What is a Sybil Attack?

In a peer-to-peer network, open-access is a fundamental requirement. Anyone with an internet connection should be able to spin up a node and participate. However, this open-door policy introduces a classic computer science vulnerability: the Sybil Attack.

---

🎭 What is a Sybil Attack?

A Sybil Attack occurs when a single attacker creates a massive number of fake, pseudonymous identities (virtual nodes) to dominate a network.

The name "Sybil" was coined in 1993 by researcher John R. Douceur, inspired by the 1973 book Sybil, which detailed the case study of a woman diagnosed with multiple personality disorder.

In a standard P2P network that relies on voting or simple peer counts: * An attacker spins up 10,000 virtual nodes on a single physical server. * To the network, these look like 10,000 independent participants. * If decisions are made by majority vote, the attacker easily wins, overriding the honest participants.

Honest Node ─── (Attacker Virtual Node 1)
        │       (Attacker Virtual Node 2)  ◄── Attacker controls 
        ├───►   (Attacker Virtual Node 3)      90% of connections
        │       (Attacker Virtual Node 4)
Honest Node ─── (Attacker Virtual Node 5)

---

🚨 The Threat: Eclipse Attacks

In Bitcoin, a Sybil attack is usually a stepping stone to a more dangerous exploit called an Eclipse Attack.

If an attacker controls thousands of fake nodes, they can try to occupy all connection slots of a targeted honest node. Once a node is "eclipsed": 1. Isolation: The victim node is completely cut off from the real Bitcoin network. 2. Information Control: The attacker decides which blocks and transactions the victim sees. 3. Double-Spend Execution: The attacker can feed the victim a fake, private fork of the blockchain containing a double-spent transaction, tricking a merchant into shipping goods for a transaction that never occurred on the real network.

---

🛡️ How Bitcoin Prevents Sybil and Eclipse Attacks

Bitcoin is uniquely engineered to resist Sybil attacks using three layers of defense:

1. Proof of Work (Thermodynamic Cost)

This is Satoshi Nakamoto’s greatest breakthrough. In Bitcoin, network voting power is not based on "one IP, one vote" or "one node, one vote." Instead, block consensus is based strictly on Proof of Work (one CPU, one vote).

An attacker can spin up 1 million fake nodes on virtual machines. However, those nodes have zero mining power. They cannot produce valid blocks because doing so requires real, expensive, physical electricity and specialized ASIC hardware. The honest chain will always have more accumulated mathematical Proof of Work, and all nodes (even those surrounded by attacker peers) will immediately recognize and switch to the honest chain because of the longest-chain rule.

2. IP Subnet Diversity Rules

To prevent an attacker from spinning up thousands of virtual nodes on a single cloud hosting provider (like AWS or DigitalOcean), Bitcoin Core employs strict IP classification filters:

• Subnet Limits: A node will only accept one outbound connection per /24 IPv4 subnet (which represents 256 adjacent IP addresses).
• Diverse Neighbors: If an attacker rents a server block and launches 500 virtual nodes with consecutive IP addresses, an honest node will only connect to one of them. The other outbound slots must go to completely different IP ranges across the globe.

3. Outbound Peer Randomization

Your node does not keep the same peer connections forever. It continuously monitors peer behavior: * Eviction: If a connected node acts slowly, stops responding, or transmits invalid blocks, your node immediately evicts it. * Anchors: Bitcoin Core maintains a list of "anchor" peers in a database that persists even if you reboot your node, preventing an attacker from trying to isolate you during a software restart.