Step-by-step: the road to Fleming, 3: Sybil resilience simulations

So the only real danger from a Sybil attack is the possibility that over time an attacker could bring the network down? Obviously that’s quite a big one :wink: but are there any other things such an attacker could do? It strikes me that even before Malice Detection, their options would be limited by the difficulty in actually seeing what they’re doing.

1 Like

That is the main one, there are likely subtle attacks we have yet to see, but the current simplifications of the code and introduction of chains and parsec mean our toolkit is quite large and should be powerful in combating such attacks, but we cannot be complacent just yet. I would like to take a bit of time after Fleming to dive right down into vandalism attacks as well as any attack that can mutate the network or safecoin issuance etc.

11 Likes

But that would be true also in stress period, when the network needs new vaults to increase available free space. So, this isn’t an argument to accept vaults only when the network needs them.

On the contrary, if the network accepts vaults permanently, then the network will be bigger when an attacker decides to launch the offensive, so it will be harder to control or disrupt a section.

But if the attack happens at the very beginning when the network is still small (like your figures), we can’t do anything about it, accepting nodes only when the network needs them will only delay the inevitable. The only defense is to let it grow rapidly to reduce the initial window when an attack could be successful.

I will need to revive my old rust simulations to prove it. The problem is that I don’t really have time for it right now.

5 Likes

The point is that would not be continuous and also it would not be unlimited new nodes. In fact it would make such attacks last much longer as the network will actively not allow surge joins of any player, including bad actors.

EDIT (added quote) Yes this is true, the larger the network the better, or at least the total age of the network (all node ages added) is the measure of the strength of the network, so the younger the weaker for sure.

I very much appreciate your work in this area and the debates. I did push internally for the Engineers to re-read those threads as they are very important. So please do accept thanks and if you do get time, there will be plenty of opportunities to debate this prior to full launch for sure. Thanks again

9 Likes

Great work as usual Maidsafe team.

Question re:sybil attacks, how much does a combination of a 5% datacenter together with a 20% botnet attack affect these estimates? Is such a scenario even likely? I’m sure you’ve thought about it and curious as to your thoughts.

Re:how does the network accept new nodes - Accepting new nodes based on space could limit the growth of the network assuming that there’s no upper limit to a vault size and that a node that was just accepted joined with a vast storage capacity. There’s an egalitarian simplicity to TFA’s proposed [accepting nodes if there’s a slot for one] in that no matter how far above the minimum resource requirements a node has gone (i.e., means of node owner), they do not affect the subsequent chance of a node of more meager means (but that meets the requirements) to join the network. Not to mention that nodes with large vaults attached (per the previous assumptions) could limit the growth of section size, which could be detrimental to sybil resistance per your results.

I agree that there’s a balance (to David’s point), but an attacker would likely be more persistent in waiting for space to be available (more datacenter than botnet) while casual then honest nodes are more likely to quit participation attempts faster, thus increasing the proportion of potentially malicious nodes among the pool of new nodes waiting to join.

2 Likes

This seems intuitive when thought of in comparison to proof-of-work. PoW is more sybil resistant the more work is being done by the network. If PoW were sharded into groups, those groups would each be more vulnerable to an attack than as a whole. Bitcoin puts the decentralisation slider to max by having only one work pool.

Nice write up Pierre!

4 Likes

No it’s not about 5 times since each age represents twice the one before it.
2^12 = 4096 (age 12)
2^13 = 8192 (age 13)
2^14 = 16384 (age 14)
and 20K would be about age 14.25
So not 5 times but approx 1.1875 increase in age.

Not consistent in your terminology. Is age represented by twice the work than the age previous or directly proportional to the work (is age = amt_of_work/constant)

It is 16 times the work to go from age 12 to age 16. NOT 16 times older since that would be age 12 to age 28.

Here you are equating “older” and “work”. You say “16 times older” but then say it is +4 older. Which is it? It is 16 times the work and +4 older

And remember that work is not related to time since there could be x amount of work for 10 seconds then 5x for the next 10 seconds and then x/4 for the next.

I am highlighting this because it is easy to bring this inconsistency into your simulation and end up with skewed results.

Agreed. I would modify it though in that as the ability for a section to accept a node but not need it, there should be an increased rejection ratio. Actually even when a section needs a node there should be some rejection of nodes too making it more difficult and raising the cost to an attacker and only some minor inconvenience of time to a legit person adding a node

In the case where the section does not need a new node and say there are 10 free slots capable to be filled

  • at 10 available slots say a node has a 90% chance of being accepted
  • at 9 available then 80% chance
  • etc and at 1 available there is a 10% chance of being accepted.

Of course another function could be used to determine change of acceptance/rejection.

The reason I am following this is to prevent an attacker flooding the network and having all their nodes accepted even though the various sections are not needing them, and this prevents others from joining for a long time. So by rejecting it gives more chance over time for others to be accepted.

On another note there was the concept mentioned by the dev team/David of a queue for each section where the section may not need a node but any new ones are put into a queue till needed. This means the attacker has a very high cost to keep their nodes running but gaining no age or farming. The other good people are less likely to be disadvantaged since they are using spare resources and not trying to keep thousands of nodes waiting in a queue.

Absolutely they are motivated to remain on line for as long as possible.

Except maybe the botnet where the computers in the botnet will be switched off perhaps faster than any good node since the owners of those computers are not even aware of being in a bot net or the safe network. And so just turn off their computers when it suits them and not when it suits the attacker.

An attacker is likely to run up their nodes in a very short amount of time, so new nodes in that could and likely be 99-100% attacker and <1% others.

But the botnet nodes as I said above will live on average a lot less than people running up legit nodes. But for a datacentre the nodes being added will simply continue till they are accepted and during that time frame the others will be a very low percentage (maybe as bad as I suggested above). Which is why I suggested a balance between what @tfa suggested and what is being suggested here.

5 Likes
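The two mechanics argued over in the post above (work doubling per age level, and a slot-proportional rejection ratio when a section has spare slots) in runnable form. This is an added example, not code from the forum or from MaidSafe; `work_for_age`, `accept_probability` and the toy `simulate_joins` model are my own constructions. The acceptance rule used is n/C (n free of C slots), which gives the post’s 10% at one free slot but 100% rather than 90% at ten free, since the post’s own sequence is only loosely linear; the join model assumes the attacker bursts all candidates in round 0 while honest operators trickle in one per round, which is the behaviour the post describes.

```python
import math
import random
from dataclasses import dataclass


def work_for_age(age: int) -> int:
    """Work needed to reach a node age: each level doubles the previous one (2^age)."""
    return 2 ** age


def age_from_work(work: float) -> float:
    """Fractional node age equivalent to an amount of work (inverse of work_for_age)."""
    return math.log2(work)


def work_ratio(age_from: int, age_to: int) -> float:
    """How many times more work age_to represents than age_from (16x for 12 -> 16)."""
    return work_for_age(age_to) / work_for_age(age_from)


def accept_probability(free_slots: int, capacity: int) -> float:
    """Slot-proportional acceptance (assumed rule, n/C): 1 of 10 free -> 0.1, 5 of 10 -> 0.5."""
    if free_slots <= 0:
        return 0.0
    return free_slots / capacity


@dataclass
class JoinOutcome:
    honest_accepted: int
    attacker_accepted: int
    rejected: int
    rounds_used: int


def simulate_joins(capacity: int, rounds: int, honest_per_round: int,
                   attacker_burst: int, policy: str, seed: int = 1) -> JoinOutcome:
    """Toy join model (constructed assumption, not the network's real join logic).

    The attacker offers attacker_burst candidates in round 0 only; honest operators
    offer honest_per_round candidates every round. policy is 'accept_all'
    (first come, first served) or 'slot_proportional' (accept_probability above).
    """
    rng = random.Random(seed)
    free = capacity
    honest = attacker = rejected = 0
    for r in range(rounds):
        if free == 0:
            return JoinOutcome(honest, attacker, rejected, r)
        candidates = ["honest"] * honest_per_round
        if r == 0:
            candidates += ["attacker"] * attacker_burst
        rng.shuffle(candidates)  # arrival order within a round is random
        for kind in candidates:
            if free == 0:
                break
            p = 1.0 if policy == "accept_all" else accept_probability(free, capacity)
            if rng.random() < p:
                free -= 1
                if kind == "honest":
                    honest += 1
                else:
                    attacker += 1
            else:
                rejected += 1
    return JoinOutcome(honest, attacker, rejected, rounds)


if __name__ == "__main__":
    print("age 12..14 work:", [work_for_age(a) for a in (12, 13, 14)])
    print("age for 20000 work: %.2f" % age_from_work(20000))
    for policy in ("accept_all", "slot_proportional"):
        print(policy, simulate_joins(capacity=10, rounds=20, honest_per_round=1,
                                     attacker_burst=30, policy=policy))
```

Under `accept_all` the burst fills every slot in the first round; under `slot_proportional` the same burst is spread over several rounds and a share of the candidates is rejected, which is the cost-to-attacker effect the post is after. Whether honest nodes actually gain slots depends on the attacker giving up rather than retrying, which is the point the later reply about datacentre persistence raises.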

Sorry just a slightly overloaded usage of “age”, here age means linear time. That is, “age” as used colloquially, so 2^14.24/2^12, not “node age”. So effectively equivalent to work for constant work rate. This is since in this context we’re interested in wall clock time.

Thanks for pointing it out, yes precision of terminology is important to convey the meaning. It’s a delicate balance depending on the target audience

Correct. There is some wiggle room how to define “work” though, and we might end up with something that is fairly uniform in time.

5 Likes

This I think is a mistake and trying to include time. My point was that there is no suitable relationship between work done and time. There is obviously going to be times (pun intended) when the relationship seems to be there but in the long term it will not exist.

This is especially important when comparing one section to another. There is no reason to consider that work versus time will be consistent between sections.

Thus no simulation can use a supposed relation between time and work, and there should be no reason for any simulation to consider real time at all. Maybe for a human comfort report it could loosely say work versus time over a long period is somewhat consistent, but in reality that is just an illusion.

Can I suggest you use work for amount of work done (# of events) and age for node age. So for the illusionary “network time” then work done or #events is used rather than time or age.

3 Likes

Just for clarity might be worth noting internally the line was getting drawn at 1/3rd itself cos once at 1/3rd members, they can stall, then they can also selectively stall certain Blocks/events and allow certain other events that benefit them such as influence membership in the section to take the ratio from 1/3rd to 2/3rd potentially.

10 Likes

Not consistent in your terminology.

Thanks for pointing this out @neo, I’ve edited the couple of places where I used “age” ambiguously to say “amount of work” instead, which is what I meant.

9 Likes

Thank you for the explanation!
To be clear (the statistics lessons I got were a long time ago and restricted):

On the y axis, we have information about the proportion of nodes in any section. The distribution varies over the entire Network, so the black curve represents the average, the blue and pink curves represent half a standard deviation and a full standard deviation away from the average (to give an idea of the spread).

That is the ‘malicious / total’-proportion of nodes of the mean section? And 1 full standard deviation is the proportion of the ‘34.1%’-th section above and below that, like here?: Standard deviation - Wikipedia

3 Likes

Some thoughts on different Sybil attack preventions, without necessary technical knowledge. :slight_smile:

The solutions below are based on the following restrictions:
No budget, time, knowledge, technical or any other restrictions, everything else equal.
The following should be seen as inspiration and not as technical advice! :joy:

Invitation only up to, example, 200k nodes. Controlled growth up to when the network reaches, example, 200k nodes, similar to how the alpha test networks work.

Dynamic network growth allowance , somewhat in my mind, reverse similar, to Bitcoin halving. In the beginning the network could be restrictive with adding peers as a safety measurement, when network gets older it would be getting closer to zero limit in growth rate. The negative would be that it would limit a network that might need to grow fast in the beginning.

Neighbour overwatch, example every 200 iterations. For every, example 200 work iterations, a neighbour overwatch would occur.

Let’s say that when a section has made, example, 200 work iterations, then they will demand to check some previous work of a neighbour section. The goal would be to give an added security boost without affecting performance too much and also be able to give lower section sizes. In the worst case a malicious actor could disrupt a section for a while but would eventually go bust.

Dynamic proof of stake.
Similar to dynamic network growth, when the network is young it would demand a higher stake of coins, the stake size would reduce as the network gets older.

Keep up the amazing work, you guys are amazing. :slight_smile:

6 Likes

Yes it’s the usual standard deviation as defined by the square root of the variance. The distribution is quite likely to be close to a normal distribution so the rule (empirical rule) you’re referring to probably holds.

3 Likes
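The quantity behind the plot discussed in the two replies above, computed on constructed data (this is an added example, not the simulation code from the post): the malicious/total proportion of every section, its mean across sections, the mean ± 0.5 sd and ± 1 sd bands, and a check of how much of the distribution the ± 1 sd band actually covers. The sample sections are generated here with a Binomial(section_size, p) malicious count per section, which is an assumption for illustration, not the post’s model.

```python
import math
import random


def section_proportions(section_sizes, malicious_counts):
    """Per-section malicious/total proportion: the y-axis quantity on the plot."""
    return [m / n for m, n in zip(malicious_counts, section_sizes)]


def mean(xs):
    return sum(xs) / len(xs)


def std_dev(xs):
    """Population standard deviation: square root of the variance."""
    mu = mean(xs)
    return math.sqrt(sum((x - mu) ** 2 for x in xs) / len(xs))


def bands(xs):
    """The curves on the plot: black = mean, blue = mean +/- 0.5 sd, pink = mean +/- 1 sd."""
    mu, sd = mean(xs), std_dev(xs)
    return {
        "mean": mu,
        "half_sd": (mu - 0.5 * sd, mu + 0.5 * sd),
        "one_sd": (mu - sd, mu + sd),
    }


def fraction_within(xs, k):
    """Share of sections whose proportion lies within k standard deviations of the mean
    (the empirical rule predicts ~0.68 for k=1 and ~0.95 for k=2 if the shape is normal)."""
    mu, sd = mean(xs), std_dev(xs)
    return sum(1 for x in xs if abs(x - mu) <= k * sd) / len(xs)


def constructed_sections(n_sections=2000, section_size=100, p_malicious=0.2, seed=7):
    """Constructed sample: every section has section_size nodes, each malicious with
    probability p_malicious, so the count per section is Binomial(section_size, p_malicious)."""
    rng = random.Random(seed)
    counts = [sum(1 for _ in range(section_size) if rng.random() < p_malicious)
              for _ in range(n_sections)]
    return [section_size] * n_sections, counts


if __name__ == "__main__":
    sizes, counts = constructed_sections()
    props = section_proportions(sizes, counts)
    print(bands(props))
    print("within 1 sd:", fraction_within(props, 1), "within 2 sd:", fraction_within(props, 2))
```

Because the per-section count is an integer, the ± 1 sd band on discrete data covers a little more than the textbook 68%; with real simulation output you would compute the same bands on the proportions the simulation emits and read the spread directly from them.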

Yes the relation between time and work is fuzzy indeed if for example it’s solely defined by churn, what I meant was that such a relationship could however be defined if deemed appropriate (work influenced by time).

3 Likes

Is there a computer science journal somewhere for research and development of communications systems … preferably decentralized communications systems? IMO this sort of effort deserves to be in such a publication. Of course making a more layman variant for medium.com is also a good option.

Thanks for the effort of producing this post/paper Maidsafe team!

3 Likes

I just want to add to the discussion that a malicious actor that has unlimited resources and IQ with the system of “when there is need for more storage we accept nodes” may buy PUTS and upload junk so the available storage of the safe network gets lower + if it’s a work thing that a node gets age then he may make a private website with the junk where he “accesses” (or downloads) the junk data from other computers and accounts, that the malicious actor uploaded, so his nodes age + more of his nodes get approved + those with the same tactic get aged = result: one malicious actor with unlimited resources can early on get many nodes on the safe network, those will age and become elders

so in this scenario a malicious actor may hold 2/3rds of the elders.

My question though is what can he do if he gets that many elders? Can I have an answer? I opened a thread looking for an answer about what if someone owns 2/3rds or even 99% of elders.

Then we are all doomed no matter what!

3 Likes

The probability of this happening would, IMO, be many times that of me winning the lottery. Possible but improbable.

The more realistic threat would be injection of “bugs” into the code base or broken crypto algorithms (as history has shown the NSA (and GCHQ) are no strangers to those tricks). This is what we need to watch; mass takeover is expensive, obvious and possibly in due course even in contravention of international law, who knows? But it would be just a very expensive vandalism attack as the network is dead, as bitcoin et al would be too.

So reproducible builds, great code reviews and more are vital and a more likely attack surface. The likely attack from major agencies will be silent where they manage some way to de-anonymize or decrypt traffic and just use such a decentralised network as a huge spying tool.

17 Likes