5 Dec 2022 [CT] [guides]

CT-008: Mitigating dusting attacks in Monero CLI

This is the 8th report in the Cypherpunk Transmission series.

Motivation

Monero addresses are not publicly recorded on the blockchain and ring signatures do provide plausible deniability, but they aren’t perfect.

Although Monero is less vulnerable than public chains, rings can still be targeted and weakened by dusting attacks, which could lead to indirect linkage of outputs and user deanonymization.

This guide suggests a few simple ways to deal with poisoned outputs from dusting/EAE attacks.

Assumptions

Monero CLI installed (CT-002¹)’²
~5 mins free time (+sync time)

1. Identifying dusting attacks

To determine if you are under attack, simply check for suspicious incoming transactions that are small (usually under 0.01 XMR) and which are being periodically transferred to your addresses.

The show_transfers incoming command in your Monero CLI lists all incoming transactions.

Use unspent_outputs and unspent_outputs index=1 to confirm which addresses are being targeted by the dusting attack.

Note: replace index number to see unspent outputs in other addresses; type in address all to list all addresses and associated index numbers.

You should be able to identify something similar to this, with a high number of keys:

Amount: 0.001, number of keys: 24
2683490

Let’s assume we spot 24 x 0.001 XMR transactions hitting index 1. Now we are fully aware of the attack.

2. Mitigations

You might want to consider your own theat model (CT-001³) when deciding on the best course of action.

2.1 Manage

We could try combining only the poisoned outputs (not churning the entire balance with sweep_all).

Let’s grab all unlocked poisoned outputs with sweep_below and send them to a new subaddress:

sweep_below 0.002 index=1 <address>

Note: replace amount, index number and address accordingly; repeat the process as needed; generate a new subaddress with address new.

2.2 Ignore

Alternatively, we could simply choose not to touch/spend those poisoned outputs.

Let’s ignore outputs below a certain threshold with:

set ignore-outputs-below 0.002

Note: replace amount accordingly; if there are other ‘safe’ outputs on that index, they could be linked with the poisoned ones.

Observations

if you need help with any command, use help <command> and help all
not all dusting attack victims are directly targeted
churning can increase user privacy, but it is not easy to provide an optimal churn frequency recommendation
successful EAE attacks require colluding adversaries on both sides with access to external correlating metadata (ie. IP addresses, KYC data, timing)
Seraphis should bring an increase in the ring size, which could reduce dusting attacks efficiency
watch Breaking Monero’s Poisoned Outputs (EAE Attack) video⁴ to learn more about these types of attacks

That’s it. Nothing is perfect, not even Monero, but I do believe we are moving in the right direction. If you are under attack, don’t panic: sweep / ignore and take that as a compliment instead.

Feedback

Let me know if you find this helpful and, depending on interest, I will do my best to post a new Cypherpunk Transmission report every (other?) Monday.

Questions, edits and suggestions are always appreciated @ /about/.

-3RA

Credit goes to gnuteardrops from monero.graphics for the amazing xkcd graphic. Work and xkcd Script font licensed under CC BY-NC 3.0.

/cypherpunk-transmission-002-building-from-source-monero-cli/ ↩
/verify-install-update-monero-cli-wallet-linux-guide/ ↩
/cypherpunk-transmission-001-threat-modeling-demystified/ ↩
https://redirect.invidious.io/watch?v=iABIcsDJKyM ↩