From aj at erisian.com.au Mon Oct 19 21:58:01 2015
From: aj at erisian.com.au (Anthony Towns)
Date: Tue, 20 Oct 2015 07:58:01 +1000
Subject: [Lightning-dev] Preventing MITM - Providing new nodes with real pubkeys
In-Reply-To:
References: <20151016230141.GA22262@navy> <20151019014100.GA19146@navy>
Message-ID: <20151019215801.GA18268@navy>

On Mon, Oct 19, 2015 at 09:45:34AM +0200, Mats Jerratsch wrote:
> All of your assumptions have the premise though, that choosing a
> 'good' vs a 'bad' guy is pure probability, like picking the right ball
> out of a bag. [...]

Three sorts of attack:

 - Vandals randomly join the lightning network with dysfunctional
   nodes. They don't have special powers to corrupt your network, and
   aren't targeting anyone in specific, just trying to damage things
   because they think lightning is a bad idea and want to stop it
   happening. This is just a denial of service attack. This is the
   class of attack that gives the "pure probability" of hitting a bad
   node.

 - Sybil attack, where someone is targeting you personally, and
   controlling all the nodes you connect to. This is the "compromised
   wifi or ISP" case, and afaics denial-of-service is trivial here, so
   all you can reasonably do is detect that you can't send funds to
   anyone usefully, and avoid locking up lots of funds while trying.

 - Pervasive attack, where everyone in some large group is
   simultaneously suffering from a sybil attack; eg the Chinese gov or
   an ISP blocks lightning connections unless they're to one of its
   nodes, so they always see both ends of payments between their
   victims. This seems very expensive to pull off to me (you have to do
   deep inspection of a whole bunch of people's internet connections),
   but I'm not sure it can be effectively defended against. "Oh I was
   just forwarding that to someone else" doesn't work if there wasn't
   any way you could make a channel with anyone else (or if secretly
   forwarding payments is criminal in itself).

> Think about an attacker who is able to MITM your internet connection,
> like the hotspot you connect to at a Cafe (or your ISP if hijacked).
> They can build locally a gigantic network, all pointing to the same
> node. You can't tell, and they don't have to necessarily just block
> your payments.

(see above)

But you can tell, just by seeing whether a well-known third party's
lightning address is routable? If every node on your network is an
attacker's, then you won't see the third party's address. If you do see
a route to the third party (ie, Me -> Attacker -> Attacker -> Attacker
-> Bob -> Carol -> Third party), then you could work backwards asking
Carol and Bob to connect directly to you, which would get you a
non-attacker node with reasonable probability, assuming there are any.

I guess there's two ways in which a node is "on the network" -- one is
if it's reachable by p2p hopping ("Hey, what are your neighbours'
network addresses?" "Okay, connect to them and repeat"), the other if
it's routable over established channels.

If you do a Sybil attack against p2p hopping, my argument is you can
still use the payment channels as a way of connecting to other nodes.
And if you do a Sybil attack against both p2p hopping /and/ the graph of
channels, then that's detectable because well-known nodes simply won't
appear in the graph.

> Only nuisance is that it requires either SPV or full node to check the
> anchor, but I kinda like the idea of having all (or a good amount) of
> lightning nodes be full bitcoin nodes as well.

You need to monitor the blockchain for spends of your own anchors
anyway, so that doesn't seem like a big additional limitation to me.

Cheers,
aj
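
The routability check described in the message above, as an added example that is not part of the original e-mail or of any Lightning implementation. It assumes the channel list has already been checked against on-chain anchors; the node names, the "isolated"/"routable" verdicts and the function names are hypothetical.

```python
from collections import deque

def build_graph(channels):
    """Undirected adjacency map from (node_a, node_b) channel pairs."""
    graph = {}
    for a, b in channels:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def route_to(graph, me, target):
    """Shortest hop path me..target over channels (BFS), or None."""
    prev, queue = {me: None}, deque([me])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for peer in sorted(graph.get(node, ())):
            if peer not in prev:
                prev[peer] = node
                queue.append(peer)
    return None

def assess_view(channels, me, well_known):
    """Return (verdict, candidates) for the channel graph we were shown.

    "isolated" means no well-known node is routable: the detectable case
    where both p2p hopping and the channel graph are under Sybil attack.
    Otherwise candidates are nodes on the routes, nearest the well-known
    node first, to ask for a direct connection.
    """
    graph, routable, candidates = build_graph(channels), False, []
    for target in well_known:
        path = route_to(graph, me, target)
        if path is None:
            continue
        routable = True
        # Skip ourselves, our current peer and the target itself.
        for node in reversed(path[2:-1]):
            if node not in candidates:
                candidates.append(node)
    return ("routable" if routable else "isolated"), candidates

# Constructed sample views (not real network data).
SYBIL_VIEW = [("me", "atk1"), ("atk1", "atk2"), ("atk2", "atk3")]
MIXED_VIEW = SYBIL_VIEW + [("atk3", "bob"), ("bob", "carol"), ("carol", "thirdparty")]
```
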