Groups keyboard shortcuts have been updated
Dismiss
See shortcuts
Demonstrating Pinning Attacks under Real-World Conditions
298 views
Skip to first unread message
Antoine Riard
Aug 27, 2024, 5:13:13 PM8/27/24
to Bitcoin Development Mailing List
Hi list,
I'm following-up on Dave Harding''s proposition in another recent email thread.
> How would that work? AFAIK, there's no LN software using TRUC, very few
> relay nodes are using it (since it isn't yet enabled by default in a
> release version), and no miners are using it (again, since it hasn't
> been released). I'm willing to put money at stake to settle a
> disagreement that can't be settled with words, but I want to at least
> learn something from the process.
I think it would benefit greatly the bitcoin ecosystem to have in place few
lightning nodes running on mainnet, against which folks can freely exercise
sophisticated cross-layers attacks (e.g pinning) to demonstrate their feasibility
and severity, in a plain fashion.
Indeed, this is one thing to execute an attack on a private regtest or even
testnet, another on mainnet in real-world conditions where the results can be
evaluated and discussed by a wide audience. I already call to put in place such
attack demonstration experiences in the past (cf. in the context of the transaction
relay workshop in 2021 [0]) and it would be more akin to the research standards
at major sec confs demanding for artifacts.
So if we have more candidates, beyond Dave, who wish to put in place "free-to-pown"
lightning nodes, the basic setup could be the following for useful demo attacks results:
- a full-node (e.g core or btcd)
- a ligtning node (e.g core-lightning / ldk / lnd)
- running default mainnet setting for both softwares
What else ?
It is more interesting to run with default mainnet settings, as testnet / regtest
have usually myriads of specific behaviors and have all the real mempools congestion
cycles to deal with. As someone wishing to do attack demo, I'm fine pouring the satoshis
funds to open new channels, you only need to be above the dust threshold to exercise
interesting attacks.
A cynical observer of bitcoin and lightning protocol development (of which, of course
I'm not !), could say that given the level of technical complexity of a full-node
software and a lightning implementation and the hardness to evaluate cross-layer attacks like pinning, some lightning domain experts and maintainers are deliberately abusing the belief of lightning end-users about the protocol robustness and as such misleading end-users about the safety of their moneys (and LSPs about the viability of their economics units) [1].
From the viewpoint of a security researcher wishing to demonstrate the feasibility
and severity of some cross-layers attacks in bitcoin, having running public nodes would
be very useful. There is also the option to do that on private infra and come back with
a trace on mainnet, though it would lose its public verifiability aspect.
My utmost pleasure to demonstrate some pinning attacks on nodes under real-world conditions.
Cheers,
Antoine
ots hash: 63f58d2557beef5eb1b04f530f91d3febd682ae078933790fcdc1ac94356cf40
[0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-May/018925.html
[1] And on that regard, it's often the ones who are spending their time on social medias
and numerous podcasts whining about the purity of their intention or always recalling their FOSS veterans credentials as some mark of authority who are the more suspicious to falter about some sense of accountability towards end-users...It can be good to re-read Nietzsche.
I'm following-up on Dave Harding''s proposition in another recent email thread.
> How would that work? AFAIK, there's no LN software using TRUC, very few
> relay nodes are using it (since it isn't yet enabled by default in a
> release version), and no miners are using it (again, since it hasn't
> been released). I'm willing to put money at stake to settle a
> disagreement that can't be settled with words, but I want to at least
> learn something from the process.
I think it would benefit greatly the bitcoin ecosystem to have in place few
lightning nodes running on mainnet, against which folks can freely exercise
sophisticated cross-layers attacks (e.g pinning) to demonstrate their feasibility
and severity, in a plain fashion.
Indeed, this is one thing to execute an attack on a private regtest or even
testnet, another on mainnet in real-world conditions where the results can be
evaluated and discussed by a wide audience. I already call to put in place such
attack demonstration experiences in the past (cf. in the context of the transaction
relay workshop in 2021 [0]) and it would be more akin to the research standards
at major sec confs demanding for artifacts.
So if we have more candidates, beyond Dave, who wish to put in place "free-to-pown"
lightning nodes, the basic setup could be the following for useful demo attacks results:
- a full-node (e.g core or btcd)
- a ligtning node (e.g core-lightning / ldk / lnd)
- running default mainnet setting for both softwares
What else ?
It is more interesting to run with default mainnet settings, as testnet / regtest
have usually myriads of specific behaviors and have all the real mempools congestion
cycles to deal with. As someone wishing to do attack demo, I'm fine pouring the satoshis
funds to open new channels, you only need to be above the dust threshold to exercise
interesting attacks.
A cynical observer of bitcoin and lightning protocol development (of which, of course
I'm not !), could say that given the level of technical complexity of a full-node
software and a lightning implementation and the hardness to evaluate cross-layer attacks like pinning, some lightning domain experts and maintainers are deliberately abusing the belief of lightning end-users about the protocol robustness and as such misleading end-users about the safety of their moneys (and LSPs about the viability of their economics units) [1].
From the viewpoint of a security researcher wishing to demonstrate the feasibility
and severity of some cross-layers attacks in bitcoin, having running public nodes would
be very useful. There is also the option to do that on private infra and come back with
a trace on mainnet, though it would lose its public verifiability aspect.
My utmost pleasure to demonstrate some pinning attacks on nodes under real-world conditions.
Cheers,
Antoine
ots hash: 63f58d2557beef5eb1b04f530f91d3febd682ae078933790fcdc1ac94356cf40
[0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-May/018925.html
[1] And on that regard, it's often the ones who are spending their time on social medias
and numerous podcasts whining about the purity of their intention or always recalling their FOSS veterans credentials as some mark of authority who are the more suspicious to falter about some sense of accountability towards end-users...It can be good to re-read Nietzsche.
Peter Todd
Sep 3, 2024, 9:20:55 AM9/3/24
to Antoine Riard, Bitcoin Development Mailing List
On Tue, Aug 27, 2024 at 02:10:15PM -0700, Antoine Riard wrote:
> My utmost pleasure to demonstrate some pinning attacks on nodes under
> real-world conditions.
Antoine Riard: until Oct 1st, you have permission to test your attacks against
> My utmost pleasure to demonstrate some pinning attacks on nodes under
> real-world conditions.
my Lightning node running at:
023345274dd80a01c0e80ec4892818878...@alice.opentimestamps.org:9735
That also happens to be my Alice OpenTimestamps calendar, in production, so
please don't do anything you expect to be CPU or RAM intensive. But if you
accidentally take down the server, not the end of the world: OTS is a very
redundant protocol and one calendar going down for a few hours is unlikely to
do any harm.
It has about $400 of outgoing capacity at the moment, and $2000 inbound. It
gets hardly any donations at the moment, so if you manage to knock LND offline
that's no big deal.
That's not my money - it's donations to the OTS calendars that I have no right
to spend - so I'll ask you to pay for any expenses incurred by it during
testing, and make a $100 net donation when you're done testing to make it
worthwhile for the OTS community. If you manage to lose more than that on
justice transactions, I'll consider that a donation. :)
--
https://petertodd.org 'peter'[:-1]@petertodd.org
Antoine Riard
Sep 3, 2024, 4:13:46 PM9/3/24
to Peter Todd, Bitcoin Development Mailing List
> That also happens to be my Alice OpenTimestamps calendar, in production, so
> please don't do anything you expect to be CPU or RAM intensive. But if you
> accidentally take down the server, not the end of the world: OTS is a very
> redundant protocol and one calendar going down for a few hours is unlikely to
> do any harm.
>
> It has about $400 of outgoing capacity at the moment, and $2000 inbound. It
> gets hardly any donations at the moment, so if you manage to knock LND offline
> that's no big deal.
>
> That's not my money - it's donations to the OTS calendars that I have no right
> to spend - so I'll ask you to pay for any expenses incurred by it during
> testing, and make a $100 net donation when you're done testing to make it
> worthwhile for the OTS community. If you manage to lose more than that on
> justice transactions, I'll consider that a donation. :)
> please don't do anything you expect to be CPU or RAM intensive. But if you
> accidentally take down the server, not the end of the world: OTS is a very
> redundant protocol and one calendar going down for a few hours is unlikely to
> do any harm.
>
> It has about $400 of outgoing capacity at the moment, and $2000 inbound. It
> gets hardly any donations at the moment, so if you manage to knock LND offline
> that's no big deal.
>
> That's not my money - it's donations to the OTS calendars that I have no right
> to spend - so I'll ask you to pay for any expenses incurred by it during
> testing, and make a $100 net donation when you're done testing to make it
> worthwhile for the OTS community. If you manage to lose more than that on
> justice transactions, I'll consider that a donation. :)
Many thanks Peter for that.
No worries, I won't play with CPU or RAM, it's just all the transaction-relay
and mempool logic that one can interfere with. I'll make you whole of the $2400
if the LND node goes down too hard, though I'm just looking for a node running
on mainnet, for a pinning the attacker has two open to channels and re-balance
the liquidity at its advantage a bit. I'll provide the liquidity by myself.
If you have an on-chain donation address on the OTS website (?), I'll make a
$100 donation now, it's a nice tool. And for the justice transaction...well
for some scenarios you can use the latest valid commitment state to pin no risk
of being slashed by a justice transaction.
Best,
Antoine
ots hash: 19d9b61ed5238e2922205a0a0194e0830b260a691f45b4189b1d145f72c9e031
No worries, I won't play with CPU or RAM, it's just all the transaction-relay
and mempool logic that one can interfere with. I'll make you whole of the $2400
if the LND node goes down too hard, though I'm just looking for a node running
on mainnet, for a pinning the attacker has two open to channels and re-balance
the liquidity at its advantage a bit. I'll provide the liquidity by myself.
If you have an on-chain donation address on the OTS website (?), I'll make a
$100 donation now, it's a nice tool. And for the justice transaction...well
for some scenarios you can use the latest valid commitment state to pin no risk
of being slashed by a justice transaction.
Best,
Antoine
ots hash: 19d9b61ed5238e2922205a0a0194e0830b260a691f45b4189b1d145f72c9e031
Antoine Riard
Oct 10, 2024, 8:29:02 PM10/10/24
to Bitcoin Development Mailing List
Hi all,
> If you have an on-chain donation address on the OTS website (?), I'll make a
> $100 donation now, it's a nice tool. And for the justice transaction...well
> for some scenarios you can use the latest valid commitment state to pin no risk
> of being slashed by a justice transaction.
Been late on demonstrating a real-world pinning attack against a production lightning
node. But I swear it's real sport having to jungle with more than one category of
exploit to soundly test.
OTS is a great project. I'll make a donation to it of 1 gram of gold or the equivalent
in fiats or satoshis at settlement (as $100 sounds to be almost equal to 1 gram of gold,
i.e $84.66 those days) for each month late on doing a demonstrationg of real-world pinning
attack, as a lateness penalty.
Beyond it's a great tool to make notarization of any kind of digital info, inside the
chain where for every block there are probably two-digit terawatt hours burnt, which
starts to be a f*cking lot of hydro power plants.
More generally, I called since late 2020 at least for making real-world demonstration
of pinning attacks against lightning nodes, among others types of cross-layers attacks,
At the exception of 2 ligthning protocol devs if my memory is correct, all the others
ones since then have shunned away from participating in a real-world demo, and Peter
Todd was the first one to consent and make available a lightning node available for
real-world demos in a "black box" fashion (indeed, it's far easier to execute exploits
on testing envs fully set by the researcher...).
In the future, I believe it can only be great if bitcoin security exploits are gauged
more or less on the lines of artifacts available, evaluated and reproduced, as done
usually by major infosec confs.
Best,
Antoine
ots hash: 9d227f7832154c4c8bce9fce260ac84537489c1bc8c4b8c2ba990ceb197c84fc
> If you have an on-chain donation address on the OTS website (?), I'll make a
> $100 donation now, it's a nice tool. And for the justice transaction...well
> for some scenarios you can use the latest valid commitment state to pin no risk
> of being slashed by a justice transaction.
node. But I swear it's real sport having to jungle with more than one category of
exploit to soundly test.
OTS is a great project. I'll make a donation to it of 1 gram of gold or the equivalent
in fiats or satoshis at settlement (as $100 sounds to be almost equal to 1 gram of gold,
i.e $84.66 those days) for each month late on doing a demonstrationg of real-world pinning
attack, as a lateness penalty.
Beyond it's a great tool to make notarization of any kind of digital info, inside the
chain where for every block there are probably two-digit terawatt hours burnt, which
starts to be a f*cking lot of hydro power plants.
More generally, I called since late 2020 at least for making real-world demonstration
of pinning attacks against lightning nodes, among others types of cross-layers attacks,
At the exception of 2 ligthning protocol devs if my memory is correct, all the others
ones since then have shunned away from participating in a real-world demo, and Peter
Todd was the first one to consent and make available a lightning node available for
real-world demos in a "black box" fashion (indeed, it's far easier to execute exploits
on testing envs fully set by the researcher...).
In the future, I believe it can only be great if bitcoin security exploits are gauged
more or less on the lines of artifacts available, evaluated and reproduced, as done
usually by major infosec confs.
Best,
Antoine
ots hash: 9d227f7832154c4c8bce9fce260ac84537489c1bc8c4b8c2ba990ceb197c84fc
waxwing/ AdamISZ
Oct 11, 2024, 11:23:47 AM10/11/24
to Bitcoin Development Mailing List
Antoine,
Perhaps it would be an idea to write a gist or some other public facing page with what you need from volunteers, so it's kind of step by step?
Unlike Peter in this thread, I think most people would want/have to set up new nodes to do this.
You have said: Current and default installs of Core/btcd + lnd/cln/ldk . I know that e.g. Core has some pretty non-trivial choices but I guess we can stick religiously to whatever is default.
But other details like:
amount in channels - does it matter?
How many channels? Channels of specific types (thinking e.g. unannounced)
Should volunteers have channels with each other? is there any aspect of topology you require?
Network connectivity - I guess it's not important, but just in case worth mentioning, e.g. should/should not use Tor etc.
Forgive me if some of the questions are ignorant, I have not paid a ton of attention to the discussion around these attacks.
Antoine Riard
Oct 12, 2024, 3:34:18 AM10/12/24
to Bitcoin Development Mailing List
Hi waxwing,
Thanks for the idea of writing some gist, yes it's worthy to explain step-by-step if there are volunteers.
We did at least once such "blackbox" testing of attacks affecting lightning implementation for the dust
outputs inflation vuln, and since then the few skilled devs who knows how to set correctly lightning+bitcoind
nodes are usually very busy.
Yes, usually for Core it's sticking to the transaction-relay / mempool defaults, as it's how the lightning specs
are mostly written.
For the other questions:
amount in channel - does not really matter as long as you can do few non dust outputs (i.e above `GetDustThreshold`)
how many channels - only two are necessary for all the pinning kind of stuff, maybe one more to rebalance the liquidty accordingly
should volunteers have channels with each other? is there any aspect of topology you require? - no, for the simple scenario it's only a routing node setup
network connectivity - no Tor connections doesn't play to test the easy scenarios.
If you wish to catch-up a bit on all those attacks, see that years-old gist of mine which was
documenting a bit transaction-relay jamming: https://gist.github.com/ariard/7e509bf2c81ea8049fd0c67978c521af
After browsing it again, a lot of the stuff is still actual, the only big thing missing is
the replacement cycling attack. That one I still have remorses towards the whole bitcoin community
to not have caught it back at the time in 2020, and that it took me 2 more years to find it.
Best,
Antoine
ots hash: fbbc40b46cdf7c2877b5e2720519fd3dcaa99dbd1ac96ac5cbd0c08f0c3e94e5
Thanks for the idea of writing some gist, yes it's worthy to explain step-by-step if there are volunteers.
We did at least once such "blackbox" testing of attacks affecting lightning implementation for the dust
outputs inflation vuln, and since then the few skilled devs who knows how to set correctly lightning+bitcoind
nodes are usually very busy.
Yes, usually for Core it's sticking to the transaction-relay / mempool defaults, as it's how the lightning specs
are mostly written.
For the other questions:
amount in channel - does not really matter as long as you can do few non dust outputs (i.e above `GetDustThreshold`)
how many channels - only two are necessary for all the pinning kind of stuff, maybe one more to rebalance the liquidty accordingly
should volunteers have channels with each other? is there any aspect of topology you require? - no, for the simple scenario it's only a routing node setup
network connectivity - no Tor connections doesn't play to test the easy scenarios.
If you wish to catch-up a bit on all those attacks, see that years-old gist of mine which was
documenting a bit transaction-relay jamming: https://gist.github.com/ariard/7e509bf2c81ea8049fd0c67978c521af
After browsing it again, a lot of the stuff is still actual, the only big thing missing is
the replacement cycling attack. That one I still have remorses towards the whole bitcoin community
to not have caught it back at the time in 2020, and that it took me 2 more years to find it.
Best,
Antoine
ots hash: fbbc40b46cdf7c2877b5e2720519fd3dcaa99dbd1ac96ac5cbd0c08f0c3e94e5
Reply all
Reply to author
Forward
0 new messages