Identity Flooding

Sybil Attack

A Sybil attack is the foundational attack against decentralized systems. The attacker generates many fake identities to gain disproportionate influence over the Kademlia DHT.

Recent research (2024-2025) demonstrated that a single computer can create enough Sybil nodes to control any DHT entry in IPFS/libp2p, denying content access in ~80% of lookup attempts.

Simulation Steps

Healthy DHT

A Kademlia DHT where honest peers are distributed across the XOR keyspace. Each node maintains k-buckets (k=20 in py-libp2p) with peers at various distances. Lookups route through O(log n) hops to find the closest peers to a target key.

Identity Generation

The attacker generates Ed25519 keypairs to create Sybil identities. Since Peer IDs are derived from public key hashes, generating an identity takes <1ms. A single computer can create thousands of identities. Research (ARES 2024) showed a single machine can "take control of any DHT entry."

DHT Infiltration

Sybil nodes join the DHT and start filling honest nodes' k-buckets. They respond to FIND_NODE queries with other Sybil peers, gradually increasing attacker density in the routing tables. The disjoint path lookup (S/Kademlia) helps but cannot fully prevent this at high Sybil ratios.

Lookup Hijacking

With enough Sybils, the attacker can intercept DHT lookups. When a peer asks FIND_VALUE for a content key, the Sybil nodes closest in XOR distance respond first — returning false or empty results. Content resolution fails ~80% of the time at high Sybil ratios (2025 research).

Defense: S/Kademlia & Disjoint Paths

py-libp2p's DHT uses S/Kademlia improvements: disjoint path lookups send parallel queries through separate node lists, so a single malicious node cannot misdirect all queries. Combined with provider record validation and proposed SR-DHT-Store (region-based queries), Sybil influence is significantly reduced.

disjoint_paths = 3
provider_record.validate = true
kbucket.max_replacements = 20

Technical Details

Kademlia Routing Logic

bucket_index = floor(log₂ (distance(self, peer)))
distance(a, b) = H(a.pub_key) ⊕ H(b.pub_key)

XOR distance determines routing table placement. In a Sybil attack, the attacker generates keys to target specific buckets.
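The two formulas above, plus a defender-side density check, as an added example that is not py-libp2p code: it flags a target key whose k closest peers sit much closer than uniformly placed honest peers would. SHA-256 as H, the function names, the 8-bit margin and all sample keys are assumptions of this example.

```python
import hashlib
import math

KEY_BITS = 256  # assumption: H is SHA-256, so keys are 256-bit integers

def dht_key(pub_key: bytes) -> int:
    """H(pub_key) as an integer position in the XOR keyspace."""
    return int.from_bytes(hashlib.sha256(pub_key).digest(), "big")

def xor_distance(a: int, b: int) -> int:
    return a ^ b

def bucket_index(self_key: int, peer_key: int) -> int:
    """floor(log2(distance)); undefined for distance 0 (the node itself)."""
    d = xor_distance(self_key, peer_key)
    if d == 0:
        raise ValueError("a node does not bucket itself")
    return d.bit_length() - 1

def common_prefix_len(a: int, b: int) -> int:
    """Number of leading bits two keys share."""
    return KEY_BITS - xor_distance(a, b).bit_length()

def closest_peers(target: int, keys, k: int = 20):
    return sorted(keys, key=lambda p: xor_distance(target, p))[:k]

def looks_flooded(target: int, keys, k: int = 20, margin_bits: int = 8) -> bool:
    """Hypothetical heuristic: with n uniformly placed peers, the k-th closest
    peer shares about log2(n/k) leading bits with the target. Far more than
    that means the region around the target is abnormally dense."""
    near = closest_peers(target, keys, k)
    if len(near) < k:
        return False  # too few peers to judge
    expected = math.log2(len(keys) / k)
    return common_prefix_len(target, near[-1]) > expected + margin_bits

# Constructed sample data: 1000 hashed stand-in public keys, plus 20 keys
# placed directly beside the target to model a flooded region.
TARGET = dht_key(b"example-content-key")
HONEST = [dht_key(b"honest-%d" % i) for i in range(1000)]
CLUSTERED = [TARGET ^ (i + 1) for i in range(20)]

if __name__ == "__main__":
    print("healthy:", looks_flooded(TARGET, HONEST))
    print("flooded:", looks_flooded(TARGET, HONEST + CLUSTERED))
```

A node can run such a check on the peer set a lookup returns and treat a flagged result as untrusted, for example by widening the query before accepting it.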

Kademlia DHT

The routing table uses k-buckets (k=20) indexed by XOR distance. S/Kademlia extensions include disjoint path lookups where parallel queries use separate node lists to bypass malicious regions.

Identity Generation

Generating an Ed25519 identity takes ~0.05ms. An attacker can create 20,000 nodes per second, allowing them to flood the DHT with identities strategically positioned in the address space.