Final SP btc › files › Final_SP_btc.pdf · 10/15 11/15 12/15 01/16 02/16 03/16 0 50k 100k 150k...

IEEE Security & Privacy

Maria Apostolaki

23 May 2017

ETH Zürich

Joint work with Aviv Zohar and Laurent Vanbever

Routing Attacks on Cryptocurrencies

Hijacking Bitcoin

1

Routing attacks quite often make the news

2

source: arstechnica.com

3

source: wired.com

4

That is only the tip of the iceberg of routing manipulations

5

Oct. Dec.

# of monthlyrouting hijacks

2015

Nov. Jan. Feb. March

150k

100k

50k

200k

0

20166

10/1

5

11/1

5

12/1

5

01/1

6

02/1

6

03/1

6

0

50k

100k

150k

200k

month

# of

hija

ck e

vent

s

Oct. Dec.

# of monthlyrouting hijacks

2015


150k

100k

50k

200k

0

2016

212k

176k

112k100k

119k137k

7

Can routing attacks impact Bitcoin?

8

Bitcoin is highly decentralized making it robust to routing attacks, in theory…

Bitcoin nodes …

are scattered all around the globe

establish random connections

use multihoming and extra relay networks

9

In practice, Bitcoin is highly centralized,both from a routing and mining viewpoint

10

11

<

0

40

100

1 30

80

60

20

20

# of hosting networks

cumulative % ofmining power

10

1 5 10 15 20 25 300

20

40

60

80

100

# of ASes

cum

m. %

of h

ash

powe

r

<

0

40

100

1 30

80

60

20

20



10

Mining power is centralized to few hosting networks

12

1 5 10 15 20 25 300

20

40

60

80

100

# of ASes

cum

m. %

of h

ash

powe

r

<

0

100

1 30

68



10

68% of the mining power is hosted in 10 networks only

13

1 10 100 12220

20

40

60

80

100

# of ASes

cum

. %

connect

ions

inte

rcepte

d

<

0

100

1 10 1220

60

100

# of transit networks

cumulative % of connections

40

80

20

14

1 10 100 12220

20

40

60

80

100

# of ASes

cum

. %

connect

ions

inte

rcepte

d

<

0

100

1 10 1220

60

100



Likewise, a few transit networks can intercepta large fraction of the Bitcoin connections

40

80

20

15

1 10 100 12220

20

40

60

80

100

# of ASes

cum

. %

connect

ions

inte

rcepte

d

<

0

100

1 3 1220



3 transit networks see more than 60% of all connections

63

16

Because of these characteristics two routing attacks practical and effective today

Partitioning Delay

Attack 1 Attack 2

Split the network in half Delay block propagation

17

Each attack differs in terms of itsvisibility, impact, and targets

Partitioning Delay

Attack 1 Attack 2

visible

network-wide attack

invisible

targeted attack (set of nodes)

18

Each attack differs in terms of itsvisibility, impact, and targets

Partitioning Delay

Attack 1 Attack 2

visible

network-wide attack

invisible

targeted attack (set of nodes)

19


Hijacking Bitcoin

BGP & Bitcoin

Background

Partitioning attack

splitting the network

Delay attack

slowing the network down

Countermeasures

short-term & long-term

1

2

3

4

20

BGP & Bitcoin

Background

Partitioning attack


Delay attack


Countermeasures


1


Hijacking Bitcoin

21

Bitcoin is a distributed network of nodes

A

B

C

D

E F

G

H

I

J

22

Bitcoin nodes establish random connectionsbetween each other

A

B

C

D

E F

G

H

I

J

23

Each node keeps a ledger of all transactions ever performed: “the blockchain”

Tx a1a53743

Tx b5x89433

Tx x5f78432

Tx h1t91267

… …

Tx x5f78432

Tx h1t91267

…

24

Block #42 Block #43

prev: #41

Tx a1a53743

Tx b5x89433

Tx x5f78432

Tx h1t91267

prev: #42

… …

Block #44

Tx x5f78432

Tx h1t91267

prev: #42

…

25

The Blockchain is a chain of Blocks

The Blockchain is extended by miners

Block #44

Tx z2v67542

Tx p6o74587

prev: #43

…

Block #42 Block #43

prev: #41

Tx a1a53743

Tx b5x89433

Tx x5f78432

Tx h1t91267

prev: #42

… …

26

Miners are grouped in mining pools

mining pool

A

B

C

D

E F

G

H

I

J

miners

…

27

Internet

Bitcoin connections are routed over the Internet

…

A

B

C

D

E F

G

H

I

J

28

AS3

AS1AS7

AS4

AS8

AS2

AS6

AS5

The Internet is composed of Autonomous Systems (ASes). BGP computes the forwarding path across them

A

B

C

D

E F

G

H

I

J…

29

AS3

AS1AS7

AS4

AS8

AS2

AS6

AS5

Bitcoin messages are propagated unencryptedand without any integrity guarantees

Tx

Tx

block

block

block

Tx

A

B

C

D

E F

G

H

I

J…

30

BGP & Bitcoin

Background

Partitioning attack


Delay attack


Countermeasures


2


Hijacking Bitcoin

31

The goal of a partitioning attack is to split the Bitcoin network into two disjoint components

32

Double spending

Revenue Loss

Denial of Service

33

The impact of such an attack is worrying

Bitcoin clients and wallets cannot secure or propagate transactions

Double spending

Revenue Loss

Denial of Service


34

Blocks in component with less mining power are discarded

Double spending

Revenue Loss

Denial of Service

35


Transactions in components with less mining power can be reverted

Double spending

Revenue Loss

Denial of Service

36


How does the attack work?

37

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5

Let’s say an attacker wants to partition the network into the left and right side

Attacker

F

38

For doing so, the attacker will manipulate BGP routes to intercept any traffic to the nodes in the right

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5Attacker

F

39

Attacker

Let us focus on node F

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5

F

40

Attacker

F’s provider (AS6) is responsible for IP prefix

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5

F

82.0.0.1AS6

41

AS3

AS1AS7

AS4AS2

AS5

AS6 will create a BGP advertisement

AS8

AS682.0.0.1

42

82.0.0.0/23

Path: 6

82.0.0.0/23

Path: 8 6 F

AS3

AS1

AS4AS2

AS6’s advertisement is propagated AS-by-ASuntil all ASes in the Internet learn about it

AS6AS7

AS5AS8

82.0.0.1

AS1 AS6

43

82.0.0.0/23

Path: 7 6

82.0.0.0/23

Path: 8 6

F

AS3

AS1

AS4AS2

AS6’s advertisement is propagated AS-by-ASuntil all ASes in the Internet learn about it

AS6AS7

AS5AS8

82.0.0.1

AS1 AS6

44

82.0.0.0/23

Path: 7 6

82.0.0.0/23

Path: 8 6

F

BGP does not check the validity of advertisements,meaning any AS can announce any prefix

45

Consider that the attacker advertises amore-specific prefix covering F’s IP address

AS3

AS1AS7

AS4AS2

AS5

82.0.0.0/23

Path: 6

AS6

82.0.0.0/24

Path: 8Attacker

82.0.0.1

46

F

As IP routers prefer more-specific prefixes, the attacker route will be preferred

AS3

AS1AS7

AS4AS2

AS5

82.0.0.1

AS6

Attacker

47

82.0.0.0/24

Path: 8

82.0.0.0/23

Path: 6

AS3

AS1

AS4AS2

AS6AS7

AS5

diverted IP traffic

Attacker

82.0.0.1

48

Traffic to node F is hijacked

F

By hijacking the IP prefixes pertaining to the right nodes,the attacker can intercept all their connections

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5

AS1

AS3

AS7

Attacker

F

49

Once on-path, the attacker can drop all connections crossing the partition

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5Attacker

F

50

The partition is created

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5Attacker

F

51

Not all partition are feasible in practice:some connections cannot be intercepted

52

Bitcoin connections established…

within a mining pool

within an AS

between mining pools with private agreements

cannot be hijacked (usually)

53

Bitcoin connections established…

within a mining pool

within an AS

between mining pools

can be detected and located by the attacker

cannot be hijacked (usually)

enabling her to build a similar but feasible partition

but

54

Theorem Given a set of nodes to disconnect from the network,

there exist a unique maximal subset that can be isolated

and that the attacker will isolate.

see paper for proof

55

Practicality Time efficiency

Can it actually happen? How long does it take?

We evaluated the partition attack in terms ofpracticality and time efficiency

56


Can it actually happen?

We evaluated the partition attack in terms ofpracticality and time efficiency

57

Splitting the mining power even to half can be doneby hijacking less than 100 prefixes

58

Splitting the mining power even to half can be doneby hijacking less than 100 prefixes

negligible with respect to

routinely observed hijacks

59

100

1k

10k

30k

month

max

# p

fxes

hija

cked

at o

nce

(log)

Oct. Dec.

max # of prefixeshijacked at once

2015


10k

1k

30k

100

2016

log scale

Hijacks involving up to 1k of prefixes are frequentlyseen in the Internet today

60


How long does it take?

We also evaluated the partition in terms oftime efficiency

61

We measured the time required to perform a partition attack by attacking our own nodes

62

ETH

Live Bitcoin

network

We hosted a few Bitcoin nodes at ETH and advertised a covering prefix via Amsterdam

Amsterdam

184.164.232.1-6

...

184.164.232.0/22

63

ETH

Live Bitcoin

network

Initially, all the traffic to our nodes transits via Amsterdam

Amsterdam

184.164.232.1-6

...

bitcoin traffic

64

ETH

Live Bitcoin

network

We hijacked our nodes

Amsterdam

184.164.232.1-6

...

bitcoin traffic

Cornell

184.164.232.0/23

65

ETH

We measured the time required for a rogue AS to divert all the traffic to our nodes

Amsterdam

184.164.232.1-6

...

Cornell

divertedbitcoin traffic

66

<

0 40 8060# seconds from start of hijack

20

0

100

60

40

80

20

cumulative % ofconnectionsintercepted

67

Seconds from hijack until traffic is received

CD

F #

Con

nect

ions

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

<

0 40 8060# seconds from start of hijack

cumulative % ofconnectionsintercepted

20

0

100

60

40

80

20

It takes less than 2 minutes for the attackerto intercept all the connections

68

Mitigating a hijack is a human-driven process,as such it often takes hours to be resolved

69

It took Google close to 3h

to mitigate a large hijack in 2008 [6]

Mitigating a hijack is a human-driven process,as such it often takes hours to be resolved

(same hold for more recent hijacks)

70


Hijacking Bitcoin

BGP & Bitcoin

Background

Partitioning attack


Delay attack


Countermeasures


1

2

3

4

71

The goal of a delay attack is to keep the victim uninformed of the latest Block

72

The impact of delay attacks is worryingand depends on the victim

Regular node

Mining pool

Merchant

73

susceptible to be the victimof double-spending attacks

Regular node

Mining pool

Merchant


74

waste their mining power bymining on an obsolete chain


Regular node

Mining pool

Merchant

75

unable to collaborate to the peer-to-peer network


Regular node

Mining pool

Merchant

76

Merchant

How does a delay attack work?

77

tim

e

#

victimA B

Consider these three Bitcoin nodes

78

#

victimattackerA B

An attacker wishes to delay the block propagationtowards the victim

tim

e

79

INV Block #42

INV Block

INV Block

The victim receives two advertisement for the block

victimattackerA Bti

me

80

INV Block #42

#

INV Block

INV Block

GET DATA Block

The victim requests the block to one of its peer, say A

victimattackerA Bti

me

81

INV Block #42

#

INV Block

INV Block

GET DATA Block

As a MITM, the attacker could drop the GETDATA message

victimattackerA Bti

me

82

INV Block #42

#

INV Block

INV Block

GET DATA Block

Similarly, the attacker could drop the delivery of the block message

BLOCK Block

victimattackerA Bti

me

83

INV Block #42

#

INV Block

INV Block

GET DATA Block

BLOCK Block

victimattackerA Bti

me

Similarly, the attacker could drop the delivery of the block message

84

INV Block #42

#

INV Block

INV Block

GET DATA Block

Yet, both cases will lead to the victim killing the connection (by the TCP stack on the victim)

DISCONNECT BLOCK Block

victimattackerA Bti

me

85

INV Block #42

#

INV Block

INV Block

GET DATA Block

GET DATA Block

Instead, the attacker could intercept the GETDATA and modifies its content

victimattackerA Bti

me

86

INV Block #42

BLOCK Block #30

#

INV Block

INV Block

GET DATA Block

GET DATA Block

BLOCK Block

By modifying the ID of the requested block,the attacker triggers the delivery of an older block

victimattackerA Bti

me

87

INV Block #42

BLOCK Block #30

ignored

#

INV Block

INV Block

GET DATA Block

GET DATA Block

BLOCK Block

The delivery of an older block triggersno error message at the victim

victimattackerA Bti

me

88

INV Block #42

BLOCK Block #30

ignored

#

INV Block

INV Block

GET DATA Block

GET DATA Block

BLOCK Block

up to

20 min

From there on, the victim will wait for 20 minutesfor the actual block to be delivered

victimattackerA Bti

me

89

INV Block #42

BLOCK Block #30

ignored

#

INV Block

INV Block

GET DATA Block

GET DATA Block

BLOCK Block

GET DATA Tx

GET DATA Block

up to

20 min

To keep the connection alive, the attacker can trigger the block delivery by modifying another GETDATA message

victimattackerA Bti

me

90

INV Block #42

BLOCK Block #30

ignored

#

INV Block

INV Block

GET DATA Block

GET DATA Block

BLOCK Block

GET DATA Tx

GET DATA Block

up to

20 min

Doing so, the block is delivered before the timeoutand the attack goes undetected (and could be resumed)

BLOCK Block

victimattackerA Bti

me

91

Effectiveness Practicality

How much time does

the victim stay uniformed?

Is it likely to happen?

We evaluated the delay attack in terms ofeffectiveness and practicality

92

MiTMVictim

y%x%

We performed the attackon a percentage of a node’s connections (*)

Live Bitcoin

network

(*) software available online: https://btc-hijack.ethz.ch/93

94

The attacker can keep the victim uninformed for most of its uptime while staying under the radar

even if the attacker intercepts

a fraction of the node connection

95

The attacker can keep the victim uninformed for most of its uptime while staying under the radar

% intercepted connections 50%

96

% intercepted connections

% time victim does not havethe most recent block

50%

63.2%

97

% intercepted connections

% time victim does not havethe most recent block

% nodes vulnerable to attack 67.9%

50%

63.2%

The vast majority of the Bitcoin network is at risk

98


Hijacking Bitcoin

BGP & Bitcoin

Background

Partitioning attack


Delay attack


Countermeasures


1

2

3

4

99

Both sort-term and long-term countermeasures exist

100

Short-term Routing-aware peer selection

reduce risk of having one ISP seeing all connections

Monitor changes in peer behavior, statistics, etc.

abnormal changes could be the sign of a partition

101

Short-term countermeasures are simple shifts in the Bitcoin clients

Long-term

Longer-term countermeasures provide more guaranteesbut require protocol or infrastructure changes

Use end-to-end encryption or MAC

prevent delay attacks (not partition attacks)

Deploy secure routing protocols

prevent partition attacks (not delay attacks)

102


Hijacking Bitcoin

BGP & Bitcoin

Background

Partitioning attack


Delay attack


Countermeasures


103


Hijacking Bitcoin

Bitcoin is vulnerable to routing attacks

both at the network and at the node level

The potential impact on the currency is worrying

DoS, double spending, loss of revenues, etc.

Countermeasures exist (we’re working on it!)

some of which can be deployed today

104

IEEE Security & Privacy

Maria Apostolaki

23 May 2017

ETH Zürich

Visit our website: https://btc-hijack.ethz.ch


Hijacking Bitcoin

105

https://btc-hijack.ethz.ch


Hijacking Bitcoin

Bitcoin is vulnerable to routing attacks

both at the network and at the node level

The potential impact on the currency is worrying

DoS, double spending, loss of revenues, etc.

Countermeasures exist (we’re working on it!)

some of which can be deployed today

106Visit our website: https://btc-hijack.ethz.ch

https://btc-hijack.ethz.ch

Final SP btc › files › Final_SP_btc.pdf · 10/15 11/15 12/15 01/16 02/16 03/16 0 50k 100k 150k...

Documents

Transcript of Final SP btc › files › Final_SP_btc.pdf · 10/15 11/15 12/15 01/16 02/16 03/16 0 50k 100k 150k...