Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presentation by Shamili

Published byDiane Patterson Modified over 6 years ago

Similar presentations

Presentation on theme: "Presentation by Shamili"— Presentation transcript:

1 Presentation by Shamili
Hijacking Bitcoin: Routing Attacks on Cryptocurrencies Maria Apostolaki, Aviv Zohar, Laurent Vanbever Presentation by Shamili

2 Cryptocurrency and digital payment system that is de-centralized.
No single repository. Can be exchanged for other currencies, products and services. Around 300,000 transactions daily. Currently, 1 Bitcoin = NZD. What is Bitcoin? Bitcoin is a worldwide cryptocurrency and digital payment system called the first decentralized digital currency, as the system works without a central repository or single administrator. Bitcoins are created as a reward for mining. They can be exchanged for other currencies, products, and services. Created as rewards for mining.

3 Block Chain: Public Ledger that records bitcoin transactions
Block Chain: Public Ledger that records bitcoin transactions. Uses peer-to-peer model and is synchronized. Transactions: At each transaction, ownership and balance must be know to each block which is learnt from the block chain. Mining Pools: Group of miners that divide block creation to lower economic risks. Autonomous System: Set of IPs under the control of one or more operator on behalf of a single administrative entity. Border Gateway Protocol: Protocol used to exchange routing and reachability information among AS on the internet. Terminologies Bitcoin’s blockchain is comprised of blocks, batches of transactions, that are appended to the ledger serially. Each block contains a cryptographic hash of its predecessor, which identifies its place in the chain, and a proof-of-work. Transaction validation requires nodes to be aware of the ownership of funds and the balance of each Bitcoin address. Mining is a record keeping service that is used to keep the block chain consistent. Mining pools represent groups of miners that divide block creation rewards between them in order to lower the high economic risk associated with infrequent (but high) payments. An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the Internet like University. the de-facto routing protocol that regulates how IP packets are forwarded in the Internet. Routes associated with different IP prefixes are exchanged between neighboring networks or Autonomous Systems (AS). For any given IP prefix, one AS (the origin) is responsible for the original route advertisement, which is then propagated ASby- AS until all ASes learn about it.

4 Routing Attacks on Bitcoin
Routed in clear text without integrity check. Both node level and network wide attacks are were considered. Partitioning attack to disconnect a set of nodes form the network. Delay attack to slow down the propagation of blocks towards or from a given set of nodes. Routing Attacks on Bitcoin As Bitcoin connections are routed over the Internet— in clear text and without integrity checks—any third-party on the forwarding path can eavesdrop, drop, modify, inject, or delay Bitcoin messages such as blocks or transactions. Detecting such attackers is challenging as it requires inferring the exact forwarding paths taken by the Bitcoin traffic using measurements. Both node-level attacks along with more challenging, but also more disruptive, network-wide attacks are considered. Impact: node waste, blocks discarded and filter transactions. Miners lose potential revenue.

5 Goal: Isolate a set of nodes from the rest of the network.
Vulnerable connections: A connection is vulnerable if: (i) an attacker can divert it via a BGP hijack; and (ii) it uses the Bitcoin protocol. Stealth connections: A connection is stealth if the attacker cannot intercept it. We distinguish three types of stealth connections: (i) intra-AS; (ii) intra- pool; and (iii) pool-to-pool. Attack Hijacks specific prefixes hosting each of the IP addresses. Intercepts bitcoin traffic to check if the traffic belongs to the partition. If so, packets are dropped. Else, the traffic is monitored for leakage points. Detects these nodes and isolates them. Partitioning Attack Vulnerable connections: A connection is vulnerable if: (i) an attacker can divert it via a BGP hijack; and (ii) it uses the Bitcoin protocol. Stealth connections: A connection is stealth if the attacker cannot intercept it. We distinguish three types of stealth connections: (i) intra-AS; (ii) intra-pool; and (iii) pool-to-pool. intra-AS: An attacker cannot intercept connections within the same AS using BGP hijack. Indeed, internal traffic does not get routed by BGP, but by internal routing protocols intra-pool: This is because mining pools might rely on proprietary or even encrypted protocols for internal communication. pool-to-pool: Finally, an attacker cannot intercept (possibly encrypted) private connections, corresponding to peering agreements between mining pools. From the attacker’s point of view, these connections can be treated as intra-pool connections and the corresponding pair of pools can be considered as one larger pool. he attacker starts by hijacking all the prefixes pertaining to the Bitcoin nodes she wants to isolate, which she splits into two packet streams: relevant and irrelevant. The high-level goal of the algorithms is to isolate as many nodes in P as possible. To do so, the algorithms identify L, the nodes that are leakage points, and disconnect them from the other nodes in P. Then it is checked whether the sender of the packet is advertising information from outside of the partition and particularly if the packet contains an INV message with the hash of a block mined outside of prtn. Particularly, the attacker checks whether the packet contains an INV message with the hash of a block mined outside of P n L (or the block itself). If it does so, the sender must have a path of stealth connections to a node outside of P n L from which the block was transmitted. Thus the sender is a leakage point and is added. The actual packet is also dropped to prevent this information from spreading. To detect whether a node in P n L is a leakage point, an attacker should be able to intercept at least one of that node’s connections.

6 Partitioning Attack Contd.
Findings: Less than 2 minutes to divert traffic. Hijacking 39 prefixes enough to isolate 50% of overall mining power. Partitions do not last longer after the attack stops. Impact Depends on the number of nodes isolated. Isolating few nodes -> Double spending. For side with least mining power, transactions will be discarded. Side with most mining power would cause revenue loss for the other side with risk of double spends. Partitioning Attack Contd. First, we performed a real BGP hijack against our own Bitcoin nodes and show that it takes less than 2 minutes for an attacker to divert Bitcoin traffic. Second, we estimated the number of prefixes to hijack so as to isolate nodes with a given amount of mining power. Third, we show that, while effective, partitions do not last long after the attack stops: the two components of the partition quickly reconnect, owing to natural churn. Yet, it takes hours for the two components to be densely connected again.

7 Evaluation of Partitioning Attack
Few Ases host most of the bitcoin nodes A few ASes naturally intercept the majority of the Bitcoin traffic. >90% of Bitcoin nodes are vulnerable to BGP hijacks. Mining pools tend to be distributed and multi-homed. Bitcoin routing properties are stable over time Evaluation of Partitioning Attack >90% of Bitcoin nodes are vulnerable to BGP hijacks 93% of all prefixes hosting Bitcoin nodes are shorter than /24, making them vulnerable to a global IP hijack using more-specific announcements. Pool multi-homing makes both network attacks more challenging and is one of the main precaution measures node owners can use against routing attacks. While numerous nodes continuously join and leave the Bitcoin network, the routing properties highlighted in this section are stable.

8 Goal: slow down the propagation of new blocks sent to a set of Bitcoin nodes without disrupting their connections. Attack leverages the 3 key aspects: The asymmetry in the way Bitcoin nodes exchange blocks using INV, GETDATA, and BLOCK messages. Messages are not protected against tampering. Bitcoin node waits for 20 minutes after having requested a block from a peer before requesting it again from another peer. If the traffic from victim is intercepted, GETDATA can be modified, but the length and the structure are preserved. If the traffic is towards the node, the contents of the BLOCK message can be corrupted. In both cases, the recipient remains uninformed for 20 minutes. Delay Attack we explore delay attacks, which can cause relatively severe delays in block propagation, even when an attacker intercepts only one of the victim’s connections, and wishes the attack to remain relatively undetectable. the adversary delays the delivery of a block by modifying the content of specific messages. This is possible due to the lack of encryption and of secure integrity checks of Bitcoin messages. In contrast, network-based delay attacks are more effective for at least three reasons: (i) an attacker can act on existing connections, namely she does not need to connect to the victim which is very often not possible (e.g, nodes behind a NAT); (ii) an attacker does not have to be informed about recently mined blocks by the victim’s peers to eclipse it; and (iii) the connection that was used for the attack is not necessarily lost, prolonging the attack. Intercepts outgoing traffic, intercepts incoming traffic. node receives a notification that a new block is available via an INV message, it issues a download request to its sender using a GETDATA message. If the block is not delivered, the victim node will disconnect after 20 minutes. To avoid a disconnection, the attacker can use another GETDATA, sent within the 20 minute window, to perform the reverse operation. Specifically, she modifies the hash back to the original one, requested by the victim. she can see messages received by the victim, but not the messages that it sends. This attack is less effective compared to the attack working in the opposite direction, as it will eventually result in the connection being dropped 20 minutes after the first delayed block A naïve attack would be for the attacker to simply drop any BLOCK message she sees. A better, yet still simple approach is for the attacker to corrupt the contents of a BLOCK message while preserving the length of the packet Surprisingly though, we discovered (and verified) that the victim will not request the block again, be it from the same or any other peer. After the 20 minute timeout elapses, the victim simply disconnects because its requested block did not arrive on time.

9 Delay Attack Contd. Findings
Intercepting 50% of node is enough to keep node uninformed for 63% of its uptime. Only very powerful coalitions of network attackers could perform a network-wide delay attack. Such an attack is thus unlikely to occur in practice. Impact At the node-level, delay attacks can keep the victim eclipsed. Network-wide attacks increase the fork rate and render the network vulnerable to other exploits. A slowdown of block transmission can be used to launch selfish mining attacks by adversaries with mining power. Delay Attack Contd. rather than acting as a normal miner and publishing blocks to the network immediately upon finding them, the attacker selectively publishes blocks, sometimes sacrificing his own revenue but also often publishing many blocks all at once and thus forcing the rest of the network to discard blocks and lose revenue. 

10 Evaluation of Delay Attack
Diverting Bitcoin traffic via BGP is fast (takes <2 minutes) Hijacking <100 prefixes is enough to isolate ~50% of Bitcoin mining power Delay attackers intercepting 50% of a node’s connection can waste 63% of its mining power. Due to pools multi-homing, Bitcoin (as a whole) is not vulnerable to delay attackers, even powerful ones. Even a small degree of multi-homing is enough to protect Bitcoin from powerful attackers. Evaluation of Delay Attack Multihoming is the practice of connecting a host or a computer network to more than one network. This can be done in order to increase reliability or performance, or to reduce cost.

11 Shor-term Countermeasures
Increase the diversity of node connections Select Bitcoin peers while taking routing into account Monitor round-trip time (RTT) Monitor additional statistics Nodes should allow the natural churn of the Network to refresh their connections Use gateways in different ASes Prefer peers hosted in the same AS and in /24 prefixes Shor-term Countermeasures

12 Long-term Countermeasures
Encrypt Bitcoin Communication and/or adopt MAC Use distinct control and data channels Use UDP heartbeats Request a block on multiple connections Long-term Countermeasures Each proxy sends a heartbeat message once per second to one of its peers, which then responds with information about its local state.

13 Does not explore other routing attacks like DoS, Sniffing etc.
If Multihoming is already implemented, delay attacks cannot be performed. Counter measure for the partition to get connected faster is not provided. Criticism

14 References https://btc-hijack.ethz.ch
References

15 THANK YOU

Download ppt "Presentation by Shamili"

Similar presentations

Karlston D'Emanuele Distance Vector Routing Protocols Notes courtesy of Mr. Joe Cordina Password Removed www.uniunderground.com.

Karlston D'Emanuele Distance Vector Routing Protocols Notes courtesy of Mr. Joe Cordina Password Removed
Global States.

Global States.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.

Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.

Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.
Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.

Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.
Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Transport Protocols Slide 1 Transport Protocols.

Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Transport Protocols Slide 1 Transport Protocols.
Delivery, Forwarding, and Routing

Delivery, Forwarding, and Routing
Computer Networks Layering and Routing Dina Katabi

Computer Networks Layering and Routing Dina Katabi
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
INTERNET TOPOLOGY MAPPING INTERNET MAPPING PROBING OVERHEAD MINIMIZATION  Intra- and inter-monitor redundancy reduction IBRAHIM ETHEM COSKUN University.

INTERNET TOPOLOGY MAPPING INTERNET MAPPING PROBING OVERHEAD MINIMIZATION  Intra- and inter-monitor redundancy reduction IBRAHIM ETHEM COSKUN University.
Mobile IP: Introduction Reference: “Mobile networking through Mobile IP”; Perkins, C.E.; IEEE Internet Computing, Volume: 2 Issue: 1, Jan.- Feb. 1998;

Mobile IP: Introduction Reference: “Mobile networking through Mobile IP”; Perkins, C.E.; IEEE Internet Computing, Volume: 2 Issue: 1, Jan.- Feb. 1998;
Chapter 22 Network Layer: Delivery, Forwarding, and Routing

Chapter 22 Network Layer: Delivery, Forwarding, and Routing
© Janice Regan, CMPT 128, 2007-2012 0 CMPT 371 Data Communications and Networking Multicast routing.

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking Multicast routing.
1 Computer Communication & Networks Lecture 22 Network Layer: Delivery, Forwarding, Routing (contd.)

1 Computer Communication & Networks Lecture 22 Network Layer: Delivery, Forwarding, Routing (contd.)
MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.

MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.
© Janice Regan, CMPT 128, 2007-2012 0 CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.

How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.

Similar presentations

Ads by Google