DDoS attacks and blockchain

In February 2020, a DDoS (distributed Denial of Service) attack kept the Amazon Web Services incident response team busy for days affecting customers worldwide. On February 15th this year, the cryptocurrency exchange EXMO was taken down by a DDoS attack, making it inaccessible for customers for 5 hours.

And it's not just businesses that are affected by such cyberattacks. Belgium became a victim of a DDoS attack that targeted parliament, police services, and universities. Once the critical infrastructure of vital resources such as transport networks or hospitals are affected, the consequences of such an attack can be dire.

The entities mentioned above have one thing in common: they rely on centralized networks controlled by various entities. One common argument made by blockchain enthusiasts is that a decentralized ledger (one without controlling entities) will better keep DDoS attacks at bay.

This post will explain what DDoS attacks are, how they work, and how they can even affect a blockchain. We will conclude by looking at how Minima can handle such attacks.

What are DDoS attacks?

DDoS attacks are Denial of Service attacks. During a DoS attack, an attacker will render a network unavailable by disrupting services connected to the internet. One example of a previously widespread DoS attack was the so-called "ping of death". It could crash specific network drives that contained flawed code by sending them an ICMP packet (Internet Control Message Protocol - a network layer protocol) with particular parameters.

Denial of Service attacks were historically conducted from one machine sending out packets or connection requests. However, service providers these days can quickly scale, making traditional DoS attacks less effective. Additionally, when they originate from one IP, they are easily blocked.

DDoS attacks effectively do the same by leveraging a distributed set of machines. It's important to highlight that, unlike cybersecurity threats such as viruses or Malware, DDoS attacks don't rely on actually entering the victim's system; they exploit how services normally work to their advantage.

There are various types of DDoS attacks, depending on which layer of a network they happen. Layers refer to the OSI model, conceptualizing different layers networks use to communicate. While the internet is based on a simpler TCP/IP model, OSI is still widely used to identify and troubleshoot networking problems.

Application layer attacks

During an application layer attack (also known as layer seven attack, see model above), hackers target the top layer where internet requests such as HTTP GET and HTTP Post occur. These requests will load up websites or help people log into a page during normal usage. However, attackers can exploit the disparity in resources needed for a client to send a request versus a server to answer that request. An attacker often uses botnets to send traffic to that web application using random IP addresses. If too many requests are sent to the server during an attack, it can overwhelm the server and end up denying service to legitimate traffic. Often, simply targeting an API (Application Programming Interface) with an L7 attack is sufficient to take it offline.

The difficulty for organizations is that it's complicated to distinguish between normal and attack traffic. One method of preventing such attacks are Captchas that establish that someone is not a bot before sending requests.

Protocol attacks

Protocol attacks happen on lower network layers, on the network and transport layer. They are also known as state-exhaustion attacks because they disrupt services by exhausting their resources, including load balancers and firewalls. One common protocol attack is the SYN flood.

This kind of attack exploits the TCP handshake, a process used in TCP/IP to establish connections between a server and a client. Usually, the process works as illustrated below. The Client will send "SYN" to inform the server about itself, then the server will acknowledge that message by sending SYN-ACK back, and in a third step, the Client acknowledges the response and creates a stable connection for data transfer.

During an SYN Flood, an attacker will use spoofed IP addresses to send TCP initial connection requests to the systems. The server will then wait for the final acknowledgement (which completes the handshake), but it never happens. Eventually, all resources are used up, waiting on connections rendering the target inaccessible for other traffic.

Why do attackers use DDoS attacks?

Rendering a service unavailable to users in itself doesn't always come with a direct monetary gain. That's why DDoS attacks often form part of a more multifaceted approach, for example, in combination with social engineering or ransomware, forcing a business to pay to have their services go online.

Sometimes, businesses might also use DDoS attacks to gain a competitive advantage over their competitors. Other DDoS attacks are ideologically motivated targeting, for example, oppressing governing bodies or state-sponsored, as a tactic in warfare to confuse military troops.

Now, after covering how DDoS attacks more generally work, how can they still affect blockchains, even though one promise of blockchain used to be that they are resistant to such attacks?

DDoS attacks on-chain

Anyone claiming that DDoS attacks on the blockchain are "impossible" is technically incorrect. However, in theory, having a decentralized network distributing computing power worldwide should eliminate single points of failure such as servers or apps.

Transaction Flooding

DDoS attacks on a blockchain focus on the protocol layer, with the biggest threat to blockchains being transaction flooding, mentioned earlier. Most blockchains have a fixed block size and limit how many transactions fit into a block. By sending spam transactions to the blockchain, attackers can fill the blocks and hinder legitimate transactions from being added to the chain.

When this happens, all legitimate transactions will end up in the mempool, waiting for the next block. Legitimate transactions not being added to the blockchain is already a system failure.

But transactions accumulating in the mempool can lead to another negative impact:

  • Software Crash: blockchain relies on nodes running the protocol software. Nodes receive, process and store all transactions sent to them. Usually, they have limits on how many can be stored in the mempool. This can cause issues with the software and even crash it entirely in bad cases.
  • Node failure: a direct consequence of when limits of a node are exceeded is that it might run out of memory or that the CPU gives up, taking it offline. It will require a restart to get back online.
  • Network congestion: with an extra-large amount of transactions entering the network, it can quickly get congested, which is amplified by a feature of p2p networks: nodes receive multiple copies of the same transaction.
  • Bloated ledger: Blockchains are designed to be immutable. They store all transactions from inception, including spam transactions, and there is no way (without seriously compromising the integrity of a chain) to remove transactions.

Overall, DDoS attacks can harm a blockchain's effectiveness.

Blockchains under attack

On September 14th 2021, we saw 2 DDoS attacks on two different blockchains play out.

Arbitrum

Arbitrum is a Layer-2 Scaling solution for Ethereum and works by using a sequencer that receives and reorders transactions into an inbox (basically equivalent to a mempool). During the DDoS attack, the sequencer was flooded with transactions and went offline for 45 minutes due to being overwhelmed. Without the sequencer, all other transactions were left waiting until it came back online.

Solana

The DDoS attack on Solana took the network down for hours and ended only after the devs coordinated a restart of the entire network. At peak, 400,000 transactions per second flooded the network, making the queue grow and making it harder for nodes to catch up. Eventually, validators ran out of memory and crashed, taking them offline. The block producers also noticed more resource-intense blocks and suggested forking as a resolution.

When nodes came back online, they had such a big backlog of forks to deal with that they could not catch up. Ultimately, the core team decided to go through a Hard Fork rolling back to the last stage of the network where 80% of validators agreed on the state.

What about Minima?

Unlike Solana, Minima isn't using Proof-of-Stake, and unlike Arbitrum, there is no one single sequencer putting transactions in order. Minima relies on Proof-of-Work (PoW) to secure the network. PoW was developed decades ago as a way to prevent spam by making it too expensive. Bitcoin was one of the first implementations of the algorithm, to secure a digital currency.

In Minima, every node is delivering small amounts of Proof-of-Work for each message. However, that isn't sufficient to prevent DDoS attacks, because such small amounts are effectively free. Since Minima doesn't consume more energy than a messaging app, it's unlikely that users would even notice.

To prevent DDoS attacks, one needs to create a cost to the attacker, so high, that it's illogical to even attempt. All miner-centric chains operate on the basis that having to pay a fee to miners makes DDoS economically illogical.

In Minima, there are no miners in the traditional sense. TX-Proof-of-Work helps secure the network, but it isn't sufficient to prevent attacks on its own.

Tx-PoW is Minima's implementation of a Proof-of-Work algorithm, adjusted in a way that node runners collaboratively provide small proofs, that are then added up to an entire block worth of PoW.

In theory, a botnet could provide the same Proof-of-Work as hundreds of Minima nodes. To attach a real cost to transactions, Minima implements a 'burn'. A burn is equivalent to paying a small fee. It reduces coins in circulation, making those that remain more scarce.

There is no minimum burn. It's adjusted based on network traffic. If someone decided to attack Minima, two mechanisms will deter them:

All nodes will increase the amount of PoW they do. While just an incremental change to the individual, the change will be significant across thousands or millions of nodes.

The Burn will increase when traffic increases. Therefore, attackers end up burning coins, making them more scarce.

---

This is the power of a decentralized network, where nodes work collaboratively to secure, validate, and transact.

---

The evolution will not be centralized.