Denial of service (DoS) attack: Chengye miner, defeated miner

Source: First Class

Abstract: We have discovered a denial-of-service attack against Bitcoin-like blockchains. This attack is much cheaper than previous attacks (it requires only 20% of the network's computing power). Blockchains rely on incentives to ensure system security. We show how attackers can disrupt these incentives and cause rational miners to stop mining.

Since the birth of the Internet, denial-of-service (DoS) attacks (also known as flood attacks) have plagued it. DoS attackers target a variety of services for fun and profit. Most commonly, they send a large number of requests to a server, keeping it too busy to serve normal users. The usual response is to block such attacks by identifying the source of the flood.

Therefore, in a so-called distributed denial of service (DDoS) attack, the attacker must coordinate flooding from multiple computers.

First class warehouse note: DDoS bandwidth-consumption attacks can be divided into two levels: flood attacks and amplification attacks. Flood attacks are characterized by the use of zombies to send large amounts of traffic to the victim's system in order to saturate its bandwidth. Amplification attacks similarly exhaust the bandwidth of the victim's system, by maliciously amplifying traffic; they are characterized by using bots to send requests to vulnerable servers with a fake source IP (that is, the attack target's IP). After processing the requests, the servers send their responses to the fake source IP. Due to the special nature of these services, the response packet is longer than the request packet. Therefore, a small amount of bandwidth is enough to make the servers send a large number of responses to the target host.

Interesting fact: The distributed sources are often compromised user machines that form a botnet.

Cryptocurrencies like Bitcoin are a particularly profitable target for DoS attacks. In theory, futures markets and margin trading allow attackers to short a cryptocurrency and profit by driving down its price. Competing cryptocurrencies, as well as governments worried about the impact on their financial sovereignty, are other potential attackers. As far as we know, in practice there have been no successful DoS attacks on major cryptocurrencies.

The reason is the decentralized nature of the blockchain protocol. In the blockchain world, there is no central server that can be attacked. The machines running the blockchain are called miners, and they will completely replicate the blockchain data. Although there have been attacks on individual machines, the complete shutdown (or even destruction) of several machines has almost no impact on the availability of the entire system.

More interesting fact: Bitcoin's P2P network is built to resist attacks, and it learns from botnets (botnets are built to resist attacks from anti-malware companies).

In fact, DoS attacks against blockchains like Bitcoin are very expensive. The Bitcoin protocol proposed by Satoshi Nakamoto relies on the proof-of-work (PoW) mechanism to ensure the security of the system. Miners can create blocks only by proving that they spent resources (that is, computing power) outside the system. The security of the blockchain can be maintained only while most of the computing power in the system behaves correctly. Therefore, to perform a DoS attack, an attacker must possess more computing power than all other participants combined, that is, carry out a 51% attack. For major cryptocurrencies, the cost of a 51% attack is prohibitive for most entities.

This type of attack was tried in the "hash war" between Bitcoin ABC and Bitcoin SV at the end of 2018, but was unsuccessful.

BDoS

We found that inherent characteristics of the Satoshi protocol make it vulnerable to significantly cheaper DoS attacks. We take advantage of the fact that blockchain protocols rely on incentives for security. In the blockchain, participants (miners) are rewarded for participating in cryptocurrency mining. When these incentives no longer promote good behavior, the system is at risk. We call this attack Blockchain DoS (BDoS): it takes away miners' reason to follow the rules by making it more profitable for them to deviate.

To be effective, attackers need miners to understand this attack and make them aware of the fact that they can increase profits through this attack. Obviously, this strategic behavior is not pre-programmed in the mining software. Therefore, we believe that this attack does not bring imminent risks, because miners must reprogram the mining equipment to maximize their profits when facing the attack.

The existence of this attack may not be surprising; it is indeed a manifestation of the theory proposed by Bryan Ford and Rainer Böhme. They argue that analyzing a system from the perspective of rational participants is of limited use, because behavior driven by external incentives cannot be distinguished from Byzantine behavior.

Below we outline the mechanism of the BDoS attack. First, some background on the Satoshi protocol.

Background

Most cryptocurrencies use the blockchain protocol proposed by Satoshi Nakamoto for Bitcoin. In the Satoshi Nakamoto blockchain, all transactions in the system are placed in blocks that form a growing chain. Miners extend this chain with new blocks made up of new transactions and publish them to all other system participants. The rate of block production is regulated by requiring miners to include a proof of work (a solution to a cryptographic puzzle) in each block. (By definition, blocks without PoW are invalid.) To motivate miners to do this work, a miner who produces a block receives a fixed reward (for example, the current fixed Bitcoin block reward is 12.5 BTC). If miners are not too large, they are incentivized to extend the blockchain and receive the corresponding rewards.

Because miners are located all over the world, occasionally two or more miners produce blocks at the same time with the same parent block, which results in a fork, that is, multiple branches of the chain. To determine which chain is the main chain, Satoshi Nakamoto proposed this rule: the longest chain is the main chain, all miners should extend it, and blocks that are off the main chain, along with their rewards, are ignored.

To avoid losing rewards, miners start mining on the latest block before they have received and verified it in full. As soon as a miner receives the metadata in the header of the latest block, it starts mining on top of it. This avoids wasting mining resources on the old block and increases the chance of mining the next block. This is generally not considered good practice and has raised concerns among many security researchers. This header-based mining is called SPV mining, after the simplified payment verification (SPV) protocol that lightweight clients use to verify part of the blockchain.

Attack

The attack we propose puts the system in a state where the best action for a rational miner is to stop mining.

To induce this state, the attacker generates a block and publishes only its block header, as proof that the block exists. Given a block header, a rational miner has three possible actions:

(1) it can extend the main chain and ignore the block header;

(2) it can extend this block header (SPV mining);

(3) it can stop mining, neither consuming computing power nor winning rewards.

If a rational miner follows option 1, extends the main chain, and finds and broadcasts a new block, then the attacker will use its relatively high connectivity (as in selfish mining) to propagate the complete block BA corresponding to the block header. This leads to a race between two groups of miners: one group receives the attacker's block first, and the other receives the rational miner's block first.

The rational miner is likely to lose this race, in which case its block Bi will never be included in the main chain. Compared to the "no-attack" case, this reduces the expected return of mining on the last complete block.

If a rational miner follows option 2 and successfully extends the attacker's block header BA, the attacker will not publish the full block BA. As a result, the rational miner's block will never be included in the main chain, so its expected return for that block is zero.

Therefore, in both cases, if the original profitability in the "no-attack" setting is not too high, the attacker can ensure that honest miners will eventually suffer losses. The threat of a BDoS attacker thus means that it is better for honest miners to stop than to keep mining, that is, to choose the third option. As the movie "WarGames" states, "The only way to win is not to participate."

Conditions for successful BDoS attacks

Now let's talk about the conditions for a BDoS attacker to succeed. Specifically, for a given rational miner i, we need to consider under what conditions stopping is more profitable for i than continuing to mine, regardless of the behavior of other participants. The answer depends on three factors: first, the attack will succeed if the attacker's computing power is large enough; second, it will succeed if miner i's computing power is small enough; finally, it will succeed if miner i was not very profitable to begin with.

The profit factor of miner i is the return it receives for every dollar it invests in mining when no attack occurs. The image below shows the maximum profit factor at which the attack succeeds, for different attacker sizes (X-axis) and miner sizes (different curves).

In our analysis, we used a property called the profit factor (also rendered as return factor), which represents the return on each dollar of investment. It depends on the cost of mining equipment and electricity, and on the price of the relevant cryptocurrency.

As a specific example, if the largest miner holds 20% of the computing power of the entire network, then an attacker with 20% of the network's computing power can motivate all miners to stop mining when their profit factor is below 1.37.

At present, for Bitcoin, at an electricity price of $0.05/kWh, the profit factor of Bitmain's S17 Pro miner is close to 2 and the profit factor of the S9 is close to 1. If the price of the currency drops sharply and the difficulty increases, the attacker will be able to motivate existing miners to stop mining, which will bring the Bitcoin network to a complete halt. In addition, the Bitcoin block reward is expected to be halved in 2020, which will correspondingly reduce the profitability of miners.

Two-currency model

Please note that our model is conservative and, in a sense, underestimates the attacker's opportunities. So far, we have assumed that a miner can either continue mining or stop mining with a profit of zero. However, cryptocurrency miners often move their mining work to a second cryptocurrency, even if only temporarily. If the initial profitability of the two currencies (before the attack) is similar, then switching to the other currency when the attack occurs is almost as profitable. This means that in this setting, which we call the two-currency model, the attack threat is even higher than our analysis above shows. In fact, the two-currency model is more in line with the real world. For example, there is evidence that miners often switch between BTC and BCH based on profitability.

Mitigation measures and disclosure obligations

We did not rent mining equipment to attack, nor did we short Bitcoin and run. Instead, we followed security research best practices and went through a responsible disclosure period. We issued an attack alert to the developers of the affected major cryptocurrencies and discussed mitigation measures.

We recommend making small changes to the consensus rules so that miners give lower priority to blocks whose block header is older than a certain threshold time (such as 1 minute). This increases the chance that an attacker loses the block propagation race, and thus reduces the effectiveness of BDoS attacks. Unfortunately, this countermeasure is not fundamental. As we explained in the paper, attackers can use smart contracts or zero-knowledge proofs to prove that they found a block (instead of publishing a block header). With these techniques, the attacker's block can no longer be distinguished from the rational miner's block in the block propagation race, which renders the mitigation ineffective.
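A sketch of the header-age rule described above, written as an added example and not taken from the paper or from any client's code. It assumes that "header age" means how long a node knew a header before the full block arrived; the names `Candidate`, `first_seen_choice` and `mitigated_choice` and the timeline are constructed for illustration.

```python
from dataclasses import dataclass

HEADER_AGE_THRESHOLD = 60.0  # seconds; the "such as 1 minute" threshold from the text


@dataclass(frozen=True)
class Candidate:
    block_id: str
    height: int
    header_seen: float  # local time (s) the header was first seen
    body_seen: float    # local time (s) the full block arrived and validated

    @property
    def header_lead(self) -> float:
        """How long the header was known before the full block arrived."""
        return self.body_seen - self.header_seen


def tips(cands):
    """Longest-chain rule: only candidates at the greatest height compete."""
    top = max(c.height for c in cands)
    return [c for c in cands if c.height == top]


def first_seen_choice(cands):
    """Baseline tie-break: among the longest tips, keep the first full block seen."""
    return min(tips(cands), key=lambda c: c.body_seen)


def mitigated_choice(cands, threshold=HEADER_AGE_THRESHOLD):
    """Same rule, but tips whose header was withheld past the threshold sort last."""
    return min(tips(cands), key=lambda c: (c.header_lead > threshold, c.body_seen))


# Constructed timeline, not measured data.
BA = Candidate("BA", 101, header_seen=0.0, body_seen=300.4)    # header-only for ~5 min
BI = Candidate("Bi", 101, header_seen=300.9, body_seen=300.9)  # rational miner's block
RELAY = Candidate("Bn", 101, header_seen=500.0, body_seen=500.3)  # normal header-first relay
LATE = Candidate("Bj", 101, header_seen=500.8, body_seen=500.8)
LONGER = Candidate("BA+1", 102, header_seen=0.0, body_seen=900.0)

if __name__ == "__main__":
    print("first-seen:", first_seen_choice([BA, BI]).block_id)
    print("mitigated :", mitigated_choice([BA, BI]).block_id)
    print("relay case:", mitigated_choice([RELAY, LATE]).block_id)
    print("longer tip:", mitigated_choice([BI, LONGER]).block_id)
```

The rule only reorders tips of equal height, so a strictly longer chain still wins, and ordinary header-first relay with a sub-second lead is unaffected.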

Another possible countermeasure to BDoS attacks is an uncle block reward mechanism, like the scheme adopted by Ethereum. The uncle block reward mechanism rewards miners who mine blocks that are not on the main chain but are directly connected to it. With uncle block rewards, a rational miner is much less likely to stop mining under a BDoS attack, because even if it loses the race, it still gets a reward (equivalent to 7/8 of the full Ethereum block reward). However, this is a trade-off, because uncle blocks reduce the security against selfish mining attacks. In addition, another BDoS-like attack may be longer than the blockchain, which again causes serious competition losses.

Conclusion

BDoS is a threat to Satoshi-consensus blockchains because it allows attackers to perform denial-of-service attacks with much lower computing power than previous attacks. We have shown how attackers can distort incentives and lead profit-driven miners to stop mining. The mitigation measures we propose are easy to implement (no network fork is needed), but they only affect specific types of BDoS attacks. If no more effective mitigation is found, the liveness of Satoshi-consensus blockchains will depend on whether miners are willing to abide by the protocol even when they lose revenue, that is, to be altruistic.