A Stealthier Partitioning Attack against Bitcoin Peer-to-Peer Network


IEEE Symposium on Security and Privacy (IEEE S&P) 2020 https://erebus-attack.comp.nus.edu.sg/ A Stealthier Partitioning Attack against Bitcoin Peer-to-Peer Network Muoi Tran, Inho Choi, Gi Jun Moon, Anh V. Vu, Min Suk Kang May 2020


SLIDE 1

A Stealthier Partitioning Attack against Bitcoin Peer-to-Peer Network

Muoi Tran, Inho Choi, Gi Jun Moon, Anh V. Vu, Min Suk Kang May 2020

IEEE Symposium on Security and Privacy (IEEE S&P) 2020 https://erebus-attack.comp.nus.edu.sg/

SLIDE 2

Bitcoin relies on underlying peer-to-peer network

[Figure labels: blockchain; A → B: 10; C → D: 20; TX; Bitcoin consensus rules; Peer-to-peer network]

SLIDE 3

Bitcoin peer-to-peer network can be partitioned

Partitioning attacks: isolate victim node(s) from the rest of network

[Figure labels: Bitcoin network; Victim Bitcoin node]

SLIDE 4

Partitioning attack is a dangerous threat

Example: Double spending attack

[Figure labels: A → B: 10; A → C: 10; merchant; Bitcoin network]

Partitioning enables/improves several other attacks:

✓ 51% attack
✓ selfish mining
✓ censoring transactions
✓ take down cryptocurrencies
✓ …

SLIDE 5

Previous attack: routing manipulation to partition Bitcoin’s peer-to-peer network

  • Bitcoin hijacking (Apostolaki et al., IEEE S&P’17)

✓ Attacker AS uses BGP hijacking to hijack victim connections

[Figure labels: Autonomous System (AS); Victim node; 1.2.3.4; Attacker AS; Lie: “I am the owner of 1.2.3.4”]

All traffic to victim is routed through the attacker!

ASes (e.g., large ISPs) can do it.

✓ Question: “Do they really launch this attack in practice?”

Only one attack instance observed in practice. Why?

  • Route manipulation is immediately visible to the public
  • Attacker’s identity (AS number) is revealed

SLIDE 6

Can partitioning attacks be stealthier?

SLIDE 7

Erebus attack: A stealthier partitioning attack against Bitcoin network

[Figure labels: M; targeted victim node; V, G, F, A; Adversary AS; B, E, C, D; Shadow IPs; changing peer connections]

Idea: Indirectly force the victim node to connect to “shadow” IPs:

✓ For a shadow IP, the victim-to-itself route includes the adversary AS
✓ Attacker AS is the man-in-the-middle of all peer connections!

Challenge 1: Are there enough shadow IPs that the attacker can use?

Challenge 2: How to influence the target node’s peer selection?

SLIDE 8

Challenge 1: How many shadow IPs are available?

If attacker AS is big enough (e.g., top-100), it can easily find hundreds of shadow ASes => millions of shadow IPs

[Figure labels: Victim node (e.g., Amazon); Attacker AS in Europe; Shadow AS]

SLIDE 9

Challenge 2: How does Erebus attacker influence Bitcoin node’s peer selection?

  • Occupying 117 incoming connections (easier)

✓ Connect to the victim on behalf of the shadow IPs

  • Occupying 8 outgoing connections* (much harder!)

✓ Influence the victim to make connections to shadow IPs

[Figure labels: Victim; 8 outgoing connections; 117 incoming connections; Attacker AS; Shadow IP addresses a, b, c, d, e, …]

(*) 10 outgoing connections since Bitcoin version 0.19.1

SLIDE 10

How to influence the victim to connect to shadow IPs?

Tables for IP addresses:

  • new (IPs learned from peers)
  • tried (IPs that node has connected to)

Randomly choose a reachable IP from either of two tables

In the old days…: Eclipse attack (Heilman et al., USENIX Sec’15), ~ 3K bots

Our goal: Dominate reachable IPs in two tables with shadow IPs

Challenges:

  • Several bugs fixed since Bitcoin v0.10.1 (2015)
  • Attack is now nearly impossible with botnets

[Figure labels: Victim; ?]

SLIDE 11

Attack strategy: send low-rate traffic and patiently wait

[Figure labels: Victim; new; tried; Attacker AS; Shadow IP addresses; insert; Low-rate traffic; 1 IP / 2 mins]

[Plots: “Reachable IPs in the new table” and “Reachable IPs in the tried table”; x-axis: days; y-axis: %; series: Legitimate IP, Shadow IP]

Delete unreachable IP older than 30 days

Most are shadow IPs after 30 days

Shadow IPs gradually increase

SLIDE 12

Adversary can occupy all connections with shadow IPs in 5 - 6 weeks

[Plot: “Probability of selecting a shadow IP” and “Number of connections made to shadow IPs”; x-axis: days after attack begins; y-axes: Probability, Number of outgoing connections]

All eight outgoing connections are occupied after 40 days!

SLIDE 13

Why is the Erebus attack stealthy?

  • No route manipulation (e.g., BGP hijacking) needed

=> Invisible to control-plane monitors (e.g., BGP collectors)

  • Only low rate data-plane attack traffic (520 bit/s or 2 IP/s) is required

=> Difficult to distinguish from legitimate traffic

SLIDE 14

Who can launch the Erebus attack?

  • To attack a targeted node, Erebus attacker needs:

✓ millions of shadow IP addresses
✓ several weeks of attack execution

  • All Tier-1 networks

✓ AT&T, CenturyLink, NTT, …
✓ Can target any Bitcoin node!

  • Many large Tier-2 networks

✓ Singtel, China Telecom, …
✓ Can target the majority of nodes!

  • Nation-state adversaries

✓ Some countries are believed to have direct control over their ISPs

SLIDE 15

What about other cryptocurrencies?

  • Bitcoin peer-to-peer networking stack is widely replicated

✓ Erebus attack also applies to 34 out of top-100 cryptocurrencies

All vulnerable!

SLIDE 16

Countermeasures against the Erebus attack

  • The Erebus attack exploits the topological advantage of being large ISPs, not any specific bugs

=> Hard to counter against!

  • Trivial (yet less practical) solutions:

✓ Trusted authority: Whitelist/Blacklist of IPs => not permissionless
✓ Third-party proxies: VPNs, Tor, relay networks => not decentralized

  • Partial solutions:

✓ Table size reduction
✓ More outgoing connections
✓ Incorporating AS topology in the peer selection
✓ Protecting peers providing fresher block data

Status labels shown next to the partial solutions: Deployed in the latest version; Being tested; Being tested

Partial solutions are available. Careful evaluations are needed before deployment.
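One way a node operator could check for the condition the attack depends on (a single AS on the route to every peer) and apply the "Incorporating AS topology in the peer selection" idea. This is an added example, not code from the paper or from Bitcoin Core; the AS numbers, addresses, AS paths, the 0.75 threshold and all function names are constructed assumptions.

```python
from collections import Counter

OWN_AS = 64496  # constructed: the node's own AS (documentation ASN range)

# Constructed sample data: peer IP -> AS path from this node to the peer.
# In practice the paths would come from the operator's own route data.
CANDIDATES = {
    "192.0.2.10":   [64496, 64497, 64500, 64501],
    "192.0.2.11":   [64496, 64498, 64500, 64502],
    "198.51.100.7": [64496, 64497, 64500, 64503],
    "203.0.113.5":  [64496, 64498, 64500, 64504],
    "198.51.100.8": [64496, 64497, 64505],
    "203.0.113.9":  [64496, 64498, 64506],
}
# Current outgoing peers in this sample: every path crosses AS 64500.
CURRENT = {ip: p for ip, p in CANDIDATES.items() if 64500 in p}


def as_counts(paths, own_as):
    """Number of peer paths that cross each AS (own AS is on all, so skipped)."""
    counts = Counter()
    for path in paths.values():
        counts.update(set(path) - {own_as})
    return counts


def chokepoints(paths, own_as, threshold=0.75):
    """ASes on at least `threshold` of the peer paths, most common first."""
    counts = as_counts(paths, own_as)
    hits = [a for a, c in counts.items() if c / len(paths) >= threshold]
    return sorted(hits, key=lambda a: (-counts[a], a))


def pick_diverse(candidates, own_as, slots):
    """Greedy AS-aware selection: each round add the candidate that keeps the
    busiest on-path AS as small as possible (ties broken by address order)."""
    chosen, pool = {}, dict(candidates)
    while pool and len(chosen) < slots:
        def busiest(ip):
            trial = {**chosen, ip: pool[ip]}
            return max(as_counts(trial, own_as).values(), default=0)
        best = min(sorted(pool), key=busiest)
        chosen[best] = pool.pop(best)
    return chosen


if __name__ == "__main__":
    print("chokepoints now:", chokepoints(CURRENT, OWN_AS))
    picked = pick_diverse(CANDIDATES, OWN_AS, slots=4)
    print("picked:", sorted(picked), "chokepoints:", chokepoints(picked, OWN_AS))
```

A single-homed node's upstream provider will always be reported; such known upstreams need to be excluded alongside the node's own AS before the result is meaningful.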

SLIDE 17

Conclusions

  • Erebus attack can isolate Bitcoin nodes in a stealthy manner

✓ Low rate attack traffic (520 bit/s per node)
✓ Patiently waiting for a few weeks
✓ Large ISPs can launch this attack against latest Bitcoin Core

  • Mitigating the Erebus attack is hard

✓ No software bugs were exploited
✓ Attackers only exploit the topological advantages of being ISPs

  • Updates on countermeasures: https://erebus-attack.comp.nus.edu.sg/

SLIDE 18

Muoi Tran muoitran@comp.nus.edu.sg

https://erebus-attack.comp.nus.edu.sg/

[Figure labels: M; targeted victim node; V, G, F, A; Adversary AS; B, E, C, D; changing peer connections]