Wednesday, December 16, 2015

All app developers should learn from WhatsApp-v-Brazil incident and defend against it

So Brazil forced the ISPs to shutdown WhatsApp (a chat app) for 48 hours, causing more than a million of their customers to move to Telegram (another chat app). Apparently, this was to punish WhatsApp for not helping in a criminal investigation.

Well, this is similar to how ISPs block botnets. Botnets, the most common form of malware these days, have a command-channel back to the hacker that controls all the bots in the network. ISPs try to block the IP address and/or DNS name in order to block access to the botnet.

Botnets use two ways around this. One way is "fast-flux DNS", where something like "" changes its IP address every few minutes. This produces too many IP addresses for ISPs to block. WhatsApp can keep spinning up new cloud instances at places like Amazon Web Services or Rackspace faster than ISPs can play whack-a-mole.

But ISPs can also block the domain name itself, instead of the IP address. Therefore, an app can also choose to use a "domain generation algorithm" or "domain flux".  This generates a new domain name based on the current time, which changes several times per day. Names will be something like "", using a predictable, but "pseudo-random" algorithm. This would generate too many names for ISPs to block, assume the algorithm was public. However, in practice, in situations like this, the ISPs wouldn't know the algorithm, so therefore, wouldn't know the list of names they needed to block.

The cool thing is that companies like WhatsApp can deploy such measures in their software really easily. but not tell anybody. The first time a government like Brazil tried to punish them, the ISPs would mysteriously fail at blocking the app. It would take days of research for anybody to figure out why.

This highlights two important points.

The first is that "governments", not just "hackers", need to be part of your threat model when developing apps/services. The second is that evil "malware" or "viruses" is often indistinguishable from good software. That's what things like the Wassenaar Arms Control export restrictions are doomed to fail, because it's impossible for regulations to clarify the difference.

Note: Apparently the court order specified '', '', all subdomains, and IP addresses used by those domains.


Matt said...

It would be easy enough for What's app to add domain flux to their application, but how do you think courts would react to that?

I think courts will not react well to that sort of mockery. The results could be worse for What's app than loosing some customers.

Ryan said...

No, just use dnscrypt and resolve domains using local software, no need to outsource to the router.