Bitcoin Forum
November 04, 2024, 06:19:18 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Double-spending with 6 confirmations  (Read 2850 times)
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
October 06, 2012, 12:13:43 PM
 #1

This idea came after reading https://bitcointalk.org/index.php?topic=114102.00:

Imagine that someone opened a lot of connections with multiple IPs to other nodes. Number of such connections so big that there are a lot of nodes connected only to the attacker. Let's assume the attacker attempts double-spending attack with the following scenario:

1. He chooses a victim and says that he will pay some bitcoins for something.
2. The attacker sends a transaction only to the victim, all other nodes know nothing about the transaction.
3. The attacker solves 6 blocks so the transaction gets 6 confirmations.
4. The victim sees the confirmations and complete its part of the deal.
5. While the attaker was solving his blocks the main blockchain got higher cumulative difficulty coz more than 6 blocks were solved. Even if the victim reconnects to other nodes it will see that non-legit transaction disappeared from the blockchain and the attacker still owns "spent" coins.

Is it possible theoretically and practically? What could be used to prevent such an attack?
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
October 06, 2012, 12:17:45 PM
 #2

2. The attacker sends a transaction only to the victim, all other nodes know nothing about the transaction.

Unless the "victim" is running some non-standard software or have been configured specifically to not broadcast tx's this should not be possible (unless you are saying the attacker owns the victims internet connection).

Actually even if they did own the victims internet connection they would still have to be rather amazing to be able to complete the 6 confirmations within one hour. Wink

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
October 06, 2012, 12:19:34 PM
 #3

2. The attacker sends a transaction only to the victim, all other nodes know nothing about the transaction.

Unless the "victim" is running some non-standard software or have been configured specifically to not broadcast tx's this should not be possible (unless you are saying the attacker owns the victims internet connection).


If the victim broadcasts tx then only the attacker receives it.
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
October 06, 2012, 12:21:11 PM
 #4

2. The attacker sends a transaction only to the victim, all other nodes know nothing about the transaction.

Unless the "victim" is running some non-standard software or have been configured specifically to not broadcast tx's this should not be possible (unless you are saying the attacker owns the victims internet connection).


If the victim broadcasts tx then the attacker receives it.

I thought that your point was that other nodes know nothing about the transaction - how has the attacker stopped that from occurring (i.e. the victim won't only send the tx to the attacker)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
October 06, 2012, 12:23:39 PM
 #5


I thought that your point was that other nodes know nothing about the transaction - how has the attacker stopped that from occurring?


Does client use P2P broadcasting (with explicit connection) or it's IP broadcasting to the whole Internet? If it's P2P, then tx won't be really broadcasted, coz only the attacker will receive it.
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
October 06, 2012, 12:25:27 PM
 #6

Sorry - I edited the last post a bit late - as far as I know the standard client will send the tx to all the connections it has (nothing to do with who you are sending actual bitcoin to and in all likelihood your attacker would not even be one of those connections).

Is the point that the attacker is somehow the only connection the victim has to the P2P network?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
October 06, 2012, 12:34:19 PM
 #7

Actually even if they did own the victims internet connection they would still have to be rather amazing to be able to complete the 6 confirmations within one hour. Wink
If there is only a bot on victim's side it won't care if it takes 10 hours for 6 confirmations.


As far as I know the standard client will send the tx to all the connections it has (nothing to do with who you are sending actual bitcoin to and in all likelihood your attacker would not even be one of those connections).

Is the point that the attacker is somehow the only connection the victim has to the P2P network?


Yes. The attacker is the only who has connections to the victim.
joecascio
Full Member
***
Offline Offline

Activity: 137
Merit: 100

Semi-retired software developer, tech consultant


View Profile WWW
October 06, 2012, 12:39:04 PM
 #8

I believe the servers forward the transaction to other servers. (Can someone verify this?). The client can't control who the server forwards the transaction to, therefore the assumption you base the exploit on would not be valid.

Joe Cascio
Python/Django & Android developer
Twitter: @joecascio
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
October 06, 2012, 12:40:23 PM
 #9

Yes. The attacker is the only who has connections to the victim.

And how exactly does the attacker control that (without having first hacked the victim's computer)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
October 06, 2012, 12:45:32 PM
 #10

Yes. The attacker is the only who has connections to the victim.

And how exactly does the attacker control that (without having first hacked the victim's computer)?


https://en.bitcoin.it/wiki/Weaknesses:

Quote
It's trivial for an attacker to fill the network with clients controlled by him. This might be helpful in the execution of other attacks.
For example, an attacker might connect 100,000 IP addresses to the IRC bootstrap channel. You would then be very likely to connect only to attacker nodes. This state can be exploited in (at least) the following ways:
The attacker can refuse to relay blocks and transactions from everyone, disconnecting you from the network.
The attacker can relay only blocks that he creates, putting you on a separate network. You're then open to double-spending attacks.
If you rely on transactions with 0 confirmations, the attacker can just filter out certain transactions to execute a double-spending attack.
Low-latency encryption/anonymization of Bitcoin's transmissions (With Tor, JAP, etc.) can be defeated relatively easy with a timing attack if you're connected to several of the attacker's nodes and the attacker is watching your transmissions at your ISP.
Bitcoin makes these attacks more difficult by only making an outbound connection to one IP address per /16 (x.y.0.0). Incoming connections are unlimited and unregulated, but this is generally only a problem in the anonymity case, where you're probably already unable to accept incoming connections.
Looking for suspiciously low network hash-rates may help prevent the second one.

Cancer nodes attack is implemented right now as it's said in the thread I made a link to.
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
October 06, 2012, 12:49:53 PM
 #11

For example, an attacker might connect 100,000 IP addresses to the IRC bootstrap channel. You would then be very likely to connect only to attacker nodes.

AFAIA the IRC bootstrap is no longer used so I still don't see how this could happen (unless the victim was running an old version of the client).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
October 06, 2012, 12:56:06 PM
 #12

For example, an attacker might connect 100,000 IP addresses to the IRC bootstrap channel. You would then be very likely to connect only to attacker nodes.

AFAIA the IRC bootstrap is no longer used so I still don't see how this could happen (unless the victim was running an old version of the client).


It's already happened:

a lot of nodes connected almost exclusively to them, so they got all the notifications and forwarded them.

so it looked like all blocks came from them.
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
October 06, 2012, 12:58:33 PM
 #13

It's already happened:

I don't think that is quite correct.

Seems you are mistaken.
Well I was wondering how long it would take for people to notice. It's me

And no I am not putting lots of hashing power to the network, notice that it just says "relayed by" and not "mined by". I'm performing some measurements, paper is due in a few weeks.

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
October 06, 2012, 01:02:48 PM
 #14

OK. But what to do if someone makes successful Cancer Nodes attack?
Yurock
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250


View Profile
October 06, 2012, 01:03:23 PM
 #15

Theoretically, it is possible. The difficulties are:
  • making sure that the victim is not connected to any honest nodes,
  • generating blocks.

Even though IRC is no longer used by default, the node has to obtain peers' addresses somehow. And it is possible to interfere with this process. If the target node accepts tcp connections, an attacker can open many connections with the node as soon as it starts, and feed it with addresses of nodes controlled by the attacker. This way chances of the target node to connect to any honest node are significantly lower.

As for generating blocks, today, even 10% of the total hashing power is a lot.
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
October 06, 2012, 01:05:48 PM
 #16

OK. But what to do if someone makes successful Cancer Nodes attack?

I think if someone has complete control over a potential victim's computer then just stealing their wallet (or installing a trojan that changes the payment address when you send BTC) would probably be much easier than this idea so I wouldn't really be too worried about this "cancer node" scenario (although keeping the client up-to-date is important).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
October 06, 2012, 01:08:58 PM
 #17

As for generating blocks, today, even 10% of the total hashing power is a lot.

Today. But what about when BFL ships ASICs?

Well... Seems to me there is no a 100% solution to the problem. Thx for the replies, guys.
Yurock
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250


View Profile
October 06, 2012, 01:17:32 PM
 #18

Solution: Make sure your nodes are always connected to at least one honest node. Make an agreement with miners, they are always connected to the main network, otherwise they lose money. Make encrypted channels between your own nodes and some miners. Monitor these connections. This way, even if an attacker will be controlling your internet connection, it will not go unnoticed.

As technology improves, total hashing power increases. 10% will likely always be a lot.
MatthewLM
Legendary
*
Offline Offline

Activity: 1190
Merit: 1004


View Profile
October 06, 2012, 01:42:02 PM
 #19

I'm looking to create a secure connection with the client I'm making. So the chance of an attack using this method would be impossible. The most an attacker could therefore do is prevent someone using bitcoin if the attacker has control over the internet connection.
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1010


View Profile
October 08, 2012, 05:20:42 AM
 #20

Well... Seems to me there is no a 100% solution to the problem.

As always, the level of security needed should be proportionate to the risk.

If a merchant is going to run their own node, there are two recommendations:  Disable incoming transactions, and have an explicit connection to a well known, trusted node. 

That's the recommendation for the merchant selling donuts.

For a merchant that has a higher volume (.e.g, ecommerce site or exchange, etc with larger volumes), it would be prudent to have listening nodes to confirm that your longest chain is the same as the rest of the world's longest chain.

There are situations where bitcoin is not an appropriate payment method.  Accepting Bitcoin payments requires relatively continuous network communications:
 - http://bitcointalk.org/index.php?topic=106302.0

Certainly though, with there existing these attack vectors, there will be poorly configured merchants out there and there will be thefts on merchants accepting payment with 0/unconfirmed.

But to see losses on confirmed transactions would only occur if you didn't follow the basic recommendations.

Unichange.me

            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █


Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!