IEEE Security & Privacy
Maria Apostolaki
23 May 2017
ETH Zürich
Joint work with Aviv Zohar and Laurent Vanbever
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
1
Routing attacks quite often make the news
2
source: arstechnica.com
3
source: wired.com
4
That is only the tip of the iceberg of routing manipulations
5
Oct. Dec.
# of monthlyrouting hijacks
2015
Nov. Jan. Feb. March
150k
100k
50k
200k
0
20166
10/1
5
11/1
5
12/1
5
01/1
6
02/1
6
03/1
6
0
50k
100k
150k
200k
month
# of
hija
ck e
vent
s
Oct. Dec.
# of monthlyrouting hijacks
2015
Nov. Jan. Feb. March
150k
100k
50k
200k
0
2016
212k
176k
112k100k
119k137k
7
Can routing attacks impact Bitcoin?
8
Bitcoin is highly decentralized making it robust to routing attacks, in theory…
Bitcoin nodes …
are scattered all around the globe
establish random connections
use multihoming and extra relay networks
9
In practice, Bitcoin is highly centralized,both from a routing and mining viewpoint
10
11
<
0
40
100
1 30
80
60
20
20
# of hosting networks
cumulative % ofmining power
10
1 5 10 15 20 25 300
20
40
60
80
100
# of ASes
cum
m. %
of h
ash
powe
r
<
0
40
100
1 30
80
60
20
20
# of hosting networks
cumulative % ofmining power
10
Mining power is centralized to few hosting networks
12
1 5 10 15 20 25 300
20
40
60
80
100
# of ASes
cum
m. %
of h
ash
powe
r
<
0
100
1 30
68
# of hosting networks
cumulative % ofmining power
10
68% of the mining power is hosted in 10 networks only
13
1 10 100 12220
20
40
60
80
100
# of ASes
cum
. %
connect
ions
inte
rcepte
d
<
0
100
1 10 1220
60
100
# of transit networks
cumulative % of connections
40
80
20
14
1 10 100 12220
20
40
60
80
100
# of ASes
cum
. %
connect
ions
inte
rcepte
d
<
0
100
1 10 1220
60
100
# of transit networks
cumulative % of connections
Likewise, a few transit networks can intercepta large fraction of the Bitcoin connections
40
80
20
15
1 10 100 12220
20
40
60
80
100
# of ASes
cum
. %
connect
ions
inte
rcepte
d
<
0
100
1 3 1220
# of transit networks
cumulative % of connections
3 transit networks see more than 60% of all connections
63
16
Because of these characteristics two routing attacks practical and effective today
Partitioning Delay
Attack 1 Attack 2
Split the network in half Delay block propagation
17
Each attack differs in terms of itsvisibility, impact, and targets
Partitioning Delay
Attack 1 Attack 2
visible
network-wide attack
invisible
targeted attack (set of nodes)
18
Each attack differs in terms of itsvisibility, impact, and targets
Partitioning Delay
Attack 1 Attack 2
visible
network-wide attack
invisible
targeted attack (set of nodes)
19
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
BGP & Bitcoin
Background
Partitioning attack
splitting the network
Delay attack
slowing the network down
Countermeasures
short-term & long-term
1
2
3
4
20
BGP & Bitcoin
Background
Partitioning attack
splitting the network
Delay attack
slowing the network down
Countermeasures
short-term & long-term
1
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
21
Bitcoin is a distributed network of nodes
A
B
C
D
E F
G
H
I
J
22
Bitcoin nodes establish random connectionsbetween each other
A
B
C
D
E F
G
H
I
J
23
Each node keeps a ledger of all transactions ever performed: “the blockchain”
Tx a1a53743
Tx b5x89433
Tx x5f78432
Tx h1t91267
… …
Tx x5f78432
Tx h1t91267
…
24
Block #42 Block #43
prev: #41
Tx a1a53743
Tx b5x89433
Tx x5f78432
Tx h1t91267
prev: #42
… …
Block #44
Tx x5f78432
Tx h1t91267
prev: #42
…
25
The Blockchain is a chain of Blocks
The Blockchain is extended by miners
Block #44
Tx z2v67542
Tx p6o74587
prev: #43
…
Block #42 Block #43
prev: #41
Tx a1a53743
Tx b5x89433
Tx x5f78432
Tx h1t91267
prev: #42
… …
26
Miners are grouped in mining pools
mining pool
A
B
C
D
E F
G
H
I
J
miners
…
27
Internet
Bitcoin connections are routed over the Internet
…
A
B
C
D
E F
G
H
I
J
28
AS3
AS1AS7
AS4
AS8
AS2
AS6
AS5
The Internet is composed of Autonomous Systems (ASes). BGP computes the forwarding path across them
A
B
C
D
E F
G
H
I
J…
29
AS3
AS1AS7
AS4
AS8
AS2
AS6
AS5
Bitcoin messages are propagated unencryptedand without any integrity guarantees
Tx
Tx
block
block
block
Tx
A
B
C
D
E F
G
H
I
J…
30
BGP & Bitcoin
Background
Partitioning attack
splitting the network
Delay attack
slowing the network down
Countermeasures
short-term & long-term
2
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
31
The goal of a partitioning attack is to split the Bitcoin network into two disjoint components
32
Double spending
Revenue Loss
Denial of Service
33
The impact of such an attack is worrying
Bitcoin clients and wallets cannot secure or propagate transactions
Double spending
Revenue Loss
Denial of Service
The impact of such an attack is worrying
34
Blocks in component with less mining power are discarded
Double spending
Revenue Loss
Denial of Service
35
The impact of such an attack is worrying
Transactions in components with less mining power can be reverted
Double spending
Revenue Loss
Denial of Service
36
The impact of such an attack is worrying
How does the attack work?
37
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5
Let’s say an attacker wants to partition the network into the left and right side
Attacker
F
38
For doing so, the attacker will manipulate BGP routes to intercept any traffic to the nodes in the right
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5Attacker
F
39
Attacker
Let us focus on node F
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5
F
40
Attacker
F’s provider (AS6) is responsible for IP prefix
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5
F
82.0.0.1AS6
41
AS3
AS1AS7
AS4AS2
AS5
AS6 will create a BGP advertisement
AS8
AS682.0.0.1
42
82.0.0.0/23
Path: 6
82.0.0.0/23
Path: 8 6 F
AS3
AS1
AS4AS2
AS6’s advertisement is propagated AS-by-ASuntil all ASes in the Internet learn about it
AS6AS7
AS5AS8
82.0.0.1
AS1 AS6
43
82.0.0.0/23
Path: 7 6
82.0.0.0/23
Path: 8 6
F
AS3
AS1
AS4AS2
AS6’s advertisement is propagated AS-by-ASuntil all ASes in the Internet learn about it
AS6AS7
AS5AS8
82.0.0.1
AS1 AS6
44
82.0.0.0/23
Path: 7 6
82.0.0.0/23
Path: 8 6
F
BGP does not check the validity of advertisements,meaning any AS can announce any prefix
45
Consider that the attacker advertises amore-specific prefix covering F’s IP address
AS3
AS1AS7
AS4AS2
AS5
82.0.0.0/23
Path: 6
AS6
82.0.0.0/24
Path: 8Attacker
82.0.0.1
46
F
As IP routers prefer more-specific prefixes, the attacker route will be preferred
AS3
AS1AS7
AS4AS2
AS5
82.0.0.1
AS6
Attacker
47
82.0.0.0/24
Path: 8
82.0.0.0/23
Path: 6
AS3
AS1
AS4AS2
AS6AS7
AS5
diverted IP traffic
Attacker
82.0.0.1
48
Traffic to node F is hijacked
F
By hijacking the IP prefixes pertaining to the right nodes,the attacker can intercept all their connections
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5
AS1
AS3
AS7
Attacker
F
49
Once on-path, the attacker can drop all connections crossing the partition
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5Attacker
F
50
The partition is created
AS3
AS1AS7
AS4
A
B
C
D
E
G
H
I
J
AS2
AS6
AS5Attacker
F
51
Not all partition are feasible in practice:some connections cannot be intercepted
52
Bitcoin connections established…
within a mining pool
within an AS
between mining pools with private agreements
cannot be hijacked (usually)
53
Bitcoin connections established…
within a mining pool
within an AS
between mining pools
can be detected and located by the attacker
cannot be hijacked (usually)
enabling her to build a similar but feasible partition
but
54
Theorem Given a set of nodes to disconnect from the network,
there exist a unique maximal subset that can be isolated
and that the attacker will isolate.
see paper for proof
55
Practicality Time efficiency
Can it actually happen? How long does it take?
We evaluated the partition attack in terms ofpracticality and time efficiency
56
Practicality Time efficiency
Can it actually happen?
We evaluated the partition attack in terms ofpracticality and time efficiency
57
Splitting the mining power even to half can be doneby hijacking less than 100 prefixes
58
Splitting the mining power even to half can be doneby hijacking less than 100 prefixes
negligible with respect to
routinely observed hijacks
59
100
1k
10k
30k
month
max
# p
fxes
hija
cked
at o
nce
(log)
Oct. Dec.
max # of prefixeshijacked at once
2015
Nov. Jan. Feb. March
10k
1k
30k
100
2016
log scale
Hijacks involving up to 1k of prefixes are frequentlyseen in the Internet today
60
Practicality Time efficiency
How long does it take?
We also evaluated the partition in terms oftime efficiency
61
We measured the time required to perform a partition attack by attacking our own nodes
62
ETH
Live Bitcoin
network
We hosted a few Bitcoin nodes at ETH and advertised a covering prefix via Amsterdam
Amsterdam
184.164.232.1-6
...
184.164.232.0/22
63
ETH
Live Bitcoin
network
Initially, all the traffic to our nodes transits via Amsterdam
Amsterdam
184.164.232.1-6
...
bitcoin traffic
64
ETH
Live Bitcoin
network
We hijacked our nodes
Amsterdam
184.164.232.1-6
...
bitcoin traffic
Cornell
184.164.232.0/23
65
ETH
We measured the time required for a rogue AS to divert all the traffic to our nodes
Amsterdam
184.164.232.1-6
...
Cornell
divertedbitcoin traffic
66
<
0 40 8060# seconds from start of hijack
20
0
100
60
40
80
20
cumulative % ofconnectionsintercepted
67
Seconds from hijack until traffic is received
CD
F #
Con
nect
ions
0
20
40
60
80
100
0 10 20 30 40 50 60 70 80
<
0 40 8060# seconds from start of hijack
cumulative % ofconnectionsintercepted
20
0
100
60
40
80
20
It takes less than 2 minutes for the attackerto intercept all the connections
68
Mitigating a hijack is a human-driven process,as such it often takes hours to be resolved
69
It took Google close to 3h
to mitigate a large hijack in 2008 [6]
Mitigating a hijack is a human-driven process,as such it often takes hours to be resolved
(same hold for more recent hijacks)
70
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
BGP & Bitcoin
Background
Partitioning attack
splitting the network
Delay attack
slowing the network down
Countermeasures
short-term & long-term
1
2
3
4
71
The goal of a delay attack is to keep the victim uninformed of the latest Block
72
The impact of delay attacks is worryingand depends on the victim
Regular node
Mining pool
Merchant
73
susceptible to be the victimof double-spending attacks
Regular node
Mining pool
Merchant
The impact of delay attacks is worryingand depends on the victim
74
waste their mining power bymining on an obsolete chain
The impact of delay attacks is worryingand depends on the victim
Regular node
Mining pool
Merchant
75
unable to collaborate to the peer-to-peer network
The impact of delay attacks is worryingand depends on the victim
Regular node
Mining pool
Merchant
76
Merchant
How does a delay attack work?
77
tim
e
#
victimA B
Consider these three Bitcoin nodes
78
#
victimattackerA B
An attacker wishes to delay the block propagationtowards the victim
tim
e
79
INV Block #42
INV Block
INV Block
The victim receives two advertisement for the block
victimattackerA Bti
me
80
INV Block #42
#
INV Block
INV Block
GET DATA Block
The victim requests the block to one of its peer, say A
victimattackerA Bti
me
81
INV Block #42
#
INV Block
INV Block
GET DATA Block
As a MITM, the attacker could drop the GETDATA message
victimattackerA Bti
me
82
INV Block #42
#
INV Block
INV Block
GET DATA Block
Similarly, the attacker could drop the delivery of the block message
BLOCK Block
victimattackerA Bti
me
83
INV Block #42
#
INV Block
INV Block
GET DATA Block
BLOCK Block
victimattackerA Bti
me
Similarly, the attacker could drop the delivery of the block message
84
INV Block #42
#
INV Block
INV Block
GET DATA Block
Yet, both cases will lead to the victim killing the connection (by the TCP stack on the victim)
DISCONNECT BLOCK Block
victimattackerA Bti
me
85
INV Block #42
#
INV Block
INV Block
GET DATA Block
GET DATA Block
Instead, the attacker could intercept the GETDATA and modifies its content
victimattackerA Bti
me
86
INV Block #42
BLOCK Block #30
#
INV Block
INV Block
GET DATA Block
GET DATA Block
BLOCK Block
By modifying the ID of the requested block,the attacker triggers the delivery of an older block
victimattackerA Bti
me
87
INV Block #42
BLOCK Block #30
ignored
#
INV Block
INV Block
GET DATA Block
GET DATA Block
BLOCK Block
The delivery of an older block triggersno error message at the victim
victimattackerA Bti
me
88
INV Block #42
BLOCK Block #30
ignored
#
INV Block
INV Block
GET DATA Block
GET DATA Block
BLOCK Block
up to
20 min
From there on, the victim will wait for 20 minutesfor the actual block to be delivered
victimattackerA Bti
me
89
INV Block #42
BLOCK Block #30
ignored
#
INV Block
INV Block
GET DATA Block
GET DATA Block
BLOCK Block
GET DATA Tx
GET DATA Block
up to
20 min
To keep the connection alive, the attacker can trigger the block delivery by modifying another GETDATA message
victimattackerA Bti
me
90
INV Block #42
BLOCK Block #30
ignored
#
INV Block
INV Block
GET DATA Block
GET DATA Block
BLOCK Block
GET DATA Tx
GET DATA Block
up to
20 min
Doing so, the block is delivered before the timeoutand the attack goes undetected (and could be resumed)
BLOCK Block
victimattackerA Bti
me
91
Effectiveness Practicality
How much time does
the victim stay uniformed?
Is it likely to happen?
We evaluated the delay attack in terms ofeffectiveness and practicality
92
MiTMVictim
y%x%
We performed the attackon a percentage of a node’s connections (*)
Live Bitcoin
network
(*) software available online: https://btc-hijack.ethz.ch/93
94
The attacker can keep the victim uninformed for most of its uptime while staying under the radar
even if the attacker intercepts
a fraction of the node connection
95
The attacker can keep the victim uninformed for most of its uptime while staying under the radar
% intercepted connections 50%
96
% intercepted connections
% time victim does not havethe most recent block
50%
63.2%
97
% intercepted connections
% time victim does not havethe most recent block
% nodes vulnerable to attack 67.9%
50%
63.2%
The vast majority of the Bitcoin network is at risk
98
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
BGP & Bitcoin
Background
Partitioning attack
splitting the network
Delay attack
slowing the network down
Countermeasures
short-term & long-term
1
2
3
4
99
Both sort-term and long-term countermeasures exist
100
Short-term Routing-aware peer selection
reduce risk of having one ISP seeing all connections
Monitor changes in peer behavior, statistics, etc.
abnormal changes could be the sign of a partition
101
Short-term countermeasures are simple shifts in the Bitcoin clients
Long-term
Longer-term countermeasures provide more guaranteesbut require protocol or infrastructure changes
Use end-to-end encryption or MAC
prevent delay attacks (not partition attacks)
Deploy secure routing protocols
prevent partition attacks (not delay attacks)
102
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
BGP & Bitcoin
Background
Partitioning attack
splitting the network
Delay attack
slowing the network down
Countermeasures
short-term & long-term
103
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
Bitcoin is vulnerable to routing attacks
both at the network and at the node level
The potential impact on the currency is worrying
DoS, double spending, loss of revenues, etc.
Countermeasures exist (we’re working on it!)
some of which can be deployed today
104
IEEE Security & Privacy
Maria Apostolaki
23 May 2017
ETH Zürich
Visit our website: https://btc-hijack.ethz.ch
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
105
Routing Attacks on Cryptocurrencies
Hijacking Bitcoin
Bitcoin is vulnerable to routing attacks
both at the network and at the node level
The potential impact on the currency is worrying
DoS, double spending, loss of revenues, etc.
Countermeasures exist (we’re working on it!)
some of which can be deployed today
106Visit our website: https://btc-hijack.ethz.ch
Top Related