There is currently an attack that is possible on the BitShares network where an attacker could:
- use timing of block propagations to discover which are the IP addresses of delegates
- use a DDoS attack on those delegates to take them down
This has been described more in details in this thread
This can be easily thwarted by "hiding" the delegates and making sure that it is not possible to identify the source of a newly signed block. To this end, I propose the following solution:http://digitalgaia.io/backbone.htmltl;dr:
hide the delegates behind some public relay nodes. In this way, it looks like that all blocks originate from the backbone and it is not possible to know who signed them. At first I would like to have 2 nodes in the US, 2 in Europe and 2 in Asia.How to make it happen?
Just vote for my delegate, btstools.digitalgaia
(30% payrate), and as soon as it gets elected I will buy some VPS instances for the backbone nodes and start working on setting them up, as well as developing the software required to manage those nodes.
Note that I would also set up seed nodes / chain servers, which can make initial sync to the network faster, as well as allowing nodes to get on the correct chain in case of a fork (by syncing with a chain server that's on the main fork, you also get on the main fork).Criticism
Although a good start, this is not a perfect solution (yet!):
- Whoever runs the backbone nodes can perform the same attack on the delegates (although it is now limited to the person running the backbone nodes, instead of basically anyone simply connected to the network).
- The backbone itself can be DDoS'ed. In this case:
- if delegates are only connected to the backbone, and the entire backbone falls, then they don't have connections anymore to the network. This can be mitigated by delegates starting to connect to normal nodes when they see that the backbone starts falling.
- the delegates can also maintain their own set of relays instead of trusting the backbone's operator. This is more work (and more money spent on VPS), but you don't need to trust anyone else than yourself. Being able to run the software developed for the backbone would be a great help here, so even though a delegate doesn't plan on using the backbone, he could still benefit from it being developed.Why you should trust me
I already am the author of the bts_tools python package (GitHub
), which help delegates monitor their own running instance, and I'd like to expand the functionality of the tools so as to also be able to manage a group of nodes or specialized instances of nodes in the BitShares network. In particular, I'd like them to be able to manage a configuration of seed nodes + backbone nodes as described previously.Is this going to be a cost for the blockchain forever?
For now, I request a 30% delegate, as this would cover the cost of the VPS instances and my time for developing the software and maintaining the backbone.
Assuming that the backbone is running and fully operational, the following can happen in the future:
- I further investigate ways to make the backbone itself completely DDoS resistant, and/or try to make it autonomous and able to replace fallen nodes automatically with nodes provided by trusted members of the community. If this is achievable, and the backbone can self-sustain itself, then my delegate's position would not be required anymore.
- Instead of being paid as a delegate, I can monetize the backbone service by asking delegates wanting to use it to pay me directly for the service, as well as other ways of securing a delegate that I might come up with. Initially, I think that making it available for everyone is beneficial for the entire network, though, hence the delegate's position.Conclusion
I'd like to be elected as a 30% paid delegate to implement a solution for DDoS protection for delegates, and potentially investigate more avenues in order to enhance the security of the BitShares network.
I'd also be interested to hear feedback on whether people think that the backbone is an interesting and effective solution to the DDoS problem, and if not, what could be done instead.