literally anyone can spin up a node and a block explorer and bolt a DNS service onto NameCoin at no cost other than the hardware it runs on (for a more technical explanation, head to this GitHub repo).
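To make concrete what “bolting a DNS service onto NameCoin” involves, here is an added example (not code from this post or from the Namecoin project) that turns a name’s ledger value into DNS answers. The record, the zone name and the addresses are constructed; the JSON field layout follows Namecoin’s d/ namespace spec as this example assumes it, and fetching the value from a node is left out.

```python
import json

ZONE = "example.bit"   # the Namecoin name d/example, under the .bit TLD

# Constructed name value in the shape of Namecoin's d/ namespace JSON records
# ("ip"/"ip6" for the name itself, "map" for subdomains, "ns" to delegate), as
# this example assumes that spec. Addresses are from documentation ranges.
EXAMPLE_RECORD = json.dumps({
    "ip": "192.0.2.10",
    "ip6": ["2001:db8::10"],
    "map": {
        "www": {"ip": ["192.0.2.10", "192.0.2.11"]},
        "mail": {"ip": "192.0.2.20", "map": {"imap": {"ip": "192.0.2.21"}}},
        "lab": {"ns": ["ns1.lab.example.bit"]},
    },
})

def _aslist(value):
    """The spec allows a single string or a list for address fields."""
    return value if isinstance(value, list) else [value]

def resolve(record_json, fqdn, zone=ZONE):
    """Map a name under the zone to DNS-style (owner, type, value) tuples.
    Walks "map" one label at a time from the zone apex; a node carrying "ns"
    delegates everything below it, so the NS records of that node are returned.
    Names that are not in the record yield an empty list (NXDOMAIN)."""
    node = json.loads(record_json)
    name = fqdn.rstrip(".").lower()
    if name != zone and not name.endswith("." + zone):
        return []                      # not our zone
    labels = [] if name == zone else name[: -len(zone) - 1].split(".")
    owner = zone
    for label in reversed(labels):     # rightmost label first
        if "ns" in node:
            break                      # delegated: stop descending
        node = node.get("map", {}).get(label)
        if node is None:
            return []
        owner = f"{label}.{owner}"
    if "ns" in node:
        return [(owner, "NS", ns) for ns in _aslist(node["ns"])]
    answers = []
    for key, rtype in (("ip", "A"), ("ip6", "AAAA")):
        answers += [(owner, rtype, v) for v in _aslist(node.get(key, []))]
    return answers

if __name__ == "__main__":
    for q in ("example.bit", "www.example.bit", "deep.lab.example.bit", "nope.example.bit"):
        print(q, "->", resolve(EXAMPLE_RECORD, q))
```

Any number of independent operators can run this same translation against their own copy of the ledger, which is the property the paragraph above relies on.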

Securing the Internet of Things with Blockchain.

I had a conversation with an IBMer when I first arrived about the DynDNS attack, and how IBM’s cognitive analytics could possibly have prevented it by recognizing patterns in the attack and hardening security on the specific attack vectors. It is an interesting and highly complex solution to a very difficult problem, but I think the blockchain poses a much more elegant solution to this particular issue (and is implementable with technology already on the market).

One of the lowest hanging fruits would be device firmware hashing, which works a little like this:

  1. A device (like a connected thermostat or a lightbulb) essentially has a complete system on it akin to any other computing device. It has a lightweight OS, usually imaged on a chip or an SSD, and a wireless connection to a hub or the internet itself.
  2. In a world where it’s secured by the blockchain, it would periodically “phone home” by connecting to the internet, looking up its nearest Bitcoin node, and looking for the most recent ledger entry that contains a hash file, or even possibly an encrypted boot image for the device.
  3. It will compare that hash with the hash of the image on the device itself. Because the blockchain is immutable once a write operation has occurred, if the hashes do not match, the device can immediately know whether it’s been tampered with or had its boot image altered.
  4. As a hardcoded part of the boot sequence, you can have the device re-image itself (or brick, depending on the situation) when it fails the checksum.
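The four steps above as an added example in Python (not code from this post): the ledger, its field names and the pinned vendor identifier are constructed stand-ins, and the example goes one step beyond the text by only trusting entries from a pinned publisher, since a public ledger’s immutability guarantees that an entry was not altered after it was written, not that the vendor was the one who wrote it.

```python
import hashlib
import hmac

# Constructed stand-in for entries a vendor publishes to a public ledger: one per
# firmware release, tagged with the block height at which it was written. Field
# names and the pinned publisher value are this example's own, not any chain's.
PINNED_VENDOR = "vendor-signing-key-fingerprint-PLACEHOLDER"

def entry(height, model, image, publisher=PINNED_VENDOR):
    return {"height": height, "model": model, "publisher": publisher,
            "fw_sha256": hashlib.sha256(image).hexdigest()}

LEDGER = [
    entry(1000, "thermo-v1", b"thermo firmware 1.0"),
    entry(1500, "bulb-v2", b"bulb firmware 2.3"),
    entry(2000, "thermo-v1", b"thermo firmware 1.1"),
]

def latest_entry(ledger, model, vendor=PINNED_VENDOR):
    """Step 2: the most recent ledger entry for this device model.
    Only entries from the pinned vendor count: a public ledger lets anyone
    append, so an unfiltered 'most recent' could be a third party's hash."""
    trusted = [e for e in ledger if e["model"] == model and e["publisher"] == vendor]
    return max(trusted, key=lambda e: e["height"], default=None)

def check_boot_image(image, model, ledger=LEDGER):
    """Steps 3-4: hash the local boot image, compare with the ledger, decide.
    Returns "ok", "reimage", or "no-reference" (fail closed when nothing has
    been published for this model rather than booting unverified)."""
    ref = latest_entry(ledger, model)
    if ref is None:
        return "no-reference"
    local = hashlib.sha256(image).hexdigest()
    if hmac.compare_digest(local, ref["fw_sha256"]):
        return "ok"
    return "reimage"   # the boot sequence would re-image or brick here

if __name__ == "__main__":
    for img in (b"thermo firmware 1.1", b"thermo firmware 1.0", b"tampered image"):
        print(img, "->", check_boot_image(img, "thermo-v1"))
```

Note that comparing against the newest entry means a device running an older but genuine release is also sent to re-image, which is the forced-update behaviour the steps describe.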

This is not dissimilar to an immune system flagging a foreign body. In this way, scaling security across a wide variety of devices becomes simple, and it’s attainable today. This method not only adds a layer of security, it also adds longevity to IoT devices, particularly devices created by startups with uncertain futures.

Every IoT-style light bulb or thermostat requires a ‘cloud,’ which is to say someone else’s computer. Surely no manufacturer will want to maintain a portion of a database servicing such devices for 10 or even 15 years. ‘A publicly accessible computing protocol married to a database with impenetrable security’ basically describes both Ethereum and a perfect scenario for IoT. Any device with the built-in capability can spend ETH from its wallet to communicate via the blockchain.

Getting there isn’t a very big challenge, surprisingly.

The beauty of these solutions is that there’s no need to re-invent the wheel. IBM has a great set of tools in Hyperledger, which I’ve learned a bit about this week, and which can be very useful for a variety of functions where a semi-private blockchain comes in handy. There are some great low-cost options for launching IBM’s Hyperledger implementations, but growing one to meaningful size could get quite pricey (some implementations can run upwards of $10,000 a month).

Implementing a device-level hashing function can be quite cheap, though, and can run off existing public blockchains. A non-Turing-complete implementation can literally cost pennies to maintain, and an Ethereum implementation could be only marginally more expensive.

Likewise, a NameCoin-like solution could not only be a silver-bullet solution to ICANN’s security weak spots, but a profitable venture to engage in. A NameCoin has a market value greater than zero (a $3.7 MM market cap), and it’s essentially nothing more than a functional prototype. Depending on the approach to the creation of the ledger, the foundation that develops the solution can fund itself for the foreseeable future with a crowdsale of its initial token (or a pre-mine, depending on the underlying ledger type).

And the excuses against taking the leap into blockchain are rapidly shrinking. Just this morning, the Disney corporation announced the release of the open-source framework they’re going to use to issue their own blockchain-based tokens and coins; it was an interesting announcement, but the key takeaway is that those still resisting blockchain-based solutions are now getting lapped by a literal Mickey Mouse solution.

The post 2 ways Blockchain technology could have last week’s massive IoT-launched DynDNS attack appeared first on Mark "Rizzn" Hopkins.