Regarding a Sybil attack

Just a thought. At 3 million nodes the network is still small considering it is a global network. How long from going live to get from 10’s of thousands to a few million is a good question. But one would expect that if the network is a success that at least a few percent of the world’s personal computers will be active nodes.

I think your 200% is understating the required number to cause noticeable disruptions/vandalism. Because of the mechanism that new nodes are reallocated by the network upon joining the ability to target groups is extremely hard. That means that there is only a random distribution and one needs to have, as you say, more nodes than the proper nodes. So while 2 bad to 1 good might on a random distribution get you momentary control of a group or two, it is only a minor vandalism. Since the network is dynamic those taken over groups may not survive for long and the bad nodes kicked out when in new groups.

As to data security, it should be fine since the compromised groups are minor and many copies of each chunk are spread across the network and any bad chunks will be rejected when being transferred across the network.

As to costs. I expect a network of 3 million nodes globally is under the radar of such groups as any particular government. 3 million represents less than 1 or 2% of the home computers in the USA alone and at 2% it is not even significant to demand control when the internet as a whole in the USA is either is or approaching 1 billion computers of all sorts. Remember nodes will be in SBCs, some phones (when charging), laptops, home computers, some business computers, some data centres. Just in Australia there is some 20-40 million computers that fit that category.

So in perspective for the SAFE network to come a force to reckon with or for governments to attack it would need to be a few % at least. And that is how many computers? Many times the 3 million you are working with.

2 Likes

Minor comment: I didn’t read the links but am curious as to where you get 65% from because in the past I’ve seen David talk about their calculations meaning at least 80% of nodes would need to collaborate to take over a piece of data (at least that’s my recollection - those discussions were years ago, some on reddit).

2 Likes

I think we also have to consider the cost of running a useful node. If it is being worked hard enough to be useful to the network, it should be expensive to of operate. Just because there isn’t an arbitrary proof of work, it doesnt mean that useful hasn’t be done and proved.

Senior nodes should have a strong track record of delivering value. These nodes should form the spine of the network. Lesser nodes should the given the opportunity to prove themselves useful, but only at a cost relative to services rendered.

1 Like

The difference here is taking over a piece of data versus causing vandalism by disruption or take over one group. To disrupt data you would need to take over the groups holding all the copies of the chunk (multiple random groups)

Although I think the 2:1 ratio is not correct either. My understanding would be it needs to be more like 70% 2.5:1 or even 3:1

2 Likes

Yeah just on a quick high level,

I don’t think $30 mil would be anywhere near enough to convince 80% of all the people of the world to make their nodes misbehave (which would cause them to lose / decrease their SafeCoin income)

A lot of this reasoning is from before Datachains. As it stands now, if you gain control of a section, you own the network. You can change any mutable data in the section (which would include stealing the safecoin), and you can probably expand your attack past your section.
You won’t be able to decrypt any data, which is a small victory, I guess.
Any number (65%, 80%, etc) was probably based on designs before data chains and node age. I don’t think anyone has done the analysis of the current design. And with age, that analysis is going to be exceedingly complex. I have not even seen any discussion on what the actual size of a section will be.

There may be defenses for some or all of these attacks, or it may be (hopefully will be) extremely hard to gain control of a section. There are also clever moves an attacker can do to increase their chances. For instance, if you own 30% of two adjacent sections, DDOS your neighbors to force a section merge. Complex systems have large attack surfaces.
We will see how it all shakes out.

Per the current documentation (can’t find the original source at the moment Data Chains documentation summary):

Security of the network depends on each section behaving correctly, which is ensured by the network distributing nodes throughout the network automatically, such that an attacker cannot choose where in the network any nodes he runs will join, and a brute force attack would require running a significant proportion of the nodes in the network to have any real chance of success… The broken section recovery mechanism could be used as a weapon allowing a section controlled by an attacker to take over more of the network, even up to the point of taking over the entire network if the attacker had enough resources to handle network load; this is a known limitation, but necessarily any mechanism to recover from a state where no consensus is possible must reduce security. This does not necessarily mean the system is less secure than a network using a less strong form of consensus, and is only an exploit if an attacker can control one section in the first place.

5 Likes

The way I’m thinking about this is not persuading anyone, but running enough of your own nodes for long enough.

So if the network has 1m independent nodes, you would need to fund (1m * 0.8) / (1 - 0.8) = 4m nodes for an 80% attack.

Because the total size would be 5m and you would have 80% of them (4m is 80% of 5m).

So the cost of an 80% attack on a network of 1m nodes would be 4m times the cost of running a single node for long enough to pass the aging thresholds. If that single node cost was $10 we’d have an attack cost of $40m.

I’ve used 80% for illustration only because we don’t know what the actual number is at this point, or even if this still applies.

3 Likes

@neo

Thank you for shedding some more light on the subject - I agree with you that once SAFE Network gains popularity it will be a lot of nodes, not just 3 million more like 300 million - but surely in the beginning, after release and a couple of months of that - there will be a node population of 3 to 7 million and attacking them through pure brute force will only be an issue of costs - and I guess I just wanted to ask what exactly, is the average cost of having a node in the safe network going to be. If we know the average cost, than everyone can do their own analysis as to how expensive an attack on SAFE will be - whether it is 200% of population of nodes or 2000% of the population of nodes that already exist - I agree with you, due to XOR space and random placements it will be more than 200% of total population to even cause vandalism - by which I mean gaining control over 1% or 2% or 3% of total groups just by random placement and also causing other systemic shocks to the system. If you have an idea of what the average cost of a node in the system will be, I’ll appreciate it if you’ll share that. (And of course I’m talking about a node that has been connected 24/7 for let’s say a month so it’s aged and ranked and all)

The system keeps on updating, and improving on it’s security - I think I was reading up on some tests - and some other conversations - here:

I was talking about just getting control of 1 or 2 or 3% of groups by random placements, not accessing data - or cause other system shocks like disrupting or just jamming messages etc. I agree - to take over the network it requires a much larger percentage.

As of now, I think Node Ageing serves to disrupt some Sybil attacks - and the attackers will have to stay connected to the network 24/7 if they hope to get a good rank and age - I agree with you, it’s in the interest of the system to make the average cost of a well ranked or aged node high but as @dirvin often says, every new well intentioned change brings with it its own unintended consequences - I’m sure the community has their ideas.

2 Likes

I agree with you, not every attack needs to be aiming for complete crippling of the system - random acts of vandalism can be done with less amount of nodes and I think that we’re looking at more than 200% for that - again, it comes down to the average cost of a well ranked and aged node

@happybeing is right, I am talking about the attacker bringing in extra nodes on his own, not convincing people

I confess I don’t understand Data Chains entirely, but I think the attack vector you’re talking about was in regards with Option A of Data Chains and that the Maidsafe developers are looking at Option B also - which I think allows for the existence of some statelessness in the system until all the nodes reform some agreement, at least that is what I could grasp.

But I think the calculations still are kind of the same, Node Ageing has meant some extra cost and some attack vectors are eliminated but once a person has the malicious nodes aged and ranked - they need the same percentage of nodes that were calculated by the team - I mean for just an all out Sybil attack, I may be wrong though.

1 Like

will it be accurate to assume that the average cost of a well aged and ranked node is roughly $10?

Thank you everyone for your thoughts and answers.

Now, I may be entirely wrong in suggesting this, but I think sometimes it’s good to discuss random thoughts:

Right now, nodes are supposed to join the network with all the coding and directions on how to act. In such a scenario - a malicious node can pretend to behave nicely for some time while they gain age and rank and then they can unleash an attack some time later.

Is it possible, for Vaults to join the system in a blank state - by blank state I mean they simply connect and all the code they are supposed to follow is given or fed to them later - obviously any client node is not the issue - the Vault nodes are the workers - so can the workers join the SAFE system with a blank state or let’s say after joining they are wiped and then programmed or given a basic code of behavior - this way no malicious node can join the network with patches or whatever, and act falsely in the beginning only to attack the system later.

Only a Queen Ant can lay eggs - so we should have a genesis node, that gives the code etc to the nodes that join it and then those nodes give the code to others that join them in their groups - if it’s possible for a Vault to connect with the network in its infancy form, having a blank state and then download code and software on how to function - I think it can deter malicious nodes that come preprogrammed to attack once aged and ranked - and I think disconnecting from the network should lose you everything when it comes to codes and software, kind of like death. This way Archive nodes etc are those who have stayed connected to the network the longest, and if one dies - there are always those lower in ranking to them. So this way no node can be turned against the system by editing them or patching them later.

Death, in a way becomes the great equalizer - once a node is a part of the system, it is given code and directions on how to act, if it behaves it becomes highly valued and ranked over time - earning more safe coins - as long as a node is connected with the SAFE Network, it should not be possible to add patches or add malicious code to it for that would require making the Vault go offline - and if a Vault goes offline, it dies. Losing everything and starts from the beginning when it reconnects. ( Also, this way, there is an incentive to never die: you get more safe coins).

Forking in this way would be one Node becoming the genesis node for the next system, and other nodes joining it - kind of like a queen ant moving elsewhere to start its own system.

I hope I am clear, and please excuse me if this is entirely wrong or not workable - just my thoughts on how to further improve the system.

I wish the community and the developers all the best in their mission.

4 Likes

It was a wild convenient guess. Nobody can claim accuracy with regard to something that doesn’t exist and hasn’t been done before.

My personal random gut feeling guess would be $1k+ because it’s an asset that makes income and time is money etc.

Ofc nobody can ever say with any certainty until we start to see what vaults earn in real tests or real networks

Surely the cost of a node will be below $1k - nodes are not scarce and they cannot be traded - so nobody can say here buy my node because it has an awesome ranking and age.

I think all one needs (if attempting to add malicious nodes to the network) is to rent some hosting or server from the market - and connect that to the SAFE network, 24/7, for a couple of weeks - so that will be one well aged and ranked node - of course each server may have several vaults so a person can get several malicious nodes from one server - so again, the question becomes, what will be the cost of a well aged and ranked node like this - I think it might not be more than $10

1 Like

Surely, well aged is just relative to other nodes. I am not sure how much influence on the network 2 weeks will grant.

It needs to be hard and expensive to provide core network services. If it is too easy, then this sort of attack will be commonplace. Therefore, it cannot be cheap to get a high rank.

2 Likes

Yes that is why my thoughts were not about that size but what a government would be concerned about and that is a network more than 10 times your selected figure of 3 million.

For the small network one has to wonder the benefit of putting in $30+ million to attack a baby network of 3 million. For the QDOS? very expensive way to do that. For the coins, well those coins will be worthless by the time they could sell any quantity and people know of the attack.

Motivation to spend big $$$ will come when the network has grown and hopefully by then things work as they should and datachains etc are securely implemented. Governments as I said will not be interested until SAFE is in use by more than the magical 14-20% figure. Government sppoks have said in the past that once you have >80-86% surveillance then you effectively have full surveillance. (the same for control, vaccinations and many other things)

But yes some analysis is needed and will be welcomed by many (@oillio thanks for your input)

4 Likes