
How Is Cardano Protected From DDoS Attacks?

Published 28.11.2023

DDoS attacks are a significant threat to online services. The main objective of the attacks is to make a service unavailable. Cardano can be seen as an online service. It provides a platform for executing smart contracts, transferring funds, and other functionalities over the Internet. Like any online service, it could theoretically be targeted by a DDoS attack. However, due to its decentralized nature and the security measures in place, it is much more resilient to such attacks than traditional centralized online services. Read about how resistant Cardano is to DDoS attacks.

What is a DDoS attack?

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a network, service, or server by overwhelming it with a flood of internet traffic. In the context of a blockchain, this is also called spamming the network. Attackers (spammers) try to generate traffic, for example transactions, that looks like normal user traffic, so that spam transactions are mixed in with user transactions.

In this article, the term spam refers to the attacker's transactions, not to spam email.

These attacks work by utilizing multiple compromised computer systems (a botnet) as sources of attack traffic. Compromised machines can include computers and other networked resources such as IoT devices. When a victim's server is targeted, each bot sends a huge number of requests to the target's IP address, potentially overwhelming the server and denying service to normal traffic.

Servers are sized for a certain amount of traffic. Spam traffic increases the load dramatically and suddenly.

So, the main objective of a DDoS attack is to make a service (temporarily) unavailable. This is typically achieved by exhausting the targeted server's resources, forcing it to restart, or saturating its network link so that the server is effectively isolated.

Spam traffic consumes resources just like regular traffic, but the server does not have the resources to serve both.

DDoS attacks can cause serious disruptions to online services. During an ongoing attack, users are unable to use the service in a normal way. The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. This can result in significant financial and reputational damage for businesses.

The need to protect against DDoS attacks is paramount in today's digital age.

The main mechanisms for protecting against DDoS attacks include:

  • Rate Limiting: This involves limiting the number of requests a server will accept within a certain timeframe from a single IP address.
  • Anomaly Detection: By monitoring network traffic and analyzing it for patterns that deviate from the norm, it’s possible to identify potential DDoS attacks.
  • Firewalls and Routers: These can be configured to reject traffic that comes from suspicious IP addresses or contains malicious content.
  • DDoS Mitigation Services: These services can help absorb the flood of requests during a DDoS attack, protecting the target and keeping it online.
  • Intrusion Prevention Systems (IPS): These systems can detect DDoS attacks and other security threats, and then take action to mitigate the threat.
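As an added example (not code from the article), here is the per-source rate limiting from the first bullet, implemented as a token bucket per source IP and replayed over a constructed request log: one normal client sending a request per second and one bot sending ten requests per second. The burst size and refill rate are assumed tuning values, not recommendations.

```python
"""Per-source rate limiting with a token bucket (added example).

Tokens are kept in thousandths so that refilling on millisecond timestamps
uses exact integer arithmetic; the traffic below is constructed."""
from collections import defaultdict


class TokenBucket:
    def __init__(self, capacity, refill_per_sec, now_ms):
        self.capacity_m = capacity * 1000      # milli-tokens
        self.refill_per_sec = refill_per_sec
        self.tokens_m = self.capacity_m        # a new source starts with a full burst
        self.last_ms = now_ms

    def allow(self, now_ms):
        elapsed = max(0, now_ms - self.last_ms)
        # refill_per_sec tokens per 1000 ms == refill_per_sec milli-tokens per ms
        self.tokens_m = min(self.capacity_m, self.tokens_m + elapsed * self.refill_per_sec)
        self.last_ms = now_ms
        if self.tokens_m >= 1000:              # one whole token pays for one request
            self.tokens_m -= 1000
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address (assumed: burst of 10, then 2 requests/s)."""

    def __init__(self, burst=10, per_sec=2):
        self.burst, self.per_sec = burst, per_sec
        self.buckets = {}

    def check(self, src, now_ms):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.burst, self.per_sec, now_ms)
        return bucket.allow(now_ms)


def build_sample_log():
    """Constructed traffic: a normal client at 1 request/s for 30 s and a bot
    at 10 requests/s for 10 s.  Returns (timestamp_ms, source_ip) pairs."""
    normal = [(t * 1000, "198.51.100.7") for t in range(30)]
    bot = [(t * 100, "203.0.113.5") for t in range(100)]
    return sorted(normal + bot)


def replay(log, burst=10, per_sec=2):
    """Run the limiter over the log; returns {src: (allowed, rejected)}."""
    limiter = PerSourceLimiter(burst, per_sec)
    counts = defaultdict(lambda: [0, 0])
    for ts, src in log:
        counts[src][0 if limiter.check(src, ts) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


if __name__ == "__main__":
    for src, (ok, dropped) in replay(build_sample_log()).items():
        print(f"{src}: allowed={ok} rejected={dropped}")
```

The bot gets through with its initial burst plus roughly the sustained rate afterwards (29 of its 100 requests), while the normal client is never throttled. The same structure applies to any per-peer limit; only the key changes, from an IP address to a peer identity.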

If a DDoS attack succeeds, it usually takes a few hours, sometimes days, to mitigate it and make the service available again.

How is Cardano protected against DDoS attacks?

The goal of a DDoS attack on the blockchain can be to slow down or completely stop the processing of transactions and the execution of smart contracts. From the users' point of view, the network (ie the service) would be congested or unavailable.

Similar to a normal DDoS attack targeting a server, in the case of Cardano, an attacker can try to flood the network with transactions (spam transactions). The attacker wants to reach a state where the network will primarily process only spam transactions (which will be valid and a fee will be paid) at the expense of normal user transactions.

Note that the attacker is willing to pay for the transactions (i.e. to invest money in the attack). A node immediately discards invalid transactions and does not diffuse them, so an attempt to flood a node with invalid transactions would have only a minor impact on the network. However, an attacker might be able to crash the node.

Cardano has implemented several measures to mitigate the risks of DDoS attacks. These include transaction fees to prevent spamming the network with a large number of transactions, demand-driven protocols to control the rate of data arriving at each node, and validated forwarding to check transactions before relaying them. The decentralization of the network (mainly the number of nodes) is also a significant factor.

Put simply, Cardano is resistant to DDoS attacks for the following reasons:

  • Decentralization
  • Fees
  • Validation of transactions before their diffusion
  • Every block-producer node sits behind a few relay nodes (more nodes in total, and the block producer itself is shielded)
  • Ability to detect a spam node and disconnect from it

Let's explain some basic defense mechanisms.

In a DDoS attack, the attacker typically overwhelms a single target with a flood of internet traffic.

Cardano is a distributed network composed of a large number of nodes. Cardano does not have a single point of failure. An attacker would need to flood a significant portion of nodes with spam transactions to disrupt the network.

So, the best prevention against DDoS attacks is decentralization. Cardano has roughly 3K pools, and each of them typically runs 2-3 relay nodes. The pools' block-producer nodes are hidden behind the relay nodes. Attacking Cardano is a challenge, as it would be necessary to attack around 10K nodes.

Stake pool operators (SPOs) can configure their nodes for direct interaction with each other. This means that block-producing nodes can connect both to their own (trusted) relay nodes and to relay nodes operated by other SPOs. In other words, SPOs decide which peer nodes to communicate with, and the network configuration can be changed at any time.

If a node is connected to a spam node whose mem-pool holds an abnormal number of spam transactions, the operator can disconnect from it. This can be done by a script with pre-programmed logic.

Attacking one block-producer node effectively means attacking several relay nodes. The block-producer node itself is not publicly visible, not even to the attacker.

If a block-producer node is disconnected from one relay node, it will still remain connected to at least one other relay node. In addition, it is possible to connect to another (honest) relay node. This makes it difficult for an attacker to cripple a node's block production function.

In Cardano, blocks and transactions are diffused in a P2P manner. New transactions are inserted into the mem-pool, a kind of waiting room where they wait to be included in one of the next blocks.

Each node manages its own mem-pool. The contents of mem-pools in the network vary as transactions propagate from one node in a specific location to other nodes in the network.

Now imagine nodes in a distributed network that can have similar transactions in their mem-pools (the order in which the transactions entered the mem-pools may differ). If an attack is launched, the contents of the mem-pools on some nodes may start to vary significantly. In some mem-pools, there will be mainly spam transactions.

Slot leaders are elected randomly, with probability proportional to their stake. The slot leader takes transactions from its own mem-pool and mints a new block. An attacker does not know in advance where in the network the next block will be minted.

Whether the next block contains mostly spam transactions or user transactions depends on where in the network the elected slot leader sits.

If the attack took place only in Europe, European nodes would mint blocks with spam transactions, but blocks with more user transactions would be minted in the rest of the world.

An attack on a Cardano node differs from an attack on a conventional server in several respects.

An attacker cannot simply broadcast many transactions towards a chosen node (as in a normal DDoS attack). Transactions cannot be pushed to nodes; nodes pull transactions from their peers. This, combined with the fact that pool operators decide which peers they connect to, is a strong defense mechanism.

Let us recall that only valid transactions are diffused in the network.

When a user sends a transaction from their wallet, it is first submitted to a node. This is not necessarily a block-producer node (pool); it will most likely be a relay node. The node validates the transaction: valid transactions are inserted into the mem-pool, while invalid transactions are immediately discarded and are not diffused further.

If a peer sends invalid transactions or repeatedly sends the same transaction, the connection to that (relay) node is closed. Before a node relays a transaction, its content is checked against the ledger rules. This mechanism helps prevent a node from flooding the network with a large number of transactions.

If an attacker wants to spam the network, he must first fill the mem-pool of his own node, or alternatively the mem-pool of the node his wallet is connected to. From that node, transactions can be diffused to other nodes, which insert them into their mem-pools if they are valid.

Nodes can detect a spam node and disconnect from it. In effect, nodes apply a strategy similar to a server's rate limiting: each node bounds the rate at which it accepts transactions from every peer. In the Cardano network, it is the nodes that are responsible for the transaction rate.

Cardano's protocols are designed in a demand-driven style: protocol parameters restrict the amount of network resources a node can consume. For each node and each peer connected to that node, the node controls the rate of data arriving, the maximum concurrency, and the amount of outstanding data.

If a node operator modifies their node to send data faster than the protocol bounds allow, the rest of the network will treat it as a spammer. This prevents an adversarial peer from mounting a resource consumption attack: if a peer obeys the protocols, its ability to consume resources at the node is bounded, and if it violates them, it is disconnected. In other words, peer nodes drop the connection to the spam node.
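The demand-driven pull model described in the last few paragraphs (the node asks for a bounded number of transaction IDs and bodies; a peer that pushes unsolicited data, re-offers a transaction or delivers an invalid one is disconnected) can be illustrated with a small simulation. The following is an added example, not code from cardano-node: a simplified model of the mechanism, in which the request window, the toy fee rule and the misbehaving peer types are assumed for illustration. It also covers the invalid- and duplicate-transaction checks described earlier.

```python
"""Pull-based transaction submission with bounded requests (added example).

Simplified model, not the cardano-node implementation: window size, fee
rule and peer behaviours are assumed; all transactions are constructed."""
from collections import namedtuple

Tx = namedtuple("Tx", "txid size fee")

# Assumed minimum-fee rule for the toy validator: a * size + b lovelace.
MIN_FEE_A, MIN_FEE_B = 44, 155_381


def make_tx(n, size=300, fee=None):
    """Constructed transaction; valid unless an explicit (too low) fee is given."""
    return Tx(f"tx{n}", size, MIN_FEE_A * size + MIN_FEE_B if fee is None else fee)


def is_valid(tx):
    return tx.fee >= MIN_FEE_A * tx.size + MIN_FEE_B


class ProtocolViolation(Exception):
    pass


class InboundTxSubmission:
    """The node's side of one peer connection.  The node never accepts data
    it did not ask for: it requests at most `window` IDs, then only the
    bodies it is missing, and disconnects the peer on any rule violation."""

    def __init__(self, mempool, window=4):
        self.mempool = mempool          # shared dict txid -> Tx
        self.window = window
        self.offered = set()            # IDs this peer has already offered
        self.ids_requested = 0
        self.bodies_requested = set()
        self.connected, self.accepted, self.reason = True, 0, None

    def request_ids(self):
        self.ids_requested = self.window
        return self.window

    def receive_ids(self, ids):
        self._require(len(ids) <= self.ids_requested, "more IDs than requested")
        self.ids_requested = 0
        for txid in ids:
            self._require(txid not in self.offered, f"re-offered tx {txid}")
            self.offered.add(txid)
        # Fetch only bodies the mem-pool does not already hold.
        self.bodies_requested = {i for i in ids if i not in self.mempool}
        return sorted(self.bodies_requested)

    def receive_txs(self, txs):
        for tx in txs:
            self._require(tx.txid in self.bodies_requested, f"unsolicited tx {tx.txid}")
            self.bodies_requested.discard(tx.txid)
            self._require(is_valid(tx), f"invalid tx {tx.txid}")
            self.mempool[tx.txid] = tx
            self.accepted += 1

    def _require(self, cond, why):
        if not cond:
            self.connected, self.reason = False, why
            raise ProtocolViolation(why)


class Peer:
    """Remote peer with a queue of transactions and an optional misbehaviour:
    'push' offers twice as many IDs as requested, 'unsolicited' sends an
    extra body nobody asked for; replays and bad fees are data-driven."""

    def __init__(self, txs, misbehave=None):
        self.queue = list(txs)
        self.by_id = {t.txid: t for t in txs}
        self.misbehave = misbehave

    def offer(self, n):
        if self.misbehave == "push":
            n *= 2
        batch, self.queue = self.queue[:n], self.queue[n:]
        return [t.txid for t in batch]

    def bodies(self, ids):
        out = [self.by_id[i] for i in ids]
        if self.misbehave == "unsolicited" and out:
            out.append(make_tx(99))
        return out


def run_session(peer, window=4):
    """Drive the exchange until the peer runs dry or violates a rule."""
    mempool = {}
    node = InboundTxSubmission(mempool, window)
    try:
        while True:
            ids = peer.offer(node.request_ids())
            if not ids:
                break
            node.receive_txs(peer.bodies(node.receive_ids(ids)))
    except ProtocolViolation:
        pass
    return {"connected": node.connected, "reason": node.reason,
            "accepted": node.accepted, "mempool": sorted(mempool)}


if __name__ == "__main__":
    honest = [make_tx(i) for i in range(1, 7)]
    print("honest     ", run_session(Peer(honest)))
    print("push       ", run_session(Peer(honest, "push")))
    print("unsolicited", run_session(Peer(honest, "unsolicited")))
    print("invalid    ", run_session(Peer([make_tx(1), make_tx(2), make_tx(3, fee=0), make_tx(4)])))
    print("replay     ", run_session(Peer([make_tx(i) for i in (1, 2, 3, 4, 1, 5)])))
```

The honest peer delivers all six transactions and stays connected; every other peer is cut off at the first violation, and the amount of work it could impose on the node before that point is bounded by the window.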

So, if an attacker wanted to spam the network from one location, its peers would stop pulling transactions from it. A decentralized network cannot be effectively attacked from a single location.

The next point I will describe is crucial.

It is necessary to attack multiple nodes simultaneously. If an attacker wants to dramatically slow down the network or cause more serious problems, it is necessary to attack almost all nodes at the same time.

Nodes pull transactions from all connected peers, so they insert regular user transactions as well as (valid) spam transactions into their mem-pools. User transactions and spam transactions compete for a place in the mem-pool (which is twice the block size). The mem-pools of attacked nodes will contain spam transactions, while those of non-attacked nodes will contain user transactions.

Depending on who becomes the next slot leader, there will be more spam transactions or user transactions in the block.

If the attacker did not attack all nodes at the same time, he has no chance to prevent user transactions from getting into any of the many mem-pools in the network.

The memory the attacker has to fill is not one mem-pool but essentially the combined capacity of all mem-pools in the network.

A mem-pool holds two blocks' worth of data, so it can be filled with approximately 11 transactions of the maximum size of 16 KB. With the current fee parameters (a per-byte fee plus a fixed fee per transaction), one such transaction costs at least 0.86 ADA, so filling one mem-pool costs at least about 10 ADA.

Cardano consists of roughly 10K nodes, each with a mem-pool of two blocks. Filling all mem-pools with unique transactions at the same time would require about 110K transactions, for which an attacker would pay about 95K ADA in fees.
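The estimate above can be reproduced from the protocol parameters. The following is an added example, not from the article; the parameter values are the mainnet values assumed at the time of writing (a linear fee of 44 lovelace per byte plus 155,381 lovelace per transaction, a 16,384-byte maximum transaction size and a 90,112-byte maximum block body), so the estimate can be re-run after a parameter change. It yields 11 transactions per mem-pool, about 0.88 ADA per maximum-size transaction and about 96K ADA to fill 10K mem-pools, which differs from the article's figures only by rounding of the inputs.

```python
"""Cost of filling Cardano mem-pools with spam (added example).

Parameter values are assumed mainnet values; edit them to recompute."""

LOVELACE_PER_ADA = 1_000_000

# Assumed mainnet protocol parameters (2023).
MIN_FEE_A = 44                 # lovelace per transaction byte
MIN_FEE_B = 155_381            # fixed lovelace per transaction
MAX_TX_SIZE = 16_384           # bytes
MAX_BLOCK_BODY_SIZE = 90_112   # bytes
MEMPOOL_BLOCKS = 2             # mem-pool capacity measured in blocks


def min_fee_lovelace(tx_size):
    """Linear minimum fee: a * size + b."""
    return MIN_FEE_A * tx_size + MIN_FEE_B


def mempool_capacity_bytes():
    return MEMPOOL_BLOCKS * MAX_BLOCK_BODY_SIZE


def txs_per_mempool(tx_size=MAX_TX_SIZE):
    """How many transactions of the given size fit in one mem-pool."""
    return mempool_capacity_bytes() // tx_size


def refill_per_block(tx_size=MAX_TX_SIZE):
    """Transactions of the given size that one full block removes from a
    mem-pool (about half of it, since the mem-pool holds two blocks)."""
    return MAX_BLOCK_BODY_SIZE // tx_size


def fill_cost(nodes, tx_size=MAX_TX_SIZE, unique=True):
    """(transactions, ADA) needed to fill `nodes` mem-pools at one time.

    unique=True:  a distinct spam set per node, so a block minted anywhere
                  clears only that node's share.
    unique=False: one set diffused to every node; far cheaper, but a single
                  block removes its content from every mem-pool holding it."""
    per_node = txs_per_mempool(tx_size)
    txs = per_node * nodes if unique else per_node
    ada = txs * min_fee_lovelace(tx_size) / LOVELACE_PER_ADA
    return txs, round(ada, 2)


if __name__ == "__main__":
    print("fee for a max-size tx (ADA):", min_fee_lovelace(MAX_TX_SIZE) / LOVELACE_PER_ADA)
    print("txs per mem-pool:", txs_per_mempool())
    print("txs cleared per full block:", refill_per_block())
    for nodes in (1, 1_000, 10_000):
        print(f"fill {nodes:>6} mem-pools, unique spam:", fill_cost(nodes))
    print("fill 10000 mem-pools, shared spam:", fill_cost(10_000, unique=False))
```

Running it with a smaller transaction size (for example 300 bytes) shows that filling a mem-pool with many small transactions costs more in total than with a few maximum-size ones, because the fixed per-transaction fee is paid for every one of them.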

If an attacker managed to have spam nodes connected to all (honest) nodes in the network and fill the mem-pools with spam transactions, user transactions would have a hard time getting into the mem-pool. I dare say that in practice it is unrealistic.

I repeat that 110K transactions is the maximum number. In practice, users could observe a network slowdown if an attacker filled some of the mem-pools with spam transactions. The more mem-pools under attack, the slower the network would be.

It may be easier for an attacker to spam only a part of the nodes and hope that the spam transactions are diffused to several mem-pools. He can gradually send another batch of spam transactions over and over again.

Every node prunes its mem-pool each time a new block is adopted: transactions that were included in the block are removed. As already mentioned, each mem-pool can contain different transactions. Importantly, the number of transactions in the mem-pools will tend to decrease gradually if the attacker does not generate new spam transactions.

Nodes do not distinguish between spam transactions and user transactions. As long as they are valid (including the paid fee), they should be processed.

So, transactions that are included in the new block are removed from the mem-pools by all nodes. If the same spam transactions sit in many mem-pools, a single new block removes them from all of those mem-pools at once (a full block frees at most half of a mem-pool, since the mem-pool holds two blocks' worth of transactions).

So, non-unique spam transactions make the attack less effective: the attacker must refill the mem-pools with additional spam transactions more often.
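To see why non-unique spam is cleared faster, here is an added simulation (not from the article) of a toy network of mem-pools: every mem-pool starts full of spam, either the same set diffused to all nodes or a distinct set per node, and a slot leader mints a block that all nodes then prune. The node count, the slot counts and the round-robin leader order are assumed.

```python
"""One block's effect on mem-pools holding shared vs. unique spam (added example).

Toy model with assumed sizes: each mem-pool holds 11 max-size transactions
(two blocks' worth) and a full block carries 5 of them."""

MEMPOOL_SLOTS = 11   # max-size transactions per mem-pool
BLOCK_SLOTS = 5      # max-size transactions per full block


def spam_network(n_nodes, mode):
    """Mem-pools (ordered lists of tx IDs) right after a successful flood."""
    if mode == "shared":
        spam = [f"spam-{i}" for i in range(MEMPOOL_SLOTS)]
        return [list(spam) for _ in range(n_nodes)]
    if mode == "unique":
        return [[f"spam-{n}-{i}" for i in range(MEMPOOL_SLOTS)] for n in range(n_nodes)]
    raise ValueError(f"unknown mode {mode!r}")


def mint_block(mempools, leader):
    """The elected slot leader takes the oldest transactions from its own
    mem-pool; every node then removes the block's transactions."""
    block = set(mempools[leader][:BLOCK_SLOTS])
    for pool in mempools:
        pool[:] = [t for t in pool if t not in block]
    return block


def free_slots(mempools):
    return [MEMPOOL_SLOTS - len(p) for p in mempools]


def simulate(n_nodes=10, mode="shared", leader=0):
    """After one block: (slots freed network-wide, nodes that can now accept a user tx)."""
    pools = spam_network(n_nodes, mode)
    mint_block(pools, leader)
    freed = free_slots(pools)
    return sum(freed), sum(1 for f in freed if f > 0)


def blocks_until_clear(n_nodes=10, mode="shared", max_blocks=10_000):
    """Blocks needed to drain all spam if the attacker stops refilling.
    Assumes leaders rotate round-robin, which is not how slot leadership
    works on the real network but keeps the count deterministic."""
    pools = spam_network(n_nodes, mode)
    for b in range(1, max_blocks + 1):
        mint_block(pools, leader=(b - 1) % n_nodes)
        if all(len(p) == 0 for p in pools):
            return b
    return None


if __name__ == "__main__":
    for mode in ("shared", "unique"):
        print(mode, "after one block:", simulate(10, mode),
              "blocks to drain:", blocks_until_clear(10, mode))
```

With the same spam everywhere, one block opens slots in every mem-pool and three blocks drain the network; with unique spam per node, one block only touches the leader's mem-pool, and the attacker's initial investment keeps user transactions out for far longer, which is exactly why unique spam is so much more expensive to produce.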

In order for the attacker to increase the impact of the attack, he would have to somehow arrange for his transactions to be included in the mem-pool before user transactions (that is, for them to be prioritized). However, this is not an easy task at all. For example, the attacker would have to be geographically as close as possible to the nodes he is attacking (due to network delay).

Operators have the ability to respond to an attack.

Pool operators can easily detect the attack, and it is easy for them to simply empty their mem-pools (a node restart empties its mem-pool). In that case, they increase the chance of user transactions getting into the mem-pool. The attacker would have to resend the spam transactions, which would only cause the network to drop connections to the spam nodes. Pool operators can autonomously decide to disconnect from a spam node or from spam wallets.

It is relatively simple for a network to get rid of spam nodes and to consist of only trusted nodes.

Conclusion

In order for a spam attack to be successful, the attacker would need to have access to all mem-pools of the network equally and instantly. This is difficult to achieve in practice. I can imagine that an attacker might be able to slow down the network. Alternatively, it may attempt to shut down specific nodes that users frequently use.

A network slowdown can be annoying if users need their transactions to be finalized quickly because they are at risk of, for example, liquidating their positions.

In the past, the Cardano network has been under a lot of pressure several times, either due to the minting of NFTs, or testing its resistance to DDoS attacks. The biggest load I heard about was 44 times higher than the network capacity (the load was about 250K new transactions in an hour). Most users didn't even notice the slowdown.

If it were easy to commit a DDoS attack on Cardano or another blockchain, we would see these attacks on a daily basis. It's not happening. Believe me, it is not at all easy to prepare and carry out such an attack.
