Routing Attacks in Cryptocurrencies - RIPE 77 › presentations › 19-ripe_15_10.pdf · Routing Attacks in Cryptocurrencies 1. Routing attacks quite often make the news 2. source:

Maria Apostolaki

ETH Zürich

Joint work with Aviv Zohar, Gian Marti, Jan Müller, Laurent Vanbever

Routing Attacks in Cryptocurrencies

�1

Routing attacks quite often make the news

�2

source: arstechnica.com

�3

source: wired.com

�4

�5

That is only the tip of the iceberg of routing manipulations

�6

Oct. Dec.

# of monthlyprefix hijacks

2015

Nov. Jan. Feb. March

150k

100k

50k

200k

0

2016�7

10/1

5

11/1

5

12/1

5

01/1

6

02/1

6

03/1

6

0

50k

100k

150k

200k

month

# of

hija

ck e

vent

s

Oct. Dec.

# of monthlyprefix hijacks

2015


150k

100k

50k

200k

0

2016

212k

176k

112k100k

119k137k

�8

Can routing attacks impact Bitcoin?

�9

Bitcoin is highly decentralized making it robust to routing attacks, in theory…

Bitcoin nodes …

are scattered all around the globe

establish random connections

use multihoming and extra relay networks

�10

In practice, Bitcoin is highly centralized,both from a routing and mining viewpoint

�11

�12

<

0

40

100

1 30

80

60

20

20

# of hosting networks

cumulative % ofmining power

10

1 5 10 15 20 25 300

20

40

60

80

100

# of ASes

cum

m. %

of h

ash

powe

r

<

0

40

100

1 30

80

60

20

20



10

Mining power is centralized to few hosting networks

�13

1 5 10 15 20 25 300

20

40

60

80

100

# of ASes

cum

m. %

of h

ash

powe

r

<

0

100

1 30

68



10

68% of the mining power is hosted in 10 networks only

�14

Each attack differs in terms of itsvisibility, impact, and targets

Partitioning Delay

Attack 1 Attack 2

�15

Each attack differs in terms of itsvisibility, impact, and targets

Partitioning Delay

Attack 1 Attack 2

�16

This talk…

Partitioning

Attack 1

visiblenetwork-wide attack

generalizable to all Blockchains

Routing Attacks on Cryptocurrencies

Hijacking Bitcoin

BGP & Bitcoin

Background

Partitioning attacksplitting the network

Countermeasures

short-term & long-term

1

2

4

�18

Bitcoin is a distributed network of nodes

A

B

C

D

E F

G

H

I

J

�19

Bitcoin nodes establish random connectionsbetween each other

A

B

C

D

E F

G

H

I

J

�20

Block #42 Block #43

prev: #41

Tx a1a53743

Tx b5x89433

Tx x5f78432

Tx h1t91267

prev: #42

… …

Block #44

Tx x5f78432

Tx h1t91267

prev: #42

…

�21

The Blockchain is a chain of Blocks

Miners are grouped in mining pools

mining pool

A

B

C

D

E F

G

H

I

J

miners

…

�22

Mining pools connect to the Bitcoin networkthrough multiple gateways

mining pool

gateway #1

gateway #2

…

C

E

�23

Internet

Bitcoin connections are routed over the Internet

…

A

B

C

D

E F

G

H

I

J

�24

AS3

AS1AS7

AS4

AS8

AS2

AS6

AS5

The Internet is composed of Autonomous Systems (ASes). BGP computes the forwarding path across them

A

B

C

D

E F

G

H

I

J…

�25

AS3

AS1AS7

AS4

AS8

AS2

AS6

AS5

Bitcoin messages are propagated unencryptedand without any integrity guarantees

Tx

Tx

block

block

block

Tx

A

B

C

D

E F

G

H

I

J…

�26


Hijacking Bitcoin

BGP & Bitcoin

Background


Countermeasures


1

2

4

�27

The goal of a partitioning attack is to split the Bitcoin network into two disjoint components

�28

Double spending

Revenue Loss

Denial of Service

�29

The impact of such an attack is worrying

Bitcoin clients and wallets cannot secure or propagate transactions

Double spending

Revenue Loss

Denial of Service


�30

Blocks in component with less mining power are discarded

Double spending

Revenue Loss

Denial of Service

�31


Transactions in components with less mining power can be reverted

Double spending

Revenue Loss

Denial of Service

�32


How does the attack work?

�33

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5

Let’s say an attacker wants to partition the network into the left and right side

Attacker

F�34

For doing so, the attacker will manipulate BGP routes to intercept any traffic to the nodes in the right

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5Attacker

F�35

Attacker

Let us focus on node F

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5

F�36

Attacker

F’s provider (AS6) is responsible for IP prefix

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5

F82.0.0.1

AS6

�37

AS3

AS1AS7

AS4AS2

AS5

AS6 will create a BGP advertisement

AS8

AS682.0.0.1

�38

82.0.0.0/23

Path: 6

82.0.0.0/23

Path: 8 6 F

AS3

AS1

AS4AS2

AS6’s advertisement is propagated AS-by-ASuntil all ASes in the Internet learn about it

AS6AS7

AS5AS8

82.0.0.1

AS1 AS6

�39

82.0.0.0/23

Path: 7 6

82.0.0.0/23

Path: 8 6

F

AS3

AS1

AS4AS2

AS6’s advertisement is propagated AS-by-ASuntil all ASes in the Internet learn about it

AS6AS7

AS5AS8

82.0.0.1

AS1 AS6

�40

82.0.0.0/23

Path: 7 6

82.0.0.0/23

Path: 8 6

F

BGP does not check the validity of advertisements,meaning any AS can announce any prefix

�41

Consider that the attacker advertises amore-specific prefix covering F’s IP address

AS3

AS1AS7

AS4AS2

AS5

82.0.0.0/23

Path: 6

AS6

82.0.0.0/24

Path: 8Attacker

82.0.0.1

�42

F

As IP routers prefer more-specific prefixes, the attacker route will be preferred

AS3

AS1AS7

AS4AS2

AS5

82.0.0.1AS6

Attacker

�43

82.0.0.0/24

Path: 8

82.0.0.0/23

Path: 6

AS3

AS1

AS4AS2

AS6AS7

AS5

diverted IP traffic

Attacker

82.0.0.1

�44

Traffic to node F is hijacked

F

By hijacking the IP prefixes pertaining to the right nodes,the attacker can intercept all their connections

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5

AS1

AS3

AS7

Attacker

F�45

Once on-path, the attacker can drop all connections crossing the partition

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5Attacker

F�46

The partition is created

AS3

AS1AS7

AS4

A

B

C

D

E

G

H

I

J

AS2

AS6

AS5Attacker

F�47

Not all partition are feasible in practice:some connections cannot be intercepted

�48

Bitcoin connections established…

within a mining pool

within an AS

between mining pools with private agreements

cannot be hijacked (usually)

�49

Bitcoin connections established…

within a mining pool

within an AS

between mining pools

can be detected and located by the attacker

cannot be hijacked (usually)

enabling her to build a similar but feasible partition

but

�50

AS3

AS1AS7

AS4

A

B

C

E F

G

H

I

J

Attacker

AS2

AS6

AS5

51

Same attacker wants to create a different partition

AS3

AS1AS7

AS4

A

B

C

E F

G

H

I

J

Attacker

AS2

AS6

AS5

52

Same attacker wants to create a different partition

AS3

AS1AS7

AS4

A

Stratum

B

C

E F

G

H

I

J

Attacker

AS2

AS6

AS5

There is a mining pool in the topology

53

AS3

AS1AS7

AS4

A

Stratum

B

C

E F

G

H

I

J

Attacker

AS2

AS6

AS5

Attacker hijacks all prefixes pertaining to nodes in the orange side

54

AS3

AS1AS7

A

Stratum

B

C

E F

G

H

I

J

AS2

AS6

Attacker

Attacker hijacks all prefixes pertaining to nodes in the orange side

55

AS4

AS5

AS3

AS1AS7

A

Stratum

B

C

E F

G

H

I

J

AS2

AS6

Attacker

The attacker drops connections

56

AS4

AS5

AS3

AS1AS7

A

Stratum

B

C

E F

G

H

I

J

AS2

AS6

Attacker

The partition is created but is ineffective

57

AS4

AS5

AS3

AS1AS7

A

Stratum

B

C

E F

G

H

I

J

AS2

AS6

Attacker

The partition is infeasible

58

AS4

AS5

Stealth connection

AS3

AS1AS7

A

Stratum

B

C

E F

G

H

I

J

AS2

AS6

Attacker

The attacker monitors the connections and detects leakage

59

AS4

AS5

AS3

AS1AS7

A

Stratum

B

C

E F

G

H

I

J

AS2

AS6

The attacker monitors the connections

60

AS4

AS5Attacker

Theorem Given a set of nodes to disconnect from the network,

there exist a unique maximal subset that can be isolated

and that the attacker will isolate.

see paper for proof

�61

Practicality Time efficiency

Can it actually happen? How long does it take?

We evaluated the partition attack in terms ofpracticality and time efficiency

�62


Can it actually happen?

We evaluated the partition attack in terms ofpracticality and time efficiency

�63

Splitting the mining power even to half can be doneby hijacking less than 100 prefixes

�64

Splitting the mining power even to half can be doneby hijacking less than 100 prefixes

negligible with respect to routinely observed hijacks

�65

100

1k

10k

30k

month

max

# p

fxes

hija

cked

at o

nce

(log)

Oct. Dec.

max # of prefixeshijacked at once

2015


10k

1k

30k

100

2016

log scale

Hijacks involving up to 1k of prefixes are frequentlyseen in the Internet today

�66


How long does it take?

We also evaluated the partition in terms oftime efficiency

�67

We measured the time required to perform a partition attack by attacking our own nodes

�68

ETH

Live Bitcoin network

We hosted a few Bitcoin nodes at ETH and advertised a covering prefix via Amsterdam

Amsterdam

184.164.232.1-6

...

184.164.232.0/22

�69

ETH


Initially, all the traffic to our nodes transits via Amsterdam

Amsterdam

184.164.232.1-6

...

bitcoin traffic

�70

ETH


We hijacked our nodes

Amsterdam

184.164.232.1-6

...

bitcoin traffic

Cornell

184.164.232.0/23

�71

ETH

We measured the time required for a rogue AS to divert all the traffic to our nodes

Amsterdam

184.164.232.1-6

...

Cornell

divertedbitcoin traffic

�72

<

0 40 8060# seconds from start of hijack

20

0

100

60

40

80

20

cumulative % ofconnectionsintercepted

�73

Seconds from hijack until traffic is received

CD

F #

Con

nect

ions

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

<

0 40 8060# seconds from start of hijack

cumulative % ofconnectionsintercepted

20

0

100

60

40

80

20

It takes less than 2 minutes for the attackerto intercept all the connections

�74

Mitigating a hijack is a human-driven process,as such it often takes hours to be resolved

�75

It took Google close to 3h to mitigate a large hijack in 2008 [6]

Mitigating a hijack is a human-driven process,as such it often takes hours to be resolved

(same hold for more recent hijacks)

�76


Hijacking Bitcoin

BGP & Bitcoin

Background


Countermeasures


1

2

4

�77

Countermeasures exist for both types of attacks

�78

Short-term

Countermeasures against partition attacks exist

Host all Bitcoin clients in /24 prefixes

�79

reduce chances of a successful hijack

Short-term

�80


reduce chances of a successful hijack

Deploy secure routing protocols (S-BGP, RPKI)

prevent partition attacks

Long-term


�81


Deploy secure routing protocols

But are impractical


�82


Deploy secure routing protocols

But are impractical


ISP collaboration required

increase BGP routing tables

Build additional secure channel to allow communicationeven if the Bitcoin network is partitioned

�83

�84

SABRE = Secure Relay Location + Robust Design

add few clients that connect to each other and to all other clients

GA

F

E

C

HB

ID

b1h1

g1

g2

g3

d1

d2d3

GA

F

E

C

D

b1h1

g1

g2

g3

d1

d2d3

SABRE: Additional relay network of relay nodes

E

HB

I

b1

Clients connect to at least one relay node

�88


�89

additional nodes protected against hijacking attacks


�90

Open and Resilient against DDoS attacks


relays cover most clients

peering ASes with no customers

nodes in /24 prefix

k-connected graph of relays

Secure Relay Placement



nodes in /24 prefix


malicious prefix in competitionwith legitimate ones


Attacker Origin

If the attacker advertises a longer prefix than the origin

Attacker Origin

If the attacker advertises a longer prefix all ASes will be vulnerable

Attacker Origin

The attacker advertises same length prefix as the origin

Attacker Origin

~50% ASes would follow the attacker’s advertisement

Attacker Origin

Business relations define which AS will follow the attackers advertisement

providerprovider

peer peer

customer

peer

customer



nodes in /24 prefix





nodes in /24 prefix


no strictly better prefix advertisement exists


Relay1

No strictly better advertisement exist

Relay2

Relay1

Peering agreement can be revoked

Relay2



nodes in /24 prefix

k-connected graph of relaysrelay connectivityis not affected by any k cuts


Relay1

Peering agreement can be revoked

Relay2

Relay1

2-k connected graph retains connectivity

Relay2

Relay3



nodes in /24 prefix


relays are in path that are morepreferred than any alternative




nodes in /24 prefix



�107


control plane

data plane

SABRE

hardware

software #A

Software/Hardware co-design

rarely updated state

communication heavy protocol

Software/Hardware co-design is possible because…

programmable hardware




programmable hardwareflexible and expressive data plane pipeline





new Blocks are mined every 10 minutes





simple computations,many message exchanges

dynamic network defenses

keep up with high demand

Software/Hardware co-design is suitable because…




Tbps of traffic at line ratesustain DDoS attacks




Whitelists, BlackLists.Spoofing Detection,Amplification mitigation


Hijacking Bitcoin

Bitcoin is vulnerable to routing attacks

both at the network and at the node level

The potential impact on the currency is worrying

DoS, double spending, loss of revenues, etc.

Countermeasures exist

Secure routing is best; SABRE is a good alternative

�116https://btc-hijack.ethz.ch

Documents

Routing Attacks in Cryptocurrencies - RIPE 77 › presentations › 19-ripe_15_10.pdf · Routing Attacks in Cryptocurrencies 1. Routing attacks quite often make the news 2. source: