Alien attack is actually a problem that all public chains may face. We use Taifang as an example. Ethereum's P2P network is mainly implemented by Kademlia (Kad) algorithm, which is a distributed hash table (DHT) technology. It can be used to quickly and accurately route and locate data in a distributed environment. The problem.
What is an alien attack?
Alien attack, also known as address pool pollution, refers to an attack method that induces nodes of the same chain to invade and pollute each other. The main reason for the vulnerability is that the same chain system does not identify non-similar nodes in the communication protocol.
Ethereum alien attack means that Ethereum's similar chain (specifically, the public chain using the Ethereum P2P discv4 node discovery protocol, including Ethereum and Ether Classic) cannot distinguish whether the nodes belong to the same one because they use a compatible handshake protocol. The chain causes the address pools to pollute each other, and the communication performance of the nodes decreases, eventually causing the node to block.
- Popular Science | Blockchain Security Getting Started Notes (4)
- Blockchain security | APT attacks against a blockchain digital cryptocurrency trading platform
- Crypto investment fund Trident hacked, data leaks of 266,000 users
- Security Monthly Report | 16 security incidents occurred in November, with losses of nearly US $ 56 million
- Research Report | Analysis Report on Quantum Mechanics and Blockchain Security Technology
- zkSNARKs contract library "input pseudonym" vulnerability, many mixed currency projects
1. Normal node discovery process
The node discovery is completed by four UDP communication protocols between the same chain nodes in Ethereum. The message structure is as follows:
 ping: probe whether a node is online
2. Attack process
Preparation: Collecting Ethereum Node Addresses
We found an address library created by the community: https://github.com/smartheye/EthStaticNodesTool/blob/master/MainNet/static-nodes.txt
The first step: initiate a malicious handshake.
Attacker A simulates the entire handshake process, initiates a ping operation, and uses the 4th neighbors of the protocol to modify the returned neighbor table to the Ethereum node address we collected and push it to the victim node B (B is an Ethereum-like node) Chain node). Since only one address can be pushed in a single communication, we need to push multiple times to achieve the attack.
The second step: polluting the address pool.
B receives a large number of neighbor tables returned by A, tries to handshake with these nodes, and adds these nodes to their own address pool (commonly known as K bucket).
The third step: automatic diffusion of pollution.
Surprisingly, the nodes of different chains actually shake hands with each other. What is even more terrifying is that they push the known nodes in their respective address pools to each other, causing more nodes to pollute each other and eventually spread to the entire network. .
Sphere of influence
In theory, all the blockchains that use the Ethereum discv4 protocol may be affected by this vulnerability. After a period of testing, we observed that the monitoring nodes of EtherNode have also been contaminated, and the diffusion rate of pollution seems to be more than expected. be quick.
1. Does this vulnerability affect Ethereum? The number of nodes in Ethereum is much larger than that of other similar chain nodes, and a stable connection has been established between the nodes, and the impact is not obvious. But for other similar chain nodes, it will be subject to strong intrusion from the Ethereum node, resulting in communication blocking.
2. Many friends are concerned about whether other public chains other than Ethereum have such problems, such as Bitcoin and its altcoin, such as the public chain using the libp2p protocol. These issues will be disclosed in subsequent articles!
Source: Slow Fog Safety Team
Editor's Note: This article does not change the original intention of the deletion.