DDoS attacks are one of the most frequently mentioned in the virtual space. And how much can technologically advanced blockchains resist them? Is Free TON vulnerable? Or Free TON is the Superman of the crypto world.
One of the classic methods of attacking computer networks is DDoS (Distributed Denial of Service) — an attack carried out simultaneously by a large number of computers to cause a denial of service to a service or network.
During a DDoS attack, the attacker sends a huge number of requests to the victim (computer network or resource) aimed at exhausting its data processing capabilities by disrupting its correct functioning. The success of an attack depends on the network bandwidth, the computing power of the victim, and the load that the attacker can organize.
If the number of requests during a DDoS attack exceeds the capabilities of infrastructure components, then responses are generated much slower than usual, or some requests from users remain unanswered at all.
DDoS Attack: Aspects for Cryptocurrencies
Besides the primitive “throwing packets” (overloading the network and nodes with garbage packets), an attacker can take advantage of the implementation features of the blockchain technology by attacking specific of its mechanisms.
For example, you can divide transactions into smaller ones (to increase competition in the block), load the blockchain with the calculation of complex smart contracts, attack network nodes (similar to the Sybil attack) and validators, or attack the consensus mechanism.
Without going into details, it can be noted that each blockchain has several built-in protection mechanisms.
So Bitcoin has built-in protection against denial of service attacks. For example, the block size is limited to 1 MB to make it harder to clog up full node memory pools, and each script does not exceed 10,000 bytes. Both the number of signature checks that a block can require (20k) and the number of multisignatures (20 keys maximum) are limited.
Bitcoin clients block all suspicious nodes and transactions. In the latest version of the Bitcoin Satoshi client, they have added a function to register non-standard transactions (over 100 kilobytes). Also, when processing transactions, the client verifies all outputs to be unspent.
To motivate nodes to perform calculations on the Ethereum network, there is a concept of a calculations fee: each operation performed has its own specific cost, expressed in the so-called amount of gas. The concept of payment for code execution, first, guarantees a reward to the node executing the transaction and protects the network from DDoS attacks, and, second, it solves the problem in which the execution of the smart contract code can be infinite.
DDoS Attack Cases
Such protection does not always help, which leads not only to losses but also undermines confidence in the technology.
So in May 2018, the Verge platform was subjected to DDoS attack. During the attack, using a glitch in Verge’s technology when mining several blocks in a short time, the attackers stole the equivalent of $1.7 million.
Not only blockchain platforms themselves, but also crypto exchanges are subject to DDoS attacks. So in November-December 2017, DDoS attacks for quite a long time significantly slowed down and suspended the work of the Bitfinex crypto exchange.
It is also interesting that according to research by Atlas VPV analysts in 2020, despite five-year growth, the number of attacks on blockchains decreased for the first time, compared to the same period of the previous year.
DDoS Attacks on Blockchain Mechanisms, Including Free TON
To find out about the vulnerabilities of Free TON to such attacks, we turned to Sergei Prilutsky, an expert on the security of decentralized solutions, head of software research at MixBytes.
- How reliable and immune to DDoS attacks is the Free TON platform design?
Absolutely any distributed service is vulnerable to DDoS attacks, and Free TON is no exception. But the Free TON network has one important feature. When creating the blockchain, the TON team, which has extensive experience in resisting the blocking of its services (Telegram), paid a lot of attention to the network stack. It was originally written to allow the network to change its configuration flexibly and painlessly. This allows the nodes of the network to change addresses very quickly, “escaping” from the attack, and all interactions do not require the establishment of permanent connections, depriving the attacker of the opportunity to “keep busy” the network resources of the nodes.
- Are the implementation features of the algorithms sufficient to protect against DDoS attacks? How “expensive” can they be for an attacker?
Public blockchains are not attractive targets for DDoS because nodes are initially designed to work openly on the Internet without external security means, without user authorization, i.e. in the most aggressive environment.
Any operation that consumes the resources of the blockchain node is paid for, and in TON the payment for resources is extremely strict: for example, storage space is not just paid, but rented, and when performing a transaction, everything is paid for, including the smallest operations. A DDoS attack on the internal logic of the blockchain is possible only with the help of huge financial investments, which, in the case of such an attack, will go to the network validators.
- In your opinion, what changes can be made to the Free TON operation principles to improve fault tolerance?
First of all, this is the analysis and penetration testing of the Free TON network subsystem, since it is the only attractive target for a DDoS attack. To do this, it makes sense to use a bug bounty program, deploying a test network that specialists can attack to detect bugs. By the way, in Free TON, any specialist can submit a bounty to the community discussion and most likely receive a reward for fixing critical bugs. In addition, the Free TON community ran a validator game, in which validators competed in the stability of their nodes by testing the network under load.
Such contests have no analogs in the centralized world — they are full-fledged combat exercises for a public network resisting DDoS attacks. Such contests can be re-run at any time under the harshest conditions, implementing the “survival of the fittest” principle and encouraging hackers with a deep understanding of the anatomy of DDoS attacks to take part in such contests on the side of validators.