Mitigating Sybil attacks by requiring an upfront cost for farming nodes

I am currently looking at the security assumptions behind the routing nodes to prove the algorithms correct and secure with regard to a certain number of attacks. At the moment I am looking at limiting the extent of a Sybil attack, in which one node can pretend to have multiple identities, which in turn defeats the purpose of quorum-based validation (for example requiring approval of 28/32 nodes for an operation to be valid) because the same node can appear multiple times in the same group. One way to do so is to add an economic cost to create an identity.

I am entertaining the possibility of tying the creation of a routing (EDIT: previously written farming) node identifier to the spending of a certain amount of Bitcoins. What would you guys think of having to spend, let’s say 1$US in Bitcoins to create a farming node? Moreover, what if that 1$US would have to be sent to an address controlled by the MaidSafe Foundation? Would that seem reasonable? What about a higher price, like 10$US or 100$US?

(The fact that the cost is in Bitcoin is also somewhat arbitrary and would make the bootstrap of the beta network easier, but nothing precludes having to spend Safecoins instead.)

The additional benefit is that it also introduces an upfront cost to running a malicious node, so an attack on the network would need to have an expected “return-on-investment” higher than the upfront cost of deploying a certain number of malicious nodes.

3 Likes

I don’t know, maybe it’s needed. But most of the vaults will create a number of identities won’t they? And if you want to join a group, the group will decide your address isn’t it? So how can the same node appear multiple times in the same group? You need to create a big number of them then?

2 Likes

Botnet that enslaved 770,000 PCs worldwide comes crashing down | Ars Technica

Imagine such botnet spawning zillions of farming nodes. A fee for starting a farming node could prevent that. The fee could be activated after the Beta period. BUT, if there is some other solution available then perhaps a fee can be avoided. Or if the problem of Sybil attacks etc isn’t that severe, then a fee may just be an unnecessary burden for honest farmers.

1 Like

I thought a minimum level of rank is required to be able to effectively vote in a consensus group? That way there is an upfront proof-of-work requirement.

That would deteriorate the neutrality of the network in my opinion.

I think it’d scare regular farmers off more than attackers, especially the state sponsored ones with virtually unlimited money to burn. A lower number of regular farmers in turn weakens the security, since there’ll be far less small nodes with no ulterior motives.

An attack may not be about direct financial profit, but simply about destroying the (reputation of) the SAFE network. In that case it’s about power, and the powers that be are willing to spend billions on retaining and/or expanding power. Especially if they can indirectly print those billions themselves anyway.

5 Likes

I thought there was no need for this and am surprised it's an issue. Is it? If so, please can you explain why the network is vulnerable - or at least detail the Sybil attack and how it is possible given the network behaviour planned.

Regarding the up-front barrier to farming, this is a massive bad thing from the network point of view and to be avoided unless absolutely necessary.

Farming as a checkbox confirmation on installing SAFE is a great feature and to be retained if at all possible!

4 Likes

I don’t know, maybe it’s needed. But most of the vaults will create a number of identities won’t they?

I am currently looking at the identities at the Routing layer, which are used to allow the nodes to communicate securely and as part of groups to mitigate the impact of malicious nodes. I am not familiar enough with the behaviour of Vaults yet to comment on how they manage identities.

I changed the original post to say that I was actually talking about a Routing identifier. The rest of the post still applies since farming nodes also participate in Routing so an up-front cost would show up for farmers.

And if you want to join a group, the group will decide your address isn’t it?

As far as I understand, at the moment you generate identities and try to join groups near each identity generated until one accepts you.

So how can the same node appear multiple times in the same group?

In the absence of any limitation mechanism, a malicious node could run a different version of the code that would create additional identities to join in with multiple identifiers simultaneously.

You need to create a big number of them then?

Yes, if a malicious node can generate enough identities, some of them would fall within the same group. If that happens, the assumption that a quorum of 28/32 nodes can tolerate up to 4 malicious nodes in the same group does not hold anymore because it implicitly relies on the direct correspondence between a malicious entity and a single identifier.

It is therefore necessary that something limits the creation of identities.

I thought a minimum level of rank is required to be able to effectively vote in a consensus group? That way there is an upfront proof-of-work requirement.

If that is the case, then that could potentially be a good limitation mechanism. We would need to look then at how to bootstrap such a mechanism because you need a certain number of nodes in the first place to challenge the nodes that join later. Who assesses the initial nodes then?

In addition, we need to look closer at that proof-of-work mechanism because it effectively might limit the rate of growth of the network. If chosen incorrectly, that might prevent the network from accepting a sudden surge in popularity from legitimate users.

Moreover, what if that 1$US would have to be sent to an address controlled by the MaidSafe Foundation?

That would deteriorate the neutrality of the network in my opinion.

I am not quite sure about what you mean by neutrality here. I am thinking that the funds could then be allocated to community projects through a democratic vote by farmers.

I think it’d scare regular farmers off more than attackers, especially the state sponsored ones with virtually unlimited money to burn. A lower number of regular farmers in turn weakens the security, since there’ll be far less small nodes with no ulterior motives.

If the amount was chosen such that a farmer would get back the upfront cost in a few hours/days/weeks in revenues, it could still be attractive to farm. It would however add an additional step to joining in, which would add friction and certainly deter some users.

@happybeing:

I thought there was no need for this and am surprised it's an issue. Is it? If so, please can you explain why the network is vulnerable - or at least detail the Sybil attack and how it is possible given the network behaviour planned.

See above. I am still thinking through the actual damage such an attack could cause, I’ll come back with more details as I figure things out.

Regarding the up-front barrier to farming, this is a massive bad thing from the network point of view and to be avoided unless absolutely necessary.

Farming as a checkbox confirmation on installing SAFE is a great feature and to be retained if at all possible!

I fully agree that to ensure the widest adoption possible there needs to be as little friction as possible for new users to join in. We also need to ensure the good guys outnumber the bad ones ;-).

1 Like
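The quorum argument in the reply above (28/32 tolerates at most 4 malicious identifiers per group) can be put into numbers. The following is an added example, not part of any post in this thread and not MaidSafe code; it assumes identifiers land uniformly at random, uses a constructed population of 1000 honest identifiers, lets SHA-256 of a label stand in for a routing identifier, and all function names are hypothetical.

```python
import hashlib
from math import comb

GROUP_SIZE = 32                   # group size quoted in the thread
QUORUM = 28                       # approvals required (28/32)
TOLERATED = GROUP_SIZE - QUORUM   # at most 4 malicious identifiers per group

def p_group_captured(total_ids: int, sybil_ids: int) -> float:
    """P(more than TOLERATED of one group's members are Sybil identifiers).

    Assumption: identifiers land uniformly at random, so a group is a random
    draw of GROUP_SIZE identifiers from the population (hypergeometric).
    """
    if total_ids < GROUP_SIZE:
        raise ValueError("population smaller than one group")
    safe = sum(comb(sybil_ids, k) * comb(total_ids - sybil_ids, GROUP_SIZE - k)
               for k in range(TOLERATED + 1))
    return 1 - safe / comb(total_ids, GROUP_SIZE)

def identities_needed(honest_ids: int, p_target: float) -> int:
    """Smallest number of Sybil identifiers giving capture probability >= p_target."""
    s = 0
    while p_group_captured(honest_ids + s, s) < p_target:
        s += 1
    return s

def upfront_cost(honest_ids: int, p_target: float, fee_usd: float) -> float:
    """What a per-identity fee makes that many identifiers cost."""
    return identities_needed(honest_ids, p_target) * fee_usd

def node_id(label: str) -> int:
    # Constructed identifier: SHA-256 of a label stands in for a routing id.
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big")

def sybils_in_close_group(honest_n: int, sybil_n: int, target: str = "constructed-target") -> int:
    """Count Sybil identifiers among the GROUP_SIZE ids closest (by XOR) to a target."""
    honest = {node_id(f"honest-{i}") for i in range(honest_n)}
    sybil = {node_id(f"sybil-{i}") for i in range(sybil_n)}
    group = sorted(honest | sybil, key=lambda i: i ^ node_id(target))[:GROUP_SIZE]
    return sum(1 for i in group if i in sybil)

if __name__ == "__main__":
    for fee in (1, 10, 100):      # fee levels floated in the first post
        print(f"${fee}/identity -> ${upfront_cost(1000, 0.5, fee):,.0f} for a 50% chance")
    print("Sybil ids in one sampled group:", sybils_in_close_group(1000, 200))
```

The model covers a single group only; it says nothing about rank, vault behaviour or any other limitation mechanism discussed in the thread.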

If I understand your problem correctly: 1 node can create multiple identities, therefore allowing it to have more than one vote in a consensus group. I propose we solve the ability to create multiple identities.

Vault Voting Solution?
If only “vaults” were allowed to vote in a consensus group, their identity can be made unique by the chunks they hold. The “data holder managers” know which vaults contain which chunks. Therefore, a vault can prove their unique identity, using the chunks given to them by the “data holder manager”.

The premise of this idea means a vault can only have 1 identity which the Network can verify by looking at the chunks inside. It’s basically a fingerprint of chunks for the vault.

If the vault creates multiple identities, it will accumulate other chunks from those identities and alter the fingerprint, invalidating their ability to vote.

If it removes specific chunks to confirm 1 identity, then it will get down ranked for losing data.

This is a rough theory… But if it works, we don’t need an entry barrier, while mitigating malicious farmers. What do you think?

Bootstrapping this is difficult because there are no vaults with chunks to begin with, except the ones MaidSafe starts… so that may need further testing.

1 Like

Wait wait wait…

I thought that the nodes needed to earn a good reputation before they could do anything important / potentially dangerous.

Didn’t this requirement solve the potential problems you are all talking about?

3 Likes

The idea of bitcoin is scary as a precursor to farming. I don’t watch cryptocurrency enough to have an opinion or solid grasp but on a gut level I have this sense that the crypto coins have failed. Not that blockchain isn’t amazing, but all I ever hear is speculator stuff.

I’d also add to this; that charging someone for joining a fixed cost is not decentralized at all. It’s like in bitcoin, if it was 100,000 usd each; then a transaction fee would be 400 times what it is today: 12 dollars - that makes the network no longer autonomous. Even 1000 dollars per bitcoin makes the transaction fee 12 cents, it’s still a lot; so now if you want to run a node; you need to pay… so now if I give someone a raspberry pi 2 to run a node; I also have to give money so that node can even get started; so now when I gave someone raspberry pi 2 and that person can’t even afford 1 dollar; how will that node go up?

How do you know what 1 dollar in bitcoins is; what’s the point in stopping people from making nodes for farming?

2 Likes

Seems like this would be an important thing to have down before even considering the subject of this post. I may be missing something as I’m definitely not into the code at all, but this seems to be too hypothetical.

6 Likes

I don’t mind paying $1 or $10 for that matter to start farming, knowing that this money goes to the MaidSafe Foundation. But this might not be the case for everyone, simply because some people can’t afford it. :(

Money (fiat) is never a problem for whoever would want to attack the network.

Is it possible to let people farm $1 in SAFEcoins (or whatever amount you have in mind) and let them pay it up, if they want to continue farming?

1 Like

Thanks to everyone for your input. I get that you would all prefer not to have to tie the identity creation of routing nodes to spending Bitcoins. I might still use such a mechanism in a paper if it simplifies the presentation of the rest of the routing algorithm and its proofs for another reviewer that might not be familiar with how vaults work. The goal is not so much to explain the identity management but to show the key routing algorithms using properties of XOR Space. I’ll make it clear though that it does not mean the system works like that, only that such a mechanism is possible using a system that reviewers would already know.

I’ll look closer later at how the ranking mechanism works and which guarantees it provides and properly compare it with others.

Maybe I’m misunderstanding something here but why would you explain it in a way that’s not how it works? Why not take a closer look on how it does work and explain that?

With all due respect but this can’t even be considered when we want to offer the same for everyone, not depending on how much money they have. Next to creating unfairness it also creates an extremely high barrier to join.

1 Like

Because when writing an academic paper it’s not necessarily about the SAFE network itself but about the required principles for a distributed autonomous network in general. There’s always some kind of proof of effort/value/work/resource required, that is the principle. What this proof will be is an implementation choice. He can use a BTC payment as an example.

Funny thing, in the case of a BTC payment the proof would indirectly be the proof of work of the Bitcoin blockchain.

1 Like

Ok maybe that was the point I was missing but it still seems the ‘bitcoin solution’ gets chosen to explain the workings instead of the solution Maidsafe offers with the ‘minimum level of rank’ solution. Why is this?

1 Like

Because you cannot expect your reviewer/reader to know everything you know before reading the paper, and you have a limited amount of space and attention to explain in-depth one aspect of the system. By relying on something they already know you can go much quicker to the part of the system you are actually focusing on. As long as the properties and assumptions are stated explicitly, you can show in another paper/document that the other real mechanism also satisfies the same and is therefore equivalent.

With regard to the ranking mechanism, since it is new and unknown to others, I would have to explain in enough detail to show that the properties indeed hold. If possible, I would like to defer that to later. The Bitcoin solution is one amongst many, I will simply pick the simplest I can think of.

2 Likes

Ok now I got it, thanks for clearing it up!

2 Likes

But it doesn’t really clear up things because it was initially offered as a general solution for the actual system - also sounds convenient like the kind of thing that would tide over anxious investors.

To me the potential of the coin is in its capacity to build out a harder physical network, core software ecosystem and sponsor free disintermediated content system. But if it becomes a distraction it should be delayed or even dropped.

Those who bought super speculative crypto coins were in effect crowd sourcing and their money went to a vital cause. Bringing us a network that will help make corporations and states transparent is a billion times more important. Making these entities transparent on a second by second basis is the only way we will reverse extraction and move toward inclusion. It will give us a chance to realize that slavery in all of its forms, including wage slavery, is the top atrocity above even genocide (although the two tend to coincide) and then condemn absolutely and finally all extractive economic and political systems.