POSTER: As Strong As Its Weakest Link: How to Break Blockchain DApps at RPC Service

conduct a systematic measurement study on nine real-world RPC services which control most DApp clients’ connection to the Ethereum main net.

进行系统测量研究，在九个RPC服务上，RPC服务控制了绝大部分的分布式app的对主网连接

propose a novel measurement technique

提出了一种新型测量技术

based on orphan transactions

基于 orphan transaction // 区块链术语

to discover the previously unknown behaviors inside the BlackBox RPC services

来发现黑匣子RPC服务中以前未知的行为

all the nine services tested (as of Apr. 2020) are vulnerable to DoERS attacks

所有九种服务对DoERS攻击都很脆弱

result in the service latency increased by 2.1X ∼ 50X

可能导致服务延迟2.1到50倍

Some of these attacks require only a single request.

有些这样的攻击仅需要一次请求

propose mitigation techniques against DoERS without dropping service usability,

提出了缓解DoERS攻击而不损伤服务可用性的技术

DApp clients running inside web browsers send requests to a Remote Procedure Call (RPC) service that translates the clients’ requests to cryptocurrency transactions or queries to a blockchain P2P network.
运行在web浏览器中的DApp客户端向远程过程调用(Remote Procedure Call, RPC)服务发送请求，该服务将客户端的请求转换为加密货币交易或查询到区块链P2P网络。

at least 63% of Ethereum based DApps use one RPC service [5].
It is important to note that DoS is known to pose a significant threat to the blockchain ecosystem
DoS攻击是对区块链生态的巨大威胁， RPC服务的去中心化程度没有区块链网络高，如果发生DoS攻击它可能成为一个单点故障，可能导致DApp系统崩溃

DoERS is different from other DoS attacks

First, it aims at disrupting the communication channel between a blockchain and its DApps by blocking third-party RPC services, not taking down the blockchain itself as the other attacks do. Second, our attack exploits a unique weakness – Gas-free contract execution on RPC-enabled Ethereum nodes, while existing DoS attacks seek under- priced instructions for attacking replicated smart-contract ex- ecution [24], [15], [9] or misusing mining mechanisms [23]
DoERS只扰乱区块链和DApp之间的信道，通过阻塞RPC服务达到，而不是关闭区块本身
攻击利用了一个独特的弱点——在启用rpc的以太坊节点上执行无气体合约，而现有的DoS攻击寻求低价指令来攻击复制的智能合约执行或滥用挖掘机制

New Attack, New Understanding, Metigation

·发现了一个新的拒绝服务弱点，这表明广泛存在的免费查询调用使对RPC服务(DApp生态系统中最薄弱的一环)的潜在资源耗尽攻击成为可能。实现了对以太坊的攻击，导致以太坊成本为零，并演示了该威胁对领先的RPC服务的现实影响。
·对领先的RPC服务的负载均衡器进行了测量，使用了一种新颖的基于孤立事务的探针，揭示了它们所采取的隐藏策略，这些策略支持对它们所服务的dapp和客户端进行有针对性的攻击。
·还研究了对新威胁的潜在缓解措施，确定了一些有希望的解决方案，包括选择性地惩罚消耗节点上大量资源的dapp或客户机的方案。

anthonyche / TechFantasy.Github.io

POSTER: As Strong As Its Weakest Link: How to Break Blockchain DApps at RPC Service #6

POSTER: As Strong As Its Weakest Link: How to Break Blockchain DApps at RPC Service

conduct a systematic measurement study on nine real-world RPC services which control most DApp clients’ connection to the Ethereum main net.

propose a novel measurement technique

based on orphan transactions

to discover the previously unknown behaviors inside the BlackBox RPC services

all the nine services tested (as of Apr. 2020) are vulnerable to DoERS attacks

result in the service latency increased by 2.1X ∼ 50X

Some of these attacks require only a single request.

propose mitigation techniques against DoERS without dropping service usability,

DoERS is different from other DoS attacks

New Attack, New Understanding, Metigation