Bitcoin Forum
November 05, 2024, 10:16:16 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: New vulnerability: know your peer public addresses in 14 minutes  (Read 12960 times)
Sergio_Demian_Lerner (OP)
Hero Member
*****
expert
Offline Offline

Activity: 555
Merit: 654


View Profile WWW
January 11, 2013, 03:27:19 AM
 #1

I really thought this had been fixed, because I commented the problem of using IsFromMe / IsMine to the developers in the github forums (https://github.com/bitcoin/bitcoin/pull/1648), but no. Not fixed, so I'd better alert people before they can be tracked...

The attack requires you to connect and be disconnected from the same node almost 11 times. Nodes do ban DoS offenders for some time, so the attack can take some days mounted from a single IP. Nevertheless, if you can control 11 different IPs (very easy), and you can re-connect to the peer, you cant still mount a successful attack in a few minutes.

The attack allows only to know the Bitcoin public address related to an IP. If a peer is using Tor, then there is no loss of anonymity.

Affected Systems
-----------------

The problem affects all versions of the Satoshi Bitcoin Client.

Summary
---------

The method CTxMemPool::accept() has a protection against 'penny-flooding'. The protection prevents a transaction with very low fees and big size to be forwarded or even stored in the memory pool.

The problem is that this protection tests if a transaction is from a wallet owned by the user, and if it's the case, then the protection is skipped. This fact can be used by the attacker as an oracle.

There are currently around 1M addresses with non-zero balance (an estimation based on http://bitcoin.stackexchange.com/questions/3524/how-many-unspent-transaction-outputs-are-there).

An attacker can discover which of the addresses are owned by a peer by the following procedure:

1. For each address, the attacker choose one unspent output Out(i)

2. Group the 1M unspent outputs in 1632 transactions Tx(j), each one containing 613 previns. Each transaction would be approximately 26999 Kbytes long. Add one output. Put zero fees. (GetMinFee() will return zero)

3. Send each Tx(j) one by one to the victim node.

4. After sending each transaction, the victim node may:

- Reject the transaction because it penny-floods (normally). In this case you will be still able to send more transactions.

- Disconnect you (DoS detection) you since you are not providing the correct signature scripts (this is the case when you have hit an owned address)


5. If you have been disconnected, repeat recursively a binary search grouping the prevouts of this transaction until you find a single one that disconnects you. Note that you may need to add additional dummy previns or prevouts to the transaction if it becomes too small to be blocked by the peer with the penny-flooding protection system.

With a 54 Kb/sec link, sending each Tx takes 1/2 sec so finding the first tx takes in the worst case, 13 minutes. Afterwards each binary search step takes 1/2 seconds in the worst case, so with 10 additional tests you can find an prevout with the desired property in 2^10 prevouts, more than the 613 originally contained, in a few seconds.

I haven´t tested the attack but, check for yourself. The explanation is clear enough. But without testing the attack, I can be mistaken.

You can protect very easily from the attack by rising the "-limitfreerelay" value to something like 1000000. Of course, that will also disable the penny-flooding protection.

Until the next vuln report,
  Yours sincerely,  Sergio.



Sergio_Demian_Lerner (OP)
Hero Member
*****
expert
Offline Offline

Activity: 555
Merit: 654


View Profile WWW
January 11, 2013, 04:08:33 AM
 #2

I realized that the attack can also be mounted using much smaller transactions, as long as you keep sending them fast enough to trigger penny flooding algorithm.
So just a single disconnection may be required to detect a remote public address.
No need to do any binary search. Just send each Out(i) in a single Tx(j).


Sergio.
Gavin Andresen
Legendary
*
qt
Offline Offline

Activity: 1652
Merit: 2301


Chief Scientist


View Profile WWW
January 11, 2013, 04:38:45 AM
 #3

While we ponder this, if you are worried about this, there is a fairly straightforward workaround that will make you immune from this.

Run two bitcoin daemons.  One that is a full peer in the network, but has an empty, never-used wallet.

And another with a full wallet that connects to the full peer. You could even run them both on the same machine (you'll use double the CPU and disk space, unfortunately).

RE: "I better alert people before they can be tracked" :

Dan Kaminsky demonstrated that it is pretty easy to tie bitcoin addresses to IP addresses by watching the network last year. If you are worried about being tracked, you should be running bitcoin over Tor and connecting to only trusted nodes. We make no anonymity guarantees.

How often do you get the chance to work on a potentially world-changing project?
zvs
Legendary
*
Offline Offline

Activity: 1680
Merit: 1000


https://web.archive.org/web/*/nogleg.com


View Profile WWW
January 11, 2013, 02:13:12 PM
 #4

While we ponder this, if you are worried about this, there is a fairly straightforward workaround that will make you immune from this.

Run two bitcoin daemons.  One that is a full peer in the network, but has an empty, never-used wallet.

And another with a full wallet that connects to the full peer. You could even run them both on the same machine (you'll use double the CPU and disk space, unfortunately).

RE: "I better alert people before they can be tracked" :

Dan Kaminsky demonstrated that it is pretty easy to tie bitcoin addresses to IP addresses by watching the network last year. If you are worried about being tracked, you should be running bitcoin over Tor and connecting to only trusted nodes. We make no anonymity guarantees.

i entrust nogleg with all my transactions
piuk
Hero Member
*****
expert
Offline Offline

Activity: 910
Merit: 1005



View Profile WWW
January 11, 2013, 02:38:47 PM
 #5

Dan Kaminsky demonstrated that it is pretty easy to tie bitcoin addresses to IP addresses by watching the network last year.

In practice this is difficult to do accurately due to network latency and the fact that many nodes don't accepting incoming connections.

Using Sergio's method you could for example log the first 10 nodes to relay a transaction then pole each node with a penny flood transaction in order to accurately determine which one was the true sender. I may have a go implementing this to improve blockchain.info's relayed by accuracy.

kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1026



View Profile
January 11, 2013, 02:49:57 PM
 #6

Dan Kaminsky demonstrated that it is pretty easy to tie bitcoin addresses to IP addresses by watching the network last year.

In practice this is difficult to do accurately due to network latency and the fact that many nodes don't accepting incoming coming connections.

Using Sergio's method you could for example log the first 10 nodes to relay a transaction then pole each node with a penny flood transaction in order to accurately determine which one was the true sender. I may have a go implementing this to improve blockchain.info's relayed by accuracy.

No, the conditional probability that a node was the origin of a transaction given that you first saw it from that node is rather small, even when you have a large number of connections.

I've checked the transactions first seen by blockchain.info from my personal node, and virtually none of the transactions that you first received from me are actually from me.

As an aside, this attack wouldn't find my wallet anyway because I run multiple nodes, and the one node that talks to the outside world has an empty wallet.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
piuk
Hero Member
*****
expert
Offline Offline

Activity: 910
Merit: 1005



View Profile WWW
January 11, 2013, 03:00:15 PM
 #7

No, the conditional probability that a node was the origin of a transaction given that you first saw it from that node is rather small, even when you have a large number of connections.

I've checked the transactions first seen by blockchain.info from my personal node, and virtually none of the transactions that you first received from me are actually from me.

If you look at the propagation data e.g. http://blockchain.info/inv/69d689f000f59d2a9c082e50f8c6e2eb2de3a6e67dc56a13c2e7f0bd78862763 does your ip appear on the list? Sergio's method can be used to fine a list of ip's like this to find the true sender, even if it wasn't the first to relay it. If the node does not have a direct connection at all it still won't work though. In my opinion it is not a very severe issue but does make it easier to track transactions.

jgarzik
Legendary
*
qt
Offline Offline

Activity: 1596
Merit: 1100


View Profile
January 14, 2013, 12:58:29 AM
 #8

Using Sergio's method you could for example log the first 10 nodes to relay a transaction then pole each node with a penny flood transaction in order to accurately determine which one was the true sender. I may have a go implementing this to improve blockchain.info's relayed by accuracy.

Doesn't that sort of strip a lot of privacy away from a lot of bitcoin users, without their consent?


Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
eb3full
VIP
Full Member
*
Offline Offline

Activity: 198
Merit: 101


View Profile
January 14, 2013, 01:32:09 AM
 #9

Doesn't that sort of strip a lot of privacy away from a lot of bitcoin users, without their consent?

Eventualities must be embraced sooner rather than later. Running buggy/trackable software is consent enough. ;P

"With four parameters I can fit an elephant, and with five I can make him wiggle his trunk." John von Neumann
buy me beer: 1HG9cBBYME4HUVhfAqQvW9Vqwh3PLioHcU
piuk
Hero Member
*****
expert
Offline Offline

Activity: 910
Merit: 1005



View Profile WWW
January 18, 2013, 12:45:38 AM
 #10

Doesn't that sort of strip a lot of privacy away from a lot of bitcoin users, without their consent?

I was a little hasty proposing to implement it. But perhaps if it is considered a privacy leak without consent then it is probably an issue that should be patched.

Sergio_Demian_Lerner (OP)
Hero Member
*****
expert
Offline Offline

Activity: 555
Merit: 654


View Profile WWW
January 23, 2013, 06:00:07 PM
 #11

I added additional information regarding this vulnerability:  an additional timing attack to find the Bitcoin address of a peer, using spent outputs (before, I had discussed how to do it using only unspent outputs).

The report is on my blog: https://bitslog.wordpress.com/2013/01/23/new-bitcoin-vulnerability-get-your-peer-public-addresses/

Sergio.
hackjealousy
Newbie
*
Offline Offline

Activity: 53
Merit: 0



View Profile
January 23, 2013, 09:25:12 PM
 #12

While we ponder this, if you are worried about this, there is a fairly straightforward workaround that will make you immune from this.

Run two bitcoin daemons.  One that is a full peer in the network, but has an empty, never-used wallet.

And another with a full wallet that connects to the full peer. You could even run them both on the same machine (you'll use double the CPU and disk space, unfortunately).

Similarly, using the Armory client mitigates this issue.

While this is certainly not a critical vulnerability, it is very important in terms of privacy.  Excellent find Sergio.

The root-cause of this information leak is that large transactions with insufficient fees are not forwarded or stored unless that transaction involves addresses owned by the user.  Perhaps this should be an option and the default should simply be not to forward?

The vast majority of clients will most likely keep the default which makes this essentially equivalent to enforcing transaction fees.  However, this may be a good enough reason to do so.
Sukrim
Legendary
*
Offline Offline

Activity: 2618
Merit: 1007


View Profile
February 24, 2013, 07:31:07 PM
 #13

While we ponder this, if you are worried about this, there is a fairly straightforward workaround that will make you immune from this.

Run two bitcoin daemons.  One that is a full peer in the network, but has an empty, never-used wallet.

And another with a full wallet that connects to the full peer. You could even run them both on the same machine (you'll use double the CPU and disk space, unfortunately).

If you run (or know) a full node that you trust 100%, there's no need to replicate the block chain - the biggest amount of data you might need is a listing of all unspent outputs, the minimum amount would be probably the unspent outputs of your own addresses (doable now with bloom filters in 0.8 as far as I understood)

I think the main issue with this attack is still that Bitcoin (the "finance application") and bitcoind (the "full network node") started and still are closely interlinked. I guess in the longer run something like the approach by the armory client will emerge, where the node does not know and care anything about a wallet and the finance application won't know anything about the block chain but has to trust a node (most likely on the same PC/installation).

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
Luke-Jr
Legendary
*
expert
Offline Offline

Activity: 2576
Merit: 1186



View Profile
February 26, 2013, 10:25:01 PM
 #14

For reference, this has been assigned CVE-2013-2272

burnside
Legendary
*
Offline Offline

Activity: 1106
Merit: 1006


Lead Blockchain Developer


View Profile WWW
February 28, 2013, 07:39:36 AM
 #15

While we ponder this, if you are worried about this, there is a fairly straightforward workaround that will make you immune from this.

Run two bitcoin daemons.  One that is a full peer in the network, but has an empty, never-used wallet.

And another with a full wallet that connects to the full peer. You could even run them both on the same machine (you'll use double the CPU and disk space, unfortunately).


Is there an article in the wiki about how to do this?

+1

What would the configs look like for the full network peer and the internal wallet peer?
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!