LN has the same vulnerability. Except it's worse since there's an incentive to spam the network with probes.
how come there hasn’t been a widespread attack like this on Lightning yet?
It's already constantly being "attacked" with probes. As the number of attackers scales linearly, the number of probes scales exponentially. Nodes running old versions of LND are already crashing because of a bloated channels.db from all the failed route events.
The bandwidth consumed is still relatively low, but it won't be long before many nodes' connections are saturated with bogus forward requests.
Bandwidth isn't even the limiting factor. More likely it's the number of in-flight HTLC slots on a channel. If these probes are designed to not fail quickly, then the ability to DOS the network is even easier.
appreciate the insight. what is the worst-case scenario if an attacker tries to harm the lightning network?
said differently, if you were trying to inflict the most damage possible, how would you attack the lightning network?
A single actor could disable a few high throughput channels and increase average fee for everyone transacting during the attack.
If the attacker could specifically target nodes known to run LND, then they could sustain a constant probe attack, forcing the node to log every attempt until the node's disk filled up, causing a system crash.
Repeat until a majority of nodes are offline. However, sophisticated node operators can defend this attack.
The systemic issue is that every actor on the network is incentivized to attack it in order to build a higher resolution map of the network (one that includes channel balance estimates). This additional data gained from spamming could be used to make payment routes more efficiently or to surveil the network and identify payment flows.
IMO the protocol needs to allow charging a fee for attempted payments, not just successful ones.
That way, nodes that charge an "attempt fee" would be probed less. However, it creates a new dynamic where honest senders want to prioritize routes that they think will succeed, instead of just brute-forcing routes until success. Or maybe they just avoid nodes charging attempt fees altogether.
Nodes could adopt a change to their channel policy where they dynamically set MAX_HTLC depending on the local balance in their channel. This would let the network know an estimate of their true balance without needing to be probed. It's a voluntary disclosure that could result in more routes if peers are trying to avoid fees from attempted routes.
But updating the MAX_HTLC policy too frequently will contribute to gossip spam (another DOS vector).
If gossip is spammed too much, payments could fail because the sender did not include adequate fees to pay intermediate nodes along a route. This is because the fee policy change was delayed in propagating through the network and the sender was using the old fee when they built the onion.
It already takes about 10 minutes for a policy change to propagate. When you change your channel policy, you're effectively disabling it for up to 10 mins. It's currently free to spam gossip as much as you want, thus increasing this "cooldown" time for everyone.
IMO the gossip protocol should limit the relaying of policy updates if the node is updating too frequently. Maybe a node should be allowed 1 batch update per day, for example.
Each solution has a whole set of new issues it introduces. Nothing is likely to change until DOS becomes a common occurrence. Even then, Tor gets DOS'd all the time and the maintainers have expressed no desire to address it.
LN is still nascent. If an attacker wanted to cause as much chaos as possible, they would wait until major institutions and global trade depend on LN, then attack.
I'll argue that, as early adopters, it's our duty to exploit the network in any way we can while it's young and still capable of change.
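Two of the proposals in the comment above, advertising a MAX_HTLC derived from the local balance and limiting how often one node's policy updates get relayed, sketched as an added Python example. This is not LND's code or anything posted in the thread; the bucket count, the one-update-per-day window and the node ids are constructed assumptions.

```python
"""Toy model of two proposals from the thread: a coarse max_htlc derived from
local balance, and a relay rate limit on channel_update. Added example, not LND."""
from collections import defaultdict, deque
BUCKETS = 8  # assumed quantization: fewer updates, less balance leakage

def max_htlc_for_balance(local_sat: int, capacity_sat: int, buckets: int = BUCKETS) -> int:
    """Round the local balance DOWN to a bucket boundary so the advertised
    max_htlc never promises more than the channel can actually forward."""
    if capacity_sat <= 0 or not 0 <= local_sat <= capacity_sat:
        raise ValueError("balance must lie within channel capacity")
    step = max(1, capacity_sat // buckets)
    return (local_sat // step) * step

def needs_new_policy(advertised_max_htlc: int, local_sat: int, capacity_sat: int) -> bool:
    """Only re-gossip when the balance has crossed a bucket boundary."""
    return max_htlc_for_balance(local_sat, capacity_sat) != advertised_max_htlc

class GossipRelayLimiter:
    """Relay at most `limit` channel_updates per origin node per window;
    excess updates are held and only the newest held one is relayed later."""
    def __init__(self, limit: int = 1, window_s: int = 86_400):
        self.limit, self.window_s = limit, window_s
        self.relayed = defaultdict(deque)  # node_id -> relay timestamps in window
        self.pending = {}                  # node_id -> newest held update

    def offer(self, node_id: str, update: dict, now: int) -> bool:
        q = self.relayed[node_id]
        while q and now - q[0] >= self.window_s:   # forget relays outside the window
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            self.pending.pop(node_id, None)
            return True                              # relay immediately
        self.pending[node_id] = update               # supersede any older held update
        return False

    def flush(self, now: int) -> list:
        """Relay held updates whose origin has budget again; returns what was sent."""
        sent = []
        for node_id, update in list(self.pending.items()):
            if self.offer(node_id, update, now):
                sent.append((node_id, update))
        return sent

if __name__ == "__main__":
    lim = GossipRelayLimiter()
    print(max_htlc_for_balance(530_000, 1_000_000))            # 500000
    print(lim.offer("node_a", {"max_htlc": 500_000}, now=0))   # True
    print(lim.offer("node_a", {"max_htlc": 375_000}, now=60))  # False, held until the window passes
    print(lim.flush(now=86_400))                               # the held update goes out now
```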
incredibly thorough response, take my sats!
Top comment two years ago!
Two days in a row!
Thanks, never knew about this.
That alert has been up since June 9th.
However just recently admins for both Bisq and RoboSats have reported their services have been impacted.
Oh wow, I just saw that now.
that's crazy - if you think about who would have incentives/ a motive to do so. I can only think about governments or anti-piracy companies...
how expensive is it to run a ddos attack like this?
I don't know the exact prices but I know there are ready-to-buy botnets on the Darkweb. So it's actually quite commoditized - and there are many 3+ year old Android phones that don't get security updates anymore, it's not a rare resource.
If a major player does so, they probably need to pay a law firm which in turn uses an IT service shell company which costs a lot - I'm speculating here, this is far from any evidence that this happened.
appreciate the insight!
My vote is that it's a Chainalysis company doing this :P
oh, that makes a lot of sense as well
govts & anti-privacy actors... that's a pretty big list.
We should add Chainalysis companies to the list :)
China?
Netflix & Disney & Warner Music maybe 🤔
Anyone know whether it's possible to run a full node under both Tor and I2P at the same time?
yes, it is possible.
bitcoin over Tor:
https://youtu.be/57GW5Q2jdvw
bitcoin over i2p: https://youtu.be/2kyt6O-T0nA
how long do these attacks typically last? what is the end-goal for the attacker?
this seems like a big deal, but i have no technical knowledge of tor or ddos attacks. can you recommend any resources to read up on why these attacks happen and what success looks like for the attacker?
Congratulations! This was the top post of the day two years ago.
Two days in a row!
Spun up a proxy here to do my part