Eclipsing Bitcoin Nodes with BGP Interception Attacks

Posted by cedarctic

Sep 6, 2025, 08:02 UTC

Detecting these attacks through monitoring means tracking specific metrics that indicate unusual activity. One key metric is the number of connection path changes. Normally, the path to a given destination stays stable, traversing the same Autonomous Systems (ASes) and routers. A significant shift in these paths, especially when several connections consolidate through a common AS, can signal an attack. This is observable because the traceroute traffic of intercepted connections passes through, and is handled within, the attacker's AS, so multiple connections being rerouted through one unusual AS stands out.

Another important metric is the connection churn rate of non-reachable nodes. To minimize detection, attackers aim to hijack as few prefixes as possible. They do this by resetting existing inbound connections to their target and replacing them with their own connections. A high churn rate among non-reachable nodes is therefore an indicator of such activity. Other metrics may also be worth considering, but these two provide a strong foundation for detecting potential attacks.
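The two metrics above, computed over constructed sample data, as an added worked example (this is not code from the original post or from any Bitcoin node implementation; all peer names, ASNs, timestamps and thresholds are constructed for illustration). The first part compares two traceroute snapshots, summarised as AS paths, and reports any AS that newly appears on most of the changed paths; the second part measures how many inbound connections from non-reachable (inbound-only) peers are dropped per hour and compares that to a historical baseline:

```python
"""Detection metrics for BGP interception against a node's peers (constructed example)."""
from collections import Counter

# --- Metric 1: AS-level path changes and consolidation through a common AS ---

# Each snapshot maps a peer to the ordered list of ASNs its traceroute traverses.
# Both snapshots are constructed sample data, not real measurements.
BASELINE_PATHS = {
    "peer-a": [64500, 64510, 64520],
    "peer-b": [64500, 64530, 64540],
    "peer-c": [64500, 64550, 64560],
    "peer-d": [64500, 64570, 64580],
}
# Later snapshot: three of four paths now transit AS 64999, which none of them used before.
LATER_PATHS = {
    "peer-a": [64500, 64999, 64520],
    "peer-b": [64500, 64999, 64540],
    "peer-c": [64500, 64550, 64560],
    "peer-d": [64500, 64999, 64580],
}


def changed_paths(baseline, current):
    """Peers present in both snapshots whose AS path differs."""
    return sorted(p for p in current if p in baseline and baseline[p] != current[p])


def consolidating_ases(baseline, current, min_share=0.5):
    """ASNs newly present on at least `min_share` of the changed paths.

    One AS showing up on most rerouted paths, where it appeared on none of
    them before, is the consolidation signal described in the post.
    Returns {asn: share_of_changed_paths}; empty when nothing changed.
    """
    changed = changed_paths(baseline, current)
    if not changed:
        return {}
    counts = Counter()
    for peer in changed:
        for asn in set(current[peer]) - set(baseline[peer]):
            counts[asn] += 1
    return {asn: n / len(changed) for asn, n in counts.items()
            if n / len(changed) >= min_share}


# --- Metric 2: churn of inbound connections from non-reachable peers ---

# Constructed connection log: (time_s, event, peer_id, inbound, reachable).
# `reachable` records whether we could ever dial the peer ourselves; inbound-only
# peers we cannot dial back are the ones an interceptor can reset and replace.
CONN_LOG = [
    (0,    "connect",    "in-1",  True,  False),
    (0,    "connect",    "in-2",  True,  False),
    (0,    "connect",    "out-1", False, True),
    (3600, "disconnect", "in-1",  True,  False),
    (3600, "disconnect", "in-2",  True,  False),
    (3605, "connect",    "in-3",  True,  False),
    (3606, "connect",    "in-4",  True,  False),
    (3610, "disconnect", "in-3",  True,  False),
    (3612, "disconnect", "in-4",  True,  False),
    (3615, "connect",    "in-5",  True,  False),
    (3616, "connect",    "in-6",  True,  False),
]


def nonreachable_churn(log, start_s, end_s):
    """Disconnects of inbound, non-reachable peers per hour within [start_s, end_s)."""
    hours = (end_s - start_s) / 3600
    n = sum(1 for t, ev, _peer, inbound, reachable in log
            if start_s <= t < end_s and ev == "disconnect" and inbound and not reachable)
    return n / hours


def churn_alert(log, start_s, end_s, baseline_per_hour, factor=5.0):
    """True when churn in the window exceeds `factor` times the historical baseline.

    `baseline_per_hour` and `factor` are operator-chosen assumptions, not values from the post.
    """
    return nonreachable_churn(log, start_s, end_s) > factor * baseline_per_hour


if __name__ == "__main__":
    print("changed paths:", changed_paths(BASELINE_PATHS, LATER_PATHS))
    print("consolidating ASes:", consolidating_ases(BASELINE_PATHS, LATER_PATHS))
    print("churn/h, hour 0:", nonreachable_churn(CONN_LOG, 0, 3600))
    print("churn/h, hour 1:", nonreachable_churn(CONN_LOG, 3600, 7200))
    print("alert, hour 1:", churn_alert(CONN_LOG, 3600, 7200, baseline_per_hour=0.5))
```

In the sample data the consolidation check flags AS 64999 on all three changed paths, and churn jumps from zero in the first hour to four non-reachable inbound disconnects in the second, which trips the alert against the assumed baseline of 0.5 per hour. In practice the baseline should come from the node's own history, and the two signals are strongest together: path consolidation alone can be an ordinary routing change, and churn alone can be a flaky network.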

In terms of countermeasures, authentication emerges as a critical tool. Although currently hypothetical, deploying countersign technology would make attacks easy to detect, even from a minimal number of nodes, by relying on authentication. Authentication prevents attackers from impersonating peers or intercepting unauthenticated connections during the handshake. For existing authenticated connections, attackers may still be able to intercept the traffic, but they cannot inspect it, which reduces the effectiveness of the attack.

Moreover, maintaining an alternative internet connection is a valuable safeguard against routing-based attacks. Despite the associated costs, alternatives such as satellite feed receivers provide an independent view of the network and improve security. Multi-homing, that is, having multiple internet connections, stands out as one of the best defenses against these attacks, providing redundancy and limiting the impact of any single path being compromised.
