Meet disBalancer: How it Works

6 min readMar 24, 2021

Introduction

DisBalancer, the second project to enter the Hacken Foundation, is an innovative solution that makes websites resistant to DDoS attacks. The product combines the power of Main Nodes managed by disBalancer and the rent out resources of users’ (‘farmers’) devices in a decentralized network of nodes so that the traffic generated by attackers is distributed across the network.The users (farmers) get tokens in exchange for their rent out resources while websites get protection from denial-of-service attacks.

The usability of the product was recognized in the industry during the Grey Hat Hackers Ideas Competition organized by the leading cybersecurity company Hacken. DisBalancer was awarded the Special Prize and got positive feedback from the members of the Hacken community and industry experts.

Challenge

The volume of internet traffic circulating every minute in the global virtual environment is rapidly increasing. More and more companies use their websites to interact with existing customers and win new ones. By disrupting the functioning of the website, competitors or criminal cyber actors may cause financial and reputational damage to the targeted company so that the latter may lose its competitiveness in the market. One of the most frequently used methods to crash a website is the conduct of a distributed denial-of-service (DDoS) attack. During such an attack a website is overwhelmed with requests overloading its infrastructure. The attacks come from multiple locations. DDoS attacks may be committed either by companies striving to beat their competitors or by criminal groups and individual hackers for requesting financial compensation.

The victims of DDoS attacks lose money since their sites don’t generate revenues when crashed as well as have to spend time and resources to resolve the issue. As a result, DDoS attacks make companies increase their expenditures while getting lower income. DDoS attacks may also cause server and hosting issues since the company’s failure to prevent DDoS attacks is likely to affect other websites that are functioning on the same server. Criminal groups may commit DDoS attacks to make the targeted website more vulnerable to hacks aimed at stealing data since there is a risk that security systems may also be put out due to DDoS attack.

On 1 September 2020, the company SwissSign, the provider of email encryption, digital identity, and document management services, reported on the limited availability of its products due to a number of experienced DDoS attacks. The magnitude of the DDoS attack amounted to 40 Gbps of internet traffic which their servers were unable to handle. The company’s specialists spent a few days restoring the functioning of its systems. Due to the attack, the company lost its major customer, the secure email provider ProtonMail. ProtonMail decided to start cooperating with the company Let’s Encrypt.

DDoS attacks have become a serious challenge for modern businesses worldwide and that is why innovative solutions that can protect websites from these types of virtual attacks are highly demanded in the market.

The disBalancer network

The use of disBalancer allows companies to prevent denial of service by transferring the load from their network to our decentralised network of nodes spread across the world.

Main Nodes

At the core of the network are the Main Nodes that ensure the effective functioning of the decentralized system. The Main Nodes will be spread across the globe and managed by the disBalancer team.

The verified users may also deploy their nodes that, in turn, may become the Main Node for the purpose of load balancing. As a result, when the Main Node is set up, the traffic comes through the node and the overwhelming of the server does not take place.

The solution constitutes the ecosystem in which website owners benefit from the possibility to distribute traffic among the nodes.

User Nodes

The last element of the network are users that want to participate in the disBalancer network by supplying their free computing power and bandwidth in exchange for tokens. An owner of a smartphone or personal computer becomes a Farmer by connecting to the deployed nodes, turning their own device into a new node. The application is run in the background. Tokens are credited to users when the network traffic comes through their resources.

The accrued tokens may be sold by farmers to the clients and the latter use the purchased tokens to pay for security services ordered within the ecosystem. Thus, the project functions under the principles of a circular model. The potential financial losses for websites due to DDoS attacks are much higher than the cost of DDoS-protection services described above.

How to use the network to protect your website

To start using the service a customer needs to change his website’s DNS records to redirect the incoming traffic to the nearest disBalancer network nodes. Every node, in turn, can redirect the traffic to other nearby nodes in case the existing load is not sufficient to prevent the overwhelming of the server. As a result, our pool encompassing hundreds of nodes will be able to handle all malicious traffic.

The detailed mechanism of work

DisBalancer protects the websites of customers in 4 stages:

The initial stage is detection that provides for distinguishing DDoS attack from normal traffic. To this end, the solution considers previous data, IP reputation as well as common attack patterns. DisBalancer applies HTTP fingerprinting and known AI/custom rule pattern matching to identify known threats in less than 2 milliseconds. As a result, disBalancer detects almost 99 per cent of all bad requests to customers’ APIs, websites, and mobile applications using these methods. Disbalancer detects new threats by analyzing information as browser tracking, browser automation detection, user event tracking, fake browser detection, and device detection. The solution detects layer application attacks via the use of Cookie challenge, JS test, and CAPTACHAs to monitor the behaviour of users, challenge unrecognized entities, and block known bad bots. Advanced new bots are detected in less than 100 milliseconds. When a particular threat is detected on the website of one of our customers, the protection algorithm is updated automatically so that the websites of other customers become protected from the type of DDoS attacks in question.

Normal traffic goes to the targeted website while malicious traffic as well as unusual traffic go through the Main Node and then the User Nodes. In case the unusual traffic is not detected as malicious upon analysis, it also goes to the targeted website.

Upon detecting an attack the solution provides a response aimed at dropping malicious traffic. To address layer (L7) attacks the solution applies WAF page rules while lower-level attacks (L3/L4) such as NTP amplification and Memcached attacks are handled via the application of other filtration processes. As a result, the solution does not allow a DDoS attack to result in the disruption of the website’s functioning.

At the third stage, the solution breaks the remaining traffic into manageable chunks through routing. Lastly, to effectively address DDoS attacks in the future, the solution can adapt to attack patterns by analyzing such traffic characteristics as country of origin, the improperly used protocols, and repeating offending IP blocks. The information about the malicious traffic is reported by a User Node to the Main Node.

As a result, the solution effectively protects customers’ websites even in the rapidly changing DDoS environment.