I've heard that a bitcoin node with only Tor connections is "trivial" to eclipse attack and that such nodes should maintain at least one (or more?) clearnet connections in addition. What is it about Tor that makes eclipse attacks trivial?
3 Answers
There is a good summary of this problem on the BIP324 website:
> Proxy networks like Tor or I2P introduce a separate address space, independent from network topology, with a very low cost per address making eclipse attacks cheaper. In comparison, clearnet IPv4 and IPv6 networks make obtaining multiple network identities in distinct, well-known network partitions carry a non-trivial cost.

There is also a paper titled "Bitcoin Over Tor Isn’t a Good Idea" that goes into much more detail.
- Sorry, this answer reminds me of some Q and A that posted with only links. These points are irrelevant but I know how this site works. – Nov 28 '22 at 18:02
- @1440000bytes I am not sure I understand your comment, can you elaborate? – Vojtěch Strnad Nov 28 '22 at 18:19
- Moderators and their colleagues would understand and nothing against you :) – Nov 28 '22 at 18:28
- I assume that @1440000bytes means to say this post qualifies as a link-only answer. It does not, though, because Vojtěch included the relevant parts of the linked source and thus the post answers the question by itself even if the link stopped working eventually.—Have an upvote. – Murch Nov 28 '22 at 18:42
- @Murch I am not surprised and keep this in mind for future :) – Nov 28 '22 at 18:48
- I'm not sure whether this is a request to elaborate, but a post that concisely answers the question and links to further pertinent resources is supremely helpful. Less useful posts would e.g. only consist of a link without answering the question, provide a copious medley of tangentially related information widely circling the question without addressing it specifically, or link to a ragbag of peripherally related information that the interested reader first has to sift through to learn anything about the topic at hand.—Sometimes, less is more. Hope that helped. – Murch Nov 28 '22 at 19:33
- Less is more (did not work): https://bitcoin.stackexchange.com/revisions/114795/1, More info (did not work): https://bitcoin.stackexchange.com/revisions/113070/2 It's the bias and you are human even if involved in bitcoin from long and know more than me. Moderation is a different ball game and I have done better on darknet forums. – Nov 28 '22 at 19:41
- I don't think those situations are particularly alike, and I have already explained above some of the key differences. Given the results of the respective posts, I do not think my assessment for either are outliers. – Murch Nov 28 '22 at 19:59
- Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/140915/discussion-between-murch-and-1440000bytes). – Murch Nov 28 '22 at 20:43

Connecting to the bitcoin network over Tor to make transactions as a user is a good practice (this is important to mention in case casual users misunderstand your question).
Running a full bitcoin node exclusively over Tor can lead to an eclipse attack performed by an adversary that controls enough Tor nodes.
This problem is not exclusive to Tor, and occurs in any scenario where an adversary controls a significant portion of the network (such as in countries where internet access is tightly controlled by the government).
> What is it about Tor that makes eclipse attacks trivial?

It's not exactly trivial. The "Bitcoin Over Tor Isn’t a Good Idea" paper estimated that to get a 7% chance to perform an attack, it would cost 2500 USD per month. The cost is possibly higher today.
This type of attack can only be performed (at high probability) by entities with large financial resources, such as governments.
Avoiding eclipse attacks is not hard. Make sure that you:
- Connect to a diverse / trusted list of nodes or
- Connect over multiple different networks (for example, you can also use I2P or the clearnet)

- It is easier to get lots of onion addresses compared to IP
- An attacker with a lot of Tor nodes could result in all outgoing connections with the attacker for some nodes using `onlynet=onion`
- Tor nodes might not be able to see some transactions and blocks if too many nodes use `onlynet=onion`, making it difficult for onion nodes to connect with clearnet nodes.

Note: Trusted onion peers added with `addnode` could help, and eclipse attacks are difficult as long as some nodes in the network connect to onion and IPv4 peers.
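
The peer-diversity advice in the answers above can be checked on a running node. The following is an added example, not part of any answer: it counts outbound peers per network from `getpeerinfo`-shaped JSON and flags a node whose outbound peers all sit on one network. The peer records are constructed and the findings policy is an assumption for illustration; `network`, `inbound` and `connection_type` are fields reported by Bitcoin Core's `getpeerinfo` RPC.

```python
import json
from collections import Counter

# Constructed sample, shaped like `bitcoin-cli getpeerinfo` output (fields trimmed).
SAMPLE_PEERS = json.loads("""[
  {"id": 0, "network": "onion", "inbound": false, "connection_type": "outbound-full-relay"},
  {"id": 1, "network": "onion", "inbound": false, "connection_type": "outbound-full-relay"},
  {"id": 2, "network": "onion", "inbound": false, "connection_type": "block-relay-only"},
  {"id": 3, "network": "ipv4",  "inbound": true,  "connection_type": "inbound"}
]""")


def audit_outbound(peers):
    """Count outbound peers per network and list diversity findings."""
    # Inbound peers are chosen by the remote side, so only outbound ones count here.
    outbound = [p for p in peers if not p.get("inbound", False)]
    by_network = Counter(p.get("network", "unknown") for p in outbound)
    # Peers added with addnode are reported with connection_type "manual".
    manual = sum(1 for p in outbound if p.get("connection_type") == "manual")

    findings = []  # illustrative policy (an assumption, not a Bitcoin Core rule)
    if not outbound:
        findings.append("no outbound peers")
    elif len(by_network) == 1:
        only = next(iter(by_network))
        findings.append(f"all {len(outbound)} outbound peers are on '{only}'")
        if manual == 0:
            findings.append("no manually added (addnode) peers")
    return {"by_network": dict(by_network), "manual": manual, "findings": findings}


if __name__ == "__main__":
    # Onion-only outbound set: both findings are reported.
    print(audit_outbound(SAMPLE_PEERS))
    # Same node with one clearnet outbound peer added: no findings.
    mixed = SAMPLE_PEERS + [
        {"id": 4, "network": "ipv4", "inbound": False,
         "connection_type": "outbound-full-relay"}
    ]
    print(audit_outbound(mixed))
```

To run it against a live node, save the output of `bitcoin-cli getpeerinfo` to a file and pass the parsed JSON list to `audit_outbound`.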