Distributed Denial of Service (DDoS) attacks - cyberattacks in which perpetrators render a website or other resource unavailable to its intended users by overloading it with superfluous requests sent from numerous devices simultaneously - continue to pose a major risk to businesses and other organizations that rely on the Internet. It is not hard to picture the potentially catastrophic damage to a company that earns its revenue by online advertising if it were knocked offline, or to an online retailer if an unscrupulous competitor hired a criminal to launch an attack on the retailer's website at the height of the holiday shopping season. In fact, on multiple occasions we have seen clear examples of the damage that DDoS attacks can inflict. Furthermore, as I discussed earlier this week, criminals are now demanding that firms pay them or face DDoS attacks - a 2017 version of classic "protection money" extortion.
Over the past decade various technologies have emerged that help reduce the risk of DDoS attacks - but the capabilities of the criminals launching the attacks have greatly advanced as well. With the mass proliferation of insecure Internet of Things devices and the easy availability of exploit code, attackers have access to a multitude of easily compromised potential zombies, making DDoS attacks a significant danger.
Ultimately, the Achilles' heel of many DDoS defenses is that they must absorb large amounts of attack traffic - a process which can utilize a lot of bandwidth and processing power, and be quite expensive. As such, criminals benefit from a tremendous advantage: they normally launch DDoS attacks from "zombies" - that is, computers that they have taken control of via malware - so they obtain their necessary resources for free.
Because of the cost of absorbing large volumes of data, many DDoS protection firms charge businesses for handling huge traffic loads - with Uber-like "surge pricing" - making DDoS attacks very expensive even to those organizations that successfully mitigate them. Other defense firms may charge businesses more up front to ensure profitability even if DDoS attacks do occur, or may terminate customer accounts if a customer turns into a losing proposition. Last year, for example, after criminals launched a massive DDoS attack at security journalist Brian Krebs' website - which was, at the time, protected pro bono by Akamai - Akamai told Krebs to take his site's protection needs elsewhere. Additionally, even the most robust anti-DDoS infrastructures may be taxed by growing DDoS attacks; there is a limit to how many entities they can adequately protect at once. Hacktivists - that is, hackers attacking parties for activist-type rationales - have even taken down some sites when attacking other sites using the same DDoS protection service.
I recently spoke with a startup that is working to use blockchain technology to address these shortcomings, to dramatically reduce the cost of protecting against DDoS attacks, and, ultimately, to render DDoS attacks far less effective. Blockchain is, of course, the technology underlying cryptocurrencies like Bitcoin and smart contract systems like Ethereum. It allows for the sharing of information through a nearly incorruptible digital ledger that is distributed all over the Internet, requires no central authority for management, and protects entries by effectively allowing them to be made only by the parties authorized to do so. I will write a detailed explanation of blockchain in an upcoming piece.
By using blockchain, Maryland-based Gladius is creating a system that would allow people to rent out their unused bandwidth so that it can be used to absorb malicious DDoS traffic and mitigate attacks. For most adults of working age, the vast majority of the bandwidth of their home Internet connection sits idle during the workday; in much the same way that Airbnb lets people utilize their home to make money when it would have otherwise sat idle and empty, Gladius plans to allow folks to leverage their Internet connections when they would not normally be heavily used. By leveraging the blockchain, Gladius eliminates the middleman between bandwidth providers and those needing it, and eliminates the need to buy bandwidth other than during an actual attack - so, businesses buy only the bandwidth that they actually need. Web site owners could also use the system to accelerate the delivery of content - as computers all over the world could function effectively as remote deliverers of cached data (in what would technically be known as a Content Delivery Network or CDN). Payments on Gladius are done with its own cryptocurrency - GLA - which ostensibly will be bought and sold on crypto exchanges. Gladius will begin offering GLA in an Initial Coin Offering (ICO) in October, and plans to go live early next year.
Like any other startup, Gladius will certainly face challenges, and it is obviously too early to know whether the firm or other blockchain technologies will ultimately capture the DDoS protection market from established businesses, but the advent of a new, democratized model of protection and financial opportunity - allowing for potentially better utilization of resources by everyone across the Internet ecosystem - is certainly an exciting development. Ironically, if Gladius is successful, it will need to implement security to ensure that criminals don't monetize zombies in the future by transforming them from DDoS attackers into rented defenders against DDoS attacks.
Gladius may be pioneering the use of blockchain for DDoS protection, but it is certainly not the only party using blockchain technology to advance security. I am certain that over the upcoming years we will see other blockchain-based security technologies emerge - offering better models for optimizing the allocation of resources to solve long-established security challenges.