Documentation

Technical-docs - Security-mitigation

Security Mitigation Systems

This document details the security mitigation systems implemented in SuperNova, with a specific focus on protections against common attack vectors in blockchain networks.

Sybil Attack Protection

A Sybil attack occurs when a single attacker creates multiple identities (nodes) to gain a disproportionate influence over the network. SuperNova implements several layers of protection against Sybil attacks:

Identity Verification Challenges

New peers must complete a proof-of-work challenge before being fully accepted into the network. This raises the cost of creating multiple identities:

  • Challenge-Response Protocol: When a new peer connects, it is issued a cryptographic challenge that requires computational work to solve
  • Adjustable Difficulty: The difficulty of challenges can be adjusted based on network conditions
  • Verification Status Tracking: Peers' verification statuses are tracked and affect their reputation scores
  • Timeout Mechanism: Challenges expire after a configurable timeout period to prevent stale connection attempts

Implementation details:

// Generate a challenge for a peer
let challenge = peer_manager.issue_challenge(&peer_id);

// Peer must solve the challenge by finding a nonce that produces a hash with required leading zeros
// When peer responds with a solution
let verification_success = peer_manager.process_challenge_response(&peer_id, &solution);

Peer Reputation System

Peers are continuously evaluated based on their behavior, with scoring affecting their connectivity privileges:

  • Multi-dimensional Scoring: Peers are scored based on stability, behavior, latency, and diversity contribution
  • Behavior Pattern Analysis: The system tracks patterns like valid/invalid blocks announced, transaction relay quality, and protocol adherence
  • Response Time Monitoring: Latency measurements contribute to peer scoring
  • Automatic Banning: Peers with severe protocol violations are automatically banned

Example behavior scores:

Peer Score Components:
- Base score: 0-2 points (age and verification status)
- Stability score: 0-5 points (connection reliability) 
- Behavior score: 0-5 points (protocol adherence)
- Latency score: 0-5 points (response time)
- Diversity score: 0-5 points (network diversity contribution)

Connection Rate Limiting

To prevent rapid creation of multiple identities:

  • IP-based Rate Limiting: Limits the number of connection attempts from individual IP addresses
  • Subnet-based Rate Limiting: Limits connections from entire IP subnets to prevent circumvention via multiple IPs
  • Exponential Backoff: Repeated connection attempts lead to progressively longer ban periods
  • Ban Database: Persistent storage of banned IPs with expiration times

Rate limiting configuration:

- Maximum connections per minute per IP: 5
- Maximum connections per minute per subnet: 15
- Ban duration after limit exceeded: 5 minutes (first offense)
- Ban duration scaling: Exponential (doubles with each violation)

Network Diversity Enforcement

Ensures the network maintains geographic, subnet, and organizational diversity:

  • Subnet Distribution: Limits the number of peers from the same IP subnet
  • ASN Distribution: Limits the number of peers from the same Autonomous System
  • Geographic Distribution: Ensures peers are distributed across different geographic regions
  • Diversity Score Calculation: Uses entropy-based metrics to measure overall network diversity

Diversity limits:

- Maximum peers per subnet: 3
- Maximum peers per ASN: 8
- Maximum peers per geographic region: 15

Eclipse Attack Prevention

An eclipse attack occurs when an attacker isolates a node from the rest of the honest network, surrounding it with attacker-controlled nodes. SuperNova implements the following protections:

Forced Peer Rotation

  • Periodic Connection Rotation: Outbound connections are periodically rotated to prevent long-term isolation
  • Randomized Selection: Peers to disconnect/connect are selected randomly to prevent predictable rotation
  • Protected Connections: Critical peers can be marked as protected to prevent rotation
  • Minimum Diverse Connections: System maintains minimum diversity requirements during rotation

Rotation configuration:

- Forced rotation interval: 1 hour
- Percentage of peers rotated: 20-30% of eligible connections
- Minimum outbound connections: 8

Connection Diversity Monitoring

  • Outbound Connection Enforcement: Ensures outbound connections maintain high diversity
  • Inbound/Outbound Ratio Control: Limits the ratio of inbound to outbound connections
  • Connection Direction Tracking: Monitors and manages the balance of inbound vs outbound connections

Connection constraints:

- Maximum inbound:outbound ratio: 3:1
- Minimum outbound connections: 8
- Outbound connections must span at least 3 different subnets

IP Diversity

  • Active Diversity Measurement: Regularly measures and scores network diversity
  • Subnet-aware Peer Selection: Prioritizes connections to underrepresented subnets
  • Eviction Policies: When diversity thresholds are violated, peers are disconnected to improve diversity

Implementation Architecture

The security mitigation system is implemented using several key components:

SecurityManager
├── PeerDiversityManager - Manages network diversity
├── ConnectionRateLimiter - Handles connection rate limiting
├── EclipsePreventionManager - Prevents eclipse attacks
└── LongRangeAttackProtection - Protects against long-range attacks

The PeerManager integrates with these components and provides:

  • Peer discovery and connection management
  • Peer scoring and evaluation
  • Challenge issuance and verification
  • Behavior tracking and analysis

Testing and Verification

The security mitigation systems are thoroughly tested using:

  • Unit tests for individual components
  • Integration tests for component interactions
  • Simulated attack scenarios
  • Diversity measurement verification
  • Rate limiting verification
  • End-to-end tests of the complete protection system

Configuration

Security parameters can be configured through the node configuration:

[security]
# Sybil attack protection
enable_peer_challenges = true
challenge_difficulty = 16
max_connection_attempts_per_min = 5
max_peers_per_subnet = 3

# Eclipse attack prevention
enable_peer_rotation = true
rotation_interval_seconds = 3600
min_outbound_connections = 8
max_inbound_ratio = 3.0

# Network diversity settings
min_diversity_score = 0.7

Monitoring and Alerts

The system provides monitoring endpoints and alerts for:

  • Network diversity measurements
  • Rate limit violations
  • Peer ban events
  • Challenge verification statistics
  • Peer rotation events
  • Suspicious behavior patterns

Future Enhancements

Planned security enhancements include:

  1. Machine Learning-based Anomaly Detection: Using ML to detect sophisticated attack patterns
  2. Reputation Sharing Between Nodes: Enabling nodes to share reputation data about peers
  3. Enhanced Geolocation Analysis: More granular geographic diversity enforcement
  4. Traffic Pattern Analysis: Detecting unusual message patterns indicative of attacks
  5. Hardware Attestation: Optional hardware-based peer verification for critical infrastructure

Conclusion

SuperNova's multi-layered approach to security provides robust protection against Sybil and Eclipse attacks, while maintaining network performance and connectivity. The combination of identity verification challenges, peer reputation tracking, connection rate limiting, and diversity enforcement creates a secure network environment resistant to common attack vectors.

Back to DocumentationEdit this page on GitHub