Apparently today we had the second attack against twister.
But this time we are seeing the long anticipated “reversal attack”, which is when a new branch is quickly produced in order to overtake the original block chain sequence. Since this branch may start at some point in the past, all registrations past the forking point are reverted and discarded. It seems the attacker has used our last checkpoint (01/16/14 @ 8:41:39am) as the fork point, as he couldn’t have gone farther into the past (otherwise twister nodes would have rejected his blocks).
While this is a very unfortunate thing (except for him, who might find it very funny), I don’t think it is reason for much concern. I’m sure that we will be able to secure against this kind of attack using some ideas that are currently being discussed in twister-dev:
If you want to join the discussion, this is a good time.
For people who registered past 01/16/14, my apologies. Please try to resend your registration to the network with the following command:
./twisterd sendnewusertransaction "username"
Then let us know if it works or not. I’m listening @twister or @mfreitas.
PS: One reason it is currently easy for digital coin miners to attack twister is the currently small hashrate of our network. So if you want to help make this attack harder for them, start generating blocks yourself!
Comment by buhtig314 in github issue #111: “Then why did the author suggest us to register previous usernames again? After all, he knows the system best. I supposed he can roll back the whole database to a previous state by some way. (Now I know, maybe I misunderstood the author’s suggestion: he suggested us to resend the registration, not to use previous usernames.) If your conjecture is true, after two attacks, attackers may possess almost all usernames registered by all of us by simply replacing the public keys with their own public keys. If so, it is ridiculous. By the way, if it’s due to twister’s weak computing power, why not make “generating blocks” a default option in the twister client?”
At the time I posted about the reversal attack I didn’t know the attacker had re-registered the same usernames to himself. I just saw the blocks being reversed and replaced by new ones, not what the new blocks contained. If the attacker had just discarded the old blocks, then resending the registrations would work.
We can’t just roll back the database because this would invalidate all users that registered AFTER the attack.
Yes, this is due to our low computing power. And no, I’m not fond of the idea of using the user’s CPU without their consent. If someone builds a list of the blocks generated by the attacker we might think of an alternative to recover those usernames. This would not be simple or risk-free though.
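To make the mechanics of the reversal concrete, here is a small simulation added for this post (it is not twister’s code, and the block ids, usernames and keys are made up). It models what the post and the reply describe: a node follows the longest chain that still contains the checkpoint block, a longer rival branch forked at the checkpoint replaces the honest blocks after it, and the registrations those blocks carried are classified by what happened to them on the new chain. The report distinguishes names that simply vanished (resending `sendnewusertransaction` works) from names the rival branch re-registered under another key (resending is refused because the name is now taken), which is exactly the list the reply says would be needed before any recovery could be attempted.

```python
# Toy model of a block-chain username registry with a checkpoint.
# Constructed example for this post; not twister's implementation.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Registration = Tuple[str, str]            # (username, public key)


@dataclass(frozen=True)
class Block:
    block_id: str                         # stands in for the block hash
    parent: Optional[str]                 # parent block id, None for genesis
    regs: Tuple[Registration, ...] = ()   # registrations carried by the block


@dataclass(frozen=True)
class Checkpoint:
    height: int
    block_id: str


def build_registry(chain: List[Block]) -> Dict[str, str]:
    """First registration of a name wins; later ones for the same name are ignored."""
    registry: Dict[str, str] = {}
    for block in chain:
        for name, key in block.regs:
            registry.setdefault(name, key)
    return registry


def is_linked(chain: List[Block]) -> bool:
    """Genesis has no parent; every other block points at its predecessor."""
    if not chain or chain[0].parent is not None:
        return False
    return all(chain[i].parent == chain[i - 1].block_id for i in range(1, len(chain)))


def select_chain(current: List[Block], candidate: List[Block], cp: Checkpoint) -> List[Block]:
    """Longest-valid-chain rule (block count stands in for cumulative work).
    A candidate that is malformed or does not contain the checkpoint block at
    the checkpoint height is refused no matter how long it is."""
    if not is_linked(candidate):
        return current
    if len(candidate) <= cp.height or candidate[cp.height].block_id != cp.block_id:
        return current
    return candidate if len(candidate) > len(current) else current


def fork_height(a: List[Block], b: List[Block]) -> int:
    """Height of the last block the two chains have in common."""
    h = 0
    while h < min(len(a), len(b)) and a[h].block_id == b[h].block_id:
        h += 1
    return h - 1


def reversal_report(old: List[Block], new: List[Block]) -> Dict[str, List[str]]:
    """Classify each name registered on the old chain after the fork point:
    'recoverable' - absent from the new chain, the owner can just resend;
    'taken'       - re-registered on the new chain under a different key;
    'intact'      - present on the new chain with the same key."""
    fork = fork_height(old, new)
    old_reg, new_reg = build_registry(old), build_registry(new)
    report: Dict[str, List[str]] = {"recoverable": [], "taken": [], "intact": []}
    for block in old[fork + 1:]:
        for name, key in block.regs:
            if old_reg[name] != key:
                continue                  # was already a rejected duplicate on the old chain
            if name not in new_reg:
                report["recoverable"].append(name)
            elif new_reg[name] != key:
                report["taken"].append(name)
            else:
                report["intact"].append(name)
    return report


def resend_succeeds(name: str, key: str, registry: Dict[str, str]) -> bool:
    """Resending a registration only helps if nobody else holds the name on the current chain."""
    return registry.get(name, key) == key


# --- constructed scenario (made-up ids, names and keys) ----------------------
G = Block("g", None)
B1 = Block("b1", "g", (("dave", "pk_dave"),))
B2 = Block("b2", "b1")                    # the checkpoint block
B3 = Block("b3", "b2", (("alice", "pk_alice"),))
B4 = Block("b4", "b3", (("bob", "pk_bob"),))
HONEST = [G, B1, B2, B3, B4]
CHECKPOINT = Checkpoint(height=2, block_id="b2")

# Rival branch built on the checkpoint, one block longer, re-registering "alice".
A3 = Block("a3", "b2", (("alice", "pk_other"),))
A4 = Block("a4", "a3", (("carol", "pk_carol"),))
RIVAL = [G, B1, B2, A3, A4, Block("a5", "a4")]

# Much longer branch that forks below the checkpoint: nodes must refuse it.
TOO_DEEP = [G]
for i in range(1, 8):
    TOO_DEEP.append(Block(f"x{i}", TOO_DEEP[-1].block_id))

if __name__ == "__main__":
    best = select_chain(HONEST, TOO_DEEP, CHECKPOINT)   # stays HONEST
    best = select_chain(best, RIVAL, CHECKPOINT)        # reorg to RIVAL
    registry = build_registry(best)
    print("fork height:", fork_height(HONEST, best), "report:", reversal_report(HONEST, best))
    for name, key in (("alice", "pk_alice"), ("bob", "pk_bob")):
        print(name, "resend ok" if resend_succeeds(name, key, registry) else "name already taken")
```

Running it shows the fork at height 2 (the checkpoint), `bob` as recoverable and `alice` as taken; the branch forked below the checkpoint is ignored even though it is the longest. Block count stands in for proof-of-work here, so the simulation says nothing about how much hashing such a branch costs, only what its acceptance does to the registry.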