IEEE Symposium on Security and Privacy ( IEEE S&P ) 2020 https://erebus-attack.comp.nus.edu.sg/ A Stealthier Partitioning Attack against Bitcoin Peer-to-Peer Network Muoi Tran , Inho Choi, Gi Jun Moon, Anh V. Vu, Min Suk Kang May 2020
Bitcoin relies on underlying peer-to-peer network A à B: 10 TX C à D: 20 Bitcoin consensus rules blockchain Peer-to-peer network 2
Bitcoin peer-to-peer network can be partitioned Victim Bitcoin node Bitcoin network Partitioning attacks: isolate victim node(s) from the rest of network 3
Partitioning attack is a dangerous threat Partitioning enables/improves several other attacks: ü 51% attack ü selfish mining merchant ü censoring transactions A à B: 10 A à C: 10 ü take down cryptocurrencies Bitcoin network ü … Example: Double spending attack 4
Previous attack: routing manipulation to partition Bitcoin’s peer-to-peer network All traffic to victim is Lie: “I am the owner routed through the attacker! of 1.2.3.4” Victim node 1.2.3.4 Attacker AS Autonomous System (AS) ASes (e.g., large ISPs) can do it. Only one attack instance observed in practice. Why? • Bitcoin hijacking (Apostolaki et al., IEEE S&P’17 ) • Route manipulation is immediately visible to the public ü Question: “ Do they really launch this attack in practice? ” ü Attacker AS uses BGP hijacking to hijack victim connections • Attacker’s identity (AS number) is revealed 5
Can partitioning attacks be stealthier ?
Erebus attack: A stealthier partitioning attack against Bitcoin network Challenge 2: B How to influence the target changing Challenge 1: peer C A connections node’s peer selection? Is there enough Shadow IPs shadow IPs that the V M attacker can use? G Adversary AS D targeted victim node E F Idea : Indirectly force the victim node connects to “shadow” IPs: ü Shadow IP has the victim-to-itself route includes adversary AS ü Attacker AS is the man-in-the-middle of all peer connections! 7
Challenge 1 : How many shadow IPs are available? Attacker AS in Europe Victim node Shadow AS (e.g., Amazon) If attacker AS is big enough (e.g., top-100), it can easily find hundreds of shadow ASes => millions of shadow IPs
Challenge 2 : How does Erebus attacker influence Bitcoin node’s peer selection? Shadow IP addresses 8 outgoing e … … a a b c d connections b Victim c Attacker AS … d 117 incoming connections e • Occupying 117 incoming connections (easier) ü Connect to the victim on behalf of the shadow IPs • Occupying 8 outgoing connections* (*) 10 outgoing (much harder!) connections since ü Influence the victim to make connections to shadow IPs Bitcoin version 0.19.1 9
How to influence the victim to connect to shadow IPs? Our goal : Dominate reachable IPs in Randomly choose a two tables with shadow IPs reachable IP from either of two tables Challenges : ? • Several bugs fixed since Bitcoin v0.10.1 (2015) Victim • Attack is now nearly impossible with botnets In the old days… new tried ~ 3K bots (IPs learned (IPs that node has from peers) connected to) Tables for IP addresses Eclipse attack (Heilman et al., USENIX Sec’15 ) 10
Attack strategy: send low-rate traffic and patiently wait Legitimate IP Shadow IP % 100 Shadow IP addresses 80 … 60 Delete unreachable 40 IP older than 30 days Most are shadow 20 IPs after 30 days 0 Victim days 0 10 20 30 40 50 Low-rate Reachable IPs in the new table Attacker AS traffic insert % 100 Shadow IPs new 80 gradually increases 60 1 IP / 2 mins 40 20 tried 0 days 0 10 20 30 40 50 Reachable IPs in the tried table 11
Adversary can occupy all connections with shadow IPs in 5 - 6 weeks Number of 1 Probability All eight outgoing outgoing connections connections are 8 0.8 occupied after 40 days ! * * Number of connections 6 0.6 made to shadow IPs 4 0.4 * Probability of selecting a 2 0.2 * shadow IP 0 0 * 0 10 20 30 40 50 days after attack begins 12
Why is the Erebus attack stealthy ? • No route manipulation (e.g., BGP hijacking) needed => Invisible to control-plane monitors ( e.g., BGP collectors) • Only low rate data-plane attack traffic ( 520 bit/s or 2 IP/s) is required => Difficult to distinguish from legitimate traffic 13
Who can launch the Erebus attack? • To attack a targeted node, Erebus attacker needs: ü millions shadow IP addresses ü several weeks of attack execution • All Tier-1 networks ü AT&T, CenturyLink, NTT, … ü Can target any Bitcoin node! • Many large Tier-2 networks ü Singtel, China Telecom, … ü Can target the majority of nodes! • Nation-state adversaries ü Some countries are believed to have direct control over their ISPs 14
What about other cryptocurrencies? All vulnerable! • Bitcoin peer-to-peer networking stack is widely replicated ü Erebus attack also applies on 34 out of top-100 cryptocurrencies 15
Countermeasures against the Erebus attack • The Erebus attack exploits the topological advantage of being large ISPs, not any specific bugs => Hard to counter against! • Trivial (yet less practical ) solutions: Partial solutions are available. => not permissonless ü Trusted authority: Whitelist/Blacklist of IPs C arefully evaluations are needed before deployment. ü Third-party proxies: VPNs, Tor, relay networks => not decentralized • Partial solutions: ü Table size reduction ü More outgoing connections Deployed in the latest version ü Incorporating AS topology in the peer selection Being tested ü Protecting peers providing fresher block data Being tested 16
Conclusions • Erebus attack can isolate Bitcoin nodes in a stealthy manner ü Low rate attack traffic (520 bit/s per node) ü Patiently waiting for a few weeks ü Large ISPs can launch this attack against latest Bitcoin Core • Mitigating the Erebus attack is hard ü No software bugs was exploited ü Attackers only exploit the topological advantages of being ISPs • Updates on countermeasures : https://erebus-attack.comp.nus.edu.sg/ 17
https://erebus-attack.comp.nus.edu.sg/ B changing peer connections C A V M G Adversary AS D targeted victim node E F Muoi Tran muoitran@comp.nus.edu.sg
Recommend
More recommend
