Abstract
Smart contract-enabled blockchains allow building decentralized applications in which mutually distrusting parties can work together. Recently, oracle services emerged to provide these applications with real-world data feeds. Unfortunately, these capabilities have also been used for malicious purposes under what is called criminal smart contracts. A few works explored this dark side and showed a variety of such attacks. However, none of them considered collaborative attacks against targets that reside outside the blockchain ecosystem.
In this paper, we bridge this gap and introduce a smart contract-based framework that allows a sponsor to orchestrate a collaborative attack among (pseudo)anonymous attackers and reward them for it. While all previous works required a technique to quantify an attacker's individual contribution, which can be infeasible for real-world targets, our framework avoids that. This is done by developing a novel scheme for trustless collaboration through betting. That is, attackers bet on an event (i.e., the attack takes place) and then work on making that event happen (i.e., perform the attack). Taking DDoS as a use case, we formulate the attackers' interaction as a game and formally prove that these attackers will collaborate in proportion to the amount of their bets in the game's unique equilibrium. We also model our framework and its reward function as an incentive mechanism and prove that it is strategy-proof and budget-balanced. Finally, we conduct numerical simulations to demonstrate the equilibrium behavior of our framework.
Z. Motaqy—Most work done while at University of Tehran.
Notes
1. We note that [22] dealt with smart contract-based DDoS, but that work is very high level and lacks many important details, making it hard to assess its feasibility.
2. It is the responsibility of the attack sponsor to pick metrics for which there is a secure oracle service that can measure and report them.
3. While it is true that attackers are not always risk-neutral, we assume that is the case here for simplicity. For an analysis of non-risk-neutral attackers, see [21].
4. While it is common that the target defends itself by identifying and filtering the attack traffic, for simplicity we assume that attackers generate effective attack traffic (traffic that passes the defense walls and reaches the target server).
5. We assume homogeneous agents in terms of the cost of contributing to the attack (all have the same \(\alpha \) in Eq. 3). Also, we show later that an attacker's bet value represents his actual contribution to the attack, and hence his cost.
6. Note that in reality we cannot compute \(e_i\). Hence, \(e_{tot}\) is computed by using a suitable function to convert the delay reported by the oracle into the corresponding relative total-traffic value. For example, if the measured delay meets the desired value, i.e., a fully successful attack, then \(e_{tot} = 1\). If it is 50% of the desired attack result, then \(e_{tot} = 0.5\), and so on.
7. Note that the utility function is increasing at \(e_i=0\) and decreasing at \(e_i=1\), so the maximum cannot occur at the end points.
8. This mechanism suits our model since the space of possible actions is equal to the space of possible types, so an attacker's type (which is defined when he bets) is the same as his action (the amount of attack contribution).
9. Note that the theoretical (game and mechanism) analysis conducted for R holds for \(R'\), too.
References
Aeternity oracles. https://aeternity.com/documentation-hub/protocol/oracles/oracles/
Botnet economy runs wild. https://www.networkworld.com. Accessed 18 Sept 2020
Chainlink. https://chain.link/
Cyber criminal collaboration intensifies. https://www.computerweekly.com. Accessed 18 Sept 2020
Cybercriminals are increasing efficiency with coordinated attacks. https://www.enisa.europa.eu. Accessed 18 Sept 2020
Evidence found of malware families collaborating. http://www.darkreading.com. Accessed 18 Sept 2020
Filecoin. https://filecoin.io/
Noia. https://noia.network/
Provable. https://provable.xyz/
Abad, C.: The economy of phishing: a survey of the operations of the phishing market. First Monday 10(9), 1–11 (2005)
Brunoni, L., Beaudet-Labrecque, O.: Smart contracts and cybercrime: a game changer. Math. Struct. Model. 4, 136–142 (2017)
Chen, L., et al.: The game among bribers in a smart contract system. In: Zohar, A. (ed.) FC 2018. LNCS, vol. 10958, pp. 294–307. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_20
Da, B., Ko, C.C.: Resource allocation in downlink MIMO-OFDMA with proportional fairness. J. Commun. 4(1), 8–13 (2009)
Delgado-Mohatar, O., Sierra-Cámara, J.M., Anguiano, E.: Blockchain-based semi-autonomous ransomware. Future Gener. Comput. Syst. 112, 589–603 (2020)
Judmayer, A., et al.: Pay to win: cheap, crowdfundable, cross-chain algorithmic incentive manipulation attacks on PoW cryptocurrencies. In: Workshop on Trusted Smart Contracts (2021)
Judmayer, A., et al.: SoK: algorithmic incentive manipulation attacks on permissionless PoW cryptocurrencies. In: Workshop on Trusted Smart Contracts (2021)
Juels, A., Kosba, A., Shi, E.: The ring of Gyges: investigating the future of criminal smart contracts. In: ACM CCS, pp. 283–295 (2016)
McCorry, P., Hicks, A., Meiklejohn, S., et al.: Smart contracts for bribing miners. In: Zohar, A. (ed.) FC 2018. LNCS, vol. 10958, pp. 3–18. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_1
Nazario, J.: Politically motivated denial of service attacks. In: The Virtual Battlefield: Perspectives on Cyber Warfare, pp. 163–181 (2009)
O'Hara, K.: Smart contracts - dumb idea. Internet Comput. 21(2), 97–101 (2017)
Qian, Y., Haskell, W.B., Tambe, M.: Robust strategy against unknown risk-averse attackers in security games. In: AAMAS (2015)
Rodrigues, B., Trendafilov, S., Scheid, E., Stiller, B.: SC-FLARE: Cooperative DDoS signaling based on smart contracts. In: IEEE ICBC, pp. 1–3 (2020)
Zargar, S.T., Joshi, J.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)
Trichakis, N.K.: Fairness in operations: from theory to practice. Ph.D. thesis, Massachusetts Institute of Technology (2011)
Velner, Y., Teutsch, J., Luu, L., et al.: Smart contracts make bitcoin mining pools vulnerable. In: Brenner, M. (ed.) FC 2017. LNCS, vol. 10323, pp. 298–316. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_19
Vogt, R., Aycock, J.: Attack of the 50 foot botnet. Technical report, Department of Computer Science, University of Calgary (2006)
Vogt, R., Aycock, J., Jacobson Jr., M.J.: Army of botnets. In: NDSS (2007)
Wood, G.: Ethereum: a secure decentralised generalised transaction ledger (2014)
Xu, S.: Collaborative attack vs. collaborative defense. In: Bertino, E., Joshi, J.B.D. (eds.) CollaborateCom 2008. LNICST, vol. 10, pp. 217–228. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03354-4_17
© 2021 Springer Nature Switzerland AG
Cite this paper
Motaqy, Z., Almashaqbeh, G., Bahrak, B., Yazdani, N. (2021). Bet and Attack: Incentive Compatible Collaborative Attacks Using Smart Contracts. In: Bošanský, B., Gonzalez, C., Rass, S., Sinha, A. (eds) Decision and Game Theory for Security. GameSec 2021. Lecture Notes in Computer Science(), vol 13061. Springer, Cham. https://doi.org/10.1007/978-3-030-90370-1_16
DOI: https://doi.org/10.1007/978-3-030-90370-1_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90369-5
Online ISBN: 978-3-030-90370-1
eBook Packages: Computer Science; Computer Science (R0)