Riccardo Spagni (@fluffypony)
Recently, a largely incompetent attacker bumbled their way through a Sybil attack against Monero, trying to correlate transactions to the IP address of the node that broadcast it. Whilst novel in that it is the 1st Sybil attack of this sort, it was also quite ineffective. 1/n
First off, this clumsy attack had no effect on any of Monero's on-chain privacy mechanisms (ring signatures, stealth addresses, confidential transactions). Additionally, it is important to note that this is an attack that you could execute against nearly every cryptocurrency, 2/n
even privacy-focused cryptocurrencies. This makes it of particular interest, not just to Monero, but to all cryptocurrencies. Naturally, as we've all been aware of the possibility, there is lots of work that has been done over the years to mitigate it. 3/n
The biggest mitigation is to use Tor or i2p for your node to broadcast its transactions, and this has been easily supported in Monero for 2 years (see: github.com/monero-project…) and in Bitcoin for over 8 years (see: github.com/bitcoin/bitcoi…) 4/n
https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md
https://github.com/monero-project/monero/blob/master/ANONYMITY_NETWORKS.md
Of course, this isn't a silver bullet, and there is a class of attacks that can still be used to correlate a Tor address with a real-world IP address, & so an excellent group of researchers (Brad Denby, @giuliacfanti, @socrates1024, Shaileshh Bojja Venkatakrishnan, & others) 5/n
created Dandelion in 2017 (see: arxiv.org/pdf/1701.04439…). In 2018 they followed it up with Dandelion++ (see: arxiv.org/pdf/1805.11060…) which fixed many of the weaknesses of the original proposal. 6/n
Dandelion (and, by extension, Dandelion++) has been proposed for Bitcoin as BIP-156 (see: github.com/bitcoin/bips/b…), but is not yet implemented. Dandelion++ was implemented in Monero in a PR merged in April this year (see github.com/monero-project…). 7/n
Adding Dandelion++ support to public networks: by vtnerd · Pull Request #6314 · monero-project/monero
New flag in NOTIFY_NEW_TRANSACTION to indicate stem mode; stem loops detected in tx_pool.cpp; embargo timeout for a blackhole attack during stem phase.
https://github.com/monero-project/monero/pull/6314
https://github.com/bitcoin/bips/blob/master/bip-0156.mediawiki
Without getting technical, Dandelion++ works by randomly "diffusing" transaction broadcasts. This means that for a Sybil attack to link a transaction to a node's IP address it has to be intercepted at the very first node in the "stem" phase of a Dandelion++ broadcast. 8/n
This attack, whilst novel in that it is a live Sybil attack against a network, was simply not large enough to be broadly effective against Dandelion++ - the attacker would have had to launch many thousands more nodes. 9/n
Even if they did do this, they would still not have been able to demonstrably prove a link between a node and a transaction, and it would be a "best guess" heuristic. Naturally this attack was entirely useless against anyone using a light node (eg. MyMonero), 10/n
against anyone using Tor / i2p for their node, against anyone who runs their node behind a VPN, or against anyone using pushtx on a Monero block explorer to broadcast their transactions. It was also largely useless for anyone using a node remotely (eg. Monerujo or the GUI). 11/n
Still, it did teach us some valuable lessons as the Sybil nodes also tried to disrupt the flow of transactions (by not rebroadcasting them), and tried to disrupt nodes syncing up by not serving them blocks. 12/n
Thus, the latest Monero release (0.17.1.3) has fine-tuned the way a node deals with misbehaving peers. If you are running a Monero or Bitcoin node (or a node for any other currency), it is important to be aware that Sybil attacks can be more subtle & less clumsy than this. 13/n
They can also be much harder to detect in practice if the attacker has enough money to deploy reasonable infrastructure. There has also been purpose-built Sybil node software created for Bitcoin (see: github.com/basil00/Pseudo…) that actually behaves pretty well. 14/n
https://github.com/basil00/PseudoNode
They do this without even requiring much in the way of server resources (eg. by proxying block requests through to another peer), and thus fully support initial sync, transaction broadcasts, and so on. They are a little diabolical in their ability to masquerade as a node. 15/n
If you are truly concerned about the efficacy of a Sybil attack (whether you're a Bitcoin or a Monero user) then I strongly recommend you run your node behind Tor, or at least broadcast your transactions on a block explorer's pushtx functionality (also accessible via Tor). 16/fin
Bootnote: here's a Reddit thread on the attack, which also includes a link to a flat file of the attacker's IP addresses that you can pass to --ban-list if you want to make sure your node doesn't connect to these.
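The point made in tweets 8 to 10, that a Sybil node only learns the origin when it is the very first stem hop and that any link is otherwise a "best guess", can be checked with a small simulation. This is an added example, not part of the original thread and not Monero's code; the per-hop model, the `fluff_prob` value and all function names are assumptions chosen for illustration.

```python
import random

def simulate(sybil_fraction, fluff_prob=0.1, trials=20000, seed=1):
    """Return (recall, precision) of blaming the peer that relayed a stem tx.

    Simplified model (assumptions, not Monero's implementation):
    - each stem hop lands on a Sybil node with probability sybil_fraction;
    - each honest relay switches to fluff (diffusion) with probability
      fluff_prob, otherwise it forwards one more stem hop;
    - a Sybil node attributes the tx to whichever peer handed it over.
    """
    rng = random.Random(seed)
    guesses = correct = 0
    for _ in range(trials):
        honest_hops = 0  # honest relays between the origin and this hop
        while True:
            if rng.random() < sybil_fraction:   # a Sybil sees the stem tx
                guesses += 1
                correct += honest_hops == 0     # right only on the first hop
                break
            if rng.random() < fluff_prob:       # honest relay diffuses it
                break
            honest_hops += 1
    recall = correct / trials                   # share of all txs linked
    precision = correct / guesses if guesses else 0.0
    return recall, precision

def closed_form_precision(p, q):
    """Analytic precision for the same model (p = Sybil share, q = fluff)."""
    # h: chance a tx already held by an honest relay later reaches a Sybil.
    h = (1 - q) * p / (1 - (1 - q) * (1 - p))
    return p / (p + (1 - p) * h)

if __name__ == "__main__":
    for frac in (0.01, 0.05, 0.10, 0.30):
        recall, precision = simulate(frac)
        print(f"sybil share {frac:4.0%}: linked {recall:6.2%} of txs, "
              f"{precision:6.2%} of guesses correct")
```

In this model the share of transactions correctly linked equals the Sybil share of peer slots, and most attributions are wrong until that share becomes large, which is why a small deployment yields only a weak heuristic.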