Eclipse attacks occur when a node is isolated from all honest peers but remains connected to at least one malicious peer.
Without any connections to honest peers, the eclipsed node won’t receive the latest blocks on the most proof-of-work block chain. This gives the attacker an unlimited amount of time to generate blocks containing double spends, so even an attacker with a small minority of hash rate can trick the victim into accepting confirmed double spends.
The attacker will also control what transactions the victim’s node receives. This allows them to tell the node about transactions not generally available on the network in order to prompt the victim’s node into taking an action (e.g. the attacker sends a transaction closing an LN channel only to the eclipsed node).
Finally, the attacker can control what transactions the victim can send. This allows the attacker to prevent the victim from sending time-critical transactions such as LN penalty transactions. It also means that any transactions generated by the victim can be definitively identified as originating from the victim—a loss of privacy.
To prevent eclipse attacks, node operators are encouraged to run their nodes on multiple network interfaces and, when possible, to maintain connections to at least a few other nodes over secure networks (e.g. VPNs). Within the limits possible for nodes with only a single interface, Bitcoin Core developers work to ensure the node connects to a large and diverse set of peers to reduce the chance that every one of a node’s peers is the same sybil attacker.
Primary code and documentation
Optech newsletter and website mentions
- 2019-12-28 2019 year-in-review: erlay and other P2P improvements
- 2019-12-18 Discussion of eclipse attacks on LN nodes