new bitcoin ddos technique #26585

issue visualbasic6 openend this issue on November 27, 2022
  1. visualbasic6 commented at 3:31 pm on November 27, 2022: none

    edit: the issue has been closed while the bug undergoes further review.

    hi,

    i will keep this concise as the attack is neither innovative nor sophisticated.

    it is possible to slow and entirely halt external connections from communicating with a bitcoin-core node.

    i don’t know whether peer connections remain open or frequently disconnect/reconnect. what happens to sync’d nodes with active peers is yet to be seen. it’s too early, at least for me, to know whether peers would drop a node under attack over timeouts and how bitcoind behaves with peers while tcp/8333 is under fire. so - further research required. this needs to be tested against sync’d nodes. there is a dos here - but also a (probably slim) possibility that a scaled attack would only result in new nodes being unable to enter the network.

    it is accomplished by repeatedly sending a small request, e.g.

    0x
1x

    with thousands of concurrent socket requests. in this screen shot i’m using a handful of cheap digital ocean machines to attack 1 node.

    corn

    as the script exhausts itself and finds trouble assigning itself open sockets the ddos becomes hit or miss in external requests. sometimes connecting, usually not connecting, and sometimes producing “black hole” events wherein it’s impossible to disconnect from an external telnet request until it drops you — which is atypical behavior. the attack works the best within the first 20 seconds of the attack script being launched - and so may require further optimization.

    am i missing something? because i’m definitely able to stress my own nodes with this technique. it is my opinion that a botnet could probably tango down the bitcoin network - or at least slow finality considerably.

    i’ve opted for full disclosure for a variety of reasons.

    -kev https://twitter.com/123456

  2. visualbasic6 added the label Bug on Nov 27, 2022
  3. ghost commented at 5:28 pm on November 27, 2022: none
    Which version of bitcoin core?
  4. visualbasic6 commented at 5:31 pm on November 27, 2022: none

    Which version of bitcoin core?

    0  "version": 240000,
1  "subversion": "/Satoshi:24.0.0/",
  5. ghost commented at 5:38 pm on November 27, 2022: none
    That’s why Bitcoin core needs to use UDP instead of TCP
  6. impredicative commented at 6:27 pm on November 27, 2022: none

    Possibly essential background reading:

    https://en.wikipedia.org/wiki/Slowloris_(computer_security)

  7. visualbasic6 commented at 9:58 pm on November 27, 2022: none
    more research required
  8. visualbasic6 closed this on Nov 27, 2022
  9. ghost commented at 10:00 pm on November 27, 2022: none
    If I understand correctly, this exploit requires that the attacker knows the address of the node, so does this not apply to the overwhelming majority of Bitcoin nodes that aren’t publicly identifiable?
  10. ghost commented at 10:02 pm on November 27, 2022: none
    You cannot communicate to a node without having the IP address, my bad
  11. theolivenbaum commented at 10:13 pm on November 27, 2022: none
    Seems to be public info: https://bitnodes.io/nodes/addresses-list/
  12. visualbasic6 commented at 12:32 pm on November 28, 2022: none
    yeah - more research is required on my end. i think this would only prevent new nodes from entering the network in a scaled attack. if there’s a way to d/dos bitcoind’s p2p i’ll find it. for now i’m closing this issue as completed.
  13. visualbasic6 closed this on Nov 28, 2022
  14. fanquake locked this on Nov 30, 2022


visualbasic6 ghost impredicative theolivenbaum

Labels
Bug

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-09-28 22:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me