Ethereum logo

Ethereum

Security

We approach security from the point of view of the DHT's Keyspace Density.

The following plots examine the peer distribution within the keyspace, aiding in the identification of potential Sybil and eclipse attacks.

Keyspace Density

Every object indexed by discv5 requires a binary identifier. In the discv5 implementation, peers are identified by their NodeID (extracted from their ENR) which is the `keccak256` hash of its uncompressed `secp256k1` public key. This identifier determines the location of an object within the XOR keyspace.

Keyspace Regions Population

Keyspace Regions Population

  • Description: The plot illustrates the number of peers whose Kademlia identifier matches each prefix for all prefixes of a given size, for a given network crawl. Since the density of keyspace regions follows a Poisson distribution, it is expected to observe some regions that are significantly more populated than others.

  • How to read the plot: The selected depth indicates the prefix size. There are 2^i distinct prefixes at depth i. The dropdown menu allows to navigate to previous versions of this plot.

  • What to look out for: The green dashed line represents the expected density per region, corresponding to the number of peers matching a prefix. A bar significantly exceeding the expected density suggests that a region of the keyspace might be under an eclipse attack, especially if the value is above the risk threshold (red dashed line).

The plot shows how many peers are included in a particular region of the keyspace. Too many peers within one region indicate a potential issue.

Keyspace Density Distribution

Keyspace Density Distribution

  • Description: As previously mentioned, the keyspace population follows a Poisson distribution, which can make identifying outliers challenging. The plot below counts the number of regions for each population size and facilitates the identification and analysis of outliers. While it is normal for some regions to have populations above the average, the plot enables us to quantify these deviations.

  • How to read the plot: The green line represents the expected number of regions for each population size. Note that the Poisson distribution is more evident at greater depths (longer prefix size), while analyzing data at lower depths provides limited insights. It is recommended to read the plot for depths between 9 and 13. The date dropdown menu allows to navigate to previous versions of this plot.

  • What to look out for: If an isolated bar appears on the far right beyond the risk threshold (red dashed) line, it may indicate a potential eclipse attack, warranting further investigation.

The plot shows the distribution of the PeerIDs across the Poisson curve. Too many PeerIDs outside the curve indicate a potential issue.

Stale Node Records

These plots depict the count of node records stored within each node’s routing table and made accessible through the discv5 DHT. These node records serve as a mechanism through which nodes discover new remote nodes in the network.

Stale Records - Mainnet

Stale Records - Mainnet

Ensuring reachability of referenced nodes shared within the network is critical. This plot delineates the occurrences of reachable and non-reachable (stale) node records. Note that nodes running behind a NAT are counted as unreachable even though they may be online. For instance, if a node’s record is present in the routing tables of 100 other nodes and the node is reachable, the plot will reflect an increase of 100 in the online category.

On 2026-01-12, we have changed the deduplication logic when queuing peers to crawl. We crawl the discv5 DHT which indexes Ethereum Node Records. Each record contains a NodeID among other things. Before that date we skipped crawling records whose NodeID we had already seen and crawled before. However, the newly discovered ENR for the same NodeID could in theory contain more up-to-date information about the node's network addresses. Therefore, after that date we started to probe every ENR that we can find even if the we had probed the NodeID before during that same network crawl.

Reachable vs Unreachable DHT Records Over Time

Stale Records - all discv5

Stale Records - all discv5

Ensuring reachability of referenced nodes shared within the network is critical. This plot delineates the occurrences of reachable and non-reachable (stale) node records. Note that nodes running behind a NAT are counted as unreachable even though they may be online. For instance, if a node’s record is present in the routing tables of 100 other nodes and the node is reachable, the plot will reflect an increase of 100 in the online category.

On 2026-01-12, we have changed the deduplication logic when queuing peers to crawl. We crawl the discv5 DHT which indexes Ethereum Node Records. Each record contains a NodeID among other things. Before that date we skipped crawling records whose NodeID we had already seen and crawled before. However, the newly discovered ENR for the same NodeID could in theory contain more up-to-date information about the node's network addresses. Therefore, after that date we started to probe every ENR that we can find even if the we had probed the NodeID before during that same network crawl.

Reachable vs Unreachable DHT Records Over Time

Measurement Tools

Our network monitoring employs advanced crawling and probing tools and techniques to gather comprehensive data about network health, topology, and performance

Our Tools

tool-abstract-8

DAS Guardian

A Data Availability Sampling tool to asses Ethereum Node's real custody
tool-abstract-7

Bitswap Sniffer

A CID sniffer for content in IPFS over Bitswap and DHT requests
Freepik

Tiros

A performance measurement tool for Kubo and IPFS-hosted websites.
AI Freepik

Parsec

A DHT and IPNI lookup performance measurement tool.
GarryKillian / Freepik

Ants

A DHT monitoring tool for NAT'd peers.
From GarryKillian / Freepik

Hermes

A lightweight GossipSub tracer.
Abstract Image 6

Nebula

A network agnostic DHT crawler and monitoring tool