Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: Sabotaging Mining Pools  (Read 5457 times)
nibor (OP)
July 20, 2012, 09:57:02 PM
 #1


If someone was to make a few line change to cgminer or other mining software that just meant that if you found a share that was a BLOCK it discarded it instead of sending to the mining pool this would soon kill the pool for virtually zero cost to the saboteur.

Only cost to the saboteur (assuming they were mining anyway) would be that one in 1.8 million shares would not be submitted so reducing their personal income by a tiny amount. (Plus the 5% cost of mining PPS).

But the cost to the mining pool would be massive as they would be paying out on shares to someone who could NEVER find a block.

E.g. to sabotage slush who are charging 2-5% you would only need to have 2-5% of the pool's hashing power (so about 25-60 g/hash) to wipe out their entire profits and so soon them. You would just mine PPS and only submit non-block shares!

And if you were a Pool yourself you could possibly redirect some of your users to solve other pools' share hashes, collect the fees from the other pool but never send them successful blocks. In this way you can kill the competition without having any hashing power and only relatively small costs.

I know that p2pool tries to work round this by adding a 0.25BTC bonus if you submit a block making share but this hardly changes the costs significantly.

Obviously the pools could drop PPS, but then the costs would just look like bad luck to their users!



Ferroh
July 21, 2012, 05:51:13 AM
Last edit: July 21, 2012, 09:17:18 AM by Ferroh
 #2

if you found a share that was a BLOCK

It doesn't work this way.

If it did work that way, you could just keep the block for yourself.

You can't tell which share solves a block for the pool.

Edit:

Or it does, and I'm really tired, sorry :)
Graet
July 21, 2012, 09:04:30 AM
 #3

if you found a share that was a BLOCK

It doesn't work this way.

If it did work that way, you could just keep the block for yourself.

You can't tell which share solves a block for the pool.
um actually. cgminer shows you blocks you find so you can tell.

this is called a withholding attack, you would need to be a large part of the pool. only way to do it without costing yourself lots is on a PPS pool.

| Ozcoin Pooled Mining Pty Ltd https://ozcoin.net Double Geometric Reward System https://lc.ozcoin.net for Litecoin mining DGM| https://crowncloud.net VPS and Dedicated Servers for the BTC community
wabber
July 21, 2012, 09:09:49 AM
 #4

if you found a share that was a BLOCK

It doesn't work this way.

If it did work that way, you could just keep the block for yourself.

You can't tell which share solves a block for the pool.

You can.
But you can't change the payout address of the block after it was solved or you have to solve it again if you change it which is why you can't keep it for yourself.
JoelKatz
July 21, 2012, 09:26:00 AM
 #5

When a pool does mine a block, it can immediately assign that same work unit to many miners. Any that pull a new work unit and don't mine the block are highly suspect.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
ChrisKoss
July 28, 2012, 12:21:10 AM
 #6

When a pool does mine a block, it can immediately assign that same work unit to many miners. Any that pull a new work unit and don't mine the block are highly suspect.
+1.  Nice solution.

Now, couldn't a smart withholding attack check to see if the block already exists in the block chain, and only then send it up to the pool server?

I suppose you could hold back releasing the block to the Bitcoin network for 30 secs while you wait for all your workers to prove themselves, but you risk another miner finding a block in the meantime.

I am a consultant providing services to CoinLab, Inc.
nibor (OP)
July 28, 2012, 08:11:16 AM
 #7

if you found a share that was a BLOCK

It doesn't work this way.

If it did work that way, you could just keep the block for yourself.

You can't tell which share solves a block for the pool.
um actually. cgminer shows you blocks you find so you can tell.

this is called a withholding attack, you would need to be a large part of the pool. only way to do it without costing yourself lots is on a PPS pool.

You do not need a large percentage. Just slightly more than the fee. So 5%.
And you still get paid for mining there! So if you had a mining set up that was 5% (i.e. 50-75 Ghash for the 2nd tier pools) you just need to point it at them as pps and withhold the blocks and the attack really costs you nothing.
JoelKatz
July 28, 2012, 09:43:22 PM
 #8

Now, couldn't a smart withholding attack check to see if the block already exists in the block chain, and only then send it up to the pool server?
Yes, but nobody's that smart yet.

Quote
I suppose you could hold back releasing the block to the Bitcoin network for 30 secs while you wait for all your workers to prove themselves, but you risk another miner finding a block in the meantime.
I think you could withhold for just 4 seconds and still get a pretty good idea. This would incur about a .7% chance of losing the block, with an expected cost of about $3.

dree12
July 28, 2012, 10:03:47 PM
 #9

Now, couldn't a smart withholding attack check to see if the block already exists in the block chain, and only then send it up to the pool server?
Yes, but nobody's that smart yet.

Quote
I suppose you could hold back releasing the block to the Bitcoin network for 30 secs while you wait for all your workers to prove themselves, but you risk another miner finding a block in the meantime.
I think you could withhold for just 4 seconds and still get a pretty good idea. This would incur about a .7% chance of losing the block, with an expected cost of about $3.
Many pools do not require a password. If a malignant individual mines on someone else's account, they could possibly get them into trouble.
JoelKatz
July 28, 2012, 11:01:12 PM
 #10

Many pools do not require a password. If a malignant individual mines on someone else's account, they could possibly get them into trouble.
This seems like a pretty unlikely scenario from a practical standpoint. Most likely, you'd just wind up helping them because unless you actually mine a block, you are indistinguishable from a legitimate miner. Someone would have to dedicate huge amounts of hashing power to do this, and the most likely outcome is that they would just enrich the person they are trying to get in trouble.

However, it is definitely worth thinking about.

K1773R
October 25, 2012, 01:25:03 PM
 #11

source code or it didn't happen :P

[GPG Public Key]
BTC/DVC/TRC/FRC: 1K1773RbXRZVRQSSXe9N6N2MUFERvrdu6y ANC/XPM AK1773RTmRKtvbKBCrUu95UQg5iegrqyeA NMC: NK1773Rzv8b4ugmCgX789PbjewA9fL9Dy1 LTC: LKi773RBuPepQH8E6Zb1ponoCvgbU7hHmd EMC: EK1773RxUes1HX1YAGMZ1xVYBBRUCqfDoF BQC: bK1773R1APJz4yTgRkmdKQhjhiMyQpJgfN
-ck
October 26, 2012, 02:29:30 AM
 #12

You could definitely do a withholding attack, but why on earth would you do it? It doesn't benefit you, you just make the pool poorer that you mine with, and unless you have ultramegahashes to waste, your effect of withholding a block solve will be insignificant to the final outcome. There is nothing suspect about not returning a share from any work gathered from a pool, and a block solve is no different to returning a share. There is no way to check if a miner is returning all the shares it's "supposed to" as there is no such metric. Pools never send the same work item out to two different miners, so they'd have to have some reason to suspect this is the case, so unless you mine with a pool and after 10x difficulty submission of shares you still haven't sent a block solve, then they'd have to start investigating. Even then, bad luck alone is enough for even 10x difficulty and no block solve to occur. So at current difficulty, for example, a pool operator would have to get suspicious only after you had sent 30 million shares without a block solve. That's a heck of a lot of work you're doing just to withhold one block. So unless you personally have something like >1% of the total bitcoin network hashrate, this is a futile exercise.

On the other hand, if you get enough people running the same malicious mining software you could achieve this. But to what end? It doesn't benefit you directly in any way. Luckily all the source code for my mining software (along with most other mining software) is free and open and anyone can audit it to ensure it's not doing this.

Developer/maintainer for cgminer, ckpool/ckproxy, and the -ck kernel
2% Fee Solo mining at solo.ckpool.org
-ck
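
The figures in the posts above (JoelKatz's 4-second hold-back and -ck's "10x difficulty" with no block solve), worked through from the pool operator's side as an added example that is not part of the original thread or of any pool's code. The difficulty of 3,000,000 (chosen so that 10x difficulty is the 30 million shares mentioned), the worker names and the share counts are constructed.

```python
import math

BLOCK_INTERVAL_S = 600.0  # Bitcoin's target mean time between blocks


def p_no_block(shares, difficulty):
    """P(an honest miner submits `shares` difficulty-1 shares and none is a block).

    Each difficulty-1 share is a block solution with probability 1/difficulty.
    """
    return math.exp(shares * math.log1p(-1.0 / difficulty))


def shares_before_suspicion(difficulty, alpha):
    """Smallest zero-block share count whose honest probability is <= alpha."""
    return math.ceil(math.log(alpha) / math.log1p(-1.0 / difficulty))


def p_lose_block(hold_seconds):
    """P(another miner finds a block while the pool holds its own block back)."""
    return -math.expm1(-hold_seconds / BLOCK_INTERVAL_S)


def audit(miners, difficulty, alpha=0.001):
    """Flag miners whose zero-block streak is implausible for an honest miner.

    alpha is the false-accusation budget for the whole pool, so it is split
    across all miners (Bonferroni) before testing each one.
    """
    if not miners:
        return []
    per_miner = alpha / len(miners)
    return [name for name, shares, blocks in miners
            if blocks == 0 and p_no_block(shares, difficulty) <= per_miner]


# Constructed sample data: (worker, difficulty-1 shares submitted, blocks found)
DIFFICULTY = 3_000_000
MINERS = [
    ("worker-a", 2_000_000, 0),    # short history, proves nothing
    ("worker-b", 30_000_000, 0),   # 10x difficulty, no block solve
    ("worker-c", 45_000_000, 14),  # finds blocks at roughly the expected rate
    ("worker-d", 60_000_000, 0),   # 20x difficulty, no block solve
]

if __name__ == "__main__":
    print("P(no block after 10x difficulty):", p_no_block(30_000_000, DIFFICULTY))
    print("shares needed at alpha=0.001:", shares_before_suspicion(DIFFICULTY, 0.001))
    print("P(block lost during 4 s hold):", p_lose_block(4))
    print("flagged:", audit(MINERS, DIFFICULTY))
```

The test only looks at miners with zero blocks; a miner that withholds some blocks but not all would need a rate comparison over a longer history.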
K1773R
October 26, 2012, 05:00:09 AM
 #13

You could definitely do a withholding attack, but why on earth would you do it? It doesn't benefit you, you just make the pool poorer that you mine with, and unless you have ultramegahashes to waste, your effect of withholding a block solve will be insignificant to the final outcome. There is nothing suspect about not returning a share from any work gathered from a pool, and a block solve is no different to returning a share. There is no way to check if a miner is returning all the shares it's "supposed to" as there is no such metric. Pools never send the same work item out to two different miners, so they'd have to have some reason to suspect this is the case, so unless you mine with a pool and after 10x difficulty submission of shares you still haven't sent a block solve, then they'd have to start investigating. Even then, bad luck alone is enough for even 10x difficulty and no block solve to occur. So at current difficulty, for example, a pool operator would have to get suspicious only after you had sent 30 million shares without a block solve. That's a heck of a lot of work you're doing just to withhold one block. So unless you personally have something like >1% of the total bitcoin network hashrate, this is a futile exercise.

On the other hand, if you get enough people running the same malicious mining software you could achieve this. But to what end? It doesn't benefit you directly in any way. Luckily all the source code for my mining software (along with most other mining software) is free and open and anyone can audit it to ensure it's not doing this.
there is only one goal where it could be useful, if a pool owner wants to take down another pool and only if the other pool is PPS. Prop isn't worth it since you lose too.

-ck
October 26, 2012, 05:04:08 AM
 #14

there is only one goal where it could be useful, if a pool owner wants to take down another pool and only if the other pool is PPS. Prop isn't worth it since you lose too.
Certainly this is a real danger with a proxy pool...

K1773R
October 26, 2012, 05:28:11 AM
Last edit: January 15, 2013, 06:22:40 PM by K1773R
 #15

Certainly this is a real danger with a proxy pool...
but only if the proxy pool is using PPS, otherwise it wouldn't harm much. i wonder if anyone already created some patches for miners to do this...

-ck
October 26, 2012, 06:27:40 AM
 #16

Certainly this is a real danger with a proxy pool...
but only if the proxy pool is using PPS, otherwise it would harm much. i wonder if anyone already created some patches for miners to do this...
Indeed, but they could easily redirect shares to a PPS should they feel malicious.

K1773R
October 26, 2012, 07:09:30 AM
 #17

Certainly this is a real danger with a proxy pool...
but only if the proxy pool is using PPS, otherwise it would harm much. i wonder if anyone already created some patches for miners to do this...
Indeed, but they could easily redirect shares to a PPS should they feel malicious.
or a proxy pool just simply switches to another PPS pool to kill it and pay the surpases. this could be really nasty

dust
October 26, 2012, 07:22:47 AM
Last edit: October 26, 2012, 07:43:54 AM by dust
 #18

This attack has the advantage of keeping the difficulty artificially low.  It is economically advantageous to the attacker if they control > (share_difficulty / difficulty) of the network.

Cryptocoin Mining Info | OTC | PGP | Twitter | freenode: dust-otc | BTC: 1F6fV4U2xnpAuKtmQD6BWpK3EuRosKzF8U
Meni Rosenfeld
October 26, 2012, 08:02:53 AM
 #19

I'd like to remind everyone that block withholding can be used for a profitable attack against non-PPS pools, called "Lie in wait". I estimate the max profit that can be achieved from it to be multiplying the rewards by (1 + h/(4H)), where h is the attacker's hashrate and H is the network's total hashrate. And, if block withholding ever becomes a problem, one solution is to modify the protocol to allow oblivious shares.

This attack has the advantage of keeping the difficulty artificially low.  It is economically advantageous to the attacker if they control > (share_difficulty / difficulty) of the network.
Almost. If the difficulty / share_difficulty is D, then by doing this they lose 1/D, and assuming everyone's hashrate stays the same, the difficulty drops by h/H meaning they get h/H, so this is indeed profitable if (h/H)>(1/D).

But if the difficulty goes down, mining becomes more profitable and people will add more hashrate. So the difference between the old and new equilibrium will not be as large as h/H, maybe it will be h/(2H). With this assumption you'd need twice as much hashrate to make this profitable.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
dree12
November 14, 2012, 03:00:42 AM
 #20

But if the difficulty goes down, mining becomes more profitable.
Not if the pools begin increasing fees to compensate, which they inevitably will.