Table of Contents
Fetching ...

Eclipse Attacks on Ethereum's Peer-to-Peer Network

Ruisheng Shi, Yuxuan Liang, Zijun Guo, Qin Wang, Lina Lan, Chenfeng Wang, Zhuoyi Zheng

TL;DR

This paper addresses the vulnerability of Ethereum's post-Merge P2P network to eclipse attacks by presenting the first end-to-end eclipse attack on Ethereum's execution-layer nodes. The authors implement a practical multi-stage approach combining Discovery Table Poisoning, DNS List Poisoning, and network-wide slot occupation to fully isolate a target, validating the technique on Sepolia and mainnet with concrete metrics such as a DNS-list poisoning requirement of $28$ IPs over $100$ days and outgoing-connection hijack success rising from $45\%$ to $\mathbf{95\%}$ under favorable conditions. They demonstrate that over $80\%$ of public nodes have insufficient idle capacity for isolation, estimate IP-resource requirements (e.g., Sepolia $304$ IPs, mainnet $720$ IPs), and provide concrete mitigations including blacklist-based and DNS-level defenses. The work highlights significant practical risks in Ethereum's P2P layer, particularly given the high client update cadence and the centralization risk in DNS discovery, and it advocates active defense and responsible disclosure to strengthen network resilience.

Abstract

Eclipse attacks isolate blockchain nodes by monopolizing their peer-to-peer connections. The attacks were extensively studied in Bitcoin (SP'15, SP'20, CCS'21, SP'23) and Monero (NDSS'25), but their practicality against Ethereum nodes remains underexplored, particularly in the post-Merge settings. We present the first end-to-end implementation of an eclipse attack targeting Ethereum (2.0 version) execution-layer nodes. Our attack exploits the bootstrapping and peer management logic of Ethereum to fully isolate a node upon restart. We introduce a multi-stage strategy that majorly includes (i) poisoning the node's discovery table via unsolicited messages, (ii) infiltrating Ethereum's DNS-based peerlist by identifying and manipulating the official DNS crawler, and (iii) hijacking idle incoming connection slots across the network to block benign connections. Our DNS list poisoning is the first in the cryptocurrency context and requires only 28 IP addresses over 100 days. Slots hijacking raises outgoing redirection success from 45\% to 95\%. We validate our approach through controlled experiments on Ethereum's Sepolia testnet and broad measurements on the mainnet. Our findings demonstrate that over 80\% of public nodes do not leave sufficient idle capacity for effective slots occupation, highlighting the feasibility and severity of the threat. We further propose concrete countermeasures and responsibly disclosed all findings to Ethereum's security team.

Eclipse Attacks on Ethereum's Peer-to-Peer Network

TL;DR

This paper addresses the vulnerability of Ethereum's post-Merge P2P network to eclipse attacks by presenting the first end-to-end eclipse attack on Ethereum's execution-layer nodes. The authors implement a practical multi-stage approach combining Discovery Table Poisoning, DNS List Poisoning, and network-wide slot occupation to fully isolate a target, validating the technique on Sepolia and mainnet with concrete metrics such as a DNS-list poisoning requirement of IPs over days and outgoing-connection hijack success rising from to under favorable conditions. They demonstrate that over of public nodes have insufficient idle capacity for isolation, estimate IP-resource requirements (e.g., Sepolia IPs, mainnet IPs), and provide concrete mitigations including blacklist-based and DNS-level defenses. The work highlights significant practical risks in Ethereum's P2P layer, particularly given the high client update cadence and the centralization risk in DNS discovery, and it advocates active defense and responsible disclosure to strengthen network resilience.

Abstract

Eclipse attacks isolate blockchain nodes by monopolizing their peer-to-peer connections. The attacks were extensively studied in Bitcoin (SP'15, SP'20, CCS'21, SP'23) and Monero (NDSS'25), but their practicality against Ethereum nodes remains underexplored, particularly in the post-Merge settings. We present the first end-to-end implementation of an eclipse attack targeting Ethereum (2.0 version) execution-layer nodes. Our attack exploits the bootstrapping and peer management logic of Ethereum to fully isolate a node upon restart. We introduce a multi-stage strategy that majorly includes (i) poisoning the node's discovery table via unsolicited messages, (ii) infiltrating Ethereum's DNS-based peerlist by identifying and manipulating the official DNS crawler, and (iii) hijacking idle incoming connection slots across the network to block benign connections. Our DNS list poisoning is the first in the cryptocurrency context and requires only 28 IP addresses over 100 days. Slots hijacking raises outgoing redirection success from 45\% to 95\%. We validate our approach through controlled experiments on Ethereum's Sepolia testnet and broad measurements on the mainnet. Our findings demonstrate that over 80\% of public nodes do not leave sufficient idle capacity for effective slots occupation, highlighting the feasibility and severity of the threat. We further propose concrete countermeasures and responsibly disclosed all findings to Ethereum's security team.
Paper Structure (33 sections, 4 figures, 7 tables, 1 algorithm)

This paper contains 33 sections, 4 figures, 7 tables, 1 algorithm.

Figures (4)

  • Figure 1: Our Eclipse Attack Workflow ( Steps ①–③ operate in parallel in practice, we illustrate them sequentially for clarity.)
  • Figure 2: Evaluations on Sepolia Testnet
  • Figure 3: Node Statistics in Ethereum P2P Network
  • Figure 4: Available Slots Count in Ethereum P2P Network