SlowMist: Alien Attack Vulnerability from P2P Protocol (Released in 2019)

When we talk about blockchain, these technologies are always inseparable: distributed storage, P2P network and consensus mechanism. The topic of this article is the P2P network protocol.

Alien attacks are actually a problem that all public chains may face. We use Ethereum as an example to illustrate. The P2P network of Ethereum is mainly implemented by the Kademlia (Kad) algorithm. Kad is a distributed hash table (DHT) technology. Using this technology, it is possible to quickly and accurately route and locate data in a distributed environment. Question.

What is Alien Attack?

First of all, we first define the concept of a homogeneous chain, which refers to a blockchain system that uses the same or compatible protocol as other blockchains.

Alien attack, also known as address pool pollution, refers to an attack method that induces nodes of the same chain to intrude and pollute each other. The main reason for the vulnerability is that the same chain system does not identify non-similar nodes in the communication protocol.

Alien attack on Ethereum means that Ethereum homogeneous chains (specifically, public chains that use the Ethereum P2P discv4 node discovery protocol, including Ethereum and Ethereum Classic) cannot distinguish whether nodes belong to the same chain due to the use of compatible handshake protocols. An attack method that causes the address pools to pollute each other, degrades node communication performance, and eventually causes node blockage.

1. Normal Node Discovery Process

The nodes of the Ethereum homogeneous chains use 4 UDP communication protocols to complete node discovery. The message structure is as follows:

[1] ping: detect whether a node is online

[2] pong: respond to Ping command

[3] findnode: Find other nodes closest to the Target node

[4] neighbors: In response to the FindNode command, one or more nodes will be returned

2. Attack process

Preparations: Collect Ethereum node addresses

We found an address library made by the community:

https://github.com/smartheye/EthStaticNodesTool/blob/master/MainNet/static-nodes.txt

Step 1: Initiate a malicious handshake

Attacker A simulates the entire handshake process, actively initiates a ping operation, and uses step 4 neighbors of the protocol to modify the returned neighbor table to the Ethereum node address we collected and push it to the victim node B (B is an Ethereum homogeneous chain node). Since a single communication can only push 16 addresses, we need to push multiple times to achieve the attack effect.

Step 2: Pollution address pool

B receives a large number of neighbor lists returned by A, tries to shake hands with these nodes, and adds these nodes to its own address pool (commonly known as K bucket).

Step 3: Automatic diffusion of pollution

Surprisingly, the nodes of different chains successfully shook hands with each other. What is even more frightening is that they pushed the known nodes in their respective address pools to each other, causing more nodes to pollute each other, and eventually spread to the entire network. .

Dangerousness of Vulnerabilities

• The homogeneous chain node attacked by the alien cannot find a real available node, and cannot establish a TCP data synchronization channel, causing the node to be attacked offline.
• Alien attacks may cause broadcast delays or even failures of mining pools or block producing nodes, resulting in loss of revenue.
• Alien attacks can cause all Ethereum homogeneous chain address pools to pollute each other, resulting in a comprehensive decline in node communication efficiency and causing long-term damage to the entire blockchain system.

Affected range

When we conducted a security audit on the well-known public chain QuarkChain, we found that after the nodes of QuarkChain were attacked by aliens, the performance of the nodes deteriorated severely, and it took a long time for external nodes to establish a connection with the victim node. The QuarkChain team then fixed the issue.

In theory, all blockchains that use the Ethereum discv4 protocol may be affected by this vulnerability. After launching the test for a while, we observed that the monitoring nodes of EtherNode were also polluted, and the spread of pollution was faster than expected.

1. Does this vulnerability affect Ethereum?

The number of nodes in Ethereum is much larger than that of other chains of the same kind, and a stable connection has been established between nodes, so the impact is not obvious. But for other similar chain nodes, they will be invaded by the Ethereum nodes, resulting in communication blockage.

2. Many friends have asked whether other public chains have this problem, such as Bitcoin and its altcoins, such as public chains using the libp2p protocol. We will disclose these problems in subsequent articles!

Finally, thanks to the QuarkChain team for assisting with this test!

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

Website：
https://www.slowmist.com
Twitter：
https://twitter.com/SlowMist_Team
Github：
https://github.com/slowmist/