[Bitcoin-development] Anti DoS for tx replacement
pete at petertodd.org
Tue Apr 16 18:43:56 UTC 2013
Post tge malicious miners and other bits so we can evaluate the system as a whole.
Mike Hearn <mike at plan99.net> wrote:
>This was previously discussed on the forums a bunch of times, but in
>BTW, I don't think all this has to be solved to re-activate replacement
>testnet. It's useful for people to be able to develop apps that use
>feature, indeed, it helps build the case for re-activating it on the
>network after the necessary work is done. Otherwise there'll inevitably
>people who say "why re-activate something even though we think it's
>when there are no use cases for it". Letting people develop and deploy
>interesting prototypes in parallel solves that catch-22.
>Refresher: since the first release Bitcoin has had the ability to
>transactions that sit in the memory pool if the transaction is
>the inputs are the same and the replacement is newer than the replacee.
>Being non-final means not having reached the nLockTime threshold, and
>having at least one input with a sequence number < UINT_MAX. Around the
>time of the bugs in various opcodes being found, Satoshi disabled the
>feature because nothing was using it - it was something he'd planned
>the future, it had no utility in the Bitcoin of 2010.
>The purpose of tx replacement is to implement high frequency trading,
>according to material Satoshi sent me when I asked him what it was all
>(I wanted to know why sequence numbers were a property of inputs not
>It's very important to understand that this does *NOT* mean
>from the networks perspective. In normal operation, tx replacement is
>actually intended to be used at all. Sort of like double-spending
>protection, it's a code path that's only meant to be triggered when one
>the other party is maliciously trying to roll back a negotiated
>And when a party is trying to do that, you don't need lots of
>A single replacement is enough.
>To see why this is the case please review the micropayment channel
>This isn't the only use of contractual HFT in Bitcoin, it's a
>simplified and stripped down example (eg, that only uses two parties).
>example Satoshi gave me was more abstract and actually had N parties in
>- it left me puzzled for a while and struggling to see practical
>application. The "billing for a metered resource" use case is easier to
>Now the obvious problem is that even though the feature is only
>be used occasionally or never, nothing in the existing code stops you
>it as fast as possible and exhausting nodes CPU time and bandwidth.
>What's more, solving this is not as easy as it looks. Most proposed
>solutions will not work:
>1) Requiring higher fees for each replacement means that a
>has to be torn down and rebuilt much, much faster than before because
>otherwise the amount of money lost to fees quickly becomes the entire
>of the channel (or you can't update it very often). Remember, you'd
>increase the fee for each replacement regardless of whether it's
>to the network or not. As the whole point of the setup is to avoid
>lots of transactions on the network, anything that pushes you back
>doing that undermines the entire utility of the system.
>2) Refusing to update the transaction after certain thresholds are
>having cooldown periods, etc also won't work because the replacement
>mechanism is there to protect each counter-party in the HFT contract.
>Simply converting a DoS on the network to a DoS on the participants
>one malicious party can break the mechanism that protects all the
>broadcasting the initial set of updates all at once and deliberately
>tripping the thresholds.
>OK, let's take a step back. What is the purpose of abusing this
>It's to mount a denial of service attack - either against the entire
>Bitcoin network, or against the other participants in the contract. But
>someone, somewhere has to be denied service, otherwise the attack is
>We can exploit this fact by realising that typically anti-DoS is a
>prioritisation problem. It doesn't usually matter if you serve some
>traffic if all legitimate traffic gets served first because it removes
>denial of service from the attack, and usually there are lots of ways
>attack someone with methods that don't work - real world experience
>indicates that people don't pointlessly mount attacks over and over
>if there's nothing to be gained by doing so.
>So we can do the following - multi-thread verification of transactions
>are trying to enter the memory pool, and order them such that high
>transactions are verified first, low priority next, and then
>of transactions sorted by age of last replacement. Same thing for
>- faced with getdatas, service the new transactions first, replacements
>with whatever is left over. Drop whatever doesn't make it into the
>Handling DoS as a prioritisation problem has a number of advantages,
>obviously not introducing new hard coded magic numbers that may or may
>stay up to date with changing conditions.
>This setup means someone can force CPU/bandwidth usage to whatever the
>operators have configured as their max allowed across the network for a
>while, but doing so won't actually disrupt normal transactions. It'll
>result in the replacements getting dropped. It slightly increases the
>of a malicious counter-party in an HFT contract trying to take
>the saturation to themselves execute an attack on the contract, but I
>it'd be a problem in practice - you'd need to write your software to
>able to perform such an attack, most of the time it wouldn't work, and
>people saturate the network with low priority easily dropped
>so that it would work then nodes/apps could just warn users not to take
>advantage of the feature whilst the flood is in progress.
>I know that some people will object to such a design on principle, but
>think this is a good balance - the only attacks that exist aren't
>profitable and the worst case outcome in the face of continual
>abuse is we switch the feature off and end up no worse off than today.
>I haven't touched on the topic of cartels of malicious miners or other
>topics, just DoS. This email is long enough already and handling
>miners (if necessary) can be done at the application protocol level, it
>doesn't need any changes to the core tx replacement / locktime
>Precog is a next-generation analytics platform capable of advanced
>analytics on semi-structured data. The platform includes APIs for
>apps and a phenomenal toolset for data science. Developers can use
>our toolset for easy data analysis & visualization. Get a free account!
>Bitcoin-development mailing list
>Bitcoin-development at lists.sourceforge.net
More information about the bitcoin-dev