Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Maria Apostolaki
ETH Zürich
Joint work with Aviv Zohar, Gian Marti, Jan Müller, Laurent Vanbever
Routing Attacks in Cryptocurrencies
�1
Routing attacks quite often make the news
�2
source: arstechnica.com
�3
source: wired.com
�4
�5
That is only the tip of the iceberg of routing manipulations
�6
Oct. Dec.
# of monthlyprefix hijacks
2015
Nov. Jan. Feb. March
150k
100k
50k
200k
0
2016�7
10/1
5
11/1
5
12/1
5
01/1
6
02/1
6
03/1
6
0
50k
100k
150k
200k
month
# of
hija
ck e
vent
s
Oct. Dec.
# of monthlyprefix hijacks
2015
Nov. Jan. Feb. March
150k
100k
50k
200k
0
2016
212k
176k
112k100k
119k137k
�8
Can routing attacks impact Bitcoin?
�9
Bitcoin is highly decentralized making it robust to routing attacks, in theory…
Bitcoin nodes …
are scattered all around the globe
establish random connections
use multihoming and extra relay networks
�10
In practice, Bitcoin is highly centralized,both from a routing and mining viewpoint
�11
�12
<
0
40
100
1 30
80
60
20
20
# of hosting networks
cumulative % ofmining power
10
1 5 10 15 20 25 300
20
40
60
80
100
# of ASes
cum
m. %
of h
ash
powe
r
<
0
40
100
1 30
80
60
20
20
# of hosting networks
cumulative % ofmining power
10
Mining power is centralized to few hosting networks
�13
1 5 10 15 20 25 300
20
40
60
80
100
# of ASes
cum
m. %
of h
ash
powe
r
<
0
100
1 30
68
# of hosting networks
cumulative % ofmining power
10
68% of the mining power is hosted in 10 networks only
�14
Each attack differs in terms of itsvisibility, impact, and targets
Partitioning Delay
Attack 1 Attack 2
�15
Each attack differs in terms of itsvisibility, impact, and targets
Partitioning Delay
Attack 1 Attack 2
�16
This talk…
Partitioning
Attack 1
visiblenetwork-wide attack
generalizable to all Blockchains
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
BGP & Bitcoin
Background
Partitioning attacksplitting the network
Countermeasures
short-term & long-term
1
2
4
�18
Bitcoin is a distributed network of nodes
A
B
C
D
E F
G
H
I
J
�19
Bitcoin nodes establish random connectionsbetween each other
A
B
C
D
E F
G
H
I
J
�20
Block #42 Block #43
prev: #41
Tx a1a53743
Tx b5x89433
Tx x5f78432
Tx h1t91267
prev: #42
… …
Block #44
Tx x5f78432
Tx h1t91267
prev: #42
…
�21
The Blockchain is a chain of Blocks
Miners are grouped in mining pools
mining pool
A
B
C
D
E F
G
H
I
J
miners
…
�22
Mining pools connect to the Bitcoin networkthrough multiple gateways
mining pool
gateway #1
gateway #2
…
C
E
�23
Internet
Bitcoin connections are routed over the Internet
…
A
B
C
D
E F
G
H
I
J
�24
AS3
AS1AS7
AS4
AS8
AS2
AS6
AS5
The Internet is composed of Autonomous Systems (ASes). BGP computes the forwarding path across them
A
B
C
D
E F
G
H
I
J…
�25
AS3
AS1AS7
AS4
AS8
AS2
AS6
AS5
Bitcoin messages are propagated unencryptedand without any integrity guarantees
Tx
Tx
block
block
block
Tx
A
B
C
D
E F
G
H
I
J…
�26
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
BGP & Bitcoin
Background
Partitioning attacksplitting the network
Countermeasures
short-term & long-term
1
2
4
�27
The goal of a partitioning attack is to split the Bitcoin network into two disjoint components
�28
Double spending
Revenue Loss
Denial of Service
�29
The impact of such an attack is worrying
Bitcoin clients and wallets cannot secure or propagate transactions
Double spending
Revenue Loss
Denial of Service
The impact of such an attack is worrying
�30
Blocks in component with less mining power are discarded
Double spending
Revenue Loss
Denial of Service
�31
The impact of such an attack is worrying
Transactions in components with less mining power can be reverted
Double spending
Revenue Loss
Denial of Service
�32
The impact of such an attack is worrying
How does the attack work?
�33
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5
Let’s say an attacker wants to partition the network into the left and right side
Attacker
F�34
For doing so, the attacker will manipulate BGP routes to intercept any traffic to the nodes in the right
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5Attacker
F�35
Attacker
Let us focus on node F
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5
F�36
Attacker
F’s provider (AS6) is responsible for IP prefix
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5
F82.0.0.1
AS6
�37
AS3
AS1AS7
AS4AS2
AS5
AS6 will create a BGP advertisement
AS8
AS682.0.0.1
�38
82.0.0.0/23
Path: 6
82.0.0.0/23
Path: 8 6 F
AS3
AS1
AS4AS2
AS6’s advertisement is propagated AS-by-ASuntil all ASes in the Internet learn about it
AS6AS7
AS5AS8
82.0.0.1
AS1 AS6
�39
82.0.0.0/23
Path: 7 6
82.0.0.0/23
Path: 8 6
F
AS3
AS1
AS4AS2
AS6’s advertisement is propagated AS-by-ASuntil all ASes in the Internet learn about it
AS6AS7
AS5AS8
82.0.0.1
AS1 AS6
�40
82.0.0.0/23
Path: 7 6
82.0.0.0/23
Path: 8 6
F
BGP does not check the validity of advertisements,meaning any AS can announce any prefix
�41
Consider that the attacker advertises amore-specific prefix covering F’s IP address
AS3
AS1AS7
AS4AS2
AS5
82.0.0.0/23
Path: 6
AS6
82.0.0.0/24
Path: 8Attacker
82.0.0.1
�42
F
As IP routers prefer more-specific prefixes, the attacker route will be preferred
AS3
AS1AS7
AS4AS2
AS5
82.0.0.1AS6
Attacker
�43
82.0.0.0/24
Path: 8
82.0.0.0/23
Path: 6
AS3
AS1
AS4AS2
AS6AS7
AS5
diverted IP traffic
Attacker
82.0.0.1
�44
Traffic to node F is hijacked
F
By hijacking the IP prefixes pertaining to the right nodes,the attacker can intercept all their connections
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5
AS1
AS3
AS7
Attacker
F�45
Once on-path, the attacker can drop all connections crossing the partition
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5Attacker
F�46
The partition is created
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5Attacker
F�47
Not all partition are feasible in practice:some connections cannot be intercepted
�48
Bitcoin connections established…
within a mining pool
within an AS
between mining pools with private agreements
cannot be hijacked (usually)
�49
Bitcoin connections established…
within a mining pool
within an AS
between mining pools
can be detected and located by the attacker
cannot be hijacked (usually)
enabling her to build a similar but feasible partition
but
�50
AS3
AS1AS7
AS4
A
B
C
E F
G
H
I
J
Attacker
AS2
AS6
AS5
51
Same attacker wants to create a different partition
AS3
AS1AS7
AS4
A
B
C
E F
G
H
I
J
Attacker
AS2
AS6
AS5
52
Same attacker wants to create a different partition
AS3
AS1AS7
AS4
A
Stratum
B
C
E F
G
H
I
J
Attacker
AS2
AS6
AS5
There is a mining pool in the topology
53
AS3
AS1AS7
AS4
A
Stratum
B
C
E F
G
H
I
J
Attacker
AS2
AS6
AS5
Attacker hijacks all prefixes pertaining to nodes in the orange side
54
AS3
AS1AS7
A
Stratum
B
C
E F
G
H
I
J
AS2
AS6
Attacker
Attacker hijacks all prefixes pertaining to nodes in the orange side
55
AS4
AS5
AS3
AS1AS7
A
Stratum
B
C
E F
G
H
I
J
AS2
AS6
Attacker
The attacker drops connections
56
AS4
AS5
AS3
AS1AS7
A
Stratum
B
C
E F
G
H
I
J
AS2
AS6
Attacker
The partition is created but is ineffective
57
AS4
AS5
AS3
AS1AS7
A
Stratum
B
C
E F
G
H
I
J
AS2
AS6
Attacker
The partition is infeasible
58
AS4
AS5
Stealth connection
AS3
AS1AS7
A
Stratum
B
C
E F
G
H
I
J
AS2
AS6
Attacker
The attacker monitors the connections and detects leakage
59
AS4
AS5
AS3
AS1AS7
A
Stratum
B
C
E F
G
H
I
J
AS2
AS6
The attacker monitors the connections
60
AS4
AS5Attacker
Theorem Given a set of nodes to disconnect from the network,
there exist a unique maximal subset that can be isolated
and that the attacker will isolate.
see paper for proof
�61
Practicality Time efficiency
Can it actually happen? How long does it take?
We evaluated the partition attack in terms ofpracticality and time efficiency
�62
Practicality Time efficiency
Can it actually happen?
We evaluated the partition attack in terms ofpracticality and time efficiency
�63
Splitting the mining power even to half can be doneby hijacking less than 100 prefixes
�64
Splitting the mining power even to half can be doneby hijacking less than 100 prefixes
negligible with respect to routinely observed hijacks
�65
100
1k
10k
30k
month
max
# p
fxes
hija
cked
at o
nce
(log)
Oct. Dec.
max # of prefixeshijacked at once
2015
Nov. Jan. Feb. March
10k
1k
30k
100
2016
log scale
Hijacks involving up to 1k of prefixes are frequentlyseen in the Internet today
�66
Practicality Time efficiency
How long does it take?
We also evaluated the partition in terms oftime efficiency
�67
We measured the time required to perform a partition attack by attacking our own nodes
�68
ETH
Live Bitcoin network
We hosted a few Bitcoin nodes at ETH and advertised a covering prefix via Amsterdam
Amsterdam
184.164.232.1-6
...
184.164.232.0/22
�69
ETH
Live Bitcoin network
Initially, all the traffic to our nodes transits via Amsterdam
Amsterdam
184.164.232.1-6
...
bitcoin traffic
�70
ETH
Live Bitcoin network
We hijacked our nodes
Amsterdam
184.164.232.1-6
...
bitcoin traffic
Cornell
184.164.232.0/23
�71
ETH
We measured the time required for a rogue AS to divert all the traffic to our nodes
Amsterdam
184.164.232.1-6
...
Cornell
divertedbitcoin traffic
�72
<
0 40 8060# seconds from start of hijack
20
0
100
60
40
80
20
cumulative % ofconnectionsintercepted
�73
Seconds from hijack until traffic is received
CD
F #
Con
nect
ions
0
20
40
60
80
100
0 10 20 30 40 50 60 70 80
<
0 40 8060# seconds from start of hijack
cumulative % ofconnectionsintercepted
20
0
100
60
40
80
20
It takes less than 2 minutes for the attackerto intercept all the connections
�74
Mitigating a hijack is a human-driven process,as such it often takes hours to be resolved
�75
It took Google close to 3h to mitigate a large hijack in 2008 [6]
Mitigating a hijack is a human-driven process,as such it often takes hours to be resolved
(same hold for more recent hijacks)
�76
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
BGP & Bitcoin
Background
Partitioning attacksplitting the network
Countermeasures
short-term & long-term
1
2
4
�77
Countermeasures exist for both types of attacks
�78
Short-term
Countermeasures against partition attacks exist
Host all Bitcoin clients in /24 prefixes
�79
reduce chances of a successful hijack
Short-term
�80
Host all Bitcoin clients in /24 prefixes
reduce chances of a successful hijack
Deploy secure routing protocols (S-BGP, RPKI)
prevent partition attacks
Long-term
Countermeasures against partition attacks exist
�81
Host all Bitcoin clients in /24 prefixes
Deploy secure routing protocols
But are impractical
Countermeasures against partition attacks exist
�82
Host all Bitcoin clients in /24 prefixes
Deploy secure routing protocols
But are impractical
Countermeasures against partition attacks exist
ISP collaboration required
increase BGP routing tables
Build additional secure channel to allow communicationeven if the Bitcoin network is partitioned
�83
�84
SABRE = Secure Relay Location + Robust Design
add few clients that connect to each other and to all other clients
GA
F
E
C
HB
ID
b1h1
g1
g2
g3
d1
d2d3
GA
F
E
C
D
b1h1
g1
g2
g3
d1
d2d3
SABRE: Additional relay network of relay nodes
E
HB
I
b1
Clients connect to at least one relay node
�88
SABRE = Secure Relay Location + Robust Design
�89
additional nodes protected against hijacking attacks
SABRE = Secure Relay Location + Robust Design
�90
Open and Resilient against DDoS attacks
SABRE = Secure Relay Location + Robust Design
relays cover most clients
peering ASes with no customers
nodes in /24 prefix
k-connected graph of relays
Secure Relay Placement
relays cover most clients
peering ASes with no customers
nodes in /24 prefix
k-connected graph of relays
malicious prefix in competitionwith legitimate ones
Secure Relay Placement
Attacker Origin
If the attacker advertises a longer prefix than the origin
Attacker Origin
If the attacker advertises a longer prefix all ASes will be vulnerable
Attacker Origin
The attacker advertises same length prefix as the origin
Attacker Origin
~50% ASes would follow the attacker’s advertisement
Attacker Origin
Business relations define which AS will follow the attackers advertisement
providerprovider
peer peer
customer
peer
customer
relays cover most clients
peering ASes with no customers
nodes in /24 prefix
k-connected graph of relays
Secure Relay Placement
relays cover most clients
peering ASes with no customers
nodes in /24 prefix
k-connected graph of relays
no strictly better prefix advertisement exists
Secure Relay Placement
Relay1
No strictly better advertisement exist
Relay2
Relay1
Peering agreement can be revoked
Relay2
relays cover most clients
peering ASes with no customers
nodes in /24 prefix
k-connected graph of relaysrelay connectivityis not affected by any k cuts
Secure Relay Placement
Relay1
Peering agreement can be revoked
Relay2
Relay1
2-k connected graph retains connectivity
Relay2
Relay3
relays cover most clients
peering ASes with no customers
nodes in /24 prefix
k-connected graph of relays
relays are in path that are morepreferred than any alternative
Secure Relay Placement
relays cover most clients
peering ASes with no customers
nodes in /24 prefix
k-connected graph of relays
Secure Relay Placement
�107
SABRE = Secure Relay Location + Robust Design
control plane
data plane
SABRE
hardware
software #A
Software/Hardware co-design
rarely updated state
communication heavy protocol
Software/Hardware co-design is possible because…
programmable hardware
rarely updated state
communication heavy protocol
Software/Hardware co-design is possible because…
programmable hardwareflexible and expressive data plane pipeline
rarely updated state
communication heavy protocol
Software/Hardware co-design is possible because…
programmable hardware
new Blocks are mined every 10 minutes
rarely updated state
communication heavy protocol
Software/Hardware co-design is possible because…
programmable hardware
simple computations,many message exchanges
dynamic network defenses
keep up with high demand
Software/Hardware co-design is suitable because…
dynamic network defenses
keep up with high demand
Software/Hardware co-design is suitable because…
Tbps of traffic at line ratesustain DDoS attacks
dynamic network defenses
keep up with high demand
Software/Hardware co-design is suitable because…
Whitelists, BlackLists.Spoofing Detection,Amplification mitigation
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
Bitcoin is vulnerable to routing attacks
both at the network and at the node level
The potential impact on the currency is worrying
DoS, double spending, loss of revenues, etc.
Countermeasures exist
Secure routing is best; SABRE is a good alternative
�116https://btc-hijack.ethz.ch