Regarding a Sybil attack

Hi,

I don’t know much about coding, or the deeper technical layers of software and hardware systems - but I like to read about technology and security etc. If my ramblings seem idiotic to the technically advanced people in this group, I apologize in advance.

As of now, there are a couple of things that are supposed to protect the system from a Sybil attack:

Close Group Consensus, Node Ageing

I think Data Chains and Disjointed Sections also help, but I am less clear on those.

And I think the close group consensus and the various mechanisms that @dirvin has put in place negate the utility of gaining control over a group in the first place - I am tired after another night of reading this forum, but even to a novice like me it is clear that @dirvin and maidsafe team in general have thought out a lot of things and there are extreme nuances, they have various hints of mechanisms in different places which makes one appreciate the system and its complexity.

So to quote him:

Node Ageing (as far as I understand) helps by slicing the rank by half after a churn and enables the system to rank nodes by age - and so a node can’t jump around to join others in a malicious group - it will have to try to brute force the entire system and go for the 65% ownership of total nodes route - no short cuts.

It has also changed the Quorum of whole group to basically >50% of nodes and >50% of age.

This is on top of the fact that if an attacker has not gained complete control over a group - the group can kick the malicious nodes out.

Basically all this means (to a technologically illiterate person like me) that any person or entity interested in a Sybil attack would need to first add at least around 200% of the nodes already in existence to the network (just to be safe) - and then leave them connected (24/7) to the network for three weeks or so - so that the nodes are well aged and trusted.

Now due to XOR space, nodes cannot really decide what role or position they’ll be in the network - and the malicious entity ageing their nodes would probably be aware of that, so all the more reason for adding around 200% of the nodes that are already operating to just do some damage.

And I am assuming they will add patches to the vault code such that the ageing nodes behave accurately first and then when given a signal - attack.

And so I think the person attacking will also be aware that when they do attack, they might get quorum majority in some groups - but if @dirvin’s calculations are true, they will not have the statistical numbers required to change the consensus of the system - which would require a much larger number of malicious nodes. They are just vandalising and disrupting, unable to change the consensus of system, but vandalising nevertheless.

I think, such a capacity to disrupt SAFE - to vandalise it, so to speak, has value. To me, it gives the imagery of jamming the communication and the system. I know that the system can handle the malicious nodes going offline suddenly and some other scenarios - but if a huge majority of nodes in the SAFE system - nodes that have good age and ranking, for they behaved very well for three weeks or so and never disconnected before attacking - just suddenly go haywire surely that’s a shock to the system. So they can jam the system, create a shock in the system, distort communication, misbehave, I think that’s a powerful attack.

The attackers may not gain control over safe coins, getting access to chunks of data will be useless - but (to me at least) it’s a very uneasy thought that this type of attack can be done.

If I’m not wrong, the primary deterrence to a Sybil attack is making it prohibitively expensive:

As I said, I’m really not a technical person, don’t know much about costs of servers and hosting etc.

If the above scenario is wrong, and I am stupid for not having understood the SAFE Network properly, I humbly request some member to kindly take some time and enlighten me.

If the scenario can take place, can someone calculate just how expensive an attack like that would be?

If we are to assume let’s say, a node population of 3 million being active in the SAFE Network system (not all nodes will be active at all times, so let’s say total population is 5 million nodes and 3 million are normally active at one time) - just how expensive is it to add 6 million nodes into the network 24/7, have them age nicely for three weeks so that they gain rank and trust, and then those 6 million nodes just do whatever they can do to vandalise - break some protocols etc.

If it’s a couple of million dollars, then surely it’s just a couple of million dollars more to do the devastating 600% or 800% attack to completely cripple the system.

Let’s say it’s 2019 and someone uses SAFE Network to leak some extremely embarrassing documents that piss off a dictator or some billionaire.

If the cost to cripple SAFE system, is a couple of million dollars, or let’s say it’s 30 million dollars - why won’t a dictator or pissed off billionaire or China or any other state entity cripple it?

Thanks for your time.

9 Likes

Just a thought. At 3 million nodes the network is still small considering it is a global network. How long from going live to get from 10’s of thousands to a few million is a good question. But one would expect that if the network is a success that at least a few percent of the world’s personal computers will be active nodes.

I think your 200% is understating the required number to cause noticeable disruptions/vandalism. Because of the mechanism that new nodes are reallocated by the network upon joining, the ability to target groups is extremely hard. That means that there is only a random distribution and one needs to have, as you say, more nodes than the proper nodes. So while 2 bad to 1 good might on a random distribution get you momentary control of a group or two, it is only a minor vandalism. Since the network is dynamic those taken over groups may not survive for long and the bad nodes kicked out when in new groups.

As to data security, it should be fine since the compromised groups are minor and many copies of each chunk are spread across the network and any bad chunks will be rejected when being transferred across the network.

As to costs. I expect a network of 3 million nodes globally is under the radar of such groups as any particular government. 3 million represents less than 1 or 2% of the home computers in the USA alone and at 2% it is not even significant to demand control when the internet as a whole in the USA either is or is approaching 1 billion computers of all sorts. Remember nodes will be in SBCs, some phones (when charging), laptops, home computers, some business computers, some data centres. Just in Australia there are some 20-40 million computers that fit that category.

So in perspective for the SAFE network to become a force to reckon with or for governments to attack it would need to be a few % at least. And that is how many computers? Many times the 3 million you are working with.

2 Likes

Minor comment: I didn’t read the links but am curious as to where you get 65% from because in the past I’ve seen David talk about their calculations meaning at least 80% of nodes would need to collaborate to take over a piece of data (at least that’s my recollection - those discussions were years ago, some on reddit).

2 Likes

I think we also have to consider the cost of running a useful node. If it is being worked hard enough to be useful to the network, it should be expensive to operate. Just because there isn’t an arbitrary proof of work, it doesn’t mean that useful work hasn’t been done and proved.

Senior nodes should have a strong track record of delivering value. These nodes should form the spine of the network. Lesser nodes should be given the opportunity to prove themselves useful, but only at a cost relative to services rendered.

1 Like

The difference here is taking over a piece of data versus causing vandalism by disruption or take over one group. To disrupt data you would need to take over the groups holding all the copies of the chunk (multiple random groups)

Although I think the 2:1 ratio is not correct either. My understanding would be it needs to be more like 70% 2.5:1 or even 3:1

2 Likes

Yeah just on a quick high level,

I don’t think $30 mil would be anywhere near enough to convince 80% of all the people of the world to make their nodes misbehave (which would cause them to lose / decrease their SafeCoin income)

A lot of this reasoning is from before Datachains. As it stands now, if you gain control of a section, you own the network. You can change any mutable data in the section (which would include stealing the safecoin), and you can probably expand your attack past your section.
You won’t be able to decrypt any data, which is a small victory, I guess.
Any number (65%, 80%, etc) was probably based on designs before data chains and node age. I don’t think anyone has done the analysis of the current design. And with age, that analysis is going to be exceedingly complex. I have not even seen any discussion on what the actual size of a section will be.

There may be defenses for some or all of these attacks, or it may be (hopefully will be) extremely hard to gain control of a section. There are also clever moves an attacker can do to increase their chances. For instance, if you own 30% of two adjacent sections, DDOS your neighbors to force a section merge. Complex systems have large attack surfaces.
We will see how it all shakes out.

Per the current documentation (can’t find the original source at the moment Data Chains documentation summary):

Security of the network depends on each section behaving correctly, which is ensured by the network distributing nodes throughout the network automatically, such that an attacker cannot choose where in the network any nodes he runs will join, and a brute force attack would require running a significant proportion of the nodes in the network to have any real chance of success… The broken section recovery mechanism could be used as a weapon allowing a section controlled by an attacker to take over more of the network, even up to the point of taking over the entire network if the attacker had enough resources to handle network load; this is a known limitation, but necessarily any mechanism to recover from a state where no consensus is possible must reduce security. This does not necessarily mean the system is less secure than a network using a less strong form of consensus, and is only an exploit if an attacker can control one section in the first place.

5 Likes

The way I’m thinking about this is not persuading anyone, but running enough of your own nodes for long enough.

So if the network has 1m independent nodes, you would need to fund (1m * 0.8) / (1 - 0.8) = 4m nodes for an 80% attack.

Because the total size would be 5m and you would have 80% of them (4m is 80% of 5m).

So the cost of an 80% attack on a network of 1m nodes would be 4m times the cost of running a single node for long enough to pass the aging thresholds. If that single node cost was $10 we’d have an attack cost of $40m.

I’ve used 80% for illustration only because we don’t know what the actual number is at this point, or even if this still applies.

3 Likes
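The arithmetic in the post above, generalized as an added example (not part of the original thread and not MaidSafe code): it solves a / (honest + a) = f for the number of added nodes, and adds a binomial estimate of how often uniformly random placement hands one section a strict node majority. Section size, uniform placement, and counting nodes only (ignoring the age half of the quorum) are assumptions.

```python
from fractions import Fraction
from math import ceil, comb


def sybil_nodes_needed(honest_nodes, target_fraction):
    """Nodes an attacker must add to hold target_fraction of the whole network.

    Solves a / (honest + a) = f for a, giving a = honest * f / (1 - f).
    Fractions keep 0.8 -> 4/5 exact, so 1m honest nodes gives exactly 4m.
    """
    f = Fraction(target_fraction).limit_denominator(1000)
    if not 0 <= f < 1:
        raise ValueError("target_fraction must be in [0, 1)")
    return ceil(honest_nodes * f / (1 - f))


def attack_cost(honest_nodes, target_fraction, cost_per_aged_node):
    """Total cost if every added node costs cost_per_aged_node to run and age."""
    return sybil_nodes_needed(honest_nodes, target_fraction) * cost_per_aged_node


def p_section_majority(section_size, attacker_fraction):
    """P(attacker holds a strict node majority in one section).

    Assumption: each member is independently an attacker node with
    probability attacker_fraction (uniform random placement). Node age,
    which the quorum also weighs, is not modelled here.
    """
    f = float(attacker_fraction)
    need = section_size // 2 + 1  # strictly more than 50% of the members
    return sum(
        comb(section_size, k) * f**k * (1 - f) ** (section_size - k)
        for k in range(need, section_size + 1)
    )


def expected_majority_sections(total_nodes, section_size, attacker_fraction):
    """Expected number of sections with an attacker majority at one instant."""
    sections = total_nodes // section_size
    return sections * p_section_majority(section_size, attacker_fraction)


if __name__ == "__main__":
    honest = 1_000_000       # figure used in the post
    cost = 10                # the post's illustrative $10 per aged node
    for f in (Fraction(1, 3), Fraction(1, 2), Fraction(2, 3), Fraction(4, 5)):
        added = sybil_nodes_needed(honest, f)
        print(f"attacker share {float(f):.2f}: add {added:,} nodes, "
              f"cost ${attack_cost(honest, f, cost):,}")
        for size in (9, 33, 101):  # hypothetical section sizes
            exp = expected_majority_sections(honest + added, size, f)
            print(f"  section size {size:>3}: "
                  f"P(majority)={p_section_majority(size, f):.4f}, "
                  f"expected sections={exp:,.0f}")
```

Below a 50% global share, larger sections drive the per-section probability down quickly; above it they drive it toward 1, which is why the threshold percentage and the section size both matter to the cost estimate.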

@neo

Thank you for shedding some more light on the subject - I agree with you that once SAFE Network gains popularity it will be a lot of nodes, not just 3 million more like 300 million - but surely in the beginning, after release and a couple of months of that - there will be a node population of 3 to 7 million and attacking them through pure brute force will only be an issue of costs - and I guess I just wanted to ask what exactly, is the average cost of having a node in the safe network going to be. If we know the average cost, then everyone can do their own analysis as to how expensive an attack on SAFE will be - whether it is 200% of population of nodes or 2000% of the population of nodes that already exist - I agree with you, due to XOR space and random placements it will be more than 200% of total population to even cause vandalism - by which I mean gaining control over 1% or 2% or 3% of total groups just by random placement and also causing other systemic shocks to the system. If you have an idea of what the average cost of a node in the system will be, I’ll appreciate it if you’ll share that. (And of course I’m talking about a node that has been connected 24/7 for let’s say a month so it’s aged and ranked and all)

The system keeps on updating, and improving on its security - I think I was reading up on some tests - and some other conversations - here:

I was talking about just getting control of 1 or 2 or 3% of groups by random placements, not accessing data - or cause other system shocks like disrupting or just jamming messages etc. I agree - to take over the network it requires a much larger percentage.

As of now, I think Node Ageing serves to disrupt some Sybil attacks - and the attackers will have to stay connected to the network 24/7 if they hope to get a good rank and age - I agree with you, it’s in the interest of the system to make the average cost of a well ranked or aged node high but as @dirvin often says, every new well intentioned change brings with it its own unintended consequences - I’m sure the community has their ideas.

2 Likes

I agree with you, not every attack needs to be aiming for complete crippling of the system - random acts of vandalism can be done with a smaller number of nodes and I think that we’re looking at more than 200% for that - again, it comes down to the average cost of a well ranked and aged node.

@happybeing is right, I am talking about the attacker bringing in extra nodes on his own, not convincing people

I confess I don’t understand Data Chains entirely, but I think the attack vector you’re talking about was in regards with Option A of Data Chains and that the Maidsafe developers are looking at Option B also - which I think allows for the existence of some statelessness in the system until all the nodes reform some agreement, at least that is what I could grasp.

But I think the calculations still are kind of the same, Node Ageing has meant some extra cost and some attack vectors are eliminated but once a person has the malicious nodes aged and ranked - they need the same percentage of nodes that were calculated by the team - I mean for just an all out Sybil attack, I may be wrong though.

1 Like

Will it be accurate to assume that the average cost of a well aged and ranked node is roughly $10?

Thank you everyone for your thoughts and answers.

Now, I may be entirely wrong in suggesting this, but I think sometimes it’s good to discuss random thoughts:

Right now, nodes are supposed to join the network with all the coding and directions on how to act. In such a scenario - a malicious node can pretend to behave nicely for some time while they gain age and rank and then they can unleash an attack some time later.

Is it possible, for Vaults to join the system in a blank state - by blank state I mean they simply connect and all the code they are supposed to follow is given or fed to them later - obviously any client node is not the issue - the Vault nodes are the workers - so can the workers join the SAFE system with a blank state or let’s say after joining they are wiped and then programmed or given a basic code of behavior - this way no malicious node can join the network with patches or whatever, and act falsely in the beginning only to attack the system later.

Only a Queen Ant can lay eggs - so we should have a genesis node, that gives the code etc to the nodes that join it and then those nodes give the code to others that join them in their groups - if it’s possible for a Vault to connect with the network in its infancy form, having a blank state and then download code and software on how to function - I think it can deter malicious nodes that come preprogrammed to attack once aged and ranked - and I think disconnecting from the network should lose you everything when it comes to codes and software, kind of like death. This way Archive nodes etc are those who have stayed connected to the network the longest, and if one dies - there are always those lower in ranking to them. So this way no node can be turned against the system by editing them or patching them later.

Death, in a way becomes the great equalizer - once a node is a part of the system, it is given code and directions on how to act, if it behaves it becomes highly valued and ranked over time - earning more safe coins - as long as a node is connected with the SAFE Network, it should not be possible to add patches or add malicious code to it for that would require making the Vault go offline - and if a Vault goes offline, it dies. Losing everything and starts from the beginning when it reconnects. ( Also, this way, there is an incentive to never die: you get more safe coins).

Forking in this way would be one Node becoming the genesis node for the next system, and other nodes joining it - kind of like a queen ant moving elsewhere to start its own system.

I hope I am clear, and please excuse me if this is entirely wrong or not workable - just my thoughts on how to further improve the system.

I wish the community and the developers all the best in their mission.

4 Likes

It was a wild convenient guess. Nobody can claim accuracy with regard to something that doesn’t exist and hasn’t been done before.

My personal random gut feeling guess would be $1k+ because it’s an asset that makes income and time is money etc.

Ofc nobody can ever say with any certainty until we start to see what vaults earn in real tests or real networks

Surely the cost of a node will be below $1k - nodes are not scarce and they cannot be traded - so nobody can say here buy my node because it has an awesome ranking and age.

I think all one needs (if attempting to add malicious nodes to the network) is to rent some hosting or server from the market - and connect that to the SAFE network, 24/7, for a couple of weeks - so that will be one well aged and ranked node - of course each server may have several vaults so a person can get several malicious nodes from one server - so again, the question becomes, what will be the cost of a well aged and ranked node like this - I think it might not be more than $10

1 Like

Surely, well aged is just relative to other nodes. I am not sure how much influence on the network 2 weeks will grant.

It needs to be hard and expensive to provide core network services. If it is too easy, then this sort of attack will be commonplace. Therefore, it cannot be cheap to get a high rank.

2 Likes