An eclipse attack is a relatively simple attack that an attacker may use to interfere with nodes on a network. As the name suggests, the attack prevents the targeted node in a peer-to-peer network from obtaining valid information, either to cause network disruption or to prepare for more complex attacks.
On the surface, eclipse attacks are similar to Sybil attacks. Although they share certain similarities (the attacker disrupts the network by attacking nodes), their ultimate targets are different. Eclipse attacks target a single node (the reason will be explained below), while Sybil attacks target the entire network, aiming to tamper with the reputation system of the network protocol.
The concept is discussed in detail in the 2015 paper “Eclipse Attacks on the Bitcoin Peer-to-Peer Network,” in which researchers from Boston University and the Hebrew University report the results of their experiments with eclipse attacks and the countermeasures to combat them.
How Eclipse Attacks Work
Bitcoin miners need specialized equipment to generate and verify new blocks, but non-mining (or full) nodes require very little computing power to run. Anyone can therefore operate a node on cheap equipment, which also helps Bitcoin's decentralization. The node software maintains a database of transactions that it synchronizes with its peers in order to stay in step with the network.
The limiting factor for large numbers of nodes is bandwidth. So, while a large number of devices can run the program, the Bitcoin software limits the number of connections (a maximum of 125), and an ordinary device can connect directly to only a small fraction of the other nodes.
In an eclipse attack, the attacker ensures that all of the target's connections are made to nodes controlled by the attacker. The attacker first floods the target with IP addresses they control, and the victim may connect to those addresses when its software restarts. The restart can be forced (i.e. by a DDoS on the target), or the attacker can simply wait for the program to restart on its own.
If this happens, the unsuspecting victim is at the mercy of the malicious nodes: cut off from the real network, it can be fed false data by the attacker.
Consequences of an eclipse attack
An attacker who spends the resources needed to isolate a node from the network presumably has an incentive to do so. Once the node is isolated, the attacker can carry out several consecutive attacks.
Double Spending Without Confirmation
If an independent node accepts an unconfirmed transaction, it is exposed to the risk of a "double spend". The transaction may have been broadcast, but until it is included in a block (committed to the blockchain), the sender can easily create a new transaction elsewhere that spends the same funds as the previous one. If the new transaction carries a higher fee, miners will give it priority and treat it as having occurred first, thus invalidating the first transaction.
Some merchants and individuals accept these 0-confirmation transactions. Consider a merchant named Bob who sells high-end cars. He has no idea that Alice has eclipsed his node, and he doesn’t suspect anything when he sees her order for a luxury sports car. Alice creates the transaction, and Bob broadcasts it to the network. Satisfied that the payment is about to be confirmed, he hands the car keys to Alice, who speeds off.
In fact, the transaction was never broadcast to the network. Bob only passed it to Alice's malicious nodes, and the malicious nodes controlled by Alice do not relay it to the real nodes. Therefore, the transaction will be considered invalid. Meanwhile, Alice spends the same funds on the (real) network, paying either herself or someone else. Even if the initial transaction between Bob and Alice is eventually seen on the real network, it cannot be verified because the funds in Alice's account have already been spent.
Double Spending That Requires N Confirmations
A double spend with N confirmations is similar to a double spend without confirmations, but involves more preparation. Many merchants wait for a certain number of confirmations before marking a payment as valid. To get around this, the attacker must eclipse both the miner and the merchant node. Once the attacker has placed an order with the merchant, they broadcast the transaction to the (eclipsed) miner. The merchant sees the transaction confirmed in the blockchain, but because the miner and the merchant are isolated from the network, that blockchain is not the one witnessed by most real nodes.
The attacker relays this fake blockchain information to the merchant, and the merchant delivers the goods after seeing that the transaction has been confirmed. When the eclipsed nodes rejoin the real network, the real blockchain network will consider these nodes invalid and isolate them (this is similar to a 51% attack).
Weakening competition among miners
Eclipsed nodes continue to operate as usual despite being isolated from the network. Miners continue to verify blocks within the rules specified by the protocol, but the blocks they add are discarded once they reach the nodes of the real network.
In theory, a large-scale eclipse attack on a majority of miners could be used to facilitate a 51% attack. As it stands, taking over a majority of Bitcoin's hashrate (around 80TH/s) is prohibitively expensive for even the most resourceful attacker, who would need more than 40TH/s to even attempt it.
Assuming this computing power is distributed among 10 participants (each with approximately 8TH/s), the attacker can greatly reduce the requirements for a 51% attack by isolating these participants from the network. If 5 of the nodes are eclipsed, 40TH/s is removed from the competition to find the next block, and the attacker now only needs to bring 20TH/s of computing power to achieve control.
Other destructive activities that can be achieved by carrying out eclipse attacks on targets include manipulating nodes to conduct illegal mining activities or taking advantage of the computing power competition between miners to obtain the next block.
Mitigating the impact of eclipse attacks
With enough IP addresses, an attacker can perform an eclipse attack on any node. The most direct way to prevent this is to block illegal access to nodes and only establish outbound connections to specific nodes (such as IPs that have been whitelisted by other nodes in the peer-to-peer network). However, as the research paper points out, this is not a solution that can be implemented on a large scale. If all participants take these measures, new nodes will not be able to join the network.
The authors proposed some adjustments to the Bitcoin program, some of which were integrated into the Bitcoin software after the paper was published. These measures raise the cost of eclipse attacks through minor changes to the code, such as randomizing the selection of new connections and increasing the storage space for addresses.
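The effect of these two countermeasures can be put in numbers with a small model of how a restarting node fills its outbound slots from its address table. This is an added example, not code from the paper or from the Bitcoin software; the 8 outbound slots, the table sizes and the `bias` weight (how strongly selection favors attacker-supplied addresses) are assumptions chosen for illustration.

```python
def p_all_attacker(attacker, honest, outbound=8, bias=1.0):
    """Probability that every outbound slot is filled from attacker addresses.

    Addresses are drawn one at a time without replacement. bias=1.0 is
    uniform random selection; bias>1 models a selection rule that favors
    attacker-supplied entries (an illustrative weight, not Bitcoin's rule).
    """
    p = 1.0
    for i in range(outbound):
        remaining = attacker - i
        if remaining <= 0:
            return 0.0  # not enough attacker addresses to fill every slot
        p *= bias * remaining / (bias * remaining + honest)
    return p


def attacker_addrs_needed(capacity, target=0.5, outbound=8, bias=1.0):
    """Smallest number of attacker addresses in a full table of `capacity`
    entries (the rest honest) that gives at least `target` eclipse probability."""
    for attacker in range(outbound, capacity + 1):
        if p_all_attacker(attacker, capacity - attacker, outbound, bias) >= target:
            return attacker
    return None


if __name__ == "__main__":
    # Constructed table sizes; each row shows what the defender gains.
    print(f"{'capacity':>9} {'bias':>5} {'addresses needed for 50%':>26}")
    for capacity in (1024, 4096, 16384):
        for bias in (4.0, 1.0):
            need = attacker_addrs_needed(capacity, bias=bias)
            print(f"{capacity:>9} {bias:>5} {need:>26}")
```

In this model, removing the selection bias and enlarging the table both increase the number of addresses an attacker has to plant before an eclipse becomes likely, which is the cost increase the countermeasures aim for.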
Summary
Eclipse attacks are conducted on peer-to-peer networks. As a standalone attack, they are mostly a nuisance. The real purpose of an eclipse attack is to enable other attacks that can cause greater impact or give the attacker an advantage in mining.
Generally speaking, eclipse attacks have not yet caused serious impacts, and although countermeasures have been deployed in blockchain networks, the threat still exists. As with most attacks faced by Bitcoin and most other cryptocurrencies, the best defense against eclipse attacks is to make them unprofitable for malicious attackers.
