📅 Original date posted:2017-06-13
📝 Original message:
Hi,
=======
Problem
=======
One major vulnerability of the Lightning network is that, if someone
wants to perform a DoS attack on the network, that possible for the
attacker by sending many large transactions to himself, over a long
route, and letting them time out (never reveal the payment pre-image).
Nobody (including the attacker) gains or loses any funds, but a lot of
funds get locked up, and the total cost of lost opportunity to innocent
nodes is a lot higher than that of the attacker.
In Milan, we came to a solution for this DoS mode, where nodes require
either a fast commit or roll-back within a short amount of time (say 30
seconds), or a proof that another channel was closed. This increases the
cost for the attacker with the cost of closing a channel.
I've always disliked this approach a bit, since a "proof that another
channel was closed" can only be accepted by other nodes in the route if
all those nodes can understand such proof; this means that if a route
hops over channels on different block chains (e.g. alt coins or side
chains), or different channel designs, some nodes have to understand all
these varieties. This limits freedom of node pairs to join the network
with new / unusual channels in a useful way.
So far, I had accepted this, as the DoS-protection really seemed
necessary.
================
Another approach
================
Last week, Michiel de Jong (CC'ed) presented Interledger at a local
cryptocurrency meet-up here in Delft. Since Interledger's core feature
is the routing between different 'ledgers' (including block chains, but
also banks), using HTLCs on different hops in the same way as Lightning,
I asked him how they were planning to avoid this DoS mode.
His answer was basically that transactions were being sent in really
small parts at a time, so that, at any given point in time, only a small
amount would be locked. If it turns out to be locked for a long time,
that would not be a problem since it's only a small amount. I suggested
that, if you do transactions this way, you might as well just add the
locked amount to the channel transaction fee, and thereby avoid the
complexity of the HTLC.
=============
Will it work?
=============
Initially, my concern with splitting a tx into many small parts was that
it creates the possibility that only a part of the funds gets
transferred. I now think that, in most cases, that will not be an issue,
since usually a certain amount of trust is already required between the
endpoints of a transaction, e.g. when you pay for physical goods, you
have to trust they will be delivered. Based on the same trust, the
endpoints of the transaction can cooperate to resolve the situation,
e.g. with an attempt to refund through Lightning, or by paying through a
new channel.
But: does this really resolve the DoS attack mode? I suppose that, after
locking funds in one small transaction, an attacker can easily lock
funds in another small transaction, and so on; in the end locking up the
same amount of funds for the same amount of time as in the original
attack. Once you detect that one small transaction doesn't unlock, you
have to somehow stop all subsequent transactions from the attacker.
If, on a channel-level, you just say "I'll no longer accept any new
transactions as long as one transaction keeps being locked", I think
you'll end up worse: it will allow an attacker to disable entire
channels (potentially very high-capacity channels) with very small
attack funds, for all users, for the same lock time. So, to prevent
this, you have to distinguish the attacker from regular users; this is
difficult in a network where the identity of source and destination are
protected , e.g. by Sphinx routing.
**Maybe this is where Lightning and Interledger are different? I don't
know enough about Interledger.**
==========
Solutions?
==========
Maybe this can be resolved by requiring nodes to "unwrap the onion" in
case of a transaction that stays locked for too long? This would be
mostly useful towards the payee, since the payee side is responsible for
either showing the hash pre-image, or voluntarily canceling the
transaction. This could identify the "closest non-cooperating node" in
the route, but it wouldn't prevent the next locked transaction, since
you can't see in advance where an onion-routed transaction is going.
The next thing you could say is "the last cooperating node in the route
(a direct neighbor of the closest non-cooperating node) is no longer
allowed to forward payments through the non-cooperating node". Instead,
he has to immediately roll back any transaction that is aimed in that
direction.
If the otherwise cooperative node fails this rule, you mark it as
non-cooperative; the next time, the second-last cooperating node is no
longer allowed to forward payments through that node. This may continue
a couple of times, until a truly cooperative node follows all the rules,
and attacker transactions are canceled in a fast an efficient manner by
that node.
This might work if there is only a single route on the network
(line-shaped network), but I'm afraid an attacker can significantly
delay being blocked, by creating a part of the network under his own
control, which has at least one "cooperating" node as gateway, followed
by large numbers of non-cooperating nodes, which are continuously being
replaced once old ones are being flagged as non-cooperating. Also, it
could force Lightning nodes to keep very large lists of which nodes have
to block which of their neighbors.
Do you have any thoughts on this?
CJP
PS.
I couldn't find anything related to this in the Lightning RFC:
https://github.com/lightningnetwork/lightning-rfc
CJP [ARCHIVE] /
npub13q…cuzdm
2023-06-09 12:47:24
in reply to nevent1q…p3z5
Author Public Key
npub13q863scgpsaanrjhfn7dd4h48lgnupgkcs828arzj4pckrq8hh6s4cuzdmPublished at
2023-06-09 12:47:24Event JSON
{
"id": "79ee497ddd43ae634e844967ad99ef18b0e0d4ae481c8afb21293729eed1b31e",
"pubkey": "880fa8c3080c3bd98e574cfcd6d6f53fd13e0516c40ea3f46295438b0c07bdf5",
"created_at": 1686314844,
"kind": 1,
"tags": [
[
"e",
"04a5f2332d9eb14d88359d4f579585e7c59727de252fdc7407c9b46f6dc96af9",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2017-06-13\n📝 Original message:\nHi,\n\n=======\nProblem\n=======\n\nOne major vulnerability of the Lightning network is that, if someone\nwants to perform a DoS attack on the network, that possible for the\nattacker by sending many large transactions to himself, over a long\nroute, and letting them time out (never reveal the payment pre-image).\nNobody (including the attacker) gains or loses any funds, but a lot of\nfunds get locked up, and the total cost of lost opportunity to innocent\nnodes is a lot higher than that of the attacker.\n\nIn Milan, we came to a solution for this DoS mode, where nodes require\neither a fast commit or roll-back within a short amount of time (say 30\nseconds), or a proof that another channel was closed. This increases the\ncost for the attacker with the cost of closing a channel.\n\nI've always disliked this approach a bit, since a \"proof that another\nchannel was closed\" can only be accepted by other nodes in the route if\nall those nodes can understand such proof; this means that if a route\nhops over channels on different block chains (e.g. alt coins or side\nchains), or different channel designs, some nodes have to understand all\nthese varieties. This limits freedom of node pairs to join the network\nwith new / unusual channels in a useful way.\n\nSo far, I had accepted this, as the DoS-protection really seemed\nnecessary.\n\n================\nAnother approach\n================\n\nLast week, Michiel de Jong (CC'ed) presented Interledger at a local\ncryptocurrency meet-up here in Delft. Since Interledger's core feature\nis the routing between different 'ledgers' (including block chains, but\nalso banks), using HTLCs on different hops in the same way as Lightning,\nI asked him how they were planning to avoid this DoS mode.\n\nHis answer was basically that transactions were being sent in really\nsmall parts at a time, so that, at any given point in time, only a small\namount would be locked. If it turns out to be locked for a long time,\nthat would not be a problem since it's only a small amount. I suggested\nthat, if you do transactions this way, you might as well just add the\nlocked amount to the channel transaction fee, and thereby avoid the\ncomplexity of the HTLC.\n\n=============\nWill it work?\n=============\n\nInitially, my concern with splitting a tx into many small parts was that\nit creates the possibility that only a part of the funds gets\ntransferred. I now think that, in most cases, that will not be an issue,\nsince usually a certain amount of trust is already required between the\nendpoints of a transaction, e.g. when you pay for physical goods, you\nhave to trust they will be delivered. Based on the same trust, the\nendpoints of the transaction can cooperate to resolve the situation,\ne.g. with an attempt to refund through Lightning, or by paying through a\nnew channel.\n\nBut: does this really resolve the DoS attack mode? I suppose that, after\nlocking funds in one small transaction, an attacker can easily lock\nfunds in another small transaction, and so on; in the end locking up the\nsame amount of funds for the same amount of time as in the original\nattack. Once you detect that one small transaction doesn't unlock, you\nhave to somehow stop all subsequent transactions from the attacker.\n\nIf, on a channel-level, you just say \"I'll no longer accept any new\ntransactions as long as one transaction keeps being locked\", I think\nyou'll end up worse: it will allow an attacker to disable entire\nchannels (potentially very high-capacity channels) with very small\nattack funds, for all users, for the same lock time. So, to prevent\nthis, you have to distinguish the attacker from regular users; this is\ndifficult in a network where the identity of source and destination are\nprotected , e.g. by Sphinx routing.\n\n**Maybe this is where Lightning and Interledger are different? I don't\nknow enough about Interledger.**\n\n==========\nSolutions?\n==========\n\nMaybe this can be resolved by requiring nodes to \"unwrap the onion\" in\ncase of a transaction that stays locked for too long? This would be\nmostly useful towards the payee, since the payee side is responsible for\neither showing the hash pre-image, or voluntarily canceling the\ntransaction. This could identify the \"closest non-cooperating node\" in\nthe route, but it wouldn't prevent the next locked transaction, since\nyou can't see in advance where an onion-routed transaction is going.\n\nThe next thing you could say is \"the last cooperating node in the route\n(a direct neighbor of the closest non-cooperating node) is no longer\nallowed to forward payments through the non-cooperating node\". Instead,\nhe has to immediately roll back any transaction that is aimed in that\ndirection.\n\nIf the otherwise cooperative node fails this rule, you mark it as\nnon-cooperative; the next time, the second-last cooperating node is no\nlonger allowed to forward payments through that node. This may continue\na couple of times, until a truly cooperative node follows all the rules,\nand attacker transactions are canceled in a fast an efficient manner by\nthat node.\n\nThis might work if there is only a single route on the network\n(line-shaped network), but I'm afraid an attacker can significantly\ndelay being blocked, by creating a part of the network under his own\ncontrol, which has at least one \"cooperating\" node as gateway, followed\nby large numbers of non-cooperating nodes, which are continuously being\nreplaced once old ones are being flagged as non-cooperating. Also, it\ncould force Lightning nodes to keep very large lists of which nodes have\nto block which of their neighbors.\n\nDo you have any thoughts on this?\n\nCJP\n\nPS.\nI couldn't find anything related to this in the Lightning RFC:\nhttps://github.com/lightningnetwork/lightning-rfc",
"sig": "a4df29137123f70cb2184f7581af7b7c60ea89f9bd7513d90146fd869cbd1bcfd5c2ba5134e38a3169ce47e48bf0e98007398ad8bef6cebb1387e79e5cad08e5"
}