Topic: The potential for DDoS in DPOS  (Read 758 times)

Offline VoR0220

The potential for DDoS in DPOS
« on: December 10, 2014, 07:27:26 AM »

Side tangent before I start: Not going to lie, rereading that title made me smile a bit.

Moving on: So I was poking my nose around the interwebz for reviews of the DPOS mechanism, specifically in regards to security. I managed to find this article:
http://tpbit.blogspot.ca/2014/08/thoughts-on-delegated-proof-of-stake.html

While I'm aware there's a response here:
http://successcouncil.com/post.php?info=Max-Wrights-thoughts-on-the-Security-threats-of-Delegated-Proof-of-Stake-and-Bitshares
I would like to know what the community makes of these accusations regarding the potential for Delegates to be attacked via a DDoS attack and generally mess up everything for everyone?

Are the delegates secure from these attacks with recent updates? Are the accusations unfounded?
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline JA

Re: The potential for DDoS in DPOS
« Reply #1 on: December 10, 2014, 09:50:38 AM »
From the successcouncil post:
Quote
With regard to DPOS while delegates are known their IP addresses are not known publically

Edit: never mind, it's actually pretty easy to find the IP addresses
« Last Edit: December 10, 2014, 10:20:01 AM by jabbajabba »

Offline svk

Re: The potential for DDoS in DPOS
« Reply #2 on: December 10, 2014, 10:01:09 AM »
I'm no expert on this but I suppose a real hacker could analyse the IP addresses of the peers in the client to somehow determine the IPs of delegates. If they then proceed to DDOS those delegates, those delegates would start missing blocks. This would slow down the network but that's all, there's no automatic replacement of inactive delegates or delegates missing blocks as we've seen very clearly with the recent case of delegate.adam.

The delegate who is being DDOS'ed would be notified, either by an automatic service or through other means. He could then shut down that VPS if possible, and could easily spin up a standby VPS or even use his own computer in order to set up a new instance of the delegate and start signing blocks again. The attacker would then need to reidentify the delegate's IP in order to continue the attack.

One could also shield one's delegate behind a web of seed nodes by connecting to them directly and not advertising one's IP I think, and also refuse incoming connections.
Worker: dev.bitsharesblocks

Offline Riverhead

Re: The potential for DDoS in DPOS
« Reply #3 on: December 10, 2014, 10:16:18 AM »
Svk pretty much said it. Since delegates are just block signers and not miners it's easy to abandon a host under attack and switch to the failover. For a ddos attack to be effective they'd need to hit literally dozens of delegates at the same time. The network would then slow down for a few minutes while the delegates brought up new hosts.

Offline monsterer

Re: The potential for DDoS in DPOS
« Reply #4 on: December 10, 2014, 10:37:46 AM »
Quote from: Riverhead
Svk pretty much said it. Since delegates are just block signers and not miners it's easy to abandon a host under attack and switch to the failover. For a ddos attack to be effective they'd need to hit literally dozens of delegates at the same time. The network would then slow down for a few minutes while the delegates brought up new hosts.

It might be worse than you think. Typically hosting companies will actually remove the server under attack from their network in order to preserve their other customers' service. Then the control is out of the hands of the delegate under attack.
My opinions do not represent those of metaexchange unless explicitly stated.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline svk

Re: The potential for DDoS in DPOS
« Reply #5 on: December 10, 2014, 10:45:01 AM »
Quote from: Riverhead
Svk pretty much said it. Since delegates are just block signers and not miners it's easy to abandon a host under attack and switch to the failover. For a ddos attack to be effective they'd need to hit literally dozens of delegates at the same time. The network would then slow down for a few minutes while the delegates brought up new hosts.

Quote from: monsterer
It might be worse than you think. Typically hosting companies will actually remove the server under attack from their network in order to preserve their other customers' service. Then the control is out of the hands of the delegate under attack.

Isn't that just a good thing? It means you won't risk double-signing blocks when you start signing on your standby server. I'd want to shut down the server that's under attack anyway, and you should have a backup of your delegate wallet in a secure place so you can easily transfer the delegate to a new machine.
Worker: dev.bitsharesblocks

Offline monsterer

Re: The potential for DDoS in DPOS
« Reply #6 on: December 10, 2014, 10:59:11 AM »
Quote from: svk
Isn't that just a good thing? It means you won't risk double-signing blocks when you start signing on your standby server. I'd want to shut down the server that's under attack anyway, and you should have a backup of your delegate wallet in a secure place so you can easily transfer the delegate to a new machine.

That relies on everyone having a standby server. Imagine if a DDOS just swept over each delegate one by one waiting for them to stop responding; if the hosting companies all took them off the network, and there were no standby servers, you'd have a period of time where all transactions stopped while the dead delegates were down voted.

Actually, if all transactions stopped, no votes could ever be cast, since they take the form of a transaction?
My opinions do not represent those of metaexchange unless explicitly stated.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline svk

Re: The potential for DDoS in DPOS
« Reply #7 on: December 10, 2014, 11:11:26 AM »
Quote from: svk
Isn't that just a good thing? It means you won't risk double-signing blocks when you start signing on your standby server. I'd want to shut down the server that's under attack anyway, and you should have a backup of your delegate wallet in a secure place so you can easily transfer the delegate to a new machine.

Quote from: monsterer
That relies on everyone having a standby server. Imagine if a DDOS just swept over each delegate one by one waiting for them to stop responding; if the hosting companies all took them off the network, and there were no standby servers, you'd have a period of time where all transactions stopped while the dead delegates were down voted.
Actually, if all transactions stopped, no votes could ever be cast, since they take the form of a transaction?

Yes, I'm making the assumption that each delegate has taken some precautions in order to be able to launch a standby server using the same delegates.

Yes, no transactions mean no votes, so if all delegates were taken out the network would grind to a halt until at least one delegate came back online, who would then sign one block every 16.833 minutes on average.
Worker: dev.bitsharesblocks

Offline Riverhead

Re: The potential for DDoS in DPOS
« Reply #8 on: December 10, 2014, 11:38:50 AM »
Any IT delegate worth their salt will have failover solutions, even if it's just their home or work PC. I have two failovers on different hosting companies so in total there are three hosts from three vendors. It's not that I'm spending a lot of money on VPS services either. Since block signing is a lightweight process it's easy to have failovers running on other servers you're already using for other things.

Detecting a DDOS attack before you start missing blocks is useful as well. A simple ping monitor of the delegate can trigger a notification if ping times start to skyrocket. If all goes well you can get in in time to lock the wallet before unlocking your failover. Otherwise, in the case of most VPS hosts, you can shut down the host under attack via their dashboard web console.

So while DDoS is a real possibility it would be like stepping on a jellyfish. This is different from DDoS'ing a mining pool because all the clients are usually configured to connect to a few known IPs. Take them out and the pool is hosed. With DPoS who the heck knows where the delegate will pop up next :) .
« Last Edit: December 10, 2014, 11:44:32 AM by Riverhead »


Offline xeroc

Re: The potential for DDoS in DPOS
« Reply #10 on: December 10, 2014, 01:46:47 PM »
you can secure your delegate by something like this:
http://digitalgaia.io/backbone.html

i don't see it as a big threat .. because it's quite easy to "activate" a backup delegate machine if your main one is DDOSed .. and you can hide it behind proxy nodes
Give BitShares a try! Use the http://testnet.bitshares.eu provided by http://bitshares.eu powered by ChainSquad GmbH

Offline VoR0220

Re: The potential for DDoS in DPOS
« Reply #11 on: December 11, 2014, 10:35:32 PM »
The problem here is that I'm coming up with a project that runs generally on the BitShares DPOS consensus mechanism (have yet to post it, but it should be available soon). I'm curious if there is a way to implement something for the Delegates that would allow them to automatically block off a DDoS attack or help mitigate it in some manner so that delegates can continue to process transactions and not have to worry about being booted off. Something that would not require any additional hardware implementations or outsourcing of services. Is this possible?
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline xeroc

Re: The potential for DDoS in DPOS
« Reply #12 on: December 11, 2014, 10:50:45 PM »
in order to figure out a delegate's IP you need to have plenty of nodes on the network and do timing correlations of newly signed blocks for each delegate ..
and connect to the nodes that transmit the block to you first ...
some nodes do not allow to be connected to but only allow self-initiated connections ...

furthermore, switching to a backup delegate takes less than 10 secs and the result would be that the attacker needs to start all over ...
Give BitShares a try! Use the http://testnet.bitshares.eu provided by http://bitshares.eu powered by ChainSquad GmbH

Offline VoR0220

Re: The potential for DDoS in DPOS
« Reply #13 on: December 11, 2014, 11:24:06 PM »
Quote from: xeroc
in order to figure out a delegate's IP you need to have plenty of nodes on the network and do timing correlations of newly signed blocks for each delegate ..
and connect to the nodes that transmit the block to you first ...
some nodes do not allow to be connected to but only allow self-initiated connections ...
furthermore, switching to a backup delegate takes less than 10 secs and the result would be that the attacker needs to start all over ...

When you say "backup delegate" do you mean the next one in round? Or do you mean that same delegate performs a process whereby they can continue to solve blocks? I see that this is probably not a big problem, but I have a feeling that this will turn up down the road, especially if there is frequent contact with the delegate in a DAC.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline xeroc

Re: The potential for DDoS in DPOS
« Reply #14 on: December 11, 2014, 11:38:39 PM »
Quote from: VoR0220
When you say "backup delegate" do you mean the next one in round? Or do you mean that same delegate performs a process whereby they can continue to solve blocks? I see that this is probably not a big problem, but I have a feeling that this will turn up down the road, especially if there is frequent contact with the delegate in a DAC.

a delegate can install the private key for that delegate on multiple machines in parallel .. the maintainer just has to make sure that only one machine produces a block at any time ... there's an extra flag to enable block production ... so if your delegate is DDOSed and a signed block cannot possibly reach the network .. you can shut that machine down and switch over to a different machine .. on a different IP .. on different hardware .. possibly in a different country .. connected to the internet via different providers ... and continue signing blocks from there ..

no need to "talk" to other delegates ...

by the way .. for the network it is much worse if delegates produce multiple blocks (on different machines) .. which results in a 'soft fork' for 10 secs ... than if a delegate just misses a block .. that's not a big deal
Give BitShares a try! Use the http://testnet.bitshares.eu provided by http://bitshares.eu powered by ChainSquad GmbH
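
Added example, not part of the thread and not BitShares client code: a Python sketch of the failover that Riverhead (ping monitor) and xeroc (only one machine may produce blocks at a time) describe above. The class name, thresholds, RTT samples and the `fence_primary` / `enable_standby` callbacks are hypothetical stand-ins for whatever locks the wallet or powers off the VPS and turns block production on at the standby.

```python
from collections import deque
from statistics import median

class FailoverGuard:
    """Moves block signing from a primary host to a standby. Hypothetical helper:
    the callbacks are operator-supplied assumptions, not BitShares client APIs."""
    def __init__(self, fence_primary, enable_standby,
                 window=20, spike_factor=5.0, strikes=3, warmup=5):
        self.fence_primary = fence_primary    # lock wallet or power off host; True if confirmed
        self.enable_standby = enable_standby  # switch block production on at the standby
        self.baseline = deque(maxlen=window)  # recent healthy round-trip times (ms)
        self.spike_factor, self.strikes_needed, self.warmup = spike_factor, strikes, warmup
        self.strikes = 0
        self.state = "PRIMARY"

    def observe(self, rtt_ms):
        """Feed one probe result; rtt_ms is None when the probe timed out."""
        if self.state != "PRIMARY":
            return self.state
        if rtt_ms is not None and len(self.baseline) < self.warmup:
            self.baseline.append(rtt_ms)      # still learning the normal latency
            return self.state
        degraded = rtt_ms is None or rtt_ms > self.spike_factor * median(self.baseline)
        if degraded:
            self.strikes += 1                 # consecutive bad probes only
        else:
            self.strikes = 0
            self.baseline.append(rtt_ms)      # flood samples never shift the baseline
        if self.strikes >= self.strikes_needed:
            # Fence first: two hosts signing the same slot is worse than a missed block.
            if self.fence_primary():
                self.enable_standby()
                self.state = "STANDBY"
            else:
                self.state = "ALERT_OPERATOR"  # primary state unknown, keep standby off
        return self.state

def run_demo():
    calls = []
    def fence():
        calls.append("fence")
        return True
    # Constructed RTT samples (ms): steady baseline, one blip, then a sustained flood.
    samples = [22, 25, 21, 24, 23, 26, 240, 23, 310, None, None, 24]
    guard = FailoverGuard(fence, lambda: calls.append("enable"))
    return [guard.observe(s) for s in samples], calls

if __name__ == "__main__":
    print(run_demo())
```

If the hosting company has already pulled the attacked server off its network, the fence callback cannot confirm a wallet lock, so the guard stops at `ALERT_OPERATOR` and leaves the decision to the delegate's operator.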

 
