[Lightning-dev] Mitigations for loop attacks

ZmnSCPxj ZmnSCPxj at protonmail.com
Wed May 9 07:31:56 UTC 2018


Good morning Rusty, Jim, and list,

> I can destroy your node's reputation by routing crap through you; even
> if it costs me marginally more reputation than it does you, that just
> means that the largest players can force failure upon smaller players,
> centralizing the network.

My understanding of the proposal was that reputation loss would occur only if the reply (`update_htlc_fail` or `update_htlc_success`) is delayed; this means that for you to force me to lose reputation, you need to somehow make me delay my reply.  In particular if you do simple things like give me an invalid onion, or make me forward to a payee who does not know the preimage, I do not lose reputation by replying very quickly with an `update_htlc_fail`.

Of course, a large player could force reputation loss by delaying reply when they receive, and having patsy nodes route to them.  So for instance if it is Jim -> ZmnSCPxj -> Rusty, and Rusty activates the Blockstream-takes-over-the-world Apocalypse program, the Rusty node would then delay for a long time before replying, which makes my reputation suffer.  But it also makes Rusty's reputation suffer even more and my reaction would be that, the next time Jim hands me an HTLC that forwards to Rusty, I would instead quickly `update_htlc_fail` back to Jim (which does not lose me significant reputation due to my quick response) rather than risk forwarding it to you, since you have a reputation for being slow and unresponsive.

Indeed, another aspect of Jim's proposal is that it is extremely local: if Jim has no channel to Rusty, then Jim has no opinion about Rusty, only about ZmnSCPxj.  However, ZmnSCPxj does have an opinion about Rusty, as ZmnSCPxj has a channel with Rusty.  If I suffer too much reputation loss due to Rusty, my opinion of Rusty drops even faster, and I decide to `update_htlc_fail` in order to prevent Jim's opinion of me from dropping so much that Jim decides not to forward to me (if I have other channels with more reasonable nodes).

But it also looks more and more like a policy of "just `update_htlc_fail`" keeps our reputation high: indeed never accepting a forwarding attempt would ensure reputation.

However, earning via fees should help provide incentive against "Just `update_htlc_fail`" always.  If the goal is "how do I earn money fastest" then there is some optimal threshold of risk-of-reputation-loss vs. fee-earnings-if-I-forward that is unlikely to be near the "Just fail it" spectrum, but somewhere in between.  We hope.

> And I think trying to ensure that it costs me
> more reputation than the sum of downstream reputation loss leaks too
> much information

Yes, this is a major drawback of the proposal.  The rate at which the sender of the HTLC threatens me with reputation loss lets me estimate my distance from the ultimate sender of the funds.

Regards,
ZmnSCPxj

