Globe Internet traffic

Despite being a highly decentralized peer-to-peer network, the Bitcoin ecosystem is vulnerable to one of the most basic and widespread Internet attacks today — BGP hijacks, which is the act of falsely advertising to nearby ISPs/routers that an IP is found on your network, or it can be reached faster through your servers.

This type of attacks have caused immense problems to many Internet Service Providers during the past decades, but BGP, or the Border Gateway Protocol, remains one of the cornerstones of Internet routing.

BGP hijacks  — an ancient Internet problem

Most ISPs today are well aware of the problems with BGP,  already being highlighted and discussed in 2012, after the Department of Homeland Security issued a report on the topic, and in 2014 and 2015, through a series of reports by Dyn. Despite this, little progress has been made to find or develop a better solution.

A BGP hijack attack has serious consequences, as a rogue ISP could tell other ISPs that it’s the home of sensitive services, sniffing or altering traffic it wouldn’t normally handle.

For example, just last week, Rostelecom, a state-operated Russian ISP had hijacked the BGP routes for several financial services. The purpose? Currently unknown, as the company declined to comment the incident.

Similarly, in 2008, Pakistani ISPs hijacked YouTube’s BGP routes, redirecting the entire YouTube traffic through local servers, before Google intervened 9 hours later and resolved the problem.

In late 2015, Doug Madory, Director of Internet Analysis at Dyn Inc. revealed that some threat actors were using BGP hijacks as DDoS cannons, rerouting Internet traffic from larger networks to small ISPs, crashing their servers.

Topology of Bitcoin network helps BGP hijackers

In a study released last week, three researchers from universities in Israel and the Switzerland presented two scenarios where BGP hijacks could be leveraged to damage the Bitcoin network. The end result is that these attacks could reduce mining revenue, render the Bitcoin network susceptible to “double spending,” or prevent users from performing Bitcoin transactions.

They say this is possible because the Bitcoin network, despite counting thousands of nodes, is largely hosted on a small number of ISPs (networks, Autonomous Systems — AS). For example, 13 ISPs host 30% of the entire Bitcoin network, while 39 ISPs host 50% of the whole Bitcoin mining power.

Furthermore, most of the traffic exchanged between Bitcoin nodes passes through a small number of ISPs. In exact numbers, just three ISPs handle 60% of all Bitcoin traffic, right now.

“Together, these two characteristics make it relatively easy for a malicious ISP to intercept a lot of Bitcoin traffic,” researchers say.

Partition attack

The first attack the team described is called a “partition attack.” This type of attack involves a rogue ISP advertising fake routes for half the Bitcoin network while dropping the rest. This allows the attacker to split the network into two sections and carry out malicious operations in his sector.

These attacks can be used to sneakily siphon off some of the mining proceeds into an attacker’s account.

As we mentioned before, because just 39 ISPs handle 50% of the entire Bitcoin mining power, such an attack would be extremely effective if ever carried out, even if some Bitcoin nodes support multihoming.

Partition attack

Delay attack

The second attack isn’t as intrusive or dangerous as the first. Called a “delay attack,” its purpose is to delay the delivery of a Bitcoin mining block up to 20 minutes.

“The impact of this attack varies depending on the victim. If the victim is a merchant, it is susceptible to double spending attacks. If it is a miner, the attack wastes its computational power,” researchers explain.

Delay attack

Bitcoin network is already seeing BGP hijacks

With its highly precious cargo, the Bitcoin network is handling content as sensitive and important as the one handled by the world’s largest financial institutions. For its part, the Bitcoin network sees its fair share of BGP hijack attacks.

Based on statistical data, researchers say they’ve found that around 100 Bitcoin nodes are the victims of BGP hijacks each month, with the largest number of BGP hijacks happening in November 2015, when 8% of the entire Bitcoin nodes (447 at the time) were the victims of such incidents.

Albeit they are not the first to do so, researchers have taken the time to propose both short-term and long-term countermeasures to address the issue of BGP hijacking, some of which are easily deployable today. It’s now up to Internet backbone operators to move forward with any of their suggestions.

The research team’s paper, titled Hijacking Bitcoin: Routing Attacks on Cryptocurrencies, will be presented at the 38th IEEE Symposium on Security and Privacy that will be held in San Jose, USA, between May 22 and 24.