Eclipsing Ethereum Peers with False Friends

TL;DR

This paper identifies a vulnerability in Geth's peer discovery mechanism that allows eclipse attacks with minimal resources, leading to potential manipulation of the Ethereum network view.

Contribution

The paper uncovers a new eclipse attack exploiting Geth's peer discovery, and details the implementation and integration of effective countermeasures into Geth v1.9.0.

Findings

Geth's peer discovery logic is vulnerable to eclipse attacks.

A low-resource attack can eclipse long-running Ethereum nodes.

Countermeasures were successfully implemented in Geth v1.9.0.

Abstract

Ethereum is a decentralized Blockchain system that supports the execution of Turing-complete smart contracts. Although the security of the Ethereum ecosystem has been studied in the past, the network layer has been mostly neglected. We show that Go Ethereum (Geth), the most widely used Ethereum implementation, is vulnerable to eclipse attacks, effectively circumventing recently introduced (Geth v1.8.0) security enhancements. We responsibly disclosed the vulnerability to core Ethereum developers; the corresponding countermeasures to our attack where incorporated into the v1.9.0 release of Geth. Our false friends attack exploits the Kademlia-inspired peer discovery logic used by Geth and enables a low-resource eclipsing of long-running, remote victim nodes. An adversary only needs two hosts in distinct /24 subnets to launch the eclipse, which can then be leveraged to filter the victim's view of the Blockchain. We discuss fundamental properties of Geth's node discovery logic that enable the false friends attack, as well as proposed and implemented countermeasures.