Developers of Ethereum, the world's No. 2 digital currency by market capitalization, have closed a serious security hole that allowed virtually anyone with an Internet connection to manipulate individual users' access to the publicly accessible ledger.
So-called eclipse attacks work by preventing a cryptocurrency user from connecting to honest peers. Attacker-controlled peers then feed the target a manipulated version of the blockchain the entire currency community relies on to reconcile transactions and enforce contractual obligations. Eclipse attacks can be used to trick targets into paying for a good or service more than once and to co-opt the target's computing power to manipulate algorithms that establish crucial user consensus. Because Ethereum supports "smart contracts" that automatically execute transactions when certain conditions in the blockchain are present, Ethereum eclipse attacks can also be used to interfere with those self-enforcing agreements.
Like most cryptocurrencies, Ethereum uses a peer-to-peer mechanism that compiles input from individual users into an authoritative blockchain. In 2015 and again in 2016, separate research teams devised eclipse attacks against Bitcoin that exploited P2P weaknesses. Both were relatively hard to pull off. The 2015 attack required a botnet or a small ISP that controlled thousands of devices, while the 2016 attack relied on the control of huge chunks of Internet addresses through a technique known as border gateway protocol hijacking. The demands made it likely that both attacks could be carried out only by sophisticated and well-resourced hackers.
Many researchers believed that the resources necessary for a successful eclipse attack against Ethereum would be considerably higher than for the Bitcoin attacks. After all, Ethereum's P2P network includes a robust mechanism for cryptographically authenticating messages, and by default peers establish 13 outgoing connections, compared with eight for Bitcoin. Now, some of the same researchers who devised the 2015 Bitcoin attack are back to set the record straight. In a paper published Thursday, they wrote:
We demonstrate that the conventional wisdom is false. We present new eclipse attacks showing that, prior to the disclosure of this work in January 2018, Ethereum's peer-to-peer network was significantly less secure than that of Bitcoin. Our eclipse attackers need only control two machines, each with only a single IP address. The attacks are off-path: the attacker controls endhosts only and does not occupy a privileged position between the victim and the rest of the Ethereum network. By contrast, the best known off-path eclipse attacks on Bitcoin require the attacker to control hundreds of host machines, each with a distinct IP address. For most Internet users, it is far from trivial to obtain hundreds (or thousands) of IP addresses. This is why the Bitcoin eclipse attacker envisioned [in the 2015 research] was a full-fledged botnet or Internet Service Provider, while the BGP-hijacker Bitcoin eclipse attacker envisioned [in the 2016 paper] needed access to a BGP-speaking core Internet router. By contrast, our attacks can be run by any kid with a machine and a script.
In January, the researchers reported their findings to Ethereum developers. They responded by making changes to geth, the most popular application supporting the Ethereum protocol. Ethereum users who rely on geth should ensure they've installed version 1.8 or higher. The researchers didn't attempt the same attacks against other Ethereum clients. In an email, Ethereum developer Felix Lange wrote:
"We have done our best to mitigate the attacks within the limits of the protocol. The paper is concerned with 'low-resource' eclipse attacks. As far as we know, the bar has been raised high enough that eclipse attacks are not feasible without more substantial resources, with the patches that have been implemented in geth v1.8.0." Lange went on to say he didn't believe another popular Ethereum app called Parity is vulnerable to the same attacks.
The paper, titled Low-Resource Eclipse Attacks on Ethereum's Peer-to-Peer Network, described two separate attacks. The simplest one relied on two IP addresses, which each generate large numbers of cryptographic keys that the Ethereum protocol uses to designate peer-to-peer nodes. The attacker then waits for a target to reboot the computer, either in the due course of time, or after the hacker sends various malicious packets that cause a system crash. As the target is rejoining the Ethereum network, the attacker uses the pool of nodes to establish incoming connections before the target can establish any outgoing ones.
The second technique works by creating a large number of attacker-controlled nodes and sending a special packet that effectively poisons the target's database with the fraudulent nodes. When the target reboots, all of the peers it connects to will belong to the attacker. In both cases, once the target is isolated from legitimate nodes, the attacker can present a false version of the blockchain. With no peers challenging that version, the target will assume the manipulated version is the official blockchain.
The researchers presented a third technique that makes eclipse attacks easier to carry out. In a nutshell, it works by setting the target's computer clock 20 or more seconds ahead of the other nodes in the Ethereum network. To prevent so-called replay attacks, in which a hacker resends an old authenticated message in an attempt to get it executed more than once, the Ethereum protocol rejects messages that are more than 20 seconds old. By setting a target's clock ahead, attackers can cause the target to lose touch with all legitimate users. The attackers use malicious nodes with the same clock time to connect to the target. Some of the same researchers behind the Ethereum eclipse technique described a variety of timing attacks in a separate paper published in 2015.
Ethereum developers put a countermeasure in place against the first attack that ensures each node will always make outgoing connections to other peers. The fix for the second attack involved limiting the number of outgoing connections a target can make to the same /24 block of IP addresses to 10. The changes are designed to make it significantly harder to completely isolate a user from other legitimate users. When even a single node presents users with a different version of the blockchain, they will be warned of an error that effectively defeats the attack.
Ethereum developers haven't implemented a fix for the time-based attack. Since it generally requires an attacker to manipulate traffic over the target's Internet connection or to exploit non-Ethereum vulnerabilities on the target's computer, it likely poses less of a threat than the other two attacks.
The researchers, from Boston University and the University of Pittsburgh, warned users to protect themselves against the eclipse threat.
"Given the increasing importance of Ethereum to the global blockchain ecosystem, we think it's imperative that countermeasures preventing them be adopted as soon as possible," they wrote. "Ethereum node operators should immediately upgrade to geth v1.8."
Here is the original post:
Ethereum fixes serious eclipse flaw that could be exploited ...