Blockchain Systems: Known Attack Vectors And Countermeasures

2555 0

There is no bulletproof digital network, and blockchain doesn’t stand out from the rest in this regard. However, the attacks targeting distributed ledgers differ from the ones used to compromise conventional computer networks. These exploitation scenarios rely on tampering with the process of achieving consensus to alter the data added to the ledger.

51% attack

If a certain number of network participants, or miners, get the majority of the “votes”, their prerogative to control the consensus may allow them to complement the blockchain with their own data only. If a malefactor has the exclusive privilege to add a block, he is able to include double-spending information into it.

In case such an attack is underway, regular miners will normally ignore the perpetrator’s block and split the blockchain to create a valid parallel branch. Nevertheless, if the crook has 51% of the computing capacity on the network, he can manipulate the consensus and build his own blockchain with inaccurate double-spending transactions that will be wrongfully considered valid.

The 51% attack is hardly viable unless the offender controls 51% of the network. Furthermore, even if it works out, the attacker’s gain wouldn’t be as significant as it may appear. A much more effective way to benefit from controlling half of the network is to conduct ethical mining and earn by solving blocks or perhaps even raise the commission for transactions.

As a matter of fact, the transaction commission is one of the fundamental elements of keeping the Bitcoin blockchain secure. Given that Bitcoin emission is restricted, the increase of the commission is a good way to incentivize the miners and at the same time to secure the network. The greater the number of transactions and the higher the commission per transaction, the more revenue miners can get.

It’s also worth mentioning that the processing capacity of permission-less blockchains – that is, the ones everybody can join – isn’t infinite. This hallmark allows the networks to stay truly decentralized. Because every node needs to process all transactions, the more nodes the network contains – the lower is its bandwidth. In other words, if you raise the bandwidth to hundreds of transactions per second, then the only nodes on the network will be ones owned by major companies.

Sybil attack

The Sybil attack revolves around the fact that peer-to-peer networks cannot efficiently differentiate between the participants. A fraudster may try to inundate a blockchain network with nodes he controls. This activity can bolster a number of stratagems:

  • The attacker may reject the process of submitting and receiving blocks by disconnecting other members from the network.
  • There is a risk of the above-mentioned 51% attack and double-spending hoax.
  • The malicious actor can see all transactions by means of specially crafted utilities.

The use of heuristic rules typically thwarts Sybil attacks in centralized networks. Restricting the number of accounts that can be created from the same IP address within a specified timeframe is one of such preemptive mechanisms. However, recently attackers have started using free trial VPNs and change their IP addresses.

One more technique is to engage a reputable certification entity that will verify all users. Meticulously verifying the nodes is yet another applicable tactic. With this approach in place, the system gauges the network bandwidth, storage size and a number of other values to determine whether the gathered data belongs to different computers or to a single machine with multiple rogue identities.

The Bitcoin blockchain fends off Sybil attacks via peculiar requirements for generating new blocks. As per the Nakamoto Consensus, the ability to create blocks is to be proportional to the processing power of the PoW (Proof-of-Work) mechanism.

DDoS attacks

DDoS (distributed denial-of-service) is a common type of hacker attacks whose gist boils down to firing a large number of similar queries at a network. Bitcoin boasts built-in defenses against this attack vector. In order to avert the congestion of nodes memory, the block size is restricted to 1 MB and the size of a script cannot exceed 10,000 bytes. Additionally, each block cannot request more than 20,000 confirmations. There is also a 20-key limit for multi-confirmations.

Furthermore, clients have the ability to block dubious nodes and transactions. For instance, the most recent edition of the Bitcoin Satoshi client keeps track of anomalous transactions the size of which is greater than 100 kilobytes. As part of the transaction processing routine, this client also makes sure that the outputs aren’t spent.

Attacks targeting cryptography

It is believed that future quantum computers will significantly outperform the traditional systems in terms of the processing power. Some analysts think this evolution will make itself felt in a decade or so. These predictions are making Bitcoin aficionados feel nervous, and here’s why.

The factorization issue is one of the major pitfalls in this context. Quantum algorithms, such as Shor’s algorithm, may be capable of cracking RSA encryption. In theory, this might undermine the security of digital signatures used in blockchain platforms.

Acknowledging the risks, developers are busy masterminding solutions aimed at helping crypto-based projects survive the advent of quantum machines. Time will tell whether these efforts will turn out effective enough. One way or another, gradually shifting towards such solutions will help tackle the “quantum” menace and harden the security of the blockchain technology.

David Balaban
david-balabanDavid Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

David Balaban Web Site
In this article

Join the Conversation

Join the Conversation