Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: amaclin on August 31, 2015, 07:58:03 AM



Title: Cheap way to attack blockchain
Post by: amaclin on August 31, 2015, 07:58:03 AM
Seems to me that I know a new way to attack & flood the bitcoin network.

The last attacks were based on filling the blocks with transactions.
This is because of the limit on block size. (Consensus rule that the blocksize is below 1mb)

But there are other limits for a block which can not be changed without a hard fork.

There is a limit of SIGOPS in transactions included in a block.

consensus.h
Code:
/** The maximum allowed size for a serialized block, in bytes (network rule) */
static const unsigned int MAX_BLOCK_SIZE = 1000000;
/** The maximum allowed number of signature check operations in a block (network rule) */
static const unsigned int MAX_BLOCK_SIGOPS = MAX_BLOCK_SIZE/50;

So, MAX_BLOCK_SIGOPS is 20000

How does the client calculate the number of SIGOPS? Let us look at the sources.

main.cpp
Code:
            if (fStrictPayToScriptHash)
            {
                // Add in sigops done by pay-to-script-hash inputs;
                // this is to prevent a "rogue miner" from creating
                // an incredibly-expensive-to-validate block.
                nSigOps += GetP2SHSigOpCount(tx, view);
                if (nSigOps > MAX_BLOCK_SIGOPS)
                    return state.DoS(100, error("ConnectBlock(): too many sigops"),
                                     REJECT_INVALID, "bad-blk-sigops");
            }

A miner node includes transactions in a block while nSigOps does not exceed 20000.
The block with nSigOps > 20000 will be invalid (consensus rule) and will be rejected by all other nodes.

Now let us look at the transaction
https://blockchain.info/tx/6766e75d6166a0a14bd814921d0f903285e15779e648d7ec52a4f7c0868ec07d
and calculate the number of SIGOPS in it

All input scripts are redeeming from p2sh-outputs with the inner scripts built on the same template:
Code:
OP_0 
OP_IF
  OP_15
  OP_CHECKMULTISIG
OP_ENDIF
OP_SMALLINTEGER
The number of SIGOPS in this small script is 15 (this is the maximum value to pass IsStandard)
And the total number of SIGOPS in 6766e75d6166a0a14bd814921d0f903285e15779e648d7ec52a4f7c0868ec07d is 15 * 15 = 225

So, the maximum number of such transactions in one block is only 88 (because floor ( 20000 / 225 ) = 88)
And inserting 88 such transactions in one block leaves only 200 SIGOPS for regular transactions.
Which leaves room for only ~100 transactions in the block for other persons

The attack vector should be:
1) create and fund a big number of such p2sh-utxo
2) redeem them to OP_RETURN or to regular output

Each such transaction costs 0.00045 for dishonest attacker (can be even less)
88 transactions (attack one block) will cost only 0.0396 BTC
Daily attack 5.7024 BTC - not a big deal

Wanna hire me for this dirty job?  ;D
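
The counting rule the post above relies on, as an added example that is not Bitcoin Core source or the poster's code: a simplified static counter in the style of the client's P2SH sigop count, which adds up signature opcodes whether or not the branch holding them ever executes. Function names and sample scripts are assumptions constructed for illustration, and the 2-of-3 script uses placeholder key bytes.

```cpp
// Added example: simplified static sigop counting (illustrative names, not Bitcoin Core source).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

typedef std::vector<uint8_t> Script;

// Opcode byte values from the Bitcoin script encoding.
const uint8_t OP_0 = 0x00, OP_PUSHDATA1 = 0x4c, OP_PUSHDATA2 = 0x4d, OP_PUSHDATA4 = 0x4e;
const uint8_t OP_1 = 0x51, OP_2 = 0x52, OP_3 = 0x53, OP_15 = 0x5f, OP_16 = 0x60;
const uint8_t OP_IF = 0x63, OP_ENDIF = 0x68;
const uint8_t OP_CHECKSIG = 0xac, OP_CHECKSIGVERIFY = 0xad;
const uint8_t OP_CHECKMULTISIG = 0xae, OP_CHECKMULTISIGVERIFY = 0xaf;
const uint8_t OP_INVALIDOPCODE = 0xff;

const unsigned int MAX_PUBKEYS_PER_MULTISIG = 20; // charged when the key count is not a literal
const unsigned int MAX_P2SH_SIGOPS = 15;          // IsStandard limit quoted in the post

// Read one opcode and skip any data it pushes. Returns false at end or on truncation.
static bool NextOp(const Script& s, size_t& pc, uint8_t& op)
{
    if (pc >= s.size()) return false;
    op = s[pc++];
    size_t len = 0;
    if (op >= 0x01 && op < OP_PUSHDATA1) {
        len = op;                                  // direct push of 1..75 bytes
    } else if (op >= OP_PUSHDATA1 && op <= OP_PUSHDATA4) {
        size_t width = (op == OP_PUSHDATA1) ? 1 : (op == OP_PUSHDATA2) ? 2 : 4;
        if (s.size() - pc < width) return false;
        for (size_t i = 0; i < width; ++i)         // little-endian length prefix
            len |= static_cast<size_t>(s[pc + i]) << (8 * i);
        pc += width;
    }
    if (s.size() - pc < len) return false;
    pc += len;
    return true;
}

// Static count: no script is executed, so OP_IF/OP_ENDIF have no effect on the total.
unsigned int CountSigOps(const Script& script)
{
    unsigned int n = 0;
    size_t pc = 0;
    uint8_t op = 0, last = OP_INVALIDOPCODE;
    while (NextOp(script, pc, op)) {
        if (op == OP_CHECKSIG || op == OP_CHECKSIGVERIFY) {
            n += 1;
        } else if (op == OP_CHECKMULTISIG || op == OP_CHECKMULTISIGVERIFY) {
            if (last >= OP_1 && last <= OP_16)
                n += static_cast<unsigned int>(last - OP_1 + 1); // literal key count
            else
                n += MAX_PUBKEYS_PER_MULTISIG;                   // worst case assumed
        }
        last = op;
    }
    return n;
}

// Policy check a node or pool can apply to a redeem script before accepting a spend.
bool ExceedsP2SHStandardLimit(const Script& redeem)
{
    return CountSigOps(redeem) > MAX_P2SH_SIGOPS;
}

// Constructed sample: the 6-byte template from the thread (OP_1 as the final small integer).
Script ThreadTemplate() { return Script{OP_0, OP_IF, OP_15, OP_CHECKMULTISIG, OP_ENDIF, OP_1}; }

// Constructed sample: multisig opcode with no literal key count in front of it.
Script BareMultisigInDeadBranch() { return Script{OP_0, OP_IF, OP_CHECKMULTISIGVERIFY, OP_ENDIF, OP_1}; }

// Constructed sample: ordinary 2-of-3 redeem script; key bytes are placeholders.
Script TwoOfThreeMultisig()
{
    Script s{OP_2};
    for (int i = 0; i < 3; ++i) {
        s.push_back(33);                                    // push 33 bytes
        s.insert(s.end(), size_t(33), uint8_t(0x02));       // placeholder, not a real key
    }
    s.push_back(OP_3);
    s.push_back(OP_CHECKMULTISIG);
    return s;
}

int main()
{
    std::printf("thread template: %zu bytes, %u sigops\n", ThreadTemplate().size(), CountSigOps(ThreadTemplate()));
    std::printf("bare multisig:   %u sigops, over limit: %d\n", CountSigOps(BareMultisigInDeadBranch()),
                ExceedsP2SHStandardLimit(BareMultisigInDeadBranch()));
    std::printf("2-of-3 multisig: %zu bytes, %u sigops\n", TwoOfThreeMultisig().size(), CountSigOps(TwoOfThreeMultisig()));
    return 0;
}
```

The ordinary 2-of-3 script spends 105 bytes on 3 sigops, while the thread's template reaches the standardness ceiling in 6 bytes, which is the imbalance between the byte limit and the sigop limit that the post describes.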



Title: Re: Cheap way to attack blockchain
Post by: fairglu on August 31, 2015, 08:17:44 AM
Quote
Each such transaction costs 0.00045 for dishonest attacker (can be even less)
88 transactions (attack one block) will cost only 0.0396 BTC
Daily attack 5.7024 BTC - not a big deal

Wanna hire me for this dirty job?  ;D

Main "weakness" for this attack is that miners could easily just ignore those transactions, without involving any hard fork.

Only the pools that accept those transactions *and* that do not prioritize transactions in a block by total fee would be impacted, pools that build their blocks based on max fee they can rack in a block would automatically eliminate them, they may just need to take the SIGOPS limit into their block optimization code, but that's all.

In practice only the "faucet pools", those that accept zero-fee tx and do not prioritize tx would likely feel the attack.

So the practical spamming would be limited to relaying and the mempool, so no biggy.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on August 31, 2015, 08:23:19 AM
Quote
Main "weakness" for this attack is that miners could easily just ignore those transactions, without involving any hard fork.

Yes. Miners can blacklist redeeming p2sh outputs with abnormal SIGOPS count.
Also they can mark these txs as low priority (need some coding)
What do you think about the currency with blacklisted addresses?

Quote
So the practical spamming would be limited to relaying and the mempool, so no biggy.

OK, let's combine this attack with old good spam :)

During the last "stress-test" the majority of miners decided to include spam transactions to their blocks.


Title: Re: Cheap way to attack blockchain
Post by: basil00 on August 31, 2015, 10:49:53 AM
Yes this is a known attack.  I independently discovered it a few weeks ago:
[Consider the script "OP_0 OP_IF OP_15 OP_CHECKMULTISIG OP_ENDIF OP_1", e.g.
see 3PxwzLuPZtgHuz2J9ocg6ejNcci5WbtS3h

This script is 6 bytes and "consumes" 15 sigops if I am not mistaken.  An
attacker can use this to fill the block sigop limit of 20000.  E.g.  See
6766e75d6166a0a14bd814921d0f903285e15779e648d7ec52a4f7c0868ec07d (225 sigops
in ~740 bytes).  An attacker spends just 0.04BTC ($10.70) to "fill" a block
with high-fee transactions.

reddit.com/u/basil00

salt: 3md9smcjd7jkafh83mdlsjc9w,03m
]

Take the sha256 of everything between the square brackets [...] (including empty line at the end) and it will match this (https://www.reddit.com/r/test/comments/3h2dsj/test/) hash.  This is a version of the message I sent to Peter Todd to report the problem.  Peter informed me that it is a known problem.  I didn't release it publicly because it could be used for a very cheap and effective DoS attack (currently just $9USD to "fill" a block).


Title: Re: Cheap way to attack blockchain
Post by: amaclin on August 31, 2015, 11:04:11 AM
Quote
I didn't release it publicly because it could be used for a very cheap and effective DoS attack (currently just $9USD to "fill" a block).

You put it into blockchain  ;D
This was releasing the attack vector for everyone  :)


Title: Re: Cheap way to attack blockchain
Post by: basil00 on August 31, 2015, 11:12:30 AM
Quote
You put it into blockchain  ;D
This was releasing the attack vector for everyone  :)

Hey...there's no connection between me and that alleged transaction :).

Anyway, as Peter said, this is a known problem, meaning that I was not the first to figure it out.  If I figured it out then so will others.

I'm not sure what the fix is though.  That crappy sigop-counting code is consensus critical.  Probably we need a tightening of the IsStandard() rules...


Title: Re: Cheap way to attack blockchain
Post by: amaclin on August 31, 2015, 11:22:11 AM
Quote
Hey...there's no connection between me and that alleged transaction.

Sorry.
So, there are at least 4 persons who have knowledge of how to attack the blockchain  ;D
You, me, Peter Todd and the creator of that transaction  :)


Title: Re: Cheap way to attack blockchain
Post by: fairglu on August 31, 2015, 01:17:09 PM
Quote
Yes. Miners can blacklist redeeming p2sh outputs with abnormal SIGOPS count.
Also they can mark these txs as low priority (need some coding)

Blacklisting would be the "cheap fix", on a fairly optimized pool, you can expect there will be some kind of optimizer that tries to optimize the pool blocks by maximizing the tx fee while minimizing block size (to minimize orphans from propagation delays).
With such block optimizations, your SIGOPS-heavy tx would naturally be pushed back as they would prevent more fee-paying tx to get in the block.

The "reference" core implementation (as described in https://en.bitcoin.it/wiki/Transaction_fees#Including_in_Blocks) would be vulnerable, but I do not expect any major bitcoin pool to run on that implementation (unless they do it out of charity).

Quote
What do you think about the currency with blacklisted addresses?

You mean XT blacklist?

Services that provide taint info and services around it have already existed for years now, official blacklisting would just be acknowledging publicly what has been common knowledge less publicly. Heck, my explorers provide taint analysis information for 130+ cryptos, so it's really something you have to be aware of, and just "deal with it".

If you want better technological fungibility, DASH or XMR provide partial solutions, each with its own set of vulnerabilities and issues though, the perfect fungible crypto has not been invented yet IMHO.

Quote
During the last "stress-test" the majority of miners decided to include spam transactions to their blocks.

Yes, and that leaves only two possible explanations in my mind: either the pool operators are not good at maths or it was pushing an agenda in the direction they liked. I do not think they are not good at maths, so let the conspiracy theories begin :)


Title: Re: Cheap way to attack blockchain
Post by: tommorisonwebdesign on September 01, 2015, 07:32:48 PM
Sounds like the best way to plug this loophole is to create the blacklist as suggested. Good to see developers catching this stuff before there is an attack on the whole network.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 01, 2015, 08:12:47 PM
Quote
Sounds like the best way to plug this loophole is to create the blacklist as suggested. Good to see developers catching this stuff before there is an attack on the whole network.

You can not create a blacklist before the attack starts.
Because I can create and fund thousands of such addresses

Code:
OP_DUP
OP_NOTIF
  OP_15
  OP_CHECKMULTISIG
  <push couple random bytes>
OP_ENDIF

is spendable by OP_1

Yes, it is possible to change the transaction priority algorithm


Title: Re: Cheap way to attack blockchain
Post by: basil00 on September 02, 2015, 12:40:08 AM
Here is another hash (this time XT/BIP101 related):

Code:
d894bd6f1f8222ceb5101cc1d5d3f3eb326e04ce6b9567f74cca151bb2b7b927

Quote
You can not create a blacklist before the attack starts.

Code:
OP_<smallInteger>
OP_<smallInteger>
OP_NOTIF
  OP_15
  [OP_CHECKMULTISIG | OP_CHECKMULTISIGVERIFY]
OP_ENDIF

There are ~1000 6-byte variants.  For 7, 8, 9 byte, etc., there can be billions.  So a blacklist is not feasible.

Probably the correct way is to fix the sigop counting algorithm if there is a hardfork.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 02, 2015, 07:33:10 AM
Quoted. Just to prove for future use (forum allows to edit messages, so the date of message does not prove anything)
Quote
Here is another hash (this time XT/BIP101 related):
Code:
d894bd6f1f8222ceb5101cc1d5d3f3eb326e04ce6b9567f74cca151bb2b7b927


Title: Re: Cheap way to attack blockchain
Post by: basil00 on September 02, 2015, 09:23:31 AM
Quote
Quoted. Just to prove for future use (forum allows to edit messages, so the date of message does not prove anything)

If only there were some kind of immutable public ledger I could store information on... :)

EDIT: evidently needed the ":)"


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 02, 2015, 09:29:20 AM
Quote
Quoted. Just to prove for future use (forum allows to edit messages, so the date of message does not prove anything)

If only there were some kind of immutable public ledger I could store information on...

Bitcoin blockchain? OP_RETURN output?


Title: Re: Cheap way to attack blockchain
Post by: jl2012 on September 02, 2015, 09:39:58 AM
Quote
Quoted. Just to prove for future use (forum allows to edit messages, so the date of message does not prove anything)

If only there were some kind of immutable public ledger I could store information on...

Have you heard of a project called "Bitcoin"?


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 02, 2015, 10:15:03 AM
Quote
Have you heard of a project called "Bitcoin"?

;D ;D ;D
Today it is immutable. But nothing is permanent under the Moon


Title: Re: Cheap way to attack blockchain
Post by: speaktome on September 06, 2015, 07:43:42 PM
Quote
Wanna hire me for this dirty job?   ;D

More like to somebody Gonna touch your door. ;D Is joke of course.




Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 07, 2015, 03:16:35 PM
Quote
More like to somebody Gonna touch your door. ;D
Is joke of course.

For what? I can tell you my home address.
I do not break country laws.
And there are no "laws" in bitcoin protocol. Only math and current consensus.
I can flood the network because I am able to do it. Just for fun.
(In fact, I try not to spend my time for non-profitable things)


Title: Re: Cheap way to attack blockchain
Post by: defcon23 on September 07, 2015, 04:29:25 PM
Quote
Wanna hire me for this dirty job?   ;D

More like to somebody Gonna touch your door. ;D Is joke of course.



pweee..  man ...

https://i.imgur.com/JHSZoD6m.jpg


Title: Re: Cheap way to attack blockchain
Post by: trout on September 12, 2015, 07:46:47 AM
to mitigate such an attack, how about introducing a fee policy (min relay fee etc.) that is based not only
on the size but also on the number of SIGOPS ?

that doesn't affect the  consensus, obviously.

I mean, if both the block size and the number of SIGOPS in it are a critical resource, then it's only natural to charge for using each of them.
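
One way to express the policy proposed in this post, and the fee-maximizing block building described earlier in the thread, as an added example that is not code from Bitcoin Core or any pool: charge each transaction for the larger of its byte size and its sigop count converted to bytes at the 50 bytes per sigop ratio implied by consensus.h. The function names, the 1000 satoshi/kB rate in the usage and the sample mempool are assumptions constructed for illustration; the 740 byte / 225 sigop / 0.00045 BTC figures come from the thread.

```cpp
// Added example: sigop-aware fee rate for relay policy and block building (illustrative names).
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Consensus limits as quoted from consensus.h in this thread.
static const unsigned int MAX_BLOCK_SIZE = 1000000;
static const unsigned int MAX_BLOCK_SIGOPS = MAX_BLOCK_SIZE / 50;
// Exchange rate between the two scarce resources: 50 bytes of block space per sigop.
static const unsigned int BYTES_PER_SIGOP = MAX_BLOCK_SIZE / MAX_BLOCK_SIGOPS;

struct Tx {
    unsigned int size;    // serialized size in bytes
    unsigned int sigops;  // statically counted sigops
    int64_t fee;          // fee in satoshi
};

// Size a transaction is charged for: whichever resource it uses more of.
unsigned int AdjustedSize(const Tx& tx)
{
    return std::max(tx.size, tx.sigops * BYTES_PER_SIGOP);
}

// True when the tx exhausts the sigop limit faster than the byte limit.
bool SigopBound(const Tx& tx) { return AdjustedSize(tx) > tx.size; }

// Minimum relay fee charged on adjusted size (satPerKB is a node policy setting).
int64_t MinRelayFee(const Tx& tx, int64_t satPerKB)
{
    return satPerKB * AdjustedSize(tx) / 1000;
}

struct Block {
    unsigned int size = 0;
    unsigned int sigops = 0;
    int64_t fees = 0;
    std::vector<Tx> txs;
};

static int64_t ChargedSize(const Tx& tx, bool sigopAware)
{
    return sigopAware ? AdjustedSize(tx) : tx.size;
}

// Greedy template builder: highest fee per charged byte first, skipping anything
// that would break either consensus limit. Header and coinbase are ignored.
Block BuildBlock(std::vector<Tx> mempool, bool sigopAware)
{
    std::stable_sort(mempool.begin(), mempool.end(),
        [sigopAware](const Tx& a, const Tx& b) {
            // a.fee/size(a) > b.fee/size(b), cross-multiplied to stay in integers
            return a.fee * ChargedSize(b, sigopAware) > b.fee * ChargedSize(a, sigopAware);
        });
    Block block;
    for (const Tx& tx : mempool) {
        if (block.size + tx.size > MAX_BLOCK_SIZE) continue;
        if (block.sigops + tx.sigops > MAX_BLOCK_SIGOPS) continue;
        block.size += tx.size;
        block.sigops += tx.sigops;
        block.fees += tx.fee;
        block.txs.push_back(tx);
    }
    return block;
}

size_t SigopBoundCount(const Block& block)
{
    return static_cast<size_t>(std::count_if(block.txs.begin(), block.txs.end(), SigopBound));
}

// Constructed mempool: 200 sigop-heavy txs with the thread's figures, 3000 ordinary txs.
std::vector<Tx> SampleMempool()
{
    std::vector<Tx> pool;
    for (int i = 0; i < 200; ++i) pool.push_back(Tx{740, 225, 45000});
    for (int i = 0; i < 3000; ++i) pool.push_back(Tx{250, 2, 10000});
    return pool;
}

int main()
{
    for (int aware = 0; aware <= 1; ++aware) {
        Block b = BuildBlock(SampleMempool(), aware != 0);
        std::printf("%s: %zu txs (%zu sigop-bound), %u bytes, %u sigops, %lld satoshi fees\n",
                    aware ? "fee per adjusted byte" : "fee per byte",
                    b.txs.size(), SigopBoundCount(b), b.size, b.sigops,
                    static_cast<long long>(b.fees));
    }
    return 0;
}
```

On this constructed mempool, ordering by fee per byte admits only 100 ordinary transactions, while ordering by fee per adjusted byte admits all 3000 and collects more total fees, with no consensus change.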


Title: Re: Cheap way to attack blockchain
Post by: dooglus on September 16, 2015, 05:57:24 PM
Quote
Quoted. Just to prove for future use (forum allows to edit messages, so the date of message does not prove anything)
Here is another hash (this time XT/BIP101 related):
Code:
d894bd6f1f8222ceb5101cc1d5d3f3eb326e04ce6b9567f74cca151bb2b7b927

The date of a message becomes underlined if it is ever edited. If you don't edit a message, the timestamp is quite reliable. Someone with direct database access could have edited the message, but not a regular account owner.


Title: Re: Cheap way to attack blockchain
Post by: scriptman on September 20, 2015, 02:26:41 PM
You're not the first and you certainly won't be the last person concerning themselves with how to break the Bitcoin network.

You should use your knowledge and skills for productive means and help the community.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 21, 2015, 04:42:41 AM
Quote
You're not the first and you certainly won't be the last person concerning themselves with how to break the Bitcoin network.

You should use your knowledge and skills for productive means and help the community.

Why?


Title: Re: Cheap way to attack blockchain
Post by: Nancarrow on September 23, 2015, 10:12:30 PM
Quote
You're not the first and you certainly won't be the last person concerning themselves with how to break the Bitcoin network.

You should use your knowledge and skills for productive means and help the community.

What exactly do you think computer security professionals DO? Or cryptologists employed by three-letter agencies? Or military strategists?

A person who wants to strengthen the bitcoin network and isn't constantly thinking of ways to break it, isn't doing their job.



Title: Re: Cheap way to attack blockchain
Post by: scriptman on September 25, 2015, 02:09:31 PM
Quote
You're not the first and you certainly won't be the last person concerning themselves with how to break the Bitcoin network.

You should use your knowledge and skills for productive means and help the community.
Why?

Because building something is a lot more fun than knocking it down


Title: Re: Cheap way to attack blockchain
Post by: basil00 on September 25, 2015, 02:12:26 PM
Just noticed this transaction: 324456fe9ec97a380effba0a0205a226e380790b93e7366d39f2a416a44d2a34 (http://webbtc.com/tx/324456fe9ec97a380effba0a0205a226e380790b93e7366d39f2a416a44d2a34).

2000 sigOps! (http://webbtc.com/script/324456fe9ec97a380effba0a0205a226e380790b93e7366d39f2a416a44d2a34:1).
(each OP_CHECKMULTISIGVERIFY inside the unexecuted OP_IF will count as 20 SigOps).

Also, it appears that F2Pool will mine non-standard transactions (P2SH with >15 sigOps).  It only takes 10 of such transactions to completely "fill" a block.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 25, 2015, 02:13:44 PM
Quote
Because building something is a lot more fun than knocking it down

To each his own



Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 25, 2015, 02:18:42 PM
Quote
Just noticed this transaction: 324456fe9ec97a380effba0a0205a226e380790b93e7366d39f2a416a44d2a34.
2000 sigOps!.
(each OP_CHECKMULTISIGVERIFY inside the unexecuted OP_IF will count as 20 SigOps).
Also, it appears that F2Pool will mine non-standard transactions (P2SH with >15 sigOps).
It only takes 10 of such transactions to completely "fill" a block.

It was my transaction.
F2Pool confirms non-standard txs under some conditions.


Title: Re: Cheap way to attack blockchain
Post by: basil00 on September 25, 2015, 02:21:32 PM
Quote
It was my transaction.

Yes I guessed from the 1aa... addresses. :)

Quote
F2Pool confirms non-standard txs under some conditions.

Interesting.  What conditions are these?


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 25, 2015, 02:28:19 PM
Quote
Interesting.  What conditions are these?

Do not know. You should ask macbook-air (https://bitcointalk.org/index.php?action=profile;u=16114)


Title: Re: Cheap way to attack blockchain
Post by: basil00 on September 26, 2015, 05:37:58 AM
Damn, looks like Amaclin's bot stole my BTC (https://blockchain.info/tx/073be290bdaae60bdab0763beea51454471fb66910604cc9e91afe6745212f80).  My tx even had a signature and everything >:(
Edit: I have a new version that uses at least one real sig :)  I can create an IsStandard tx that hashes >250MB, or in other words, only 5 tx to "fill" a XT 8MB block.  Lucky I'm out of bits to play with.


Title: Re: Cheap way to attack blockchain
Post by: edric on September 26, 2015, 06:37:39 AM
Wanna hire me for this dirty job?  ;D



My name Boris.  I pay 10k USD and 100 barrels oil you do this.  I want you take down evil tool of Western intelligence!  We have deal?


Title: Re: Cheap way to attack blockchain
Post by: edric on September 26, 2015, 06:40:18 AM
Quote
You're not the first and you certainly won't be the last person concerning themselves with how to break the Bitcoin network.

You should use your knowledge and skills for productive means and help the community.

What exactly do you think computer security professionals DO? Or cryptologists employed by three-letter agencies? Or military strategists?

A person who wants to strengthen the bitcoin network and isn't constantly thinking of ways to break it, isn't doing their job.



I agree. But one also has to ask themselves, if it is so easy to destroy, why hasn't the government taken out the bitcoin network yet?  Clearly there is an agenda behind letting it go forward.  I will let you figure that one out.


Title: Re: Cheap way to attack blockchain
Post by: Syke on September 27, 2015, 11:53:08 PM
Quote
The date of a message becomes underlined if it is ever edited. If you don't edit a message, the timestamp is quite reliable. Someone with direct database access could have edited the message, but not a regular account owner.

There's a small timeframe (5-10 min IIRC) where the msg can be edited without notice.

Edited.

Previous edit at 53:08.

Edit: Ok, so the original timestamp doesn't change, but the text of the msg can change.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 28, 2015, 05:11:14 AM
Quote
Damn, looks like Amaclin's bot stole my BTC (https://blockchain.info/tx/073be290bdaae60bdab0763beea51454471fb66910604cc9e91afe6745212f80).  My tx even had a signature and everything >:(
Edit: I have a new version that uses at least one real sig :)  I can create an IsStandard tx that hashes >250MB, or in other words, only 5 tx to "fill" a XT 8MB block.  Lucky I'm out of bits to play with.

This is a provocation.
This vile and filthy lie.
How can you prove that you did not send the funds to my address to blacken my name?  ;D

Note: these btc were not stolen. It is not possible to steal btc without knowledge of the private key.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 28, 2015, 05:24:45 AM
Quote
I agree. But one also has to ask themselves, if it is so easy to destroy, why hasn't the
government taken out the bitcoin network yet?

Governments do not need to "destroy" bitcoin.
Because there is no danger from it.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 28, 2015, 06:25:46 AM
Quote
My name Boris.  I pay 10k USD and 100 barrels oil you do this.
I want you take down evil tool of Western intelligence!  We have deal?

Yes. PM me for details.  ;D


Title: Re: Cheap way to attack blockchain
Post by: letsplayagame on September 28, 2015, 08:47:31 AM
Quote
You're not the first and you certainly won't be the last person concerning themselves with how to break the Bitcoin network.

You should use your knowledge and skills for productive means and help the community.

What exactly do you think computer security professionals DO? Or cryptologists employed by three-letter agencies? Or military strategists?

A person who wants to strengthen the bitcoin network and isn't constantly thinking of ways to break it, isn't doing their job.



I wish more people understood this concept.  This type of testing is exactly what bitcoin needs to become stronger.  You have to think of different ways to attack bitcoin in order to develop better ways to defend it.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 28, 2015, 09:03:08 AM
Quote
I wish more people understood this concept.
This type of testing is exactly what bitcoin needs to become stronger.
You have to think of different ways to attack bitcoin in order to develop better ways to defend it.

What is the purpose to spend time to "defend a broken thing"?
Nobody will pay for it. Because this is bitcoin.
Nobody will fight to increase the value in your pocket.
You are in ponzi scheme. Right now you do not understand it.


Title: Re: Cheap way to attack blockchain
Post by: RealMalatesta on September 28, 2015, 09:05:48 AM
Quote
I agree. But one also has to ask themselves, if it is so easy to destroy, why hasn't the
government taken out the bitcoin network yet?
Governments do not need to "destroy" bitcoin.
Because there is no danger from it.

But there will be competitors who just wait for the right timing...


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 28, 2015, 09:09:17 AM
Quote
But there will be competitors who just wait for the right timing...

Yes. There are many ways to get money from your purse.
Bitcoin is not the first... And unfortunately not the last  ;D


Title: Re: Cheap way to attack blockchain
Post by: RealMalatesta on September 28, 2015, 09:14:03 AM
Quote
Yes. There are many ways to get money from your purse.

For just one second, you gave me some hope. But then, I opened my purse and there still was no money in it someone could get  ;)


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 28, 2015, 09:20:02 AM
Quote
For just one second, you gave me some hope.
But then, I opened my purse and there still was no money in it someone could get  ;)

Do you have any amount in any crypto? How and when you got it? Did you buy it paying fiat money?
Sorry, man. I am too late. Someone already got your money and sold you just digits and hope.


Title: Re: Cheap way to attack blockchain
Post by: RealMalatesta on September 28, 2015, 09:42:24 AM
Quote
Sorry, man. I am too late. Someone already got your money and sold you just digits and hope.

You mean... you really mean we all are part of one big digital church?  8)


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 28, 2015, 10:07:00 AM
Quote
You mean... you really mean we all are part of one big digital church?  8)

1) Those are your words, not mine
2) If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.


Title: Re: Cheap way to attack blockchain
Post by: RealMalatesta on September 28, 2015, 11:43:55 AM
Quote
You mean... you really mean we all are part of one big digital church?  8)
1) Those are your words, not mine
2) If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.

Well, I think Uncle Scrooge is a duck, too....


Title: Re: Cheap way to attack blockchain
Post by: basil00 on September 28, 2015, 01:31:43 PM
Quote
It is not possible to steal btc without knowledge of the private key.

My precious coins were protected by the script:
Code:
        OP_1,
        <pubKey>
        OP_DUP,
        OP_2DUP,
        OP_3DUP,
        OP_3DUP,
        OP_3DUP,
        OP_2DUP,
        OP_15,
        OP_CHECKMULTISIG,
        OP_NOT
To spend you need to find a signature that does not match the pubKey.  To be extra sure the script checks 15 times :)
OK, it is really really easy to find such a signature.  A 9 byte signature will do: 300602015202015301
The aim is to attack the 1.28GB bytes-hashed limit for XT.  This is reasonably easy using these kinds of scripts and tx sizes of a few KBs.

Quote
How can you prove that you did not send the funds to my address to blacken my name?

OK, consider it compensation for the coinwallet spam. :)


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 28, 2015, 01:40:08 PM
Quote
The aim is to attack the 1.28GB bytes hashed limit for XT.
This is reasonably easy using these kinds of scripts and tx sizes of a few KBs.

Do you want to switch stealing-bot off just for testing?
You see - I play this game with my cards open to everyone


Title: Re: Cheap way to attack blockchain
Post by: basil00 on September 28, 2015, 01:43:09 PM
Quote
Nobody will pay for it. Because this is bitcoin.

Funny how some who deeply understand the protocol are not "true believers".
I am also not a "true believer".  I find it interesting, e.g. thinking of ways to attack it :)


Title: Re: Cheap way to attack blockchain
Post by: basil00 on September 28, 2015, 01:48:10 PM
Quote
Do you want to switch stealing-bot off just for testing?

Part of the test was to see if it would be stolen.  The answer was "yes".  That's OK, there was only 410bits ($0.10) in total.
Next test will protect each input with at least one real sig, so cannot be stolen.  It is not quite as efficient though.

BTW, do you know if the 60byte sigs (using the special K value) are inherently unsafe, or are only unsafe if used more than once per key (e.g. repeated R-value attack)?


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 28, 2015, 01:51:57 PM
Quote
Funny how some who deeply understand the protocol are not "true believers".
I am also not a "true believer".  I find it interesting, e.g. thinking of ways to attack it :)

I told a lot of times that bitcoin network consumes ~$1mln daily only for electricity to process 100k transactions.
So the cost for processing and securing one transaction is several dollars!
This kind of processing system can not survive in long term.
Because it is inefficient and can not be scaled.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on September 28, 2015, 02:01:46 PM
Quote
BTW, do you know if the 60byte sigs (using the special K value) are inherently unsafe, or are only unsafe if used more than once per key (e.g. repeated R-value attack)?

unsafe.
If I know <R,S> (parts of signature) Z (digest) and K (random) I can get your private key.
k = ( digest + r . privkey ) / s
k . s = digest + r . privkey
k . s - digest = r . privkey
(k . s - digest) / r = privkey

Code:
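// Solves the signing equation above for the private key when the nonce k is known:
// priv = (s*k - z) / r, all arithmetic modulo the group order.
// addr is the address the key is expected to control; it is used to confirm the result.
const MyKey32 MyKey32::getPrivateKey ( const MyKey32& r, const MyKey32& s, const MyKey32& k, const MyKey32& z, const MyKey20& addr )
{
  static MyKey20 addr1;
  static MyKey20 addr2;
  // First candidate: the nonce is k itself.
  MyKey32 priv = mul ( sub ( mul ( s, k ), z ), inv ( r ) );
  priv.getKeys ( addr1, addr2 );  // the two addresses derived from the candidate key
  if ( addr1 == addr || addr2 == addr )
    return priv;
  // Second candidate: the nonce is (order - k). This gives the same r and covers
  // a signature whose s was negated (s -> order - s) before publication.
  priv = mul ( sub ( mul ( s, sub ( order, k ) ), z ), inv ( r ) );
  priv.getKeys ( addr1, addr2 );
  if ( addr1 == addr || addr2 == addr )
    return priv;
  // Neither candidate controls addr: the inputs do not belong together.
  xassert ( false );
}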


Title: Re: Cheap way to attack blockchain
Post by: basil00 on September 28, 2015, 02:06:08 PM
I think I get it -- it's because K is known.


Title: Re: Cheap way to attack blockchain
Post by: Nancarrow on October 02, 2015, 12:28:16 PM
Quote
I wish more people understood this concept.
This type of testing is exactly what bitcoin needs to become stronger.  
You have to think of different ways to attack bitcoin in order to develop better ways to defend it.
What is the purpose to spend time to "defend a broken thing"?
Nobody will pay for it. Because this is bitcoin.
Nobody will fight to increase the value in your pocket.
You are in ponzi scheme. Right now you do not understand it.


So it now appears that my implicit defence of amaclin's character may have been premature.

No matter. Amaclin is still exposing shaky parts of the protocol, and doing so (so far) in an honest and transparent fashion, so regardless of the motivation, thanks!


Title: Re: Cheap way to attack blockchain
Post by: Zombier0 on October 08, 2015, 08:14:46 PM
The day bitcoin starts blacklisting will be the end of it


Title: Re: Cheap way to attack blockchain
Post by: amaclin on October 08, 2015, 08:24:39 PM
Quote
The day bitcoin starts blacklisting will be the end of it

Not so sure.
The main thesis is "Nobody cares".
What would you do if most of major pools blacklist an address and publish a note that address belongs to a killer?
You will do nothing. You even will not ask a proof for this statement.


Title: Re: Cheap way to attack blockchain
Post by: tommorisonwebdesign on October 08, 2015, 10:07:52 PM
If I were the OP if I wanted to steal somebody's Bitcoins I would look into learning more about programming and networking. Then, you could write a script to steal somebody's private keys. Otherwise there may not be a lot of exploits in the network. People try and get nowhere.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on October 09, 2015, 04:04:26 AM
If I were the OP if I wanted to steal somebody's Bitcoins I would look into learning more about programming and networking.
Why can not you do it whether you are not the OP?


Title: Re: Cheap way to attack blockchain
Post by: shorena on October 09, 2015, 11:44:52 AM
The day bitcoin starts blacklisting will be the end of it

So its dead[1] already?

[1] look at the date http://www.coindesk.com/blacklist-debate-ok-meddle-bitcoins-code/


Title: Re: Cheap way to attack blockchain
Post by: amaclin on October 09, 2015, 12:00:38 PM
So its dead[1] already?
[1] look at the date http://www.coindesk.com/blacklist-debate-ok-meddle-bitcoins-code/
Nobody cares.
Nobody even know that one pool today does not process transactions to/from some set of addresses.



Title: Re: Cheap way to attack blockchain
Post by: Zombier0 on October 10, 2015, 09:58:22 AM
So its dead[1] already?
[1] look at the date http://www.coindesk.com/blacklist-debate-ok-meddle-bitcoins-code/
Nobody cares.
Nobody even know that one pool today does not process transactions to/from some set of addresses.



It was a debate, that's it.

BTC is digital cash, cash is free to move.

When btc blacklists then I go full pro LTC


Title: Re: Cheap way to attack blockchain
Post by: onemorexmr on October 10, 2015, 10:00:22 AM
So its dead[1] already?
[1] look at the date http://www.coindesk.com/blacklist-debate-ok-meddle-bitcoins-code/
Nobody cares.
Nobody even know that one pool today does not process transactions to/from some set of addresses.



It was a debate, that's it.

BTC is digital cash, cash is free to move.

When btc blacklists then I go full pro LTC

LTC is the same as BTC.
if bitcoin ever goes with blacklisting (i dont think or hope so) LTC will be next shortly after


Title: Re: Cheap way to attack blockchain
Post by: Zombier0 on October 10, 2015, 03:04:59 PM
So its dead[1] already?
[1] look at the date http://www.coindesk.com/blacklist-debate-ok-meddle-bitcoins-code/
Nobody cares.
Nobody even know that one pool today does not process transactions to/from some set of addresses.



It was a debate, that's it.

BTC is digital cash, cash is free to move.

When btc blacklists then I go full pro LTC

LTC is the same as BTC.
if bitcoin ever goes with blacklisting (i dont think or hope so) LTC will be next shortly after

Then we move to nxt and next :)


Title: Re: Cheap way to attack blockchain
Post by: Bifta on October 19, 2015, 10:42:13 PM
I'm looking at the transaction referenced in the OP: https://blockchain.info/tx/6766e75d6166a0a14bd814921d0f903285e15779e648d7ec52a4f7c0868ec07d and I noticed that the input scripts don't seem to verify with the output script of their referenced outpoints. Can someone explain how this is considered valid?


Title: Re: Cheap way to attack blockchain
Post by: basil00 on October 31, 2015, 11:57:42 PM
It appears that someone launched a limited form of this attack using the address 3G83ox5zw7D6eySoSMCervh9cbhMXdA5t9 (https://blockchain.info/address/3G83ox5zw7D6eySoSMCervh9cbhMXdA5t9).  The address corresponds to the script:

Code:
OP_IF
   0x451e75af
   OP_15
   OP_CHECKMULTISIG
OP_ENDIF
OP_1

The script is spent by push 0 in the sigScript.

The attacker only generated 960 such outputs, which corresponds to 14400 sigOps, which is not enough even to fill a block.  Furthermore the fee rate for the transactions was not very high (37sat/byte), meaning that most normal traffic would be unaffected anyway.  So overall this attack had no effect.  Maybe this was a test?


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 01, 2015, 07:37:27 AM
It appears that someone launched a limited form of this attack

http://www.youtube.com/watch?v=0QtKDlZ7FKE


Title: Re: Cheap way to attack blockchain
Post by: Bifta on November 02, 2015, 12:26:23 AM
Blockchain have been providing some best wallet services for bitcoins. They're famous for their features, security and privacy, but now some cheap hackers have tried some typical tricks for hacking the blockchain system. What they used were some fake proxy servers for gaining access to the wallets. They have been successful a few times. But, no longer now as blockchain made their system more secure and strong.
That is just not the right blockchain. Please stop confusing blockchain.info for that actual Bitcoin Blockchain. They are two different things. We are talking about the bitcoin blockchain here, and how to spam and perform a DoS attack against full nodes which download the entire blockchain. Also, please read the thread before posting, we don't want your spam here.


Title: Re: Cheap way to attack blockchain
Post by: Decoded on November 04, 2015, 04:47:56 AM
What do people have against bitcoin? It's a revolutionary new currency, and people are trying to use it to hurt other bitcoiners.

You're advertising a service to ruin the experience for other bitcoiners, on the official forum where all the bitcoiners come.

Am I missing something?


Title: Re: Cheap way to attack blockchain
Post by: DuddlyDoRight on November 04, 2015, 05:47:46 AM
Be thankful people are doing free security research.. The more they achieve the harder BTC is to hack because it leads to mitigations and patches even if they are blackhat..

Even a really complex algorithmic attack on the block-chain will reveal design flaws that can be fixed and someone will bankrupt a lot of tumblers trying to convert stolen coins.. There are probably companies and criminal groups all over the world with talented people looking for this right now; probably mostly in Russia and China..


Title: Re: Cheap way to attack blockchain
Post by: basil00 on November 05, 2015, 01:21:44 AM
Looks like the attacker has successfully launched another attack.  This time using the address 3EgSUauJG5N27AUfQwiUfjAhHe6y9AKdVs (https://blockchain.info/address/3EgSUauJG5N27AUfQwiUfjAhHe6y9AKdVs) corresponding to the script:

Code:
OP_IF 0x42412fb4 OP_15 OP_CHECKMULTISIG OP_ENDIF OP_1

This time the attacker managed to successfully fill the 20,000 sigOp limit for block #382053 (https://blockchain.info/block/00000000000000000efb76c4be6ec42b7323f0c872c2e1666f4ee7b6f769858b), where 1245x15 = 18675 are fake sigOps arising from the attack transactions.  This meant that no more transactions (legitimate or otherwise) could be included in the block, leading to an underfull block of ~288KB (of which ~68KB are the attack txs).  Note that the network is currently running at capacity, with 1MB or 750KB blocks the norm.

The new attack was limited to a single block.  Also the attacker used a low fee rate of ~18sat/byte.  A higher fee rate would have made the attack more effective (but more expensive).


Title: Re: Cheap way to attack blockchain
Post by: erickimani on November 05, 2015, 08:40:31 PM
we can never be secure anywhere. will just depend on luck and other firms that offer cyber security to protect us from scams..Haha. especially from you guys who understand the language of programming. Be good.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 05, 2015, 08:50:23 PM
Be good.
It is not possible for humans alive creatures to be good for everyone.
Wolves can not be good for rabbits.


Title: Re: Cheap way to attack blockchain
Post by: DuddlyDoRight on November 08, 2015, 12:33:28 AM
Looks like the attacker has successfully launched another attack.  This time using the address 3EgSUauJG5N27AUfQwiUfjAhHe6y9AKdVs (https://blockchain.info/address/3EgSUauJG5N27AUfQwiUfjAhHe6y9AKdVs) corresponding to the script:

Code:
OP_IF 0x42412fb4 OP_15 OP_CHECKMULTISIG OP_ENDIF OP_1

This time the attacker managed to successfully fill the 20,000 sigOp limit for block #382053 (https://blockchain.info/block/00000000000000000efb76c4be6ec42b7323f0c872c2e1666f4ee7b6f769858b), where 1245x15 = 18675 are fake sigOps arising from the attack transactions.  This meant that no more transactions (legitimate or otherwise) could be included in the block, leading to an underfull block of ~288KB (of which ~68KB are the attack txs).  Note that the network is currently running at capacity, with 1MB or 750KB blocks the norm.

The new attack was limited to a single block.  Also the attacker used a low fee rate of ~18sat/byte.  A higher fee rate would have made the attack more effective (but more expensive).

Worse case scenario: Buffer Overflow->Code Execution in poorly coded clients. I doubt this person would have the skill to do that especially since it requires brute forcing with weak hashes for shellcode which is next to impossible unless you have super-computers like a gov...

dos will just cause repo commits fixing the handler routines within 72 hours on popular clients..

EDIT: BTC Blockchain and core-implementation have a huge attack surface and design spec. I bet most wallets and miners don't even bounds check and have strict spec handling without error handling.


Title: Re: Cheap way to attack blockchain
Post by: basil00 on November 08, 2015, 05:18:00 AM
Worse case scenario: Buffer Overflow->Code Execution in poorly coded clients.

This is a specific DoS attack vector that has nothing to do with buffer overflows.

The worse case scenario is that no transactions are confirmed for a while until centralized mining intervenes.


Title: Re: Cheap way to attack blockchain
Post by: kbtakbta on November 09, 2015, 11:51:09 AM
Hi,

I'm not a technical guy, but I would fear to use a system, running on a not a self-developed op. system. Since Snowden we know, how the US try to keep up his superiority above the net. It is possible to defect some of the major op.systems, so large part of the Bitcoin system can be compromised on the next op.system update. The Bitcoin Core only a program running above the op. system.


Title: Re: Cheap way to attack blockchain
Post by: DuddlyDoRight on November 09, 2015, 08:27:56 PM
Worse case scenario: Buffer Overflow->Code Execution in poorly coded clients.

This is a specific DoS attack vector that has nothing to do with buffer overflows.

The worse case scenario is that no transactions are confirmed for a while until centralized mining intervenes.

It depends on what controls the allocation in code. If it's secure it puts x bytes in a x bytes buffer after a verified pointer in meta data with no parsing except after allocation of said buffer. Otherwise it can likely be exploited for code execution through malicious hashing&encoding.

Even if it's not the case here with the reference implementation, that doesn't mean it's not the case with other full clients.

If we're going to raise alerts over dos and block spamming I could easily post a python script that fork-spams the block-chain and bloats it with orphan blocks. I'm more interested in programming flaws though and not the genius currency design that changes hundredths at second intervals and has arbitrary fees..

EDIT: I only mention it because it's obvious that the reference implementation and all the clients based on it just blindly allocate and mine on the block-chain.. At some point malicious people will exploit it..


Title: Re: Cheap way to attack blockchain
Post by: StateOfAffairs on November 09, 2015, 09:03:24 PM
So are people actually trying to attack Blockchain? I thought it was fairly secure..


Title: Re: Cheap way to attack blockchain
Post by: DuddlyDoRight on November 09, 2015, 10:16:19 PM
So are people actually trying to attack Blockchain? I thought it was fairly secure..

The crypto is till quantum computers. The design and economics not so much. The currency itself changes hundredths in seconds and has arbitrary fees.. It wasn't well thought out and anyone who learned programming two years ago are writing tools and solutions for it because it's marketable..

It's trivial to spam and fork the blockchain for anyone with little research..

Governments and botnet industry will eventually start looking for way to exploit things.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 22, 2015, 05:34:30 PM
https://statoshi.info/dashboard/db/transactions

https://statoshi.info/render/dashboard-solo/db/transactions?panelId=8&fullscreen&from=1448127324604&to=1448213724604&width=1000&height=500


Title: Re: Cheap way to attack blockchain
Post by: basil00 on November 23, 2015, 02:19:38 PM
https://statoshi.info/dashboard/db/transactions

Another attack, this time block #384831 (https://blockchain.info/block/0000000000000000077b897d419c2c9ff2c34adce5f0b4f4bb2457051c979b91)'s sigOp limit was hit.

Is this you amaclin?  I thought this would be against your policy of not spending money on attacks?



Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 23, 2015, 05:52:33 PM
I thought this would be against your policy of not spending money on attacks?
I changed my mind


Title: Re: Cheap way to attack blockchain
Post by: basil00 on November 24, 2015, 01:02:10 AM
I changed my mind

At least the attack is proven to work in practice.


Title: Re: Cheap way to attack blockchain
Post by: moneyart on November 24, 2015, 04:08:36 PM
Quote
Governments do not need to "destroy" bitcoin.
Because there is no danger from it.

Governments steal our money but because they have to pay so much interest on debt there is no money left for a bitcoin attack.

By the way, politicians still dont understand what Bitcoin is. Good for us, because when criminals dont understand something they dont want to steal it.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 24, 2015, 04:44:47 PM
By the way, politicians still dont understand what Bitcoin is.
You either dont understand what Bitcoin is  ;D


Title: Re: Cheap way to attack blockchain
Post by: junglist.massive on November 24, 2015, 08:31:31 PM
that kind of spamming will be really popular in future. If you add some text to each transaction and send it, it will work the same as email spam


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 25, 2015, 06:47:49 AM
that kind of spamming will be really popular in future.
doubt
Quote
If you add some text to each transaction and send it, it will work the same as email spam
Are you sure that you really understand me? and the point of SIGOPs "block fulling" attack?
Have a look:
https://bitcointalk.org/index.php?topic=1023190.0
http://webbtc.com/tx/300503d19fb80a083723ccfb43d54278f2555838595c3443907156bc9889aeec (stored today)
https://github.com/petertodd/python-bitcoinlib/blob/master/examples/publish-text.py


Title: Re: Cheap way to attack blockchain
Post by: hetecon on November 27, 2015, 05:44:18 AM
Why would you want to spam the blockchain.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 27, 2015, 05:51:26 AM
Why would you want to spam the blockchain.
Because I have a right


Title: Re: Cheap way to attack blockchain
Post by: achow101 on November 27, 2015, 06:54:59 AM
Why would you want to spam the blockchain.
Because I have a right
No, it is not your right to spam the blockchain, you simply have the ability. Just because I have the ability to rob a store does not make it my right to do so. Same applies here.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 27, 2015, 07:38:09 AM
No, it is not your right to spam the blockchain, you simply have the ability.
Just because I have the ability to rob a store does not make it my right to do so. Same applies here.
There is no law, no punishment for doing this.
There are only consensus rules and mining policy in bitcoin.
So, in this case right=ability. These are different apples.  ;D


Title: Re: Cheap way to attack blockchain
Post by: YarkoL on November 27, 2015, 05:01:59 PM

You guys ought to be grateful for amaclin for doing security
testing and even paying for it out of his own pockets.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 27, 2015, 09:11:53 PM
https://github.com/bitcoin/bitcoin/pull/7081


Title: Re: Cheap way to attack blockchain
Post by: enthus on November 28, 2015, 02:36:02 AM
Each such transaction costs 0.00045 for dishonest attacker (can be even less)
88 transactions (attack one block) will cost only 0.0396 BTC
Daily attack 5.7024 BTC - not a big deal

Wanna hire me for this dirty job?  ;D

Main "weakness" for this attack is that miners could easily just ignore those transactions, without involving any hard fork.

Only the pools that accept those transactions *and* that do not prioritize transactions in a block by total fee would be impacted, pools that build their blocks based on max fee they can rack in a block would automatically eliminate them, they may just need to take the SIGOPS limit into their block optimization code, but that's all.

In practice only the "faucet pools", those that accept zero-fee tx and do not prioritize tx would likely feel the attack.

So the practical spamming would be limited to relaying and the mempool, so no biggy.
Yes this is right...once problem is identified it is easy for miners to ignore and fix the attack.


Title: Re: Cheap way to attack blockchain
Post by: moneyart on November 28, 2015, 11:57:58 AM
Quote
You either dont understand what Bitcoin is  ;D

I wrote my Bachelor Thesis about Bitcoin and developed a Paper Wallet site: moneyart.info
I know a lot about Bitcoin.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 28, 2015, 12:25:47 PM
Quote
You either dont understand what Bitcoin is  ;D

I wrote my Bachelor Thesis about Bitcoin and developed a Paper Wallet site: moneyart.info
I know a lot about Bitcoin.

http://38.media.tumblr.com/c43e9b6d08367824fb9f9291d9678504/tumblr_inline_na121jfyAU1sygp99.jpg


Title: Re: Cheap way to attack blockchain
Post by: hetecon on November 29, 2015, 01:53:29 AM
Why would you want to spam the blockchain.
Because I have a right

But why does that make you want to do it? Maybe for attention???


Title: Re: Cheap way to attack blockchain
Post by: lama-hunter on November 29, 2015, 02:24:39 AM
Is it really an attack of the Blockchain  :D or simply a slowment/decrease of included tx?
I just know back in Time when a transaction took about 14 Days out from Coinbase :D:D that was awkward lol

regards
lama-hunter


Title: Re: Cheap way to attack blockchain
Post by: BurtW on November 29, 2015, 02:27:46 AM
I would like to thank those that have (re)discovered this attack and shown it to be a viable attack using their own money to prove it.

Is anyone planning a large scale attack using this method?  That would be interesting.

How much would it take to fund a sustained attack, for example a 24 hour period?


Title: Re: Cheap way to attack blockchain
Post by: hetecon on November 29, 2015, 02:51:52 AM
I would like to thank those that have (re)discovered this attack and shown it to be a viable attack using their own money to prove it.

Is anyone planning a large scale attack using this method?  That would be interesting.

How much would it take to fund a sustained attack, for example a 24 hour period?

I think it is not ethical to do this attack, but also interested to know these answers for security purpose.


Title: Re: Cheap way to attack blockchain
Post by: RealBitcoin on November 29, 2015, 04:44:07 AM
Shit, the devs should fix this asap before the word gets out and FUD-ers start screaming the price down.


Title: Re: Cheap way to attack blockchain
Post by: achow101 on November 29, 2015, 05:18:08 AM
Shit, the devs should fix this asap before the word gets out and FUD-ers start screaming the price down.
This is not something that can be easily fixed. The sig op limit is to prevent spamming blocks full of transactions that take a lot of time to process. Yet increasing the limit would mean that more transaction could go in that delay processing even more and a lower limit means that fewer other transactions can make it into the block. I don't think there really is a fix for this.


Title: Re: Cheap way to attack blockchain
Post by: USB-S on November 29, 2015, 06:39:09 AM
Shit, the devs should fix this asap before the word gets out and FUD-ers start screaming the price down.
This is not something that can be easily fixed. The sig op limit is to prevent spamming blocks full of transactions that take a lot of time to process. Yet increasing the limit would mean that more transaction could go in that delay processing even more and a lower limit means that fewer other transactions can make it into the block. I don't think there really is a fix for this.
Well, if you're afraid of confirmation times you could just increase the transaction fee?

However when bitcoin increases in price the said attack wouldn't really be that cost efficient, when people could just mitigate this by increasing their transaction fee. However couldn't we just implement burn fees if this said spam attack gets way out of hand. You know, just to make the spammers profitable for the rest of us?


Title: Re: Cheap way to attack blockchain
Post by: basil00 on November 29, 2015, 03:40:05 PM
Another attack...last 6 blocks (edit: and counting) have been hit.

Example: #385910 (https://blockchain.info/block/000000000000000002d425c0a44d9e309678ddaa6ae687381150c59b231066a8) with 19125 fake sigOps.  The block is only 200KB despite a 5MB backlog (according to tradeblock).  It seems this attack is very effective.

Edit:
#385911 (https://blockchain.info/block/000000000000000000cc4a417ce11af36fc2053d493eff6e1aeba2fc0d6afe72) unaffected (enough high-fee legit txs)
#385912 (https://blockchain.info/block/000000000000000003c851f8ea54e6ee8938d5c90d6053fd8769ba8a414b00b6) = 18990 fake sigOps, 280KB.
#385913 (https://blockchain.info/block/0000000000000000094b9e2ff059badde442b155a1622efaef1cae159ca21347) = 18945 fake sigOps, 281KB.
#385914 (https://blockchain.info/block/00000000000000000ab31b6fba2057b46255979cdfeab8023dfd550e8615a559) = 17325 fake sigOps, 470KB.
...etc.


Title: Re: Cheap way to attack blockchain
Post by: YarkoL on November 29, 2015, 04:25:43 PM
I don't think there really is a fix for this.

Lower priority of P2SH transactions with multiple sig ops?
And/or make them cost more.


Title: Re: Cheap way to attack blockchain
Post by: hetecon on November 29, 2015, 08:12:29 PM
Another attack...last 6 blocks (edit: and counting) have been hit.

Example: #385910 (https://blockchain.info/block/000000000000000002d425c0a44d9e309678ddaa6ae687381150c59b231066a8) with 19125 fake sigOps.  The block is only 200KB despite a 5MB backlog (according to tradeblock).  It seems this attack is very effective.

Edit:
#385911 (https://blockchain.info/block/000000000000000000cc4a417ce11af36fc2053d493eff6e1aeba2fc0d6afe72) unaffected (enough high-fee legit txs)
#385912 (https://blockchain.info/block/000000000000000003c851f8ea54e6ee8938d5c90d6053fd8769ba8a414b00b6) = 18990 fake sigOps, 280KB.
#385913 (https://blockchain.info/block/0000000000000000094b9e2ff059badde442b155a1622efaef1cae159ca21347) = 18945 fake sigOps, 281KB.
#385914 (https://blockchain.info/block/00000000000000000ab31b6fba2057b46255979cdfeab8023dfd550e8615a559) = 17325 fake sigOps, 470KB.
...etc.

Wow this is bad news. Any pull requests on github to fix this yet?


Title: Re: Cheap way to attack blockchain
Post by: trout on November 29, 2015, 09:38:16 PM
the fix seems trivial - calculate the min relay fee (and all the rest of the fee thresholds) based on the size and the number of  sigops, rather than the size only. I don't get why it's not in the latest release.
Am I missing something?


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 29, 2015, 10:52:49 PM
Am I missing something?
1) You are missing that miners are interested in fees. They have a right to include/exclude any transaction.

2) You are missing that it is almost impossible to upgrade relay policy on thousands of nodes.

BTW. This is funny test.
Miners just raised the minimum fee, leaving a lot of unconfirmed transactions and screaming users.
Blocks are not filled.
Right now mempool on https://tradeblock.com/bitcoin/ is 12mb (note: transactions with a fee less than 5 satoshi per byte are ignored)

https://en.wikipedia.org/wiki/Tragedy_of_the_commons

Edit:
3) Since the start of this stress test the price on exchanges rose up. Everybody likes it  ;D
Are you sure that you really want to fix this issue? A lot of people would vote against  ;D


Title: Re: Cheap way to attack blockchain
Post by: hetecon on November 30, 2015, 03:46:00 AM
Am I missing something?
1) You are missing that miners are interested in fees. They have a right to include/exclude any transaction.

2) You are missing that it is almost impossible to upgrade relay policy on thousands of nodes.

BTW. This is funny test.
Miners just raised the minimum fee, leaving a lot of unconfirmed transactions and screaming users.
Blocks are not filled.
Right now mempool on https://tradeblock.com/bitcoin/ is 12mb (note: transactions with a fee less than 5 satoshi per byte are ignored)

https://en.wikipedia.org/wiki/Tragedy_of_the_commons

Edit:
3) Since the start of this stress test the price on exchanges rose up. Everybody likes it  ;D
Are you sure that you really want to fix this issue? A lot of people would vote against  ;D

Did they raise min because of this specific attack?


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 30, 2015, 05:57:16 AM
Did they raise min because of this specific attack?
I can not prove it. Of course, this is a joke. May be with truth in it


Title: Re: Cheap way to attack blockchain
Post by: worhiper_-_ on November 30, 2015, 03:49:17 PM
I would like to thank those that have (re)discovered this attack and shown it to be a viable attack using their own money to prove it.

Is anyone planning a large scale attack using this method?  That would be interesting.

How much would it take to fund a sustained attack, for example a 24 hour period?

Daily attack 5.7024 BTC - not a big deal


Title: Re: Cheap way to attack blockchain
Post by: keystroke on November 30, 2015, 04:18:13 PM
Nice security research. Can this attack be made profitable, or is it just DoS?


Title: Re: Cheap way to attack blockchain
Post by: trout on November 30, 2015, 04:26:03 PM
Am I missing something?
1) You are missing that miners are interested in fees. They have a right to include/exclude any transaction.

2) You are missing that it is almost impossible to upgrade relay policy on thousands of nodes.

BTW. This is funny test.
Miners just raised the minimum fee, leaving a lot of unconfirmed transactions and screaming users.
Blocks are not filled.
Right now mempool on https://tradeblock.com/bitcoin/ is 12mb (note: transactions with a fee less than 5 satoshi per byte are ignored)

https://en.wikipedia.org/wiki/Tragedy_of_the_commons

Edit:
3) Since the start of this stress test the price on exchanges rose up. Everybody likes it  ;D
Are you sure that you really want to fix this issue? A lot of people would vote against  ;D

I've been just speaking about the default policy in the "Core" client.
In this sense, fixing the issue is trivial.
After such an update  miners/ relay nodes are of course still free to run any code they like -
nobody forces them to update their policy

Edit: All I'm saying is that it is easy to make this kind of attack as expensive as the "traditional" block-size-filling spam attack. I'm surprised this is not done yet.


Title: Re: Cheap way to attack blockchain
Post by: hetecon on November 30, 2015, 04:39:36 PM
Is fixing of this issue requiring a full 'hard forking'


Title: Re: Cheap way to attack blockchain
Post by: mezzomix on November 30, 2015, 04:59:04 PM
Nice security research. Can this attack be made profitable, or is it just DoS?

This "attack" is a nuisance just like the HighS malleability.

Is fixing of this issue requiring a full 'hard forking'

No. As trout already wrote the miners can just take a higher fee for transactions with a large number of SIGOPS.

1) You are missing that miners are interested in fees. They have a right to include/exclude any transaction.

They might be interested in the BTC value, too. So it's interesting for them to include all transactions to preserve the value of their BTC.


Title: Re: Cheap way to attack blockchain
Post by: amaclin on November 30, 2015, 04:59:42 PM
Nice security research. Can this attack be made profitable, or is it just DoS?
yes


Title: Re: Cheap way to attack blockchain
Post by: keystroke on November 30, 2015, 05:04:09 PM
Nice security research. Can this attack be made profitable, or is it just DoS?
yes
Aside from someone paying you to DoS. ;)


Title: Re: Cheap way to attack blockchain
Post by: hetecon on November 30, 2015, 09:23:31 PM
Nice security research. Can this attack be made profitable, or is it just DoS?

This "attack" is a nuisance just like the HighS malleability.

Is fixing of this issue requiring a full 'hard forking'

No. As trout already wrote the miners can just take a higher fee for transactions with a large number of SIGOPS.

1) You are missing that miners are interested in fees. They have a right to include/exclude any transaction.

They might be interested in the BTC value, too. So it's interesting for them to include all transactions to preserve the value of their BTC.


So this will be able to have a fix but requires convincing of the largest pools.


Title: Re: Cheap way to attack blockchain
Post by: basil00 on December 01, 2015, 03:23:47 AM
Is fixing of this issue requiring a full 'hard forking'

Fixing the broken sigOp counting method is indeed a hardfork.  It can be fixed when (if?) there is a block-size hardfork, e.g. this (https://github.com/bitcoinxt/bitcoinxt/commit/6e7da38dec680019db0e1a8e7b2c96dc8369c312) is one proposal.

This specific attack can also be mitigated by enforcing a bytes-per-sigop limit (policy change), as was merged (https://github.com/bitcoin/bitcoin/pull/7081) into 0.12.0.  Any miner that does not adopt this policy will still be vulnerable.
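
The bytes-per-sigop mitigation mentioned in the post above, sketched as an added example (not code from the thread, from Bitcoin Core, or from the linked pull request): it counts sigops statically, executed or not, and rejects a transaction that carries too many counted sigops for its size. The function names, the script byte encoding, the threshold of 20 bytes per sigop and the transaction sizes are constructed assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Opcode values of the Bitcoin script language that matter for counting.
enum : uint8_t {
    OP_PUSHDATA1 = 0x4c, OP_PUSHDATA2 = 0x4d, OP_PUSHDATA4 = 0x4e,
    OP_1 = 0x51, OP_16 = 0x60,
    OP_CHECKSIG = 0xac, OP_CHECKSIGVERIFY = 0xad,
    OP_CHECKMULTISIG = 0xae, OP_CHECKMULTISIGVERIFY = 0xaf
};

// A CHECKMULTISIG whose key count cannot be read statically is charged 20.
static const unsigned MULTISIG_DEFAULT_SIGOPS = 20;

// Constructed encoding of the script quoted in the thread:
//   OP_IF 0x451e75af OP_15 OP_CHECKMULTISIG OP_ENDIF OP_1
// (the byte order of the pushed data is an assumption; counting ignores it)
static const std::vector<uint8_t> THREAD_SCRIPT = {
    0x63, 0x04, 0x45, 0x1e, 0x75, 0xaf, 0x5f, 0xae, 0x68, 0x51};

// Static sigop count. Every opcode is visited whether or not it would run,
// so a CHECKMULTISIG inside an OP_IF branch that is never taken still counts.
// accurate=true reads the key count from a preceding OP_1..OP_16 (P2SH
// redeem scripts); accurate=false always charges 20 per CHECKMULTISIG.
unsigned count_sigops(const std::vector<uint8_t>& script, bool accurate)
{
    unsigned n = 0;
    uint8_t last = 0xff;  // no previous opcode yet
    size_t i = 0;
    while (i < script.size()) {
        uint8_t op = script[i++];
        size_t len = 0;
        if (op < OP_PUSHDATA1) {
            len = op;  // direct push of `op` bytes (0 for OP_0)
        } else if (op <= OP_PUSHDATA4) {
            size_t width = (op == OP_PUSHDATA1) ? 1 : (op == OP_PUSHDATA2) ? 2 : 4;
            if (script.size() - i < width) break;  // truncated length field
            for (size_t b = 0; b < width; ++b)
                len |= static_cast<size_t>(script[i + b]) << (8 * b);
            i += width;
        }
        if (script.size() - i < len) break;  // truncated push: stop counting
        i += len;

        if (op == OP_CHECKSIG || op == OP_CHECKSIGVERIFY) {
            n += 1;
        } else if (op == OP_CHECKMULTISIG || op == OP_CHECKMULTISIGVERIFY) {
            if (accurate && last >= OP_1 && last <= OP_16)
                n += static_cast<unsigned>(last - OP_1 + 1);
            else
                n += MULTISIG_DEFAULT_SIGOPS;
        }
        last = op;
    }
    return n;
}

// Policy check: allow at most one counted sigop per `bytes_per_sigop` bytes
// of serialized transaction. A threshold of 0 disables the check.
bool passes_bytes_per_sigop(size_t tx_size, unsigned sigops, unsigned bytes_per_sigop)
{
    if (bytes_per_sigop == 0) return true;
    return sigops <= tx_size / bytes_per_sigop;
}

int main()
{
    const unsigned threshold = 20;  // assumed policy value for this example
    unsigned per_input = count_sigops(THREAD_SCRIPT, true);

    // Constructed transaction: 100 inputs spending the script above
    // (about 53 bytes each) plus about 44 bytes of overhead and one output.
    size_t spam_size = 100 * 53 + 44;
    unsigned spam_sigops = 100 * per_input;

    // Constructed ordinary payment: 226 bytes, 2 counted sigops.
    size_t normal_size = 226;
    unsigned normal_sigops = 2;

    std::printf("sigops per input: %u\n", per_input);
    std::printf("spam tx   (%zu bytes, %u sigops): %s\n", spam_size, spam_sigops,
                passes_bytes_per_sigop(spam_size, spam_sigops, threshold) ? "accept" : "reject");
    std::printf("normal tx (%zu bytes, %u sigops): %s\n", normal_size, normal_sigops,
                passes_bytes_per_sigop(normal_size, normal_sigops, threshold) ? "accept" : "reject");
    return 0;
}
```

The counted sigops per byte are what separates the two cases: the constructed spam transaction carries roughly one sigop per 3.6 bytes, the ordinary payment one per 113 bytes.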


Title: Re: Cheap way to attack blockchain
Post by: Syke on December 01, 2015, 05:02:19 AM
This specific attack can also be mitigated by enforcing a bytes-per-sigop limit (policy change), as was merged (https://github.com/bitcoin/bitcoin/pull/7081) into 0.12.0.  Any miner that does not adopt this policy will still be vulnerable.

A fee per sigop sounds like a good plan too.


Title: Re: Cheap way to attack blockchain
Post by: mezzomix on December 01, 2015, 06:51:52 AM
So this will be able to have a fix but requires convincing of the largest pools.

Yes. Miners are able to immediately require higher fees for these transactions or to ignore these transactions when they create blocks.


Title: Re: Cheap way to attack blockchain
Post by: hetecon on December 01, 2015, 04:29:47 PM
So this will be able to have a fix but requires convincing of the largest pools.

Yes. Miners are able to immediately require higher fees for these transactions or to ignore these transactions when they create blocks.

To me this means it is not a problem with bitcoin concept, but a problem with certain versions of the wallet/mining wallet systems.


Title: Re: Cheap way to attack blockchain
Post by: mezzomix on December 01, 2015, 05:45:31 PM
It's not limited to the miners. I operate several relay nodes and patched my nodes to reject those transactions before they are stored in the mempool. With this change my nodes no longer forward transactions with a high number of SIGOPS.

With a mining node I would not reject those transactions but require a high fee.


Title: Re: Cheap way to attack blockchain
Post by: hetecon on December 01, 2015, 05:47:44 PM
It's not limited to the miners. I operate several relay nodes and patched my nodes to reject those transactions before they are stored in the mempool. With this change my nodes no longer forward transactions with a high number of SIGOPS.

With a mining node I would not reject those transactions but require a high fee.


Do you have a github commit for me to look at?


Title: Re: Cheap way to attack blockchain
Post by: amaclin on December 01, 2015, 06:21:22 PM
Do you have a github commit for me to look at?
this link has been posted a number of times in this topic
https://github.com/bitcoin/bitcoin/pull/7081


Title: Re: Cheap way to attack blockchain
Post by: hetecon on December 01, 2015, 06:35:32 PM
Do you have a github commit for me to look at?
this link has been posted a number of times in this topic
https://github.com/bitcoin/bitcoin/pull/7081

much simpler than expected :0


Title: Re: Cheap way to attack blockchain
Post by: mezzomix on December 01, 2015, 10:18:59 PM
Do you have a github commit for me to look at?
this link has been posted a number of times in this topic
https://github.com/bitcoin/bitcoin/pull/7081

I use a hard coded limit but this pull request will be more flexible.


Title: Re: Cheap way to attack blockchain
Post by: basil00 on December 02, 2015, 04:03:04 AM
This attack can be made more effective by exploiting this (https://github.com/bitcoin/bitcoin/commit/da894ab5da222ad317039eb008ec6443fb9113d9).  That is, instead of a vanilla OP_RETURN you use the script:

Code:
    OP_RETURN OP_CHECKMULTISIG

This counts as an extra 20 sigOps.  This bug is fixed in 0.12.0 (by making this script non-standard).
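
The counting rule behind the post above, together with the bytes-per-sigop relay check mentioned earlier in the thread, as an added example that is not part of any post and not Bitcoin Core's own code. The function names and sample scripts are constructed for illustration, and the bytes-per-sigop threshold is supplied by the caller.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Script = std::vector<uint8_t>;
constexpr uint8_t OP_PUSHDATA1 = 0x4c, OP_PUSHDATA4 = 0x4e, OP_1 = 0x51, OP_3 = 0x53,
                  OP_16 = 0x60, OP_RETURN = 0x6a, OP_CHECKSIG = 0xac,
                  OP_CHECKSIGVERIFY = 0xad, OP_CHECKMULTISIG = 0xae,
                  OP_CHECKMULTISIGVERIFY = 0xaf;

// Static sigop count of one script; nothing is executed, so an opcode behind
// OP_RETURN is still charged. accurate=false is the legacy mode in which every
// CHECKMULTISIG costs the 20-key maximum.
unsigned CountSigOps(const Script& s, bool accurate) {
    unsigned n = 0;
    uint8_t last = 0xff;  // previous opcode, used only in accurate mode
    for (size_t i = 0; i < s.size();) {
        const uint8_t op = s[i++];
        size_t len = 0, lenBytes = 0;
        if (op < OP_PUSHDATA1) len = op;  // direct push of `op` bytes
        else if (op <= OP_PUSHDATA4) lenBytes = size_t(1) << (op - OP_PUSHDATA1);
        if (lenBytes > s.size() - i) break;  // truncated length field
        for (size_t k = 0; k < lenBytes; ++k) len |= size_t(s[i + k]) << (8 * k);
        i += lenBytes;
        if (len > s.size() - i) break;  // truncated push data
        i += len;  // pushed bytes are data, never counted as opcodes
        if (op == OP_CHECKSIG || op == OP_CHECKSIGVERIFY) n += 1;
        else if (op == OP_CHECKMULTISIG || op == OP_CHECKMULTISIGVERIFY)
            n += (accurate && last >= OP_1 && last <= OP_16) ? last - OP_1 + 1 : 20;
        last = op;
    }
    return n;
}

// Relay-policy check: a transaction needs at least bytesPerSigOp bytes of
// serialized size per counted sigop (0 disables the check).
bool PassesBytesPerSigOp(size_t txSize, unsigned sigOps, unsigned bytesPerSigOp) {
    return bytesPerSigOp == 0 || sigOps <= txSize / bytesPerSigOp;
}

// Constructed sample scripts (not taken from any real transaction).
const Script kOpReturnMultisig = {OP_RETURN, OP_CHECKMULTISIG};
const Script kThreeKeyTail = {OP_3, OP_CHECKMULTISIG};
const Script kPushedData = {0x02, OP_CHECKMULTISIG, OP_CHECKMULTISIG};

int main() { return CountSigOps(kOpReturnMultisig, false) == 20 ? 0 : 1; }
```

A node operator can run the same counter over a transaction's output scripts and compare the total against the serialized size before admitting the transaction to the mempool.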


Title: Re: Cheap way to attack blockchain
Post by: hetecon on December 04, 2015, 06:19:51 AM
This attack can be made more effective by exploiting this (https://github.com/bitcoin/bitcoin/commit/da894ab5da222ad317039eb008ec6443fb9113d9).  That is, instead of a vanilla OP_RETURN you use the script:

Code:
    OP_RETURN OP_CHECKMULTISIG

This counts as an extra 20 sigOps.  This bug is fixed in 0.12.0 (by making this script non-standard).

Interesting thing to see here. I'm trying to get this script lang down lol


Title: Re: Cheap way to attack blockchain
Post by: DuddlyDoRight on December 16, 2015, 02:58:58 AM
Problem is fees are already arbitrary creating usability issues.. Add more add more problems..

Oh cool I just put my savings in to bitcoin!! Hey what happen to 0.005% of it or why does it get no confirmations.. No refunds wtf?

Bitcoin is supposed to be a currency not a quick-profit-scheme for people who buy the hardware or learn the internals..


Title: Re: Cheap way to attack blockchain
Post by: sidwaltdo on December 17, 2015, 03:00:01 AM
WOW, the day bitcoin starts blacklisting will be the end.


Title: Re: Cheap way to attack blockchain
Post by: DuddlyDoRight on December 20, 2015, 01:17:01 AM
WOW, the day bitcoin starts blacklisting will be the end.

Never blacklist. Just whitelist. I'm not sure why basic reputation scares people here so bad..

There is nothing built into the block-chain that says a bank is a bank and again, BTC is a currency not a profit system..


Title: Re: Cheap way to attack blockchain
Post by: amaclin on December 20, 2015, 01:24:06 AM
WOW, the day bitcoin starts blacklisting will be the end.

https://gitlab.com/bitcoin/luke-jr-bitcoin/commit/5f8e7180c4b34d5f46c61a6dd2242f4249b5f79a


Title: Re: Cheap way to attack blockchain
Post by: oakpacific on January 26, 2016, 10:25:29 PM
Isn't transaction selection already a NP-hard knapsack problem? What kind of a beast it will become if we throw....computational complexity itself into the mix? "Hmmm, let me estimate if I am gonna spend more time processing these transactions or more time doing the estimation..." ::)


Title: Re: Cheap way to attack blockchain
Post by: BlockSense on January 31, 2016, 01:27:25 PM
This attack can be made more effective by exploiting this (https://github.com/bitcoin/bitcoin/commit/da894ab5da222ad317039eb008ec6443fb9113d9).  That is, instead of a vanilla OP_RETURN you use the script:

Code:
    OP_RETURN OP_CHECKMULTISIG

This counts as an extra 20 sigOps.  This bug is fixed in 0.12.0 (by making this script non-standard).

Will have a read of this.