How the Blockchain Could Have Prevented the DNS’ Denial of Service Attack

ConsenSys · Published in ConsenSys Media · 3 min read · Oct 21, 2016

ConsenSys’ Aiai Garcia sat down with Sam Cassatt, Arthur Falls, and Ron Patiro to get their take on how blockchain technology and distributed computing could prevent DDoS attacks. In light of today’s outages of major websites and services in the United States, the conversation was timely, and it illuminated how some major benefits of emerging decentralized technologies could make the current Domain Name System (DNS) more resilient and secure.

Q: With today’s DDoS (Distributed Denial of Service) attack, how could blockchain technology have resolved that?

Sam Cassatt: DNS is basically a partially decentralized one-to-one mapping of IP addresses to domain names. Its access is controlled such that the people who own the domain are allowed to update the domain record. If you implemented the same access control and put it on a blockchain, allowed only the right parties to update it, and if it was copied ubiquitously everywhere where the blockchain was copied, then there would be no ability to Denial of Service attack it. Because it’s copied everywhere, you couldn’t attack it.

Ron Patiro: What’s spawning the refreshing of the IP address? Is there a way to have many or multiple IP addresses posted on many different nodes simultaneously?

Sam Cassatt: Yeah, so the idea is that you would want it replicated a lot. Each IP address and domain name would need to be stored. Just like their DNS records right now, each of those mappings would need to be stored on the blockchain and/or referenced to it, so the access control can be stored on the blockchain and the actual bulk of the data can be stored on IPFS or some other decentralized storage technology.

Q: If it were stored on the blockchain, that new one-to-one mapping would have to be updated, but is it still static to it, or would it have to change every 10 seconds?

Arthur Falls: You can’t change it on the blockchain.

Ron Patiro: It’s still too late. There’s one vector to attack it. There’s one-to-one mapping. For example, when I type github.com in my browser, is there any way to have multiple IP addresses at the same time? How could it actually prevent these DNS attacks?

Sam Cassatt: So the reason why this attack happened, or how it happened, was that someone was DDoS attacking Dyn’s servers, the servers that actually propagate the DNS information and the servers that people are hitting to try to find that mapping. But if that mapping was stored everywhere (i.e. decentralized) and ubiquitously, then it doesn’t matter if you attack one node or a thousand nodes, because there are thousands of other nodes.

Q: So if it were stored on many more nodes, it would be more resilient?

All: YES

Arthur Falls: The blockchain is only as secure as the security mechanisms of that particular blockchain. So for example, if we switched to DNS on Bitcoin and some government in the world wanted to screw up the global DNS entries, they could manufacture 51% of the mining hardware, which would give them the control of creating new blocks, and they could decide which DNS entries would be allowed to be created or updated. This is a problem. And so perhaps a mixture of centralized and decentralized is the right answer. If DNS was going to move on to the blockchain, you would have to take into consideration what the security mechanisms are of the blockchain that the DNS protocol is going to adopt.
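The registry Sam sketches, as an added example that is not from the original post or from ConsenSys: an owner-gated name record applied to every replica, then a constructed outage that makes most replicas unreachable to show that resolution still succeeds while a single resolver (the Dyn case) does not. Names, IP addresses and owner secrets are constructed sample values, and "the blockchain" is modelled simply as every replica applying the same owner-checked update; no real chain or IPFS is involved.

```python
import hashlib
import hmac

class Replica:
    """One copy of the name registry. `up` is False while the node is unreachable."""
    def __init__(self):
        self.records = {}   # name -> (ip, sha256 hex digest of the owner secret)
        self.up = True

    def apply(self, name, ip, owner_secret):
        """Owner-gated update: an existing record changes only for the holder of its secret."""
        key = hashlib.sha256(owner_secret).hexdigest()
        current = self.records.get(name)
        if current is not None and not hmac.compare_digest(current[1], key):
            return False    # not the owner: the replica rejects the change
        self.records[name] = (ip, key)
        return True

class ReplicatedRegistry:
    """The same update is applied to every replica, so the mapping lives wherever it is copied."""
    def __init__(self, replicas):
        self.nodes = [Replica() for _ in range(replicas)]

    def update(self, name, ip, owner_secret):
        results = [n.apply(name, ip, owner_secret) for n in self.nodes]
        return all(results)

    def resolve(self, name):
        """Query every reachable replica and return the majority answer; None if none responds."""
        answers = [n.records[name][0] for n in self.nodes if n.up and name in n.records]
        if not answers:
            return None
        return max(set(answers), key=answers.count)

def outage_experiment(replicas, knocked_out):
    """Constructed scenario: publish one record, then make `knocked_out` replicas unreachable."""
    reg = ReplicatedRegistry(replicas)
    reg.update("github.com", "192.0.2.10", b"github-owner-secret")   # constructed sample values
    for n in reg.nodes[:knocked_out]:
        n.up = False
    return reg.resolve("github.com")

if __name__ == "__main__":
    print(outage_experiment(1, 1))       # the single resolver is down: None
    print(outage_experiment(1000, 999))  # 999 of 1000 replicas down: 192.0.2.10
```

The majority vote in `resolve` also makes Arthur's caveat concrete: whoever controls most of the responding replicas decides the answer, so replication only helps as much as the replicas are independently controlled.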
