Mats Jerratsch [ARCHIVE] on Nostr: š Original date posted:2015-10-19 š Original message: All of your assumptions ...
š
Original date posted:2015-10-19
š Original message:
All of your assumptions have the premise though, that choosing a
'good' vs a 'bad' guy is pure probability, like picking the right ball
out of a bag. There are other systematic attacks though, where an
attacker can trick you into his network for practically zero costs,
especially if there is no other solution in place (like checking the
blockchain for all of the networks anchors).
Think about an attacker who is able to MITM your internet connection,
like the hotspot you connect to at a Cafe (or your ISP if hijacked).
They can build locally a gigantic network, all pointing to the same
node. You can't tell, and they don't have to necessarily just block
your payments. (see above)
I am mainly concerned over those. Especially since there is not really
anything we can do about dishonest nodes joining our network, but it's
encouraging to see your math. Since everything security-wise so far
stands only with knowing pubkeys of nodes actually connected to the
network, this should be the first thing to tackle. (that is, making it
expensive to attack it this way)
Only nuisance is that it requires either SPV or full node to check the
anchor, but I kinda like the idea of having all (or a good amount) of
lightning nodes be full bitcoin nodes as well.
cheers
Mats Jerratsch
2015-10-19 3:41 GMT+02:00 Anthony Towns <aj at erisian.com.au>:
> On Sun, Oct 18, 2015 at 01:25:29PM +0200, Mats Jerratsch wrote:
>> > It only works if you actually setup a channel, though -- so you have to
>> > lock some money into the channel for however many confirmations until
>> > the channel activates, before you can test, plus the OP_CSV delay if
>> > the test fails.
>> And there's the catch. If an attacker achieves nodes opening up
>> channels with him, he already succeeded in vandalism.
>
> I'm not sure this is true? Supposing there are V vandals on the system,
> compared to T total nodes, so V/T is your probability of selecting a
> vandal. Then, to join the lightning network, you open up N channels
> with randomly chosen nodes at $1 each, committing $N in total, and
> (if they're all run by vandals and have to get closed) spending about
> 2*N*2c (so 4%?) in fees. If there are 1000 nodes (ie, lots), then the
> probability of finding at least one good node is about 1-(V/T)^N. If you
> want a probability of 99% of getting a good node on your first try, then:
>
> V/T = 10%: N = 2
> V/T = 20%: N = 3
> V/T = 30%: N = 4
> V/T = 40%: N = 6
> V/T = 50%: N = 7
> V/T = 60%: N = 9
> V/T = 70%: N = 13
> V/T = 80%: N = 21
> V/T = 90%: N = 43
> V/T = 95%: N = 86
> V/T = 99%: N = 368
>
> So with 90% of nodes being hostile, that'd be getting expensive, but
> not completely implausible. If 40%-plus of the network is legit, though,
> just trying out 10 random nodes seems like it works fine, and only locks
> up $10 for a couple of days and costs about 40c in bitcoin fees...
>
> Also, if you've got to run 2.5 times as many vandal nodes as there are
> legitimate nodes for people to even really be bothered, I don't think
> you'll see many vandals in the first place...
>
> (Once you've got a node that actually works, you can expand your channel
> from $1 to $10 or $100, and/or open additional channels, and at that point
> (afaics) you're set.)
>
> That's only necessary if you don't know anyone with a lightning account
> already, though. Since anyone can forward for you, you could start with
> someone you trust in real life -- eg, a friend, a bank, a government,
> etc. If Rusty tells me he'll route my payments (as long as they're made
> between 10am and 3pm Adelaide time on a weekday, maybe) then I can open
> a $5 channel with him, and use that to send 1 satoshi payments to test
> connectivity. So, if I'm wondering whether BOBSBANK is reliable, I work
> out a route:
>
> aj -> rusty -> a -> b -> c -> BOBSBANK -> x -> y -> z -> rusty -> aj
>
> apply it as an onion so it can't get short-circuited, and see if it gets
> back to me, at a cost of maybe 10% of a satoshi (10 hops at 1% each)...
> If it does, BOBSBANK is connected and functional, and I can try opening a
> channel. If it doesn't, I can try a different route to BOBSBANK, or try
> someone else entirely.
>
>> Furthermore, an
>> attacker can always play by the rules and forward all payments up to
>> one point where he stops.
>
> (For example, he could happily route payments on $1 channels, but refuse
> to do likewise when the channel capacity was upped to $10)
>
> In the general case though, does that even count as an attack? Isn't
> that just like a web site going down or being put behind a paywall? ie,
> annoying, but completely legitimate? I mean, if someone downloads the
> lightning software to try it out, runs it for a while, then decides it's
> no fun and stops, they'll be "playing by the rules up to one point where
> they stop"; but they're not trying to "attack" the system.
>
> Coping with unreliability is definitely important, but running a node that
> works sometimes but is deliberately unreliable is a lot more effort than
> running a node that claims to work, but never does. It's also more work
> (and less profitable) than just running a node that actually work...
>
>> And even worse, if everyone connect to his
>> nodes, he can relay all payments, but he is able to distinctively
>> identify payee and payers, even with onion routing.
>
> That's a different attack isn't it? To get everyone to connect to your
> nodes, you'd have to be running the majority of nodes -- ie, there's
> 5000 different organisations running lightning nodes, but 4999 of them
> run one or two nodes each, but one of them runs 100,000 nodes.
>
> But if it were cheap enough for one org to run 100k nodes, why wouldn't
> the others treat it as an arms race and end up running, say, 20-50
> nodes each? They'd have an economic incentive to do so, in that it
> increases their odds of collecting fees... At that point the attacker's
> already reduced to 28%-50% of nodes. ie, I think that's likely to be
> self-correcting?
>
> But! An arms race in nodes-per-person would probably cause a scaling
> problem for the network (depending on how routing actually works), and
> you'd have to address that by creating some cost to run (or at least
> register?) a node/channel. But if they're all legitimate nodes, I think
> that's just a scaling problem, rather than vandalism per se.
>
> (An additional but: even if spamming the list of nodes doesn't work as
> an effective attack, if you can spam the list of *channels* with valid
> looking edges that won't actually route payments successfully, you can
> screw over the network pretty well)
>
> Cheers,
> aj
>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
š Original message:
All of your assumptions have the premise though, that choosing a
'good' vs a 'bad' guy is pure probability, like picking the right ball
out of a bag. There are other systematic attacks though, where an
attacker can trick you into his network for practically zero costs,
especially if there is no other solution in place (like checking the
blockchain for all of the networks anchors).
Think about an attacker who is able to MITM your internet connection,
like the hotspot you connect to at a Cafe (or your ISP if hijacked).
They can build locally a gigantic network, all pointing to the same
node. You can't tell, and they don't have to necessarily just block
your payments. (see above)
I am mainly concerned over those. Especially since there is not really
anything we can do about dishonest nodes joining our network, but it's
encouraging to see your math. Since everything security-wise so far
stands only with knowing pubkeys of nodes actually connected to the
network, this should be the first thing to tackle. (that is, making it
expensive to attack it this way)
Only nuisance is that it requires either SPV or full node to check the
anchor, but I kinda like the idea of having all (or a good amount) of
lightning nodes be full bitcoin nodes as well.
cheers
Mats Jerratsch
2015-10-19 3:41 GMT+02:00 Anthony Towns <aj at erisian.com.au>:
> On Sun, Oct 18, 2015 at 01:25:29PM +0200, Mats Jerratsch wrote:
>> > It only works if you actually setup a channel, though -- so you have to
>> > lock some money into the channel for however many confirmations until
>> > the channel activates, before you can test, plus the OP_CSV delay if
>> > the test fails.
>> And there's the catch. If an attacker achieves nodes opening up
>> channels with him, he already succeeded in vandalism.
>
> I'm not sure this is true? Supposing there are V vandals on the system,
> compared to T total nodes, so V/T is your probability of selecting a
> vandal. Then, to join the lightning network, you open up N channels
> with randomly chosen nodes at $1 each, committing $N in total, and
> (if they're all run by vandals and have to get closed) spending about
> 2*N*2c (so 4%?) in fees. If there are 1000 nodes (ie, lots), then the
> probability of finding at least one good node is about 1-(V/T)^N. If you
> want a probability of 99% of getting a good node on your first try, then:
>
> V/T = 10%: N = 2
> V/T = 20%: N = 3
> V/T = 30%: N = 4
> V/T = 40%: N = 6
> V/T = 50%: N = 7
> V/T = 60%: N = 9
> V/T = 70%: N = 13
> V/T = 80%: N = 21
> V/T = 90%: N = 43
> V/T = 95%: N = 86
> V/T = 99%: N = 368
>
> So with 90% of nodes being hostile, that'd be getting expensive, but
> not completely implausible. If 40%-plus of the network is legit, though,
> just trying out 10 random nodes seems like it works fine, and only locks
> up $10 for a couple of days and costs about 40c in bitcoin fees...
>
> Also, if you've got to run 2.5 times as many vandal nodes as there are
> legitimate nodes for people to even really be bothered, I don't think
> you'll see many vandals in the first place...
>
> (Once you've got a node that actually works, you can expand your channel
> from $1 to $10 or $100, and/or open additional channels, and at that point
> (afaics) you're set.)
>
> That's only necessary if you don't know anyone with a lightning account
> already, though. Since anyone can forward for you, you could start with
> someone you trust in real life -- eg, a friend, a bank, a government,
> etc. If Rusty tells me he'll route my payments (as long as they're made
> between 10am and 3pm Adelaide time on a weekday, maybe) then I can open
> a $5 channel with him, and use that to send 1 satoshi payments to test
> connectivity. So, if I'm wondering whether BOBSBANK is reliable, I work
> out a route:
>
> aj -> rusty -> a -> b -> c -> BOBSBANK -> x -> y -> z -> rusty -> aj
>
> apply it as an onion so it can't get short-circuited, and see if it gets
> back to me, at a cost of maybe 10% of a satoshi (10 hops at 1% each)...
> If it does, BOBSBANK is connected and functional, and I can try opening a
> channel. If it doesn't, I can try a different route to BOBSBANK, or try
> someone else entirely.
>
>> Furthermore, an
>> attacker can always play by the rules and forward all payments up to
>> one point where he stops.
>
> (For example, he could happily route payments on $1 channels, but refuse
> to do likewise when the channel capacity was upped to $10)
>
> In the general case though, does that even count as an attack? Isn't
> that just like a web site going down or being put behind a paywall? ie,
> annoying, but completely legitimate? I mean, if someone downloads the
> lightning software to try it out, runs it for a while, then decides it's
> no fun and stops, they'll be "playing by the rules up to one point where
> they stop"; but they're not trying to "attack" the system.
>
> Coping with unreliability is definitely important, but running a node that
> works sometimes but is deliberately unreliable is a lot more effort than
> running a node that claims to work, but never does. It's also more work
> (and less profitable) than just running a node that actually work...
>
>> And even worse, if everyone connect to his
>> nodes, he can relay all payments, but he is able to distinctively
>> identify payee and payers, even with onion routing.
>
> That's a different attack isn't it? To get everyone to connect to your
> nodes, you'd have to be running the majority of nodes -- ie, there's
> 5000 different organisations running lightning nodes, but 4999 of them
> run one or two nodes each, but one of them runs 100,000 nodes.
>
> But if it were cheap enough for one org to run 100k nodes, why wouldn't
> the others treat it as an arms race and end up running, say, 20-50
> nodes each? They'd have an economic incentive to do so, in that it
> increases their odds of collecting fees... At that point the attacker's
> already reduced to 28%-50% of nodes. ie, I think that's likely to be
> self-correcting?
>
> But! An arms race in nodes-per-person would probably cause a scaling
> problem for the network (depending on how routing actually works), and
> you'd have to address that by creating some cost to run (or at least
> register?) a node/channel. But if they're all legitimate nodes, I think
> that's just a scaling problem, rather than vandalism per se.
>
> (An additional but: even if spamming the list of nodes doesn't work as
> an effective attack, if you can spam the list of *channels* with valid
> looking edges that won't actually route payments successfully, you can
> screw over the network pretty well)
>
> Cheers,
> aj
>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev