Embed Size (px)
Citation preview
Maria Apostolaki
ETH Zürich
Joint work with Gian Marti, Jan Müller and Laurent Vanbever
Protecting Bitcoin against Routing Attacks SABRE
�1
�2
An adversary splits the Bitcoin network in two disjoint components
Partition Attack
�3
Partition attack is general, dangerous, effective, practical
�4
Partition attack is general, dangerous, effective, practical
Any Blockchain system is vulnerable
�5
Partition attack is general, dangerous, effective, practical
Any Blockchain system is vulnerable
Double-spending, Revenue Loss, DoS
�6
Partition attack is general, dangerous, effective, practical
50-50 partition is feasible
Any Blockchain system is vulnerable
Double-spending, Revenue Loss, DoS
�7
Any network in the world is a possible attacker
Partition attack is general, dangerous, effective, practical
50-50 partition is feasible
Any Blockchain system is vulnerable
Double-spending, Revenue Loss, DoS
�8
Any network in the world is a possible attacker
In 2017 we uncovered the practicality and effectiveness of routing attacks in Bitcoin
Double-spending, Revenue Loss, DoS
Any Blockchain system is vulnerable
50-50 partition is feasible
Bitcoin is a distributed network of nodes (Bitcoin clients)
j
k
l
m
n
o
p
q
9
Bitcoin clients establish random connections
j
k
l
m
n
o
p
q
10
Bitcoin clients exchange Blocks
j
k
l
m
n
o
p
q
block
11
Blocks contain the latest transactions
j
k
l
m
n
o
p
q
block
block
block
12
block
block
j
k
l
m
n
o
p
q
block
block
block
Bitcoin clients exchange Blocks
13
block
block
j
k
l
m
n
o
p
q
block
block
block
block
block
block
until all clients have the same view of the transactionsBitcoin clients exchange Blocks
14
�15
What can go wrong?
Bitcoin connections are routed over the Internet using BGP, the default Internet routing protocol
Internet
j
k
l
m
n
o
p
q
16
G
F
E
C
HB
ID
The Internet is composed of Autonomous Systems
j
k
l
m
n
o
p
q
AA
B
D
17
G
F
E
C
HB
ID
Each Bitcoin client n has an IP
j
k
l
m
n
o
p
q
AA
B
D
82.0.0.3
18
G
F
E
C
HB
ID
AS H creates a BGP advertisement for n’s IP prefix
j
k
l
m
n
o
p
q
AA
B
D
82.0.0.3
82.0.0.0/23
Path:
19
G
F
E
C
HB
ID
BGP propagates advertisements in the Internet
j
k
l
m
n
o
p
q
AA
B
D
82.0.0.0/23
Path: H
82.0.0.0/23
Path: H
82.0.0.0/23
Path: H
20
82.0.0.3
82.0.0.3
G
F
E
C
HB
ID
j
k
l
m
n
o
p
q
AA
B
D
82.0.0.0/23
Path: B H Path: G H
82.0.0.0/23
Path: I H
82.0.0.0/23
Path: E H
82.0.0.0/23
82.0.0.0/23
BGP propagates advertisements in the Internet
21
82.0.0.3
G
F
E
C
HB
ID
j
k
l
m
n
o
p
q
AA
B
D 82.0.0.0/23
Path: I H
82.0.0.0/23
Path: H
82.0.0.0/23
Path: H
AS I can directly reach AS H
22
G
F
E
C
HB
ID
j
k
l
m
n
o
p
q
AA
B
D 82.0.0.0/23
Path: I H
82.0.0.0/23
Path: H
82.0.0.0/23
Path: H
BGP does not check the legitimacy of advertisements
23
G
F
E
C
HB
ID
j
k
l
m
n
o
p
q
AA
B
D
82.0.0.0/23
Path: H
82.0.0.0/24
Path: H G
Attacker creates a fake BGP advertisement
24
G
F
E
C
HB
ID
j
k
l
m
n
o
p
q
AA
B
D
82.0.0.0/23
Path: H
82.0.0.0/24
Attacker attracts traffic destined to AS H using BGP hijacking
25
Path: H G
A
F
E
C
HB
I
D
j
k
l
m
n
o
p
q
Attacker attracts connections with BGP hijacking
26
A
F
E
C
HB
I
D
j
k
l
m
n
o
p
q
Attacker drops connections crossing the partition
27
A
F
E
C
HB
I
D
j
k
l
m
n
o
p
q
A new block in the grey zone cannot be propagated further
28
block
�29
SABRE:Additional channel that is engineered to allow clients to exchange blocks, even if the Bitcoin network is partitioned
�30
SABRE:Additional channel that is engineered to allow clients to exchange blocks, even if the Bitcoin network is partitioned
… without the need to deploy secure routing protocols
G
F
E
C
HB
ID
j
k
l
m
n
o
p
q
AA
B
D
SABRE does not affect any of the regular Bitcoin clients
31
GA
F
E
C
HB
I
D
SABRE is an overlay network of special Bitcoin clients
j
k
l
m
n
o
p
q
32
GA
F
E
C
HB
I
D
SABRE nodes are connected to each other
j
k
l
m
n
o
p
q
33
GA
F
E
C
HB
I
D
Each Bitcoin client connects to at least one SABRE node
j
k
l
m
n
o
p
q
34
A
F
E
C
HB
I
D
SABRE protects the Bitcoin network from partition attacks
j
k
l
m
n
o
p
q
35
A
F
E
C
HB
I
D
Block is propagated via the SABRE network
j
k
l
m
n
o
p
q
36
block
�37
The attacker might try to fight back by attacking SABRE itself
�37
�38
The attacker might try to fight back by attacking SABRE itself
Attacker knows SABRE’s locations and code
BGP hijacks against SABRE nodes
malicious requests to take down SABRE nodes
�39
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
�40
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
secure relay-to-relay connections
SABRE needs to…
�41
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
remain reachable by Bitcoin clients
secure relay-to-relay connections
SABRE needs to…
�41
�42
remain reachable by Bitcoin clients
relay blocks seamlessly
secure relay-to-relay connections
SABRE needs to…
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
�43
NetworkDesign
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
remain reachable by Bitcoin clients
relay blocks seamlessly
secure relay-to-relay connections
SABRE needs to…
�44
NetworkDesign
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
remain reachable by Bitcoin clients
relay blocks
secure relay-to-relay connections
SABRE needs to…
NodeDesign
�45
Protecting Bitcoin against Routing Attacks SABRE
SABRE locationinherently safe locations
SABRE design software/hardware
Deployabilitydeployment opportunities
�46
Protecting Bitcoin against Routing Attacks SABRE
SABRE locationinherently safe locations
SABRE design software/hardware
Deployabilitydeployment opportunities
�47
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
remain reachable by Bitcoin clients
relay blocks
secure relay-to-relay connections
SABRE needs to…
NodeDesign
�48
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
remain reachable by Bitcoin clients
relay blocks
secure relay-to-relay connections
SABRE needs to…
NodeDesign
SABRE selects nodes that satisfy three properties
each node is hosted in /24 IP prefixes
nodes are connected via financially & distance-wise optimal paths
relay graph is k-connected
49
longer prefix hijacksare not possible
each node is hosted in /24 IP prefixes
nodes are connected via financially & distance-wise optimal paths
relay graph is k-connected
50
SABRE selects nodes that satisfy three properties
Relays A and relay B are hosted in ASes with customer-provider relationship
BA
relay A relay B
51
$$$
AS A receives a BGP advertisement from AS B for the prefix of relay B
BA
82.0.0.0/23
Path: Brelay A relay B
$$$
52
Relay A sends to relay B via a direct expensive link
BA
82.0.0.0/23
Path: Brelay A relay B
$$$
53
AS A has a malicious or compromised neighbor ASwith a least expensive link
C
82.0.0.0/23
Path: B$$
BA
relay A relay B
$$$
54
$$
Attacker advertises AS B’s prefix to AS A
82.0.0.0/23
C
82.0.0.0/23
Path: B
Path: B C
BA
relay A relay B
$$$
55
$$
AS A prefers the path via the attacker, because it is less expensive
C
82.0.0.0/23
Path: B
BA
relay A relay B
$$$
82.0.0.0/23
Path: B C
56
$$
The attacker can disconnect the relays
C
82.0.0.0/23
Path: B
BA
relay A relay B
$$$
82.0.0.0/23
Path: B C
57
no strictly more preferred path exists
each node is hosted in /24 IP prefixes
nodes are connected via financially & distance-wise optimal paths
relay graph is k-connected
58
SABRE selects nodes that satisfy three properties
Relays A, B are hosted in ASes with a more cost effective agreement
relay A relay B
$
59
Attacker’s advertisement is less preferred,thus attacker cannot discontent the relays
82.0.0.0/23
Path: B
82.0.0.0/23
Path: B C
C
BA
relay A relay B
$$
$$
60
Aggreements can be revoked, link can be cut …
C
82.0.0.0/23
Path: B C
BA
relay A relay B
$$
61
Relay A will inevitably send traffic via ASC
C
Peering agreement can be revoked, link can be cut …
BA
relay A relay B
62
each node is hosted in /24 IP prefixes
nodes are connected via financially & distance-wise optimal paths
relay graph is k-connected relay connectivity is not
disrupted by any k-1 cuts
63
SABRE selects nodes that satisfy three properties
2-k connected graph retains connectivityeven if one peering link is cut
C
BA
relay A relay B
$$
$
$$
relay C 64
If the link between relays A and B is cut
C
BA
relay A relay Brelay B
$$
$ $
relay C 65
Relays A, B can still exchange blocks via the relay C
C
BA
relay A relay Brelay B
$$
$ $
relay C 66
If the link between relays A and B is cut
block
�67
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
remain reachable by Bitcoin clients
relay blocks
secure relay-to-relay connections
SABRE needs to…
NodeDesign
�68
SABRE positions nodes s.t. most clients are protected from each potential attacker
by at least one relay node
see paper for more
�69
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
remain reachable by Bitcoin clients
relay blocks
secure relay-to-relay connections
SABRE needs to…
NodeDesign
Node-levelattacks
We evaluate SABRE’s network design by its effectiveness against two attack types
�70
Network-wide attacks
Node-levelattacks
We evaluate SABRE’s network design by its effectiveness against two attack types
�71
Network-wide attacks
Effective attackAll ASes follow fake advertisement
Node-levelattacks
We evaluate SABRE’s network design by its effectiveness against two attack types
�72
We evaluate SABRE’s network design by its effectiveness against two attack types
Network-wide attacks
Node-levelattacks
What is the largest partitioneach single AS can create?
How many clients are protected against isolation?
�73
What is the largest partition each single AS can create?
current network
20 SABRE nodes single connected
>90% of the clients can be isolated by any single AS in the world
>15% of the clients can be isolated only by 2.5% of ASes in the world
6 SABRE nodes 3-k connected
>15% of the clients can be isolated by only 3% of ASes in the world
�74
What is the largest partition each single AS can create?
current network
�75
any single AS in the world can create partitions of >90% of the clients
What is the largest partition each single AS can create?
current network
6 SABRE nodes 3-connected
only 3% of ASes in the world can create a partition of 15%-30%
�76
see paper for more results
any single AS in the world can create partitions of >90% of the clients
We evaluate SABRE’s network design by its effectiveness against two attack types
What is the largest partitioneach single AS can create?
Network-wide attacks
Node-levelattacks
How many clients are protected against isolation?
�77
How many clients are protected against isolation?
current network
6 SABRE nodes single connected
at most 10% are protected from 50% of ASes
90% of Bitcoin clients are protectedfrom 92.5% of ASes
6 SABRE nodes 5-k connected
89.5% of Bitcoin clients are protectedfrom 92.5% of ASes
�78
How many clients are protected against isolation?
current network at most 10% of Bitcoin clients are protected from 50% of ASes
�79
How many clients are protected against isolation?
current network at most 10% of Bitcoin clients are protected from 50% of ASes
6 SABRE nodes 5-k connected
89.5% of Bitcoin clients are protected from 92.5% of ASes
see paper for more results
�80
�81
Protecting Bitcoin against Routing Attacks SABRE
SABRE locationinherently safe locations
SABRE design software/hardware
Deployabilitydeployment opportunities
�82
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
remain reachable by Bitcoin clients
relay blocks
secure relay-to-relay connections
SABRE needs to…
�83
A SABRE node performs four operations
transmits blocks to Bitcoin clients
verifies blocks
receives blocks
maintains connections with Bitcoin clients
Two ways to deploy a SABRE node
�84
Serving few predefined clients
Two ways to deploy a SABRE node
Private deployment
�85
Serving all Bitcoin clients
Two ways to deploy a SABRE node
Public deployment
�86
Serving few predefined clients
Private deployment
Serving few predefined clients
Two ways to deploy a SABRE node
Private deployment Public deployment
�87
Private SABRE nodes need not scale
establish connection to a predefined set of IPs
SABRE nodes need to
be unreachable for unknown clients
�88
receive and relay blocks
Private SABRE nodes need not scale
establish connection to a predefined set of IPs
SABRE nodes need to
regular Bitcoin client with few whitelisted IPs is sufficient
�89
be unreachable for unknown clients
receive and relay blocks
Private deployment
Serving few predefined clients
Public deployment
Serving all Bitcoin clients
Two ways to deploy a SABRE node
�90
Public SABRE nodes need to scale
maintain thousands of connections
SABRE nodes need to
distinguish spoofing and malicious request
receive, verify and relay blocks fast
�91
Public SABRE nodes need to scale
SABRE nodes need to
distinguish spoofing and malicious request
receive, verify and relay blocks fast
�92
Simple software implementation would not suffice
maintain thousands of connections
SABRE can leverage programmable data planes
SABRE DP
93
SABRE DP allows relay nodes to deal with high malicious or benign load
94
can serve few Billions
of packets per second
scales to increased load
NetChain: Scale-Free Sub-RTT CoordinationNDSI 2018
is faster than any server optimization
95
SABRE DP allows relay nodes to deal with high malicious or benign load
Dynamic Black/White lists Protection from spoofing &
Repetitive request
is faster than any server optimization
protects against malicious requests
96
SABRE DP allows relay nodes to deal with high malicious or benign load
is faster than any server optimization
protects against malicious requests
almost all clients areseven directly from hardwareminimum software interaction
97
SABRE DP allows relay nodes to deal with high malicious or benign load
Not all operations can be done in hardware
98
control plane
data plane
SABRE
hardware
software #A
Bitcoin (TCP) connection
UDP connection
SABRE node has both software and hardware partsNot all operations can be done in hardware
99
�100
remain reachable by Bitcoin clients
relay blocks
secure relay-to-relay connections
SABRE needs to…
SABRE is an additional overlay network which allows communication, even if the Bitcoin network is partitioned
�101
Protecting Bitcoin against Routing Attacks SABRE
SABRE locationinherently safe locations
SABRE design software/hardware
Deployabilitydeployment opportunities
Multiple deployment scenarios
102
decreased cost
allows private deployments
SABRE’s deployment is practical
bootstrap with a software-only SABRE
103
each party (e.g. pool) can deploy their own SABRE
SABRE’s deployment is practical
bootstrap with a software-only SABRE
multiple SABRE relays can co-exist
104
clients can connect to bothrelays and regular clients
SABRE’s deployment is practical
bootstrap with a software-only SABRE
multiple SABRE relays can co-exist
community’s consensus is not required
105
bootstrap with a software-only SABRE
e.g., FIBRE, FALCON can
relocate their nodesaccording to SABRE properties
SABRE’s deployment is practical
multiple SABRE relays can co-exist
community’s consensus is not required
network design applies to other relays
106
�107
Protecting Bitcoin against Routing Attacks SABRE
SABRE locationinherently safe locations
SABRE design software/hardware
Deployabilitydeployment opportunities
�108
Few SABRE relays can protect Bitcoin from partitionsby placing relay nodes in selected locations
SABRE can operate seamlessly under high load by serving clients directly in hardware
SABRE can be partially deployed and benefit early adopterse.g., each pool can deploy SABRE in software
Protecting Bitcoin against Routing Attacks SABRE
SABRE vs FALCON & FIBRE
SABRE FALCON FIBRE
longer prefix hijack
protectedall nodes in /
24
vulnerableno node in /
24
vulnerableno node in /
24
same prefix hijack protected # possible
attackers# possible attackers
109
