amaclin



Offline



Activity: 1260

Merit: 1008







LegendaryActivity: 1260Merit: 1008 Cheap way to attack blockchain August 31, 2015, 07:58:03 AM

Last edit: August 31, 2015, 08:12:51 AM by amaclin #1



The last attacks were based on filling the blocks with transactions.

This is because of limit of block size. (Consensus rule that the blocksize is below 1mb)



But there are another limits for block which can not be changed without hard fork.



There is a limit of SIGOPS in transactions included to a block.



consensus.h

Code: /** The maximum allowed size for a serialized block, in bytes (network rule) */

static const unsigned int MAX_BLOCK_SIZE = 1000000;

/** The maximum allowed number of signature check operations in a block (network rule) */

static const unsigned int MAX_BLOCK_SIGOPS = MAX_BLOCK_SIZE/50;



So, MAX_BLOCK_SIGOPS is 20000



How does the client calculate the number of SIGOPS? Let us look to the sources.



main.cpp

Code: if (fStrictPayToScriptHash)

{

// Add in sigops done by pay-to-script-hash inputs;

// this is to prevent a "rogue miner" from creating

// an incredibly-expensive-to-validate block.

nSigOps += GetP2SHSigOpCount(tx, view);

if (nSigOps > MAX_BLOCK_SIGOPS)

return state.DoS(100, error("ConnectBlock(): too many sigops"),

REJECT_INVALID, "bad-blk-sigops");

}



Miner node includes transactions to a block while the nSigOps not exceeds 20000.

The block with nSigOps > 20000 will be invalid (consensus rule) and will be rejected by all other nodes.



Now let us look the transaction

https://blockchain.info/tx/6766e75d6166a0a14bd814921d0f903285e15779e648d7ec52a4f7c0868ec07d

and calculate the number of SIGOPS in it



All input scripts are redeeming from p2sh-outputs with the inner scripts build on the same template:

Code: OP_0

OP_IF

OP_15

OP_CHECKMULTISIG

OP_ENDIF

OP_SMALLINTEGER

The number of SIGOPS in this small script is 15 (this is maximum value to pass IsStandard)

And the total number of SIGOPS in 6766e75d6166a0a14bd814921d0f903285e15779e648d7ec52a4f7c0868ec07d is 15 * 15 = 225



So, the maximum number of such transactions in one block is only 88 (because floor ( 20000 / 225 ) = 88)

And inserting 88 such transactions in one block leaves only 200 SIGOPS for regular transactions.

Which leaves a room only for ~100 transactions in block for other persons



The attack vector should be:

1) create and fund a big number of such p2sh-utxo

2) redeem them to OP_RETURN or to regular output



Each such transaction costs 0.00045 for dishonest attacker (can be even less)

88 transactions (attack one block) will cost only 0.0396 BTC

Daily attack 5.7024 BTC - not a big deal



Wanna hire me for this dirty job?



Seems to me that I know new way to attack & flood bitcoin network.The last attacks were based on filling the blocks with transactions.This is because of limit of block size. (Consensus rule that the blocksize is below 1mb)But there are another limits for block which can not be changed without hard fork.consensus.hSo, MAX_BLOCK_SIGOPS is 20000How does the client calculate the number of SIGOPS? Let us look to the sources.main.cppMiner node includes transactions to a block while the nSigOps not exceeds 20000.The block with nSigOps > 20000 will be invalid (consensus rule) and will be rejected by all other nodes.Now let us look the transactionand calculate the number of SIGOPS in itAll input scripts are redeeming from p2sh-outputs with the inner scripts build on the same template:The number of SIGOPS in this small script is 15 (this is maximum value to pass IsStandard)And the total number of SIGOPS in 6766e75d6166a0a14bd814921d0f903285e15779e648d7ec52a4f7c0868ec07d is 15 * 15 =So, the maximum number of such transactions in one block is only 88 (because floor ( 20000 / 225 ) = 88)And inserting 88 such transactions in one block leaves only 200 SIGOPS for regular transactions.Which leaves a room only for ~100 transactions in block for other personsThe attack vector should be:1) create and fund a big number of such p2sh-utxo2) redeem them to OP_RETURN or to regular outputEach such transaction costs 0.00045 for dishonest attacker (can be even less)88 transactions (attack one block) will cost only 0.0396 BTCDaily attack 5.7024 BTC - not a big dealWanna hire me for this dirty job?

fairglu



Offline



Activity: 1096

Merit: 1026







LegendaryActivity: 1096Merit: 1026 Re: Cheap way to attack blockchain August 31, 2015, 08:17:44 AM #2 Quote from: amaclin on August 31, 2015, 07:58:03 AM

88 transactions (attack one block) will cost only 0.0396 BTC

Daily attack 5.7024 BTC - not a big deal



Wanna hire me for this dirty job?

Each such transaction costs 0.00045 for dishonest attacker (can be even less)88 transactions (attack one block) will cost only 0.0396 BTCDaily attack 5.7024 BTC - not a big dealWanna hire me for this dirty job?

Main "weakness" for this attack is that miners could easily just ignore those transactions, without involving any hard fork.



Only the pools that accept those transactions *and* that do not prioritize transactions in a block by total fee would be impacted, pools that build their blocks based on max fee they can rack in a block would automatically eliminate them, they may just need to take the SIGOPS limit into their block optimization code, but that's all.



In practice only the "faucet pools", those that accept zero-fee tx and do not prioritize tx would likely feel the attack.



So the practical spamming would be limited to relaying and the mempool, so no biggy. Main "weakness" for this attack is that miners could easily just ignore those transactions, without involving any hard fork.Only the pools that accept those transactions *and* that do not prioritize transactions in a block by total fee would be impacted, pools that build their blocks based on max fee they can rack in a block would automatically eliminate them, they may just need to take the SIGOPS limit into their block optimization code, but that's all.In practice only the "faucet pools", those that accept zero-fee tx and do not prioritize tx would likely feel the attack.So the practical spamming would be limited to relaying and the mempool, so no biggy. -- Chainz - Alternative Explorers for Alternative Crypto-currencies --

basil00



Offline



Activity: 60

Merit: 10







MemberActivity: 60Merit: 10 Re: Cheap way to attack blockchain August 31, 2015, 10:49:53 AM #4

[Consider the script "OP_0 OP_IF OP_15 OP_CHECKMULTISIG OP_ENDIF OP_1", e.g.

see 3PxwzLuPZtgHuz2J9ocg6ejNcci5WbtS3h



This script is 6 bytes and "consumes" 15 sigops if I am not mistaken. An

attacker can use this to fill the block sigop limit of 20000. E.g. See

6766e75d6166a0a14bd814921d0f903285e15779e648d7ec52a4f7c0868ec07d (225 sigops

in ~740 bytes). An attacker spends just 0.04BTC ($10.70) to "fill" a block

with high-fee transactions.



reddit.com/u/basil00



salt: 3md9smcjd7jkafh83mdlsjc9w,03m

]

Take the sha256 of everything between the square brackets [...] (including empty line at the end) and it will match Yes this is a known attack. I independently discovered it a few weeks ago:Take the sha256 of everything between the square brackets [...] (including empty line at the end) and it will match this hash. This is a version of the message I sent to Peter Todd to report the problem. Peter informed me that it is a known problem. I didn't release it publicly because it could be used for a very cheap and effective DoS attack (currently just $9USD to "fill" a block).

basil00



Offline



Activity: 60

Merit: 10







MemberActivity: 60Merit: 10 Re: Cheap way to attack blockchain August 31, 2015, 11:12:30 AM

Last edit: August 31, 2015, 11:29:34 AM by basil00 #6 Quote

This was releasing the attack vector for everyone

You put it into blockchainThis was releasing the attack vector for everyone

Hey...there's no connection between me an that alleged transaction .



Anyway, as Peter said, this is a known problem, meaning that I was not the first to figure it out. If I figured it out then so will others.



I'm not sure what the fix is though. That crappy sigop-counting code is consensus critical. Probably we need a tightening of the IsStandard() rules... Hey...there's no connection between me an that alleged transactionAnyway, as Peter said, this is a known problem, meaning that I was not the first to figure it out. If I figured it out then so will others.I'm not sure what the fix is though. That crappy sigop-counting code is consensus critical. Probably we need a tightening of the IsStandard() rules...

tommorisonwebdesign



Offline



Activity: 448

Merit: 250









Sr. MemberActivity: 448Merit: 250 Re: Cheap way to attack blockchain September 01, 2015, 07:32:48 PM #9 Sounds like the best way to plug this loophole is to create the blacklist as suggested. Good to see developers catching this stuff before there is an attack on the whole network. Signatures? How about learning a skill... I don't care either way. Everybody has to make a living somehow.

amaclin



Offline



Activity: 1260

Merit: 1008







LegendaryActivity: 1260Merit: 1008 Re: Cheap way to attack blockchain September 01, 2015, 08:12:47 PM #10 Quote from: tommorisonwebdesign on September 01, 2015, 07:32:48 PM Sounds like the best way to plug this loophole is to create the blacklist as suggested. Good to see developers catching this stuff before there is an attack on the whole network. You can not create a blacklist before the attack start.

Because I can create and fund thousands such addresses



Code: OP_DUP

OP_NOTIF

OP_15

OP_CHECKMULTISIG

<push couple random bytes>

OP_ENDIF

is spendable by OP_1



Yes, it is possible to change the transaction priority algorithm

You can not create a blacklist before the attack start.Because I can create and fund thousands such addressesis spendable by OP_1Yes, it is possible to change the transaction priority algorithm

amaclin



Offline



Activity: 1260

Merit: 1008







LegendaryActivity: 1260Merit: 1008 Re: Cheap way to attack blockchain September 07, 2015, 03:16:35 PM #18 Quote from: speaktome on September 06, 2015, 07:43:42 PM

Is joke of course. More like to somebody Gonna touch your door.Is joke of course.

I do not break country laws.

And there are no "laws" in bitcoin protocol. Only math and current consensus.

I can flood the network because I am able to do it. Just for fun.

(In fact, I try not to spend my time for non-profitable things)

For what? I can tell you my home address.I do not break country laws.And there are no "laws" in bitcoin protocol. Only math and current consensus.I can flood the network because I am able to do it. Just for fun.(In fact, I try not to spend my time for non-profitable things)