Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
2/23/2017
03:00 PM
Mance Harmon
Mance Harmon
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Blockchainís New Role In The Internet of Things

With next gen 'distributed consensus' algorithms that combine both security and performance, organizations can defend against DDoS attacks, even those that leverage IoT devices

On October 21st, a new malware weapon called the Mirai botnet took down a huge portion of the Internet, by launching a DDoS attack on Dyn, a company that controls much of the Internet’s domain name system (DNS) infrastructure. Affected sites included Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US.

The Mirai botnet is unique because it is largely made up of Internet of Things devices such as digital cameras and DVR players. Because it has so many Internet-connected devices to choose from, attacks from Mirai are much larger than previous DDoS attacks. Dyn estimated the attack involved “100,000 malicious endpoints” at a strength of 1.2Tbps. For comparison, that makes the October 21st attack roughly twice as powerful as any similar attack on record.

Since then, source code for Mirai has been published as open source in hacker forums, and the techniques have been adapted in other malware projects, making it more likely that we will see these attacks increase in frequency and size as other threat actors learn how to harness Mirai-like IoT botnets. While the Mirai botnet was used in this case to attack the DNS system, this form of attack will certainly be used against company servers directly, and traditional approaches to DDoS defense are simply inadequate for this emerging threat. 

It is very difficult to protect a single target against an army of attackers. Instead, we must find a way to divide and conquer. If we have multiple targets, then an attacker must divide their forces, with each group being less powerful than the whole. Distributed consensus technology replaces a central server with a community of peers. A would-be attacker can no longer target a single server, but rather, must successfully attack at least one third of all peers of the network.

Distributed consensus algorithms (such as blockchain and hashgraph) enable communities of people - strangers who are both unknown and untrusted - to securely collaborate with each other over the Internet without the need for a trusted third party.  In other words, it enables the development of multi-participant, general ­purpose applications that execute without the need for a central server. Each member of the community runs a local copy of the application. The consensus algorithm ensures that all instances of the application accurately reflect changes made by all members of the community, while ensuring no single member can cheat.

Until recently there has been two categories of consensus technology from which to choose: 

1) Public networks, like Bitcoin and Ethereum, that have poor performance and are grossly inefficient (requiring Proof of Work), and

2) Private (Permissioned) solutions such as HyperLedger Fabric, and non-Proof of Work Bitcoin or Ethereum (in which case the nodes take turns publishing a block of transactions).

Public networks have better security but poor performance in terms of transaction throughput and consensus latency, which is the time it takes for members of the community to come to an agreement on the order of transactions in the application. These performance constraints dramatically limit the number of applications that can practically use the technology. For example, Bitcoin blockchain can process only 7 transactions per second, and it takes the community an hour to agree on the order of those transactions. There aren’t many applications that can use a database with those performance characteristics.

Some users have opted to relax the security requirements of the distributed consensus algorithm, and restrict the use of the algorithm to private networks of known and trusted participants. This improves performance (achieving 100s or low 1000s of transactions per second, and seconds consensus latency), but at the expense of security.  If even a single member of the network is compromised, then the attacker can disrupt the flow of transactions for the entire network (i.e., launch a DoS attack).  

A new generation of distributed consensus technology products in the pipeline from a variety of vendors (including Swirlds)  provides a third category from which to choose: algorithms with both high security and high performance. For many applications, this combination of security and performance enables a new defense to DDoS attacks, even those that leverage IoT devices. 

To demonstrate the point, let's consider a popular online game, World of Warcraft (WoW).  The current system has a central server that ensures all players have a common view of the world and can’t cheat. However, a DDoS attack on the server can disrupt the game for everybody.  Also, the integrity and availability of the game can be compromised by a malicious insider or a remote attacker. 

A distributed version of WoW would provide a layer of defense against those types of attacks. In distributed WoW, each player is a node in a network, and the consensus technology ensures a common view of the world and prevents cheating. There is no central server to attack. A DDoS attack might be able to disrupt one (or even a few) players, but the game continues to be available for the rest of the community.    

Bitcoin blockchain introduced us to the modern era of distributed consensus, but it only provides a taste of what’s possible. The emerging, next generation of distributed consensus technology offers a unique combination of performance and security. This enables a new category of DDoS defense.  Eventually every industry will have networked, distributed applications, and wide-spread adoption will fundamentally change the security of the Internet.  

Related Content:

 

Mance Harmon is an experienced technology executive and entrepreneur with more than 20 years of strategic leadership experience in multi-national corporations, government agencies and high-tech startups, and is co-founder and CEO of Swirlds. Prior experience includes serving ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AndrewfOP
100%
0%
AndrewfOP,
User Rank: Moderator
2/24/2017 | 10:41:39 AM
DDoS attacks, Meet DDoS defense
It's good that DDoS defense technology is making progress toward wider adoption.  Ever since DDoS attacks came onto the scene, I always wonder why there were no technology that would turn DDoS attack modules into defense modules.  If DDoS's method is to turn hordes of computing devices into attacking clones, why can't there be hordes of counter devices?  After all, no select group of servers can defend against the onslaught of devices from the entire internet.  Yet, if the very same devices doing the attacking are also doing the defending, there would be a perfect equilibrium.  For the ever increasing and inexhaustible capacity of the whole internet, the defense would increase at the same time as the offense. 

The only losers in this reality would the owners and manufacturers that allow their devices to be infected, run at full capacity for doing the attacking and defending all the time, and thus reduce product lives, which ought to be good incentives for improving device security for owners and manufacturers alike.

 
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industryís conventional wisdom. Hereís a look at what theyíre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1689
PUBLISHED: 2019-12-10
Mozilla Firefox 20.0a1 and earlier allows remote attackers to cause a denial of service (crash), related to event handling with frames.
CVE-2016-10001
PUBLISHED: 2019-12-10
inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitra...
CVE-2019-6183
PUBLISHED: 2019-12-10
A denial of service vulnerability has been reported in Lenovo Energy Management Driver for Windows 10 versions prior to 15.11.29.7 that could cause systems to experience a blue screen error. Lenovo Energy Management is a client utility. Lenovo XClarity Energy Manager is not affected.
CVE-2019-6192
PUBLISHED: 2019-12-10
A potential vulnerability has been reported in Lenovo Power Management Driver versions prior to 1.67.17.48 leading to a buffer overflow which could cause a denial of service.
CVE-2019-4095
PUBLISHED: 2019-12-10
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015.