Generally, cyber-attacks usually bank on loopholes or vulnerabilities in the security architecture of an ecosystem. Attackers sometimes aim to prove the vulnerabilities in the security of the victims or steal vital information to blackmail victims. What is prominent to most cyber-attacks is that they are usually mounted for financial gains.
Blockchain technology is a novel technology that is used to record on-chain transactions in blocks that are concatenated after being verified by miners. Due to its DLT–Decentralized/Distributed ledger Technology—feature, the technology has been widely adopted and utilized by several industries, including finance, healthcare, and logistics. The financial use case of the blockchain brought it to the limelight, which in turn makes it a subject of numerous attacks theoretically.
The blockchain is undoubtedly a highly secure network that's almost impossible to attack successfully. This is due to the organic security framework of the technology that secures the network with mining activities. As miners validate transactions on blockchain networks using their hash rate—computing power—the security framework keeps getting robust, making it harder to be susceptible to attacks.
The more miners participate in a blockchain, the more secure it becomes because blockchain security is proportionate to the amount of hash rate expended on it. This is why the security of blockchains grows organically.
Before diving into the Eclipse attack, let's briefly examine a few terms
A Sybil attack emanates from catfishing. In the blockchain, it involves an attacker operating various nodes to overpower and centralize a blockchain network. The attacker utilizes the various nodes in his control to alter data sent or received on the network
A botnet is a network of internet-connected devices that have been infected with malware which allows an attacker to control the collection of the devices in the network remotely. Also termed "Robot network," it is usually employed by a single attacker to create multiple blockchain nodes to disrupt a blockchain network. A botnet may include servers, PCs, and mobile devices.
A DoS—Denial of Service—attack is a scheme that prevents authorized users from accessing a particular network. It is accomplished by sending malicious requests that cause the victim's resource to malfunction or crash altogether. It can also be carried out by flooding the victim's resources with a tremendous traffic volume.
DDoS—Distributed Denial of Service—attack is when a single source faces a DoS attack from multiple malicious machines. It is more harmful than DoS because attacks come from several sources to a single resource.
The endemic attack of the blockchain technology is the 51% attack which occurs when a single node controls a 51% hash rate of a particular blockchain. This 51% attack is liable to disrupt the mining activities of such blockchain, which can also facilitate double-spending directly or indirectly. Like many other attacks, the 51% attack is almost impossible due to the financial commitment involved. Due to this impossibility, attackers have sought to employ other lesser attacks to achieve or launch a 51% attack. One of these attacks is the "Eclipse Attack."
An eclipse attack can be regarded as a subjective and lesser blockchain attack where a particular node is isolated within the P2P network for such an attack. The attacker obfuscates the isolated node from viewing the legitimate P2P network and starts interacting with the target's node. Inbound connections from other nodes and outbound connections of the target are hindered and redirected to the attacker's nodes. It is called an eclipse attack because the attacker overshadows the target's connection with faux data about the blockchain.
All nodes in a blockchain network are not directly connected; instead, they are interconnected, leaving them to connect with limited neighboring nodes. This makes it possible for an attacker to single out a node from the entire network. Before isolating a node, the attacker would have been in control of malicious nodes that will be connected to the isolated node. These malicious nodes are usually gotten or controlled by the attacker via the Sybil attack or botnet.
The attacker then overwhelms the victim with the IP addresses of the malicious nodes waiting for the victim to connect. The need for waiting is because the victim was previously connected to legitimate network nodes; the attacker either waits for the victim to restart their software or forces the victim to do so by launching a DDoS attack.
Once the victim restarts their software, in his attempt to reconnect to the network, he falls victim by reconnecting to the malicious nodes with which the victim has been flooded. The malicious nodes are already laying ambush for the victim's node, so the victim easily falls into the web of these malicious nodes leaving the victim at the mercy of these malicious nodes. The victim is now cut off from viewing the broad network and, as such, can be fed with selective or filtered data or even wrong data by the attacker.
Effects of Eclipse Attack
Block Race In a block race, two miners find a block at the same time; only one will definitely be added to the blockchain while the other is ignored. The ignored block is termed an "orphan block," and the miner that finds it will not get any block reward.
An attacker that overshadows multiple miners can cause a block race by hoarding the blocks found by victims and releasing blocks to both the eclipsed and non-eclipsed nodes when a competing block has been discovered. So the eclipsed nodes will just be wasting their computing power.
Selfish Mining Selfish
Mining is a deceptive mining scheme where a miner or group of miners solves a cryptographic puzzle to open a new block and refuses to publish the block on the public blockchain for others. With selfish mining, the attacker can withhold blocks since the eclipsed nodes are under the attacker's control. He can do this to earn more than his share of block rewards. Two factors control selfish mining by the attacker:
-The hash rate of the attacker.
-The hash rate of honest miners that mines on the attacker's blocks during the block race.
Attackers can fool the victim into wasting their time and computing power to mine orphan blocks that are excluded from the official blockchain. This can be done by the attacker concealing that an eclipsed miner has mined a block. With this, the attacker can boost their hash rate and influence the block-mining contest in their favor.
A 51% attack is an endemic blockchain attack that happens when a node has or controls a 51% hash rate on a blockchain network. Since an eclipsed miner is effectively shut out of the legitimate chain, attackers may simultaneously conduct eclipse attacks on several miners in a network to lower the threshold necessary to achieve a successful 51% attack on the network. A 51% attack leads to double-spending attacks.
A zero-confirmation transaction is a transaction that has been initiated but hasn't been confirmed or recorded on the blockchain. Such transaction is not part of the blockchain until miners confirm it on the blockchain though it might be broadcasted. Double spending due to this is termed 0-confirmation double-spending.
Imagine an NFT broker whose node has been eclipsed by an attacker if the attacker bought NFT from this broker and initiated a transaction. The transaction is broadcasted but not confirmed yet; the broker then releases the NFT hoping the payment will come through. Unfortunately, the transaction wasn't broadcasted. The attacker only publishes the transaction to the victim's node, not to the honest nodes on the network. While the transaction hangs, the attacker will now spend the same digital currency on the legitimate network, where it will be admitted into a block. So if the previous transaction is received, it will be rejected because the asset has been spent.
This is similar to the zero-confirmation double-spend, but here, the attacker eclipses the broker's node and miners' nodes. The attacker makes a payment, which is confirmed by the eclipsed nodes and added to the blockchain. Unknown to them, the miners' have been cut off from the legitimate blockchain. So, when they re-join the legitimate network, the block they've previously mined while eclipsed will be orphaned by the original network.
How to Extenuate the Possibilities of Eclipse Attack
Random selection of nodes: This will reduce the chances of connecting to nodes controlled by attackers whenever nodes want to sync to the network
Increase Number of Node connections: If the number of node-to-node connections is increased, it'll also reduce the chances of an eclipse attack. Although, this may have a fallback on the network's efficiency.
Whitelisting of miners' nodes to restrict strange nodes.
Conclusion An Eclipse attack might be rare, but it is dangerous if not pre-empt. Ordinarily, it may seem simple since it involves just a single node amongst several nodes on the blockchain. Still, if the attack degenerates into a Sybil attack or a more sophisticated attack, it is no longer an ordinary attack. An eclipse attack can also be a stepping stone for a more deadly attack on a network; this is why it should be forestalled from happening.