What is a Sybil Attack?
Decentralized networks are susceptible to a wide range of attacks by malicious actors. Following on from our series on the various consensus algorithms, we will now examine the various vulnerabilities of decentralized networks and analyze how DLTs seek to mitigate them.
One such attack is known as the ‘Sybil attack’, where a malicious actor takes over a majority of nodes on the network and can therefore control it. This form of attack is a problem any decentralized and permissionless peer-to-peer network must guard against, including the likes of BitTorrent as well as DLTs.
The important nuance here is ‘permissionless’, as DLTs can be both permissioned (such as Hyperledger) and permissionless (such as Bitcoin and Ethereum). A permissioned network is a closed system in which all users are known and are approved for access to the network. As a result, they are commonly utilised for enterprise, where the ability to limit user access and rights is beneficial.
In contrast, a permissionless network allows any user to join the network with no imposition placed upon them. This causes an issue. If left unchecked, it would allow a malicious actor to generate identities on a large scale to take over the network by virtue of controlling most of the operating users/nodes.
These multiple identities might appear as different users but in reality would be under the control of a single party. Once they generate enough identities, they end up with a controlling influence over the network without the other users even realizing. This is the basis of a Sybil attack, and it opens up a host of potential attack vectors such as:
- An attacker blocking transactions from other parties, as the attacker controls the nodes that other nodes are connected to
- Breaking private transactions, as the attacker controls most of the nodes and can therefore tell how these transactions are being routed and where they are originating from
- The dominant actor only transmitting the blocks they have created, which would put others on a separate network (and therefore vulnerable to double-spend attacks)
In a permissioned environment, Sybil attacks are easy to prevent; a centralized authority can verify each user and authorize (or reject) them to join the network. They might do this by limiting the number of users per IP address or by asking users to sign in with individual profiles (requiring unique email addresses, tied to a specific domain, for instance).
A permissionless DLT does not have this luxury – no-one can stop you from joining the Bitcoin network – and must therefore put in place systems to prevent Sybil attacks.
DLTs have been able to overcome this attack vector through the consensus algorithms they employ, which prevent a malicious actor from simply creating many identities to take control of the network. PoW is one means through which this is achieved, with users only able to mine blocks in proportion to their computing power. As such, an actor who created 1 million separate ‘users’ on Bitcoin would find each instance only possessing 1/1000000th of their original computing power. It is not the number of users that counts in Bitcoin mining; it is the total processing power available.
PoS acts similarly, with users having to stake the token of the network in question to be able to generate new blocks. A malicious actor could not just create millions of users and take over the network as they would not have the asset backing to be able to do anything with these empty puppets.
There are other consensus algorithms, but they follow a common theme. They require participating users to spend, use, stake, vote or otherwise provide proof that the user has expended a resource deemed valuable in order to generate new blocks or transactions. This is what limits bad actors from flooding and taking over the network.
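The following Python sketch is an added example, not part of the original article. It models the point made above about PoW and PoS: the same attacker splits a fixed resource across more and more identities, and its share of control is compared under identity counting versus resource weighting. The network size, resource units and function names are constructed assumptions.

```python
import random
from fractions import Fraction

def identities(owner, resource, count):
    """Split one party's resource evenly across `count` identities."""
    return [(f"{owner}-{i}", owner, Fraction(resource, count)) for i in range(count)]

def build_network(sybil_count):
    # Constructed sample: 90 honest parties with 1 unit of resource each,
    # and one attacker holding 10 units spread over `sybil_count` identities.
    nodes = []
    for i in range(90):
        nodes += identities(f"honest{i}", 1, 1)
    return nodes + identities("attacker", 10, sybil_count)

def control_share(nodes, owner, weighted):
    """Exact share of influence held by `owner`.
    weighted=False counts identities; weighted=True counts resource."""
    def weight(node):
        return node[2] if weighted else Fraction(1)
    total = sum(weight(n) for n in nodes)
    return sum(weight(n) for n in nodes if n[1] == owner) / total

def simulate_blocks(nodes, owner, rounds, seed=1):
    """Resource-weighted lottery: fraction of `rounds` blocks won by `owner`."""
    rng = random.Random(seed)
    winners = rng.choices(nodes, weights=[float(n[2]) for n in nodes], k=rounds)
    return sum(1 for w in winners if w[1] == owner) / rounds

if __name__ == "__main__":
    # Columns: identities created, identity-counted share,
    # resource-weighted share, simulated share of blocks won.
    for count in (1, 100, 10_000):
        net = build_network(count)
        print(count,
              float(control_share(net, "attacker", weighted=False)),
              float(control_share(net, "attacker", weighted=True)),
              simulate_blocks(net, "attacker", rounds=20_000))
```

Under identity counting the attacker's share climbs towards 100% as identities are added, while the resource-weighted share and the simulated block share stay at the 10% of the resource the attacker actually holds.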
While DLTs can prevent Sybil attacks, they are not built to detect them, and vulnerabilities remain. One of the most obvious issues surrounds initial distribution, particularly with PoS and DPoS consensus algorithms. A project could set up multiple pretend buyers, enough to outnumber all other buyers, and purchase the majority of the token supply under numerous different accounts. Once the network launches, said team would possess most of the identities on the network without the wider user base knowing. The network would therefore be vulnerable to various majority attacks.
Additionally, being able to prevent Sybil attacks does not mean the network is immune to other forms of assault. For example, while preventing Sybil attacks protects the network as a whole, it does not prevent individual nodes on the network from being isolated from the ‘real’ network without their knowledge. This can cause a multitude of issues for the victim as they become solely connected to a malicious actor who is then able to exploit their vulnerable state in what is known as an Eclipse attack.