Denial of Service Vulnerability Fix

in #steem6 years ago

Vulnerability Fix.png

Hello Steemians, for the last couple of weeks we have been working on a fix to a Denial of Service vulnerability at the same time we are wrapping up our work on MIRA.

The Vulnerability

The vulnerability involved the pending transaction queue. We've been working on, and testing, various solutions since we were informed of the vulnerability by @netuoso about 2 weeks ago. Due to the nature of the attack, we could not publicly disclose our work on this issue and we even limited knowledge of the vulnerability within the organization to minimize risk.

Witnesses & Exchanges

Earlier today we upgraded our nodes and proposed our fix to the Witnesses all of whom have since upgraded. This fix has been tested on a private testnet on which we were able to demonstrate that it successfully mitigates the underlying issue. All nodes including exchanges should be upgraded as soon as possible with this patch. We will be available for technical support for those exchanges that require it.

This vulnerability was brought to our attention by the Steem community developer, @netuoso. This highlights how important Steem’s amazing developer community is to the protocol. Their continued inspection of the chain, and effective communication of their findings, is a critical component of maintaining a safe and secure network. Thanks again to @netuoso for discovering this vulnerability and helping us develop a patch that resolves the vulnerability.

The Steemit Team

Sort:  

Thanks for the shoutout. It is rewarding to help deliver an update that benefits the entire ecosystem.

Steem on!

Looks like you, @netuouso, are the hero of the day. :) Kudos for actually being on the lookout for something wrong, finding the vulnerability and working to fix it. A perfect trifecta of work and effort.

Now, for those of us who can appreciate this, but aren't certain just what it all may have meant for the pending transaction queue had it been attacked, is there anything you can explain about it that would help me to better understand what you all fixed without making any disclosures that shouldn't be disclosed? If not, that's okay. I'm still thankful for all you did. :)

A Denial Of Service (DOS) attack is where someone does something to keep the servers busy doing unnecessary work to slow the system down and prevent others from being able to access the service of the server. It would seem that there was a way to cause the transaction que to loop or do some other work that would keep it busy for a lengthy period of time and this was now fixed to prevent such an attack.

Hey, @happyme.

Thanks for the reply.

Right, so just what could have been exploited by slowing down the transaction queue and keeping it busy? Would a DOS attack allow something else to occur, like getting to what was in the transaction queue? I guess I'm trying to understand the magnitude.

Generally, a DOS attack is simply so that the server is useless and nobody can use it. It is not a security risk on its own.

On a DPoS blockchain a DoS can be a GRAVE security threat.

I will leave the reader with an exercise in figuring out how shutting off the networks servers at will (potentially after fixing the issue locally) would be detrimental in a DPoS blockchain

Thanks for that clarification, but you are now using terms way over my head. As a non-programmer, I can only understand stuff as it is explained to me in layman's terms. As far as I know, DOS stands for denial of service, which translates to not being able to serve the clients trying to access the server. Beyond that, I'm as ignorant as one can be about security or anything else technical and haven't a clue what a DPoS blockchain is. D=? but I assume PoS = Proof of Stake, as opposed to Proof of Work (PoW)? How or why those make any difference is way over my head at this time.

Okay. Thank you. That's what I was wondering, so I appreciate that.

Not sure if you're into token collecting, but for answering my questions, I'm going to send some of these your way. Hopefully it works. :)

!ENGAGE 100

Well, I'll be darned... I already had 150 tokens in the wallet that I didn't even know about! I'm now having all sorts of crazy ideas floating around in my head about the uses for Steem-engine. Thanks again for the tokens and the link to the website!

No problem. Maybe @abh12345 sent the others your way? Always nice to find out you have more than you thought you did. :)

As far as the crazy ideas, go for it. Crazy ideas have a way of becoming the next big thing. :)

Sweet! Thank-you! My first engagement tokens.

Here are your ENGAGE tokens!

To view or trade ENGAGE go to steem-engine.com.

oh yeah @netuoso is great at breaking STEEM with no mention by the elite in control then they seem to make a false vulnerability to give another of steemit incs stooges a leg up

https://steemit.com/steem/@naturicia/nijeah-who-broke-the-blockchain

Why do you even continue to use Steem if it is such a conspiracy?

I am not affiliated with SteemIt, Inc in any way

conspiracy (noun)
a secret plan by a group to do something unlawful or harmful.

the structure of your sentence suggested you didn't understand what a conspiracy is.
and the reason for staying would be to do my best to ensure as few victims as possible get manipulated into the various wealth extractors

you have lied multiple times in the past the most significant being when you performed a super high-risk test on the platform that couldn't have destroyed the chain and when approached lied through your teeth to protect yourself

surprising with the integrity youve shown your not no 1 witness

You have a sad, sour life. Wonder who hurt you as a child but hopefully you are able to move beyond it. Stay strong @isacoin. Stay strong.

lol initiating the @nextgencrypto manipulation strategy when called out

🎁 Dear @isacoin,

SteemBet Seed round SPT sale is about to start in 2 days!

When our started the development of SteemBet Dice game, we couldn’t imagine that our game would go so viral and that SteemBet would become one of the pioneers in this field.

In order to give back to our beloved community, we’ll distribute 4000 STEEM to SPT holders immediately after Seed sale. Plus, investors in this earliest round will be given 60% more tokens as reward and overall Return on Investment is estimated at 300%!

Join the whitelist on SteemBet webiste now and start investing! Feel free to ask us anything on Discord https://discord.gg/tNWJEAD

spt-sale-2-day.jpg

Grenat work @netuoso! Thanks for being our protocol guardian angel.

Good work!

thank you!

Oh hey he comes out of hibernation to actually use the steem blockchain this month! haha
But thanks for the fix.

Wonder what is more important for me to be doing... Commenting and posting about my life and my dogs? Or spending time building a business and working towards improving the security and resilience of the Steem blockchain. Hrmmmmmmmmmmmm.

Thanks for spotting this and helping the team to deal with it. Perfect security is impossible, but I would hope the people will work together to make Steem more resilient

Thank you!

Well done! You have my full upvote sir.

Good catch. Thanks!

Thanks for monitoring our security.
Good work!

Great work and appreciate you keeping your eye out for these things!

Posted using Partiko iOS

Outstanding! That is the Steemian Singularity that make this blockchain so very special! GODSPEED!

🎁 Dear @apostle-thomas,

SteemBet Seed round SPT sale is about to start in 2 days!

When our started the development of SteemBet Dice game, we couldn’t imagine that our game would go so viral and that SteemBet would become one of the pioneers in this field.

In order to give back to our beloved community, we’ll distribute 4000 STEEM to SPT holders immediately after Seed sale. Plus, investors in this earliest round will be given 60% more tokens as reward and overall Return on Investment is estimated at 300%!

Join the whitelist on SteemBet webiste now and start investing! Feel free to ask us anything on Discord https://discord.gg/tNWJEAD

spt-sale-2-day.jpg

Thank you! :)

Posted using Partiko Android

Thank you! Now we can sleep well!

Amazing demonstration of how a decentralized system is better than a centralized one. FaceBook outages are becoming a monthly affair.

Posted using Partiko iOS

@steemitblog,
Thank you for sharing this update and personally I was not aware about this problem till I read this post!

@netuoso,
Thank you for highlighting such important issues and really appreciate it!

Cheers~

Hi @steemitblog, thanks for sharing. Are you from the Steemit team? Your profile doesn’t say all that much about you. Looks like you follow just 5 people… @roboza @cgame @thecryptofiend @alkafir and @rmach. Those people must be your core team members? Good to know! Anywho, it might be a good idea to update your profile info so that people know more about who you are and what kind of blog you have. Let’s start with something simple. A profile pic!

If you’d like to add a profile pic, click settings and upload a photo… Wait… the “settings” tab can’t do that. First… you actually need to click the “wallet” tab. OK… then you’ll arrive at steemitwallet.com, it’s another website. Don’t worry though… it will all make sense soon. So you’ve arrived at steemitwallet.com to change your profile picture. OK… you’ll notice that you’re not logged in anymore. You need to log into your account a second time using one of those four passwords. Wait… actually, a login window will pop up and suggest that you use the posting key, but that’s actually not right… it’s the active key that does stuff for the wallet. Right? Not sure. From there, click the wallet settings button to upload an image for your profile. So simple! Now click update at the bottom. Great! It’ll take some time to show up but it does show up eventually. Now you want to back to your profile. To return to your profile page, click the tiny “blog” tab hiding in the corner. OK, now we are back in action! Congratulations @steemitblog, you now have a profile picture.

Thanks! Lol this actually helped me with what I was looking for

Yeah, but you’re probably still logged into your wallet since it hasn’t been auto-signing out when you close your browser.

It’s possible that this has been fixed though. Maybe.

Humrph, so many steps.

Hello, I'm not part of the team. Just a regular Steemian.

¯\_(ツ)_/¯

I'm a Backup witness, but I have not heard of this solution. Where can I get a mention?

Check #witness in steem.chat

Is there another place that you are monitoring for witness related matters?

I'm already involved in it, but I don't think the content was first disclosed there.
I checked the update through the alarm, but Top witnesses were already updated. Do they have a separate channel?

Oh, you’re not part of the special club? Well that’s weird. I thought we were supposed to have decentralization and transparency and stuff. Why would there be secret clubs of selected witnesses by the chain’s “lead dev team” and single largest stakeholder?

Inquiring minds would like to know. Amirite?

:)

Easy (and honest) answer:

Often with security releases it’s important for the top 20 witnesses to be patched prior to the fix being made public in order to ensure uninterrupted service and safety. Even if it were not us (Steemit Inc) proposing a fix, these witnesses should (and do) have an open channel of communication amongst themselves in order to coordinate rolling out these types of patches.

Oh, so it’s just a chat for top-20 witnesses that’s controlled by those witnesses?

The public channel you mentioned means "https://steem.chat/channel/witness", but I think there are other special channels. Because some of the witnesses had already been updated to version 20.10 before the updates were released and mentioned on the channel.

As you mentioned, you need a public channel for quick sharing. Is there a condition for accessing channels for special members?

For high risk scenarios like this a private channel for the top 20 witnesses, plus those witnesses close to the top 20, is required for security reasons. Such a channel exists and the only requirement for entry is one's position in the witness rankings. If a witness is in the top 20 they are in that slack. If there is a chance they may enter the top 20 (e.g. if they are close) they should be in that slack and if they are not, they should contact me at [email protected].

It's a long way to top, but thank you for the information. I'll contact you if it gets closer.

I don't belong unfortunately............

Every witness has an opportunity, with Steem's vote-enabled democracy, to rise the ranks to become number one. I would say secondary witnesses are just as important as primary witnesses, in my experience at least. They often build dapps, on-board users, and bring code into the FOSS ecosystem. I appreciate all witnesses and humans in general that contribute their valuable time and effort to push forward blockchain technology.

sounds like there is a low level of trust within the organization... hopefully that improves..

This is how IT security traditionally works. There is a "need-to-know" basis around such things. IT admins often have access to highly sensitive information or data and need to keep it quiet.

Something such as a vulnerability shouldn't be discussed with too many people before a fix is made because word of mouth tends to spread quickly.

Kudos to the SteemIt team for keeping things quiet and quickly issuing a fix.

Great job @neutoso and to the Steemit team for fixing it!

What exactly does Ned and the rest of steemit,inc do all day? Is steemit.inc and steemit just a hobby for you guys? What does the new steemit director do? Why does everything move at a snail's pace? Serious question.

He is busy downvoting everyone as Bernie Sanders. They say the truth is often stranger than fiction. However the blockchain points to this based on stats. Makes sense why Dan Larimer left. Just a spoiled rich kid.. drunk on power.. spending Daddies money. It's all a joke to him. Also demented in the head like a little kid that pulls the wings off of a bug for fun. Deranged.

Your welcome.

You have received a negative vote.

https://steemit.com/idtheft/@isacoin/re-lyndsaybowes-fun-fact-the-account-which-steals-my-id-is-at-a-62-reputation-now-20190423t150141271z

There is a ton of blockchain stats that point to this. I am not here to prove or disprove anything. Just sharing my observation based on massive blockchain evidence. This is not decentralized. And all 'top' witnesses are either one guy or chosen by one guy. Rendering total centralization. The whole thing is a damn charade. A mirage if you will. Take care!

You have received a negative vote.

I am not talking about anything other than your intention that Bernie is Ned. Do you have any evidence to support that claim? I don't see a ton of blockchain evidence to support that.

This I feel ones more underlines the need for a bounty system for vulnerabilities. Kudus for @netuoso for identifying this bug while forgoing on what currently seems the only, rather meagre insentive of posting about the bug with appropriate @utopian-io tags.