DDoS Attack

Individual validator, full, or archival nodes are targeted to degrade the peer-to-peer (P2P) network layer. Attackers flood nodes with:

• Invalid transactions or blocks to consume processing power.
• Connection spam to exhaust network sockets and bandwidth.
• Memory-intensive requests (e.g., for large historical data) to trigger crashes.

This can lead to network partitioning, reduced block propagation speed, and, in Proof-of-Stake systems, cause validators to go offline and be slashed.

The memory pool (MemPool) is where pending transactions wait to be included in a block. Attackers flood it with:

• High-fee, low-complexity transactions to create bidding wars and fee inflation, pricing out legitimate users.
• Dust transactions (tiny transfers) to bloat the MemPool size, increasing node memory usage.
• Contract deployment spam to exploit gas estimation mechanisms.

This directly increases transaction costs and confirmation times for all network participants.

Specific, computationally expensive functions within a popular smart contract can be targeted. Attackers repeatedly call these functions to:

• Exhaust the block gas limit, preventing other transactions from being processed.
• Drain resources from oracles or keepers that rely on contract calls.
• Trigger expensive on-chain computations that maximize gas consumption per block.

Example: Targeting a decentralized exchange's complex swap function or a lending protocol's liquidate function.

In Proof-of-Stake and hybrid networks, the mechanisms for achieving consensus and finality are prime targets. Attacks focus on:

• Attestation/投票 spam in networks like Ethereum to delay or prevent finality.
• Targeting relayers in bridge architectures that transmit consensus messages.
• Overwhelming timeout mechanisms or view-change protocols in BFT-style consensus.

Successful attacks here can halt block production or cause the chain to split, representing a critical network failure.

Cross-chain bridges and layer-2 gateways, which often have centralized relayer networks or limited validator sets, are high-value targets. DDoS attacks aim to:

• Disrupt the watchdog services or relayers that monitor and transmit messages between chains.
• Prevent users from depositing or withdrawing funds, locking value.
• Create arbitrage opportunities by disabling one side of the bridge's operation.

These attacks exploit the centralized chokepoints common in interoperability solutions.

Attackers use a botnet—a network of compromised devices—to send a massive volume of requests to a target. Common vectors include:

• SYN Floods: Exploiting the TCP handshake to exhaust connection tables.
• HTTP/HTTPS Floods: Overwhelming web servers with seemingly legitimate requests.
• Amplification Attacks: Using protocols like DNS or NTP to reflect and magnify traffic volume towards the victim.

DDoS attacks in Web3 exploit unique architectural points:

• Public RPC Endpoints: Free services like Infura or public node providers are common targets, which can disrupt dApp access.
• Consensus Participation: Targeting validator nodes to prevent block production, potentially stalling the chain.
• Smart Contract Functions: Spamming a specific, gas-intensive function to make it economically unfeasible for legitimate users to transact.

Defense involves multiple layers:

• Rate Limiting: Restricting request frequency per IP address or wallet.
• Web Application Firewalls (WAF): Filtering malicious traffic before it reaches the server.
• Node Redundancy & Load Balancing: Distributing traffic across multiple nodes to absorb attacks.
• Gas Fees: As a native deterrent, transaction fees can make spam attacks prohibitively expensive, though layer-2 solutions reduce this cost.

Blockchains use economic costs to deter spam. Key concepts include:

• Gas: Every computation and storage operation has a cost, forcing attackers to spend real capital.
• Staking Mechanisms: Proof-of-Stake networks can slash a validator's stake for malicious behavior, including participation in an attack.
• Sybil Attacks: A related threat where an attacker creates many fake identities; mitigated by requiring stake or proof-of-work for network participation.

Proactive detection is critical for minimizing downtime.

• Anomaly Detection: Monitor traffic spikes, failed request rates, and peer connections.
• Tracing Tools: Use tools to trace transaction origins and identify malicious smart contract call patterns.
• Incident Response Plan: Have a plan to switch to backup providers, increase rate limits, or temporarily disable non-critical services under attack.

In August 2020, Ethereum Classic suffered a series of 51% attacks that were accompanied by a sophisticated DDoS campaign. The attackers targeted the network's hashrate and then launched DDoS attacks against mining pools and node operators to prevent them from reorganizing the chain, successfully executing multiple double-spends.

• Impact: Over $5.6 million in cryptocurrency was double-spent across three separate attacks.
• Method: Combined computational attack on consensus with infrastructure-level DDoS to suppress the honest network's response.

The Solana mainnet-beta was offline for approximately 17 hours due to a resource exhaustion attack. While not a traditional volumetric DDoS, it shared the same goal: denying service. A flood of transactions from automated arbitrage bots during an IDO overwhelmed the network's mempool, consuming all available RAM on validator nodes and causing a consensus failure.

• Volume: The transaction load peaked at 400,000 transactions per second, far exceeding the network's capacity at the time.
• Result: Validators were forced to coordinate a network restart and install a patch to prioritize critical consensus messages.

In the mid-2010s, the Bitcoin network faced several peer-to-peer (P2P) layer floods. Attackers would spin up thousands of malicious nodes to connect to honest nodes, consuming their connection slots and flooding them with invalid data or requests for non-existent transactions/blocks.

• Goal: To isolate honest nodes from each other, potentially enabling eclipse attacks or simply degrading network performance.
• Mitigation: Core developers responded by implementing connection limits, improving peer discovery logic, and introducing feeler connections to probe for reachability without consuming full slots.

In November 2020, the XRP Ledger experienced a low-cost spam attack targeting its transaction cost mechanism. An attacker submitted a massive number of microtransactions with the minimum fee (0.00001 XRP), aiming to fill the ledger and delay legitimate transactions.

• Mechanism: The ledger's fee escalation algorithm automatically raised transaction costs in response to the load, temporarily pricing out normal users.
• Outcome: While the network remained online, user experience suffered. The incident led to discussions about adjusting the fee model and improving transaction queuing logic to be more spam-resistant.

In December 2023, the Arbitrum One rollup experienced a partial outage for about 90 minutes. The sequencer was halted due to an inbox surge—a massive, sudden influx of transactions that overwhelmed its capacity to ingest and order transactions from Layer 1.

• Nature: This was a resource exhaustion DDoS targeting a critical, centralized component (the sequencer) of a decentralized rollup.
• Response: The sequencer was paused, the surge was cleared, and operations resumed. It highlighted the security trade-offs of having a single sequencer for speed and the need for decentralized sequencing solutions.

A common attack vector is not the blockchain itself, but its critical infrastructure. Exchanges, wallet providers, and node RPC endpoints often rely on Domain Name System (DNS) providers.

• Example: In 2022, a major DDoS attack on a global DNS provider caused outages for Coinbase Wallet, MetaMask's Infura RPC, and other services, blocking user access despite the underlying blockchains operating normally.
• Vulnerability: This exposes the centralized chokepoints in the decentralized ecosystem. Mitigations include using decentralized alternatives like ENS (Ethereum Name Service) for resolution or maintaining fallback RPC endpoints.

An amplification attack is a specific DDoS technique where an attacker sends small, forged requests to public servers (like DNS, NTP, or memcached servers) that generate much larger responses sent to the victim's IP address. This dramatically amplifies the volume of attack traffic.

• Key Mechanism: The attacker spoofs the source IP address in the request packet to be the victim's address. The server's large reply is then sent to the victim.

A SYN flood is a common DDoS attack that targets the TCP handshake process. The attacker sends a rapid succession of SYN (synchronize) packets to initiate connections but never completes the handshake by sending the final ACK (acknowledge), leaving the target server with a backlog of half-open connections that consumes resources.

• Impact: Exhausts available ports and memory on the target, preventing legitimate connection attempts.

Rate limiting is a fundamental defensive technique that restricts the number of requests a user, IP address, or API key can make to a server within a given time window. It is a first line of defense against DDoS attacks by capping the traffic any single source can generate.

• Implementation: Often deployed at the network edge (e.g., firewalls, web application firewalls, or CDNs) to filter out excessive request bursts.

Anycast is a network addressing and routing method where the same IP address is assigned to multiple servers in different geographic locations. Incoming traffic is automatically routed to the nearest or least congested server. This is a core DDoS mitigation strategy for large providers.

• DDoS Defense: It distributes attack traffic across a global network of scrubbing centers, absorbing and filtering malicious packets before they reach the origin server.

An Application Layer Attack (Layer 7 DDoS) targets the top layer of the OSI model, where web pages are generated and HTTP requests are processed. Unlike volumetric attacks, these are low-and-slow, aiming to exhaust application resources (e.g., CPU, memory) by making seemingly legitimate but costly requests.

• Examples: HTTP flood attacks, Slowloris (which holds connections open as long as possible), and attacks targeting specific API endpoints or login pages.