# #38275 \[BC-Low] Evil-client P2P headers-traversal leads to D/DoS and total peer removal **Submitted on Dec 29th 2024 at 22:38:42 UTC by \[redacted] for** [**Attackathon | Ethereum Protocol**](https://immunefi.com/audit-competition/ethereum-protocol-attackathon) * **Report ID:** #38275 * **Report Type:** Blockchain/DLT * **Report severity:** Low * **Target:** * **Impacts:** * Shutdown of greater than or equal to 10% or equal to but less than 33% of network processing nodes without brute force actions, but does not shut down the network * Unintended chain split affecting less than 25% of the network (Network partition) * Shutdown of less than 10% of network processing nodes without brute force actions, but does not shut down the network ## Description ## Intro A remote P2P vulnerability has been identified in the Besu 24.12.2 (latest) with impact that is identical to that of a sustained D/DoS attack. ## Vulnerability Details Using a multithreaded golang based evil-client that spoofs itself as a valid client and peers into a Besu node and starts spamming it with block header range protocol message requests, the remote machine running Besu's CPU runs to 97% - 100% - and all of its peers are remotely disconnected; (attached PoC screenshot) for as long as the attack is sustained. Fortunately the node does recover - but a botnet doesn't care about that. As a former prolific spammer, it's a pinky-lift for a lot of people, chiefly in Russia, to weaponize xxx,xxx zombies to launch an attack like this; and so the real-world viability is markedly there. ## Steps to reproduce (Ubuntu) ``` nano headers_traversal.go change the existing enode//hash@ip:port to your own test machine screen -S attack ulimit -n 100000 snap install go --classic go init 1 go mod tidy go build headers-traversal.go ./headers-traversal -- Experiment with thread counts, e.g. 15, 50, 100, 1000, 2500, etc. Tap enter and wait.., ``` patiently - and watch it remotely disconnect the victim node from the (Sepolia) network by removing all of its peers. This is naturally a consequence of resource exhaustion and the node being rendered unable to process peer comms. ## Impact Details Island networks. 16% of the Ethereum network being simultaneously disabled by a botnet would have significant consequences. We'd see netsplits, slower finality, transactions flying into the void and high reputational/operational damage. ## Proof of Concept For Proof of Concepts we are linking to the relevant exploit code and providing 2 screenshots - of during and after the sustained attack. Attack script (`headers_traversal.go`):\ Dropbox Password: `alienbrain` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/ethereum-protocol-or-attackathon/38275-bc-low-evil-client-p2p-headers-traversal-leads-to-d-dos-and-total-peer-removal.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.