Eclipse Attacks: Ethereum Finally Fixes The Simplest of Flaws

eclipse attacks
New Eclipse attacks are simple enough even for a kid to launch, according to researchers.

The serious Eclipse flaw represented a hole which made it possible for anyone with enough skills to trick online users into frauds such as double spending.

Hackers could also use the same flaw to exploit smart contracts.

As far as market capitalization goes Ethereum currently holds the most of it after Bitcoin.

That is why Developers behind Ethereum have managed to close down a serious online security hole.

As mentioned at the top, this security hole allowed hackers and possibly anyone smart enough to have an internet connection and a computer machine to manipulate people on the internet.

The security flaw allowed them to exploit individual users and their access to Ethereum, the publicly accessible online ledger.

Researchers are calling the flaw as Eclipse.

The so-called Eclipse hacks work in a very interesting way.

Basically, they work by blocking a given cryptocurrency user from forming a connection to other honest peers.

Hackers then control some of the peers in the system.

These hacker-controlled peers then move ahead to feed their target use a manipulated edition and/or version of a given blockchain.

Blockchain is the technology that the entire cryptocurrency community relies on in order to enforce various contractual obligations as well as reconcile online transactions.

Hackers can also make use of Eclipse attacks in order to trick individual targets into paying up a given service and/or good twice.

Or more than once, to be precise.

Moreover, hackers can also co-opt the target user’s computing power.

Then they can easily manipulate the algorithms that work over time in order to establish that very crucial user consensus.

Ethereum is a cryptocurrency that supports smart contracts.

And because of that, it has to automatically execute certain transactions that manage to satisfy certain conditions.

These conditions must be present in the blockchain at the time of the transaction.

Hackers can exploit the Eclipse attack in order to interfere with all kinds of self-enforcing agreements.

Ethereum isn’t a totally unique cryptocurrency though.

Eclipse attacks have put Ethereum users at risk.

In fact, it has a lot in common with many other cryptocurrencies.

Just like hundreds of other cryptocurrencies, Ethereum also makes use of the peer-to-peer online mechanism.

This mechanism can then compile input from various individual users directly into a specific but authoritative blockchain.

Back in the year 2016, and in 2015 as well, separate and different research teams devised specific eclipse attacks to launch against Bitcoin.

Those eclipse attacks found a lot of success in exploiting the P2P weaknesses in cryptocurrencies.

Perhaps this is also a good time to mention that those attacks were harder to carry out.

The attack that took place in 2015, required hackers to make use of a botnet.

Sometimes hackers could also get things done with the help of a small internet service provider.

They then used these to control thousands and sometimes hundreds of thousands of devices.

The attacks that took place in 2016, relied on something else.

Mainly, the relied on controlling large chunks of online internet addresses.

Those attacks made that possible through a relatively new technique which researchers called the border gateway protocol hijacking.

Now, even though both of these attacks had a high success rate, they both required a lot of resources.

And demands.

Those demands and resources more or less ensured that only hackers who had the sophisticated knowledge and large resources could carry them out with success.

Script Kiddies And Their Attention Spans

Researchers had already done their work and had come to a conclusion.

The conclusion led them to believe that Ethereum offered more security than Bitcoin against online attacks.


Because, according to the researchers, hackers required considerably more resources to carry out the eclipse attack against a cryptocurrency such as Ethereum when compared to other cryptocurrencies such as Bitcoin.

And perhaps they had a good reason for believing so.

Ethereum, after all, has a P2P network that utilizes a robust mechanism in order to cryptographically authenticate networks messages.

As far as default settings go, peers have to establish 13 outgoing connections.

While for Bitcoin, peers only establish eight outgoing connections.

Things have changed now.

eclipse_attacks_ethereum (2)
Eclipse attacks now can effect just one individual target machine.

Or at least researchers are starting to change their positions.

Some researchers, who thought Ethereum had more protection against Eclipse, and actually helped to devise the 2015 and 2016 Bitcoin attacks, are saying something else.

And are eager to, once and for all, set the record straight.

These researchers recently published a paper in which they wrote, in detail, about what they think about cryptocurrencies such as Ethereum and Bitcoin.

The Paper

Researchers wrote that they demonstrated the false nature of conventional wisdom with regards to Eclipse.

The paper also said that presently researchers had come across new eclipse attacks.

These new attacks showed that prior to the disclosure of the Eclipse work back in January of 2018, the peer-to-peer network belonging to Ethereum had significantly less security against such attacks.

In fact, researchers also wrote that Ethereum’s security measures against attacks such as Eclipse lagged behind even that of Bitcoin.

Researchers then mentioned that their eclipse attackers only needed to control two machines.

These machines came with a single IP address each.

Moreover, these new eclipse attacks were basically off-path attacks.

What does that mean?

It means that the attacker only controls the end hosts.

Moreover, the attacker has no need of occupying any privileged position between the attacker’s victim and Ethereum’s remaining network.

That is in stark contrast with Bitcoin.

Researchers wrote that the best-known eclipse attacks that made use of off-path techniques on cryptocurrencies such as Bitcoin actually required the hacker to control not only more than one but hundreds of host machines.

Each of these host machines had to have distinct IP addresses.

Needless to say, that is beyond what most internet users can deal with.

Researchers believe that it is actually far from trivial for an average internet user to control hundreds and in some cases thousands of IP addresses.

The paper also explained the reason why the Bitcoin eclipse hackers in the 2015 research attempt had envisioned the use of a full-fledged Internet Service Provider or a botnet.

Compare that with the Border Gateway Protocol Hijacker attack and one can easily see the difference.

The Border Gateway Protocol Hijacker Bitcoin eclipse hacker envisioned an attack that needed to have access to a Border Gateway Protocol speaking core router (more specifically an internet router).

That was that researchers said in the 2016 paper.

But in stark contrast to both these attacks, researchers now had come up with an attack that any kid could run with any machine and a simple script.

Raise The Bar

Thankfully, researchers that did work on the study reported their valued findings to developers at Ethereum.

That happened in January of this year.

Ethereum developers responded quickly and made some meaningful changes to Geth.

What is Geth?

It is just a simple application that supports the official Ethereum protocol.

And it is one of the most popular ones at that.

That is why researchers are now advising users to take action.

What action can the users take?

Well, first Ethereum users have to know that they are relying on geth.

If they are then they have to make sure that they have installed geth version 1.8 or later.

Readers should also know that researchers did not carry out any attempts of the same eclipse attacks on other lesser known Ethereum clients.

Felix, Lange, an Ethereum developer, recently wrote a rather long email explaining the situation.

In the email, Lange said that the company had done their best to mitigate these eclipse attacks.

And they had done so by remaining within the limits of the Ethereum Geth protocol.

He also mentioned that the paper the media cited only corned those eclipse attacks that required low resources.

According to Lange, they did know that hackers would have to meet the raised bar which was high enough that any new eclipse attacks would not be feasible without plenty of substantial resources.

Lange also said that Ethereum developers had come out with new patches.

And they had implemented these patches in geth version 1.8.0 and higher.

Furthermore, Lange also added that he did not believe that Parity, another very popular Ethereum app, had a vulnerability to these eclipse attacks.

Researchers had titled their paper as Low-Resource Eclipse Attacks on Ethereum P2P (Peer to Peer) network.

As mentioned before, the paper described two different eclipse attacks.

Researchers revealed that even the simplest eclipse attack relied on just two IP addresses.

Each of these IP addresses had the ability to generate a huge number of cryptographic keys.

These are the same cryptographic keys that the previously-mentioned Ethereum protocol makes use of.

The protocol does that in order to designate different P2P (peer-to-peer) nodes.

After generating the required IP address, attackers simply have to wait for any of the target machines to reboot.

That can happen in many ways.

The user can reboot the machine in the normal course of things or the hackers can force things if things are not moving forward.

How can they push the reboot point?

Well, hackers can just send the target computer various malicious packets.

These packets have the capacity to eventually crash the system.

And when the system crashes, the victim doesn’t really have any choice but to reboot the computer machine.

That’s what hackers want when they intend to launch eclipse attacks with a minimum number of IP addresses.

But let’s get more specific.

What happens after the target computer reboots?

Well, after the reboot, the target computer has to rejoin the Ethereum network.

That is the time when hackers make use of a pool of nodes.

They then use the pool to establish several incoming connections.

All of this happens before the target computer machine has a chance to establish any of those outgoing connections.

Of course, not all hackers work the same way.

Some use a different technique.

This second technique manages to work by creating a huge number of nodes.

These nodes aren’t your average normal nodes.

These nodes are attacker-controlled nodes.

Hackers then send a special packet to the target computer.

These packets essentially poison the target machine’s computer database with the help of nothing but fraudulent nodes.

Once the target machine has rebooted, all of the target machine’s peers that it had connected to before would belong to the hacker.

The common thing in both techniques is that once the target machine reboots it basically isolates itself from all legitimate nodes.

Once that happens, the hacker can just move in and present the target machine a false edition or version of the Ethereum blockchain.

Will Someone Do Something About it?

Ethereum developers have already come up with a fix for eclipse attacks.

As it turns out, researchers have also presented a third method which makes it easier for hackers to carry out eclipse attacks.

Without going into too many details, this third method also starts by targeting the victim’s computer directly.

First, thie technique moves the victim’s computer clock time ahead by 20 (and sometimes more) seconds in relation to other nodes that are present in the Ethereum network.

But Ethereum does have a security measure to block such attacks.

In order to block these so-called replay online attacks, Ethereum does something interesting.

Normally during replay attacks, hackers try to resend an older but authenticated message.

Hackers do this in an attempt to get the authenticated messages executed more than just one time.

Ethereum protects users against such attacks by implementing a protocol which rejects messages that have crossed the 20-second mark in terms of time.

Messages which are older than the standard 20 seconds go to the bin.

Now when a hacker targets the victim’s machine and sets the block ahead by 20 seconds, the victim’s machine actually loses touch with all other legitimate Ethereum users.

This is what hackers want to happen.

Then all that hackers have to do is utilize malicious nodes that have the same block time.

When that happens, these nodes that can connect to the victim’s machine.

A few of the same blockchain researchers that worked behind the Ethereum eclipse technique wrote another paper.

This paper came out in 2015.

In this paper, researchers described a number of other timing attacks that hackers use to exploit Ethereum users.

What Have Ethereum Developers Done To Protect Against Such Eclipse Attacks?

As of now, Ethereum developers have actually managed to put a countermeasure in place.

This countermeasure works to thwart the first type of attack that we mentioned before.

Basically, this countermeasure ensures that each Ethereum network node will almost always make the outgoing connection to various other peers on the same network.

Developers also did a little bit about the second method of attack.

The fix that they came up with involved developers limiting the actual number of outgoing connections.

How did they do that?

Well, these basically limited the target machine’s ability to make outgoing connections to the same /24 chunks of Internet Protocol address (IP address) to just 10.

Ethereum developers designed these changes to hurt hackers.


By making it hard for them to carry out eclipse attacks.

More specifically, they raised the difficulty level for hackers to comprehensively isolate individual users from other Ethereum users.

That is, legitimate Ethereum users.

Now, if the system detects that even a single node on the network presents an Ethereum user with some other version of the Ethereum network blockchain, it will warn the user.

The system will warn the user of an error.

That error, according to researchers will effectively defeat eclipse attacks.

The only problem now is the time-based attack.

In other words, Ethereum developers haven’t managed to come up with a solution for that.

They may have come up with a fix, but as of now, they haven’t implemented that fix.

That is also quite understandable.

Hackers generally have to manipulate the present traffic over the target machine’s internet connection.

If they don’t find that method feasible they take the other route.

That other route is to exploit the target computer via non-Ethereum security vulnerabilities.

And that is what makes these time-based attacks less of a threat to users when we compare it to the other two techniques.

Nevertheless, researchers from University of Pittsburgh and Boston University have warned users.

They have advised that users should protect themselves against all types of eclipse attacks.

Recently they wrote that Ethereum’s important to the global blockchain network and ecosystem had increased in the recent past.

And that why, according to researchers, Ethereum developers should consider it imperative to develop countermeasures.

Countermeasures that can prevent hackers from launching eclipse attacks.

Moreover, Ethereum developers should make sure that these countermeasures go to the implementation stage ASAP.

As a final recommendation, these researchers wrote that all Ethereum node operators must upgrade to geth version 1.8.


Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.

2 thoughts on “Eclipse Attacks: Ethereum Finally Fixes The Simplest of Flaws”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.