Public Chains in Conflict: The Alien Attack Vulnerability in the P2P Protocol

When we talk about blockchain, we can never leave out these technologies: distributed storage, P2P networks and consensus mechanisms. The problem we discuss this time lies in the P2P network protocol.

Alien attack is in fact a problem that every public chain may face. We use Ethereum as an example. Ethereum's P2P network is implemented mainly with the Kademlia (Kad) algorithm, a distributed hash table (DHT) technique that routes to and locates data quickly and accurately in a distributed environment. This is where the problem lies.

What is an alien attack?

First, let us define the concept of a homogeneous chain: a blockchain system that uses the same protocols as another blockchain, or protocols compatible with it.

Alien attack, also known as address pool pollution, is an attack in which nodes of homogeneous chains are induced to intrude into and pollute each other's address pools. The root cause of the vulnerability is that homogeneous chains do not identify nodes of other chains in their communication protocol.

In the Ethereum alien attack, Ethereum's homogeneous chains (specifically, the public chains that use Ethereum's discv4 P2P node discovery protocol, including Ethereum itself and Ethereum Classic) cannot tell whether a node belongs to the same chain, because they use a compatible handshake protocol. Their address pools therefore pollute each other, the communication performance of the nodes degrades, and eventually the nodes become blocked.

1. Normal node discovery process

Node discovery in Ethereum is carried out with four UDP messages exchanged between nodes of the same chain. The messages are:

[1] ping: probe whether a node is online
[2] pong: the response to a ping
[3] findnode: ask for the nodes whose XOR distance to the target node is smallest
[4] neighbors: the response to findnode, returning one or more nodes

2. Attack process

Preparation: Collecting Ethereum Node Addresses

We found a node address list compiled by the community:

The first step: initiate a malicious handshake.

Attacker A simulates the entire handshake process: it initiates a ping, then uses the fourth message of the protocol, neighbors, to return a neighbor table whose entries are replaced with the Ethereum node addresses we collected, and pushes it to the victim node B (a node of an Ethereum homogeneous chain). Since only one address can be pushed per message, the push has to be repeated many times for the attack to take effect.

The second step: polluting the address pool.

B receives a large number of neighbor tables from A, tries to handshake with the listed nodes, and adds them to its own address pool (commonly known as the K-bucket).

The third step: automatic diffusion of pollution.

Surprisingly, nodes of different chains really do handshake with each other. What is even more alarming is that they then push the nodes already in their respective address pools to each other, so that more and more nodes pollute one another and the pollution eventually spreads across the entire network.
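The following Python model is an added illustration, not code from the original article or from any Ethereum client. It shows how a K-bucket address pool admits the nodes pushed in neighbors messages by XOR distance alone, why the victim's pool fills with foreign-chain entries when the discovery protocol carries no chain identity, and how checking a chain tag at admission time stops the pollution. The `chain` field, the node ids, the victim id and the bucket size K=16 are all assumptions constructed for the simulation.

```python
"""Toy discv4-style address pool (Kademlia K-buckets): nodes pushed in neighbors
messages are admitted by XOR distance alone, so a compatible but foreign chain
pollutes the pool unless a chain identity is checked. Constructed simulation."""
from dataclasses import dataclass, field

K = 16                     # entries per bucket (constructed value)
VICTIM_ID = 0x5A5A << 240  # constructed 256-bit node id of the victim B

@dataclass(frozen=True)
class Node:
    node_id: int
    chain: str  # hypothetical chain tag; plain discv4 carries no such field

@dataclass
class AddressPool:
    self_id: int
    chain: str
    check_chain: bool  # False reproduces the behaviour the article describes
    buckets: dict = field(default_factory=dict)

    def on_neighbors(self, nodes: list) -> int:
        """Handle one neighbors message; bucket index = highest differing bit of the XOR."""
        admitted = 0
        for n in nodes:
            if self.check_chain and n.chain != self.chain:
                continue  # mitigation: a node of another chain never enters the pool
            bucket = self.buckets.setdefault((self.self_id ^ n.node_id).bit_length(), [])
            if n not in bucket and len(bucket) < K:
                bucket.append(n)
                admitted += 1
        return admitted

    def census(self) -> tuple:
        """Return (own-chain entries, foreign entries) across all buckets."""
        entries = [n for b in self.buckets.values() for n in b]
        foreign = sum(n.chain != self.chain for n in entries)
        return len(entries) - foreign, foreign

def make_node(i: int, chain: str) -> Node:
    # Constructed id: bit (255 - i % 8) set, so nodes spread evenly over 8 buckets.
    tag = 0 if chain == "classic" else 0x10000
    return Node(VICTIM_ID ^ ((1 << (255 - i % 8)) | tag | i), chain)

def simulate(check_chain: bool) -> tuple:
    """Victim B ('classic') learns 40 own peers, then A pushes 400 'eth' nodes one per message."""
    pool = AddressPool(VICTIM_ID, "classic", check_chain)
    pool.on_neighbors([make_node(i, "classic") for i in range(40)])
    for j in range(400):
        pool.on_neighbors([make_node(j, "eth")])
    return pool.census()
```

Without the check, `simulate(False)` leaves 88 of the 128 occupied bucket slots holding foreign nodes, while `simulate(True)` keeps the 40 own-chain peers and admits none of the pushed addresses.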


  • A homogeneous chain node under alien attack cannot find a genuinely usable node and cannot establish a TCP channel for data synchronization, so the attacked node is effectively knocked offline.
  • For mining pools or block-producing nodes, an alien attack can delay or even defeat broadcasts, resulting in lost revenue.
  • An alien attack can make the address pools of all of Ethereum's homogeneous chains pollute each other, reducing node communication efficiency across the board and causing long-term damage to the whole blockchain system.

Scope of impact

When we conducted a security audit of a well-known public chain, we found that after a node of that chain suffered an alien attack, its performance degraded severely and external nodes took a long time to establish a connection with the victim node. The public chain team has since fixed the issue.

In theory, every blockchain that uses the Ethereum discv4 protocol may be affected by this vulnerability. After a period of testing, we observed that the monitoring nodes of EtherNode had also been contaminated, and the pollution appears to spread faster than expected.

Perhaps Ethereum needs a clean-up.


1. Does this vulnerability affect Ethereum? Ethereum has far more nodes than any of its homogeneous chains, and stable connections are already established between them, so the impact on Ethereum is not obvious. The other homogeneous chains, however, are subject to strong intrusion from Ethereum nodes, which results in communication blocking.

2. Many friends are concerned about whether public chains other than Ethereum have similar problems, for example Bitcoin and its altcoins, or the public chains that use the libp2p protocol. These issues will be disclosed in subsequent articles!

Source: SlowMist Security Team

Editor's note: this article has been abridged without altering its original meaning.