DDoSCoin: Cryptocurrency with malicious proof of work (usenix.org)
153 points by kwantam on Aug 11, 2016 | 37 comments

Despite this malicious use-case, it's entirely possible that the underlying proof-of-work technique (using the target server's TLS signatures for validation) can inspire some noble applications or smart contracts :)

As a somewhat contrived example, instead of blindly trusting that a certain monitoring system like "Uptime Robot" is checking your servers (or going through an expensive access_log based verification), you could verify their proof-of-connection.

That's a nice idea. I think you'd want the opposite though, mostly, proof that the site is down. That's a bit harder.

I guess you could ask someone to provide a TLS-notarized response from a TLS-compatible uptime checker.

You could include the hash of the last block in the network as part of your handshake, along with a nonce, and pay out tiny amounts of currency to whoever produces a signed handshake containing that hash (as long as the signed handshake is below a certain number? Not sure if that's useful or not in this situation). But if you want proof of uptime, having a TLS-notarized response with a handshake containing a previous block hash is pretty solid proof.

I haven't done a deep dive, but I think this same proof of work could be instrumented in a smart contract to create a DDOS market, without publishing a new blockchain.

Oraclize has already built TLS verification into their Solidity contracts, for instance. So you could outsource most of the work there, I think.

EDIT: Yes, this would definitely work, and be a lot less effort than the paper.

I think you are right. The same techniques could be applied in Ethereum to reward DDoS attackers.

It's beautiful and terrible at the same time. <3

We may have found a deeper horror than assignation markets.

Did you mean assassination markets, or does "assignation" have another meaning I'm not aware of?

I meant the former...

Assignation markets would probably be an overall societal good, especially if combined with decriminalization.

As the authors write in the paper.

Quite related: https://tlsnotary.org/ https://github.com/tlsnotary/tlsnotary TLS notarization is a genius idea, but the UX is what is holding it back. However, I'm sure there's room for innovation in this part, just like DDoSCoin shows.

Intriguing concept, but malicious is orthogonal to illegal, although they are often correlated.

Namely, in several jurisdictions, including the one that the paper is presented in, (D)DOS is illegal -- a different point to debate -- making this particular proof-of-work both malicious and illegal.

A more intriguing one would be one that's merely (debatably) malicious but not per se illegal, like, say, password hash cracking, which is similar enough to existing PoW schemes to make feasible.

In jurisdictions where it's illegal, would possession of this currency constitute evidence that a person committed a crime?

It wouldn't prove that you committed the crime, since you could have gotten the currency through other means. It's also not certain proof that somebody committed a crime, since the currency could have been mined by someone for whom this was legal.

On the other hand, if the DDoS target is located in a country where DDoS is illegal, then in that jurisdiction possession of the currency is certainly evidence that some unknown party participated in the DDoS. That might give police certain privileges around confiscating any coins, depending on jurisdiction.

There is something fascinating about making Proudhon's "property is theft!" real.

> malicious is orthogonal to illegal, although they are often correlated

Interesting choice of words. Orthogonal variables are by definition uncorrelated.

My bad about the incorrect usage. Please disregard the original phrasing, as my point is that all four combinations of [malicious, illegal] are possible, with an attempted-but-botched observation that sometimes malicious things are made illegal.

Can't the website owner quite easily make as many TLS proofs as he wants?

Yes, that's addressed in the paper. If a website owner notices a bounty on their own site, they can very quickly generate the proof needed to collect the bounty without suffering any downtime.

As mentioned, it's addressed. But also there's an easy defence of just updating the certificate key if under such attack. With Let's Encrypt around, getting a new certificate is not a huge deal anymore. And rekeying is possible with some other services as well.

> With Let's Encrypt around, getting a new certificate is not a huge deal anymore.

You'd hit the rate limit pretty quickly, though, if you had to keep doing this repeatedly on the same day!

I looked through the paper and couldn't find it, so I'll ask here: what is the motivation behind this? I don't understand the purpose of this system. I understand that some people are paid to perform DDoS attacks against specific targets. I don't understand how a special crypto currency changes this.

> Miners are incentivized to send and receive large amounts of network traffic to and from the target in order to produce a valid proof-of-work.

No they are not. Just because you create a "crypto currency", which rewards some activity, does not mean people will start performing this activity. Unless they mistakenly believe the tokens they earn somehow have value. A mined crypto currency needs to have value before miners are incentivized to do what it takes to mine coins.

It seems like any paper with the word "Blockchain" in it gets votes to the top regardless of whether or not the system actually provides any additional value. Designing useless systems is not hard.

> In order to allow victims to be (temporarily) selected for DoS, DDoSCoin allows “bounties” for targeting specific servers. To accomplish this, DDoSCoin introduces a new payment opcode, PAY_TO_DDOS, that can be used in transactions subject to certain constraints.

So miners perform DDoS attacks to earn coins, and then send these coins in a transaction which incentivizes others to perform DDoS attacks? This makes no sense. A group of supposed DDoS attackers "incentivizing" each other to perform attacks to earn tokens they themselves have created.

> Just because you create a "crypto currency", which rewards some activity, does not mean people will start performing this activity.

Context matters. When they say "Miners" they describe a model with miners who are people whose objective is to gain this cryptocurrency. Providing a way to do it is the same as providing incentive. If you're a random uninterested Joe Bloggs, you're not a miner in this scenario.

> So miners perform DDoS attacks to earn coins, and then send these coins in a transaction which incentivizes others to perform DDoS attacks? This makes no sense.

It doesn't mean that this is the only way to earn them. The currency could start pre-mined for example so it could be a private network of someone organising a one-time attack. Or the coins could be traded for another currency,

What you are missing is that with this system the miner can prove he performed the attack.

The ability to perform DDoS attacks is already valuable in itself, as you said yourself, but you can't prove who performed the attack or that the attack was performed at all, this system allows miners to create the proof by performing the very act of DDoS.

Yes, but that could also be used in just a marketplace, for example, and still does not merit a crypto currency. The neat thing here is that it's programmable and freely accessible to anyone. As others have mentioned, that allows this to be used in smart contracts, etc.

The DDoS market is already pretty active, so these coins would immediately have value. This is also a significantly safer way to get paid than advertising services for bitcoin or something.

You don't send actual transactions with the PAY_TO_DDOS opcode. Transactions are just how messages are passed around on blockchains. This transaction sets a bounty. Day to day, miners mine by hitting on a preselected whitelist, and can also monitor bounties looking for higher paying targets.

It's a research paper. The point is to explore ideas and communicate them. It doesn't need to somehow magically materialize from a whitepaper into a fully formed network with an initial user base all in one step.

You are forgetting about an important bit: it isn't an isolated system.

The reasoning you have used could be applied to bitcoins; after all, it makes no sense, it is just people sending bits to each other and wasting computational resources.

Instead look at it this way. There are some people in the economy who want to pay for some services (DDOS) with currency, $. It just happens that those activities are illegal, which the new crypto-currency helps to conceal (with respect to those who will punish you) and verify (regarding the contract parties), which is also important because the government won't enforce the contract if you are scammed. Or it brings some value added in other ways such as enhanced privacy, easier transactions... Even if the marginal improvement over existing options is small, it serves as a way to bootstrap the value of the new currency.

After a value is reached the market will exchange $ for the new currency until it reaches a settlement price.

Your focus was on the supply side, thinking that people won't perform DDOS for some bits in exchange. But there will be a market in which the people on the demand side will be willing to buy those bits, which at the same time will give DDOSers a way to convert bits to $. After all, nobody would hoard those bits and take them to the grave.

And I know that I still haven't explained how that value can be bootstrapped. I will propose a theory about the bootstrap value. For the first transaction I only need to assume that people are heterogeneous regarding risk aversion and that people can act according to expectations. The person that initially holds those tokens isn't necessarily the person that will use them first in exchange for a DDOS; those tokens can be sold.

A risk-taker client could, based on the total number of tokens and the aggregated value added of the currency (maybe only partially) over the rest of previous currencies, calculate a ratio of tokens to $ as an expectation of its future exchange rate. The estimation of the current value for the current exchange rate would take other factors into account such as liquidity, risk... that will tend to undervalue the new currency until there is more liquidity, certainty... The degree of undervaluation will be equivalent to a discount rate of other assets of similar risk and liquidity. This client would be willing to pay the amount of dollars equivalent to the value of a standard service (SER) at the current exchange rate.

Then a risk-taker DDOSer estimating a similar current exchange rate will ask for the amounts of tokens convertible to the amounts of dollars of a standard service (SER). In order to match those buyers and sellers it isn't necessary to have an exact price. The length of the bargaining range would be composed by the sum of the value added to the buyer (VA_b) and the value added to the seller (VA_s), and any price on that range will reach settlement.

This creates an interval of settlement prices [SER - VA_s, SER + VA_d] for which the transaction is profitable to both parties. This happens as long as the new currency helps to create value for these parties "VA_d + VA_s > 0"

The only remaining attack is arbitrage. What prevents anyone from forking the currency and creating/attributing bits for/to himself? Once anyone betrays the consensus ledger, the rest of the players will only accept the change and assume the new risk if the reward is greater than the current value of their share in the old branch plus some amount to compensate for the risk. This is clearly unprofitable for the usurper. And if he could make any profit, deceive some of them or steal from a minority, what prevents a second round of usurpers from seizing again some value? This could be played to infinity, then the uncertainty would bring down the value of the currency until it crashes to 0.

With respect to other currencies like bitcoin this arbitrage argument could be solved if the new currency creates enough value to offset the risk and costs of switching.

They'll have value because buyers will need to buy them

Every day we seem to inch our way towards Accelerando...

Thank you, this seems like an interesting lecture!

A primary feature of OTR-style communication protocols is deniable authentication. If Alice and Bob communicate via OTR, Alice can't prove (cryptographically) to anyone else that the messages she received were actually from Bob.

Would an OTR-style protocol be immune to any type of DOS proof-of-work? Are there disadvantages to having deniable authentication for the kinds of communication that TLS is used for today?

Edit: according to the paper, the attack only works on TLS 1.2+, and only works on the setup phase. Apparently, TLS allows you to forge the contents of the communication. Does OTR allow you to forge the setup phase as well?

I had an idea for a cryptocurrency whose PoW would incentivise stealing and erasing files from other computers. I even wrote some code for it, but it seems to have gone missing...

I don't see how it is any different than hedging against any real commodity or stock in a traditional banking sense...

I would love to see Anonymous flock to an implementation of this. Hacktivism with a reward.

Crawlcoin instead? SE's prove due diligence.

I think the issue there is getting a scheme that has the asymmetric validation. And you want the results of a crawl.

You could merkle up the different pages you've crawled, and combine with a part of your public key to get a unique hash. But, the question is why would someone pay for it?

Finally we can have a fair market for DDoS! This is what will liberate the system from the evil overlords of DDoS corporations!!!
