Denial of Service (DoS) Attacks: Miners Make or Break the Game

Abstract: We present a denial-of-service attack on Bitcoin-like blockchains that is much cheaper than previous attacks (requiring only 20% of the network's hashrate). Blockchains rely on incentives to keep the system secure. We show how an attacker can subvert these incentives, causing rational miners to stop mining.

The problem of Denial of Service (DoS) attacks, also known as flooding attacks, has plagued the Internet since its inception. DoS attackers target various services for fun and profit. Most commonly, they flood a server with so many requests that it becomes too busy to serve normal users. Countermeasures usually work by identifying the source of the flood.

So the attacker must coordinate a flood from multiple computers, in a so-called distributed denial of service (DDoS) attack.

Note: DDoS bandwidth-consumption attacks fall into two categories: flooding attacks and amplification attacks. Flooding attacks use bots to send a large amount of traffic to the victim system in order to saturate its bandwidth. Amplification attacks also exhaust the victim's bandwidth, but do so by maliciously amplifying traffic: bots send requests with a forged source IP (the IP of the attack's target) to certain vulnerable servers, and each server, after processing the request, sends its response to the forged source IP. Because of the nature of these services, the response packets are longer than the request packets, so a small amount of attacker bandwidth can make the servers send a large volume of responses to the target host.

Fun fact: The distributed sources are usually compromised user machines that form a robot network, or botnet.

Cryptocurrencies like Bitcoin are a particularly lucrative target for DoS attacks. In theory, futures markets and margin trading allow an attacker to short a cryptocurrency and profit by driving down the price of that currency. Competing cryptocurrencies and governments concerned about the impact of cryptocurrencies on their financial sovereignty are other potential attackers. To our knowledge, no successful DoS attacks have been carried out against any major cryptocurrency in practice.

The reason is the decentralized nature of the blockchain protocol. In the blockchain world, there is no central server that can be attacked. The machines that run the blockchain are called mining machines, and each keeps a complete copy of the blockchain data. Although attacks on individual machines have occurred, the complete shutdown (or even destruction) of a few machines has little impact on the availability of the entire system.

More interesting fact: Bitcoin’s P2P network was built to be resistant to attack, taking a page from the lessons of botnets (which were built to be resistant to attacks by anti-malware companies).

In reality, DoS attacks on blockchains like Bitcoin are very expensive. The Bitcoin protocol proposed by Satoshi Nakamoto relies on the Proof of Work (PoW) mechanism to ensure the security of the system: miners can create blocks only by proving that they have spent resources (i.e. computing power) outside the system. The security of the blockchain can only be maintained when most of the computing power in the system is functioning properly. Therefore, in order to conduct a DoS attack, the attacker must have more computing power than the sum of all other participants, i.e. a 51% attack. For major cryptocurrencies, the cost of a 51% attack is unaffordable for most entities.

This type of attack was attempted unsuccessfully during the “hash war” between Bitcoin ABC and Bitcoin SV in late 2018.

The Proposal of BDoS

We find that the inherent properties of the Nakamoto protocol make it vulnerable to a significantly cheaper DoS attack, which exploits the fact that blockchain protocols rely on incentives for security. In blockchains, participants (miners) are rewarded for participating in cryptocurrency mining. When these incentives no longer promote good behavior, the system is in danger. This attack, which we call Blockchain DoS (BDoS), changes the incentives of rational miners, making it more profitable for them to break the rules than to follow them.

To be fully effective, the attacker needs miners to be aware of the attack and the fact that they can increase their profits through this attack. Obviously, this strategic behavior is not pre-programmed in the mining software. Therefore, we believe that this attack does not pose an imminent risk because miners must reprogram their mining equipment to maximize their profits when faced with the attack.

The existence of this attack is perhaps not surprising, and is indeed a manifestation of the theory proposed by Bryan Ford and Rainer Böhme, who argue that the utility of analyzing systems from the perspective of rational agents is limited because extrinsic incentives are indistinguishable from Byzantine behavior.

Below we outline the mechanics of the BDoS attack. First, let's start with some background on the Nakamoto blockchain.

Background

The vast majority of cryptocurrencies use the blockchain protocol proposed by Satoshi Nakamoto for Bitcoin. In the Nakamoto blockchain, all transactions in the system are placed in blocks that form a growing chain. Miners extend this chain with new blocks consisting of new transactions and publish them to all other system participants. The speed of block production is regulated by requiring miners to include a proof of work (the solution to a cryptographic puzzle) in each block. (By definition, blocks without PoW are invalid.) To incentivize miners to work, a fixed reward is given for producing a block (for example, the current fixed block reward for Bitcoin is 12.5 BTC). If the miners are not too large, then they are incentivized to extend the blockchain and receive the corresponding rewards.

Since miners are spread all over the world, occasionally two or more miners will produce blocks at the same time, and these blocks have the same parent block, which results in forks, that is, multiple branches of the chain. To determine which chain is the main chain, the rule proposed by Satoshi Nakamoto is: the longest chain is the main chain, all miners should extend this longest chain, and blocks separated from the main chain and their rewards will be ignored.

To avoid losing rewards, miners start mining on a new block before they have received and verified it in full: as soon as they receive the latest block's header, which carries its metadata, they start mining on top of it. This avoids wasting mining resources on old blocks and increases their chances of mining the next block. Generally, this is not a good practice, and it has caused a lot of concern among security researchers. This header-based mining is called SPV mining, after the Simplified Payment Verification (SPV) protocol that lightweight clients use for partial blockchain verification.

Attack

Our proposed attacker puts the system into a state where the best action for rational miners is to stop mining.

To induce this state, the attacker generates a block and publishes only its header, BA, as proof that the block exists. Given the header, a rational miner has three possible actions: (1) extend the main chain and ignore the header; (2) extend the header (SPV mining); (3) stop mining, neither consuming computing power nor winning rewards.

If a rational miner follows option 1, extends the main chain, and finds and broadcasts a new block Bi, the attacker uses its relatively high connectivity (as in selfish mining) to broadcast the complete block corresponding to the block header BA. This leads to a race between two groups of miners: one group receives the attacker's block first, and the other receives the rational miner's block first.

There is a high probability that the rational miner will lose the race and that block Bi will never be included in the main chain. This reduces the expected reward of mining on the last full block compared to the "no attack" case.

If the rational miner follows option 2 and successfully extends the attacker's block header BA, the attacker will not publish the complete block BA. This causes the rational miner's block to never be included in the main chain, resulting in the expected reward of the block being zero.

Therefore, in both cases, if the raw profitability in the “no attack” setting is not too high, the attacker can ensure that the honest miners will eventually lose money. Therefore, the threat of BDoS attackers means that honest miners are better off giving up rather than choosing to mine, that is, choosing the third option. As the movie “War Games” said, “The only way to win is to not participate.”

Conditions for a successful BDoS attack

Now let's look at the conditions under which a BDoS attacker succeeds. Specifically, for a given rational miner i, we need to consider under what conditions it is more profitable for i to stop mining than to continue mining, regardless of the behavior of other participants. The answer depends on three factors: first, if the attacker's computing power is large enough, the attack will succeed; second, if miner i's computing power is small enough, the attack will succeed; finally, if miner i's profitability was low enough to begin with, the attack will succeed.

The profitability factor for miner i is the return it would earn for every $1 invested in mining if no attack occurred. The following graph shows the maximum rate of return for a successful attack for different attacker sizes (X-axis) and miner sizes (different curves).

In our analysis, we used a property called the profitability factor, which represents the return per dollar invested. This depends on the mining equipment and electricity costs, as well as the price of the relevant cryptocurrency.

To give a specific example, if the largest miner has 20% of the computing power of the entire network, then an attacker with 20% of the computing power of the entire network can incentivize all miners to stop mining when their profitability factor is lower than 1.37.

Currently, for Bitcoin, at an electricity price of $0.05/kWh, the profit factor of a Bitmain S17 Pro miner is close to 2, while the profit factor of an S9 is close to 1. If the price of the coin drops significantly and the difficulty increases, attackers will be able to incentivize existing miners to stop mining, causing the Bitcoin network to stop operating completely. In addition, the Bitcoin block reward is expected to halve in 2020, which will correspondingly reduce the profitability of miners.

The two-coin model

Note that our model is conservative and in a sense underestimates the attacker's chances. So far, we have assumed that a miner can either continue mining or stop mining, for a profit of 0. However, cryptocurrency miners often shift their mining efforts to a second cryptocurrency, even temporarily. If the initial profitability of both coins (before the attack) is similar, then switching to the other coin in the event of an attack is almost always profitable. This means that the threat of an attack in this case, which we call the two-coin model, is even higher than our analysis above shows. In fact, the two-coin model is more realistic. For example, there is evidence that miners often switch between BTC and BCH depending on profitability.

Mitigation measures and disclosure obligations

Rather than renting mining equipment to carry out the attack, or shorting Bitcoin and running for cover, we followed best practices for security research and went through a period of responsible disclosure. We alerted the developers of the major affected cryptocurrencies to the attack and discussed mitigation measures.

We propose a small change to the consensus rules so that miners give lower priority to blocks whose block headers are older than some threshold time (e.g. 1 minute) in the past. This will increase the chances of an attacker losing a block propagation race, and therefore reduce the effectiveness of BDoS attacks. Unfortunately, this countermeasure is not a complete fix. As we explain in the paper, an attacker can use smart contracts or zero-knowledge proofs to prove that they found a block (rather than publishing a block header). With these techniques, an attacker's blocks would be indistinguishable from rational miners' blocks in a block propagation race, rendering the mitigation ineffective.
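The threshold rule described above can be sketched as a tie-breaker in a miner's choice of parent block. This is an added example, not code from the paper or from any client; the `Tip` structure, the function names, and the choice to measure a header's age as the time between first seeing the header and receiving the full block are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

HEADER_LEAD_THRESHOLD = 60.0  # seconds; the page's example threshold of 1 minute


@dataclass(frozen=True)
class Tip:
    name: str                   # constructed label, not a real block hash
    height: int
    header_seen: float          # local time the header was first seen
    body_seen: Optional[float]  # local time the full block arrived (None = header only)


def deprioritized(tip: Tip, threshold: float) -> bool:
    """True if the header was known for longer than `threshold` before the body arrived."""
    return tip.body_seen - tip.header_seen > threshold


def choose_parent(tips, threshold=HEADER_LEAD_THRESHOLD):
    """Pick the tip to mine on: longest chain first, then the old-header rule,
    then the first-seen full block. Header-only tips are never mined on (assumption)."""
    full = [t for t in tips if t.body_seen is not None]
    if not full:
        return None
    best = max(t.height for t in full)
    race = [t for t in full if t.height == best]
    # The rule only lowers priority within a race; it never rejects a longer chain.
    return min(race, key=lambda t: (deprioritized(t, threshold), t.body_seen))


# Constructed race as seen by one node: header BA was announced at t=0 with the
# body withheld, and the body was released only when block Bi appeared at t=300.
BA = Tip("BA", height=101, header_seen=0.0, body_seen=300.2)
Bi = Tip("Bi", height=101, header_seen=300.4, body_seen=300.5)

if __name__ == "__main__":
    print("first-seen only:", choose_parent([BA, Bi], threshold=float("inf")).name)
    print("with threshold: ", choose_parent([BA, Bi]).name)
```
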

Another possible solution to BDoS attacks is to use uncle rewards, as Ethereum does. Uncle rewards pay miners for mining blocks that are not part of the main chain (but are directly connected to the main chain). If uncle rewards are used, the chance that a rational miner will stop mining during a BDoS attack is much lower, because it will get a reward (equivalent to 7/8 of Ethereum's full block reward) even if it loses the race. However, this is a tradeoff, because uncles reduce security against selfish mining attacks. In addition, a BDoS-like attack might still be possible with a longer chain of headers, again causing severe losses in races.

Conclusion

BDoS is a threat to Nakamoto consensus blockchains because it allows attackers to perform denial of service attacks using far less computing power than previous attacks. We have shown how attackers can distort incentives and induce profit-seeking miners to stop mining. The mitigation we proposed is easy to implement (no network fork is required), but only affects a specific type of BDoS attack. Without stronger mitigations, the liveness of Nakamoto consensus blockchains depends on miners' willingness to comply with the protocol in the face of revenue losses, that is, altruism.
