Re: [Bitcoin-development] Outbound connections rotation
On Mon, Aug 18, 2014 at 2:02 PM, Ivan Pustogarov wrote: > For each neighbour, a Bitcoin peer keeps the history of addresses that > it forwarded to the neighbour. If an address was already forwarded > to a neighbour it is not retransmitted again. Okay, sorry, I thought you were saying something else. I understand. -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Outbound connections rotation
For each neighbour, a Bitcoin peer keeps the history of addresses that it forwarded to the neighbour. If an address was already forwarded to a neighbour it is not retransmitted again. An attacker can make a list of potential IP addresses of clients (say an IP range of an ISP, or listen for addresses in the Bitcoin network before the attack). Then she periodically "spams" the network with this list and updates the address-forward history at each Bitcoin peer. After each "spam" round, the attacker reconnects her connections to Bitcoin peers and thus clears the retransmission history for her connections only. As the result, when a NAT client connects to the network and advertises its address, the addresses will propagate to the attacker's connections only. On Mon, Aug 18, 2014 at 01:43:44PM -0700, Gregory Maxwell wrote: > On Mon, Aug 18, 2014 at 1:33 PM, Ivan Pustogarov > wrote: > > The attack I'm trying to address is described here: > > https://www.cryptolux.org/index.php/Bitcoin > > It was discussed here: https://bitcointalk.org/index.php?topic=632124.0 > > > > It uses the following observation. Each NATed client connects to the > > Bitcoin network > > through 8 entry peers; he also advertises his public IP address to these > > peers which > > allows an attacker to make the mapping <8-entry-peers, client-IP-address>. > > I'm afraid I'm losing you here. The node advertises himself to > everyone he is connected to and in/or out, those nodes pass along > those advertisements. When I receive an advertisement from a node I > do not know how far away the advertised peers is, presumably I can > accurately exclude it from being 0-hops— itself—) 1 or more should be > indistinguishable. Is there a reason that they're distinguishable that > I'm missing? > > Can you explain to me how you propose to produce this mapping? -- Ivan -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Outbound connections rotation
On Mon, Aug 18, 2014 at 1:33 PM, Ivan Pustogarov wrote: > The attack I'm trying to address is described here: > https://www.cryptolux.org/index.php/Bitcoin > It was discussed here: https://bitcointalk.org/index.php?topic=632124.0 > > It uses the following observation. Each NATed client connects to the Bitcoin > network > through 8 entry peers; he also advertises his public IP address to these > peers which > allows an attacker to make the mapping <8-entry-peers, client-IP-address>. I'm afraid I'm losing you here. The node advertises himself to everyone he is connected to and in/or out, those nodes pass along those advertisements. When I receive an advertisement from a node I do not know how far away the advertised peers is, presumably I can accurately exclude it from being 0-hops— itself—) 1 or more should be indistinguishable. Is there a reason that they're distinguishable that I'm missing? Can you explain to me how you propose to produce this mapping? -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Outbound connections rotation
The attack I'm trying to address is described here: https://www.cryptolux.org/index.php/Bitcoin It was discussed here: https://bitcointalk.org/index.php?topic=632124.0 It uses the following observation. Each NATed client connects to the Bitcoin network through 8 entry peers; he also advertises his public IP address to these peers which allows an attacker to make the mapping <8-entry-peers, client-IP-address>. The probability for two different clients to choose the same entry peers is negligible. When a client generates a transaction, the entry peers of the client are likely to be the first to retransmit it. The attacker establishes many connections to each reachable Bitcoin peer and listens for transactions. For each transaction she records 8-10 peers which were the first to forward this tx. As a result, if two transactions are forwarded by the same set of entry peers, they are likely to belong to the same client. Also each 8-tuples has a mapping to the client's advertised IP address. On Mon, Aug 18, 2014 at 12:37:49PM -0700, Gregory Maxwell wrote: > On Mon, Aug 18, 2014 at 11:37 AM, Ivan Pustogarov > wrote: > > the same for a long time, an attacker which does not have any peers at all > > but just listens the Bitcoin network can link together differed BC addresses > > and learn the IP of the client. > > I don't understand what you're talking about here; if you have no peer > at all you will learn nothing about the Bitcoin network. > > Can you clarify? > > > > The 8 entry peers are unique per client so if two > > users share the same IP, they can be distinguished. > > What mechanism are you referring to specifically? > > > Outbound connections are still rotated from time to time due to remote side > > disconnections. Plus outbound connections do not survive BC client restarts > > (unlike Tor Guard nodes). > > On our initial connections we do have a preference for nodes we knew > were up recently. This could be made further. That the current > behavior isn't great isn't an argument for making it worse on that > dimension. -- Ivan -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Outbound connections rotation
On Mon, Aug 18, 2014 at 11:37 AM, Ivan Pustogarov wrote: > the same for a long time, an attacker which does not have any peers at all > but just listens the Bitcoin network can link together differed BC addresses > and learn the IP of the client. I don't understand what you're talking about here; if you have no peer at all you will learn nothing about the Bitcoin network. Can you clarify? > The 8 entry peers are unique per client so if two > users share the same IP, they can be distinguished. What mechanism are you referring to specifically? > Outbound connections are still rotated from time to time due to remote side > disconnections. Plus outbound connections do not survive BC client restarts > (unlike Tor Guard nodes). On our initial connections we do have a preference for nodes we knew were up recently. This could be made further. That the current behavior isn't great isn't an argument for making it worse on that dimension. -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Outbound connections rotation
Yes, I agree that if a client rotates its outbound connections then sooner or later he will connect to a malicious peer. This case considers an attacker which has some peers in the network. E.g. renting 500 IP addresses for 0.01 USD per IP per hour will cost 3600 USD per month: doable but still not for free. I think that revealing the origin (or rather public IP) of a distinct transaction is tolerable. The learned public IP can be shared by several users. So a big ISP can server as a anonymyzer which prevents from linking tx of the same user. Rotation will help against low-resource attackers with no peers at all. The reason for rotation is that if client's 8 outbound connections stay the same for a long time, an attacker which does not have any peers at all but just listens the Bitcoin network can link together differed BC addresses and learn the IP of the client. The 8 entry peers are unique per client so if two users share the same IP, they can be distinguished. In order to protect himself from this specific attack, a client can also set only 3-4 outbound connections, so the proposed modification is just another potential defence. If it is useful for other things, it' great. > If you rotate where you send out your transactions then with > very high probability a sybil pretending to be many nodes will observe > you transmitting directly. Outbound connections are still rotated from time to time due to remote side disconnections. Plus outbound connections do not survive BC client restarts (unlike Tor Guard nodes). On Mon, Aug 18, 2014 at 10:21:07AM -0700, Gregory Maxwell wrote: > On Mon, Aug 18, 2014 at 9:46 AM, Ivan Pustogarov > wrote: > > Hi there, > > I'd like to start a discussion on periodic rotation of outbound connections. > > E.g. every 2-10 minutes an outbound connections is dropped and replaced > > by a new one. > > Connection rotation would be fine for improving a node's knoweldge > about available peers and making the network stronger against > partitioning. > > I haven't implemented this because I think your motivation is > _precisely_ opposite the behavior. If you keep a constant set of > outbound peers only those peers learn the origin of your transactions, > and so it is unlikely that any particular attacker will gain strong > evidence. If you rotate where you send out your transactions then with > very high probability a sybil pretending to be many nodes will observe > you transmitting directly. > > Ultimately, since the traffic is clear text, if you expect to have any > privacy at all in your broadcasts you should be broadcasting over tor > or i2p. -- Ivan -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Outbound connections rotation
Yes, I believe peer rotation is useful, but not for privacy - just for improving the network's internal knowledge. I haven't looked at the implementation yet, but how I imagined it would be every X minutes you attempt a new outgoing connection, even if you're already at the outbound limit. Then, if a connection attempt succeeds, another connection (according to some scoring system) is replaced by it. Given such a mechanism, plus reasonable assurances that better connections survive for a longer time, I have no problem with rotating every few minutes. On Aug 18, 2014 7:23 PM, "Gregory Maxwell" wrote: > On Mon, Aug 18, 2014 at 9:46 AM, Ivan Pustogarov > wrote: > > Hi there, > > I'd like to start a discussion on periodic rotation of outbound > connections. > > E.g. every 2-10 minutes an outbound connections is dropped and replaced > > by a new one. > > Connection rotation would be fine for improving a node's knoweldge > about available peers and making the network stronger against > partitioning. > > I haven't implemented this because I think your motivation is > _precisely_ opposite the behavior. If you keep a constant set of > outbound peers only those peers learn the origin of your transactions, > and so it is unlikely that any particular attacker will gain strong > evidence. If you rotate where you send out your transactions then with > very high probability a sybil pretending to be many nodes will observe > you transmitting directly. > > Ultimately, since the traffic is clear text, if you expect to have any > privacy at all in your broadcasts you should be broadcasting over tor > or i2p. > > > -- > ___ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Outbound connections rotation
> > Connection rotation would be fine for improving a node's knoweldge > about available peers and making the network stronger against > partitioning. > It's also the first/next step towards decentralising the DNS seeds (for SPV clients), as it'd allow each node to explore the network and return better quality results in getaddr. > If you rotate where you send out your transactions then with > very high probability a sybil pretending to be many nodes will observe > you transmitting directly. > This is sort of what Tor is going through with their guard nodes and how often to rotate them. I think the attack Ivan is talking about does not require sybil attacks to work though, just listening to lots of peers. Raising the bar to require the attacker to receive lots of connections seems like a win. -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Outbound connections rotation
On Mon, Aug 18, 2014 at 9:46 AM, Ivan Pustogarov wrote: > Hi there, > I'd like to start a discussion on periodic rotation of outbound connections. > E.g. every 2-10 minutes an outbound connections is dropped and replaced > by a new one. Connection rotation would be fine for improving a node's knoweldge about available peers and making the network stronger against partitioning. I haven't implemented this because I think your motivation is _precisely_ opposite the behavior. If you keep a constant set of outbound peers only those peers learn the origin of your transactions, and so it is unlikely that any particular attacker will gain strong evidence. If you rotate where you send out your transactions then with very high probability a sybil pretending to be many nodes will observe you transmitting directly. Ultimately, since the traffic is clear text, if you expect to have any privacy at all in your broadcasts you should be broadcasting over tor or i2p. -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Outbound connections rotation
Simply by observing timing from sufficiently geo-graphically and network-ly dispersed nodes, you may deduce the original broadcaster of a transaction. Rotating peers doesn't help. That said, periodic rotation can be helpful. Every 2-10 minutes is excessive. On Mon, Aug 18, 2014 at 12:46 PM, Ivan Pustogarov wrote: > Hi there, > > I'd like to start a discussion on periodic rotation of outbound connections. > E.g. every 2-10 minutes an outbound connections is dropped and replaced > by a new one. > > Motivation: > Each bitcoin non-UPnP client behind NAT has 8 outbound connections > which change only rarely (due to occasional remote side disconnections). > A subset of these 8 entry nodes uniquely identifies a user. > An attacker can listen for transactions in Bitcoin network and for each > transaction record the first 8 peers which forwarded the transaction. > If two distinct transactions (with unrelated bitcoin addresses) > come from the same set of 8 peers, the attacker can conclude that they > originated from the same user. This gives another method (in addition > to transaction graph analysis) for an attacker to link different BC > addresses of the same user. > Also note that by default bitcoin clients advertise their public IP > addresses. The attacker can link the advertised IP's to corresponding > 8 entry nodes and use it to deanonymise Bitcoin clients. > > If a bitcoin client periodically rotates his set of outbound > connections, his 8-peers fingerprint is blurred over time. > > Corresponding pull request is #4723. > > Some details are here: https://www.cryptolux.org/index.php/Bitcoin > > -- > Ivan > > -- > ___ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development -- Jeff Garzik Bitcoin core developer and open source evangelist BitPay, Inc. https://bitpay.com/ -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
[Bitcoin-development] Outbound connections rotation
Hi there, I'd like to start a discussion on periodic rotation of outbound connections. E.g. every 2-10 minutes an outbound connections is dropped and replaced by a new one. Motivation: Each bitcoin non-UPnP client behind NAT has 8 outbound connections which change only rarely (due to occasional remote side disconnections). A subset of these 8 entry nodes uniquely identifies a user. An attacker can listen for transactions in Bitcoin network and for each transaction record the first 8 peers which forwarded the transaction. If two distinct transactions (with unrelated bitcoin addresses) come from the same set of 8 peers, the attacker can conclude that they originated from the same user. This gives another method (in addition to transaction graph analysis) for an attacker to link different BC addresses of the same user. Also note that by default bitcoin clients advertise their public IP addresses. The attacker can link the advertised IP's to corresponding 8 entry nodes and use it to deanonymise Bitcoin clients. If a bitcoin client periodically rotates his set of outbound connections, his 8-peers fingerprint is blurred over time. Corresponding pull request is #4723. Some details are here: https://www.cryptolux.org/index.php/Bitcoin -- Ivan -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development