Monero Observer – CT-008: Mitigating dusting attacks in Monero CLI
5 Dec 2022
This is the 8th report in the Cypherpunk Transmission series.
Monero addresses are not publicly recorded on the blockchain and ring signatures do provide plausible deniability, but they aren’t perfect.
Although Monero is less vulnerable than public chains, rings can still be targeted and weakened by dusting attacks, which could lead to indirect linkage of outputs and user deanonymization.
This guide suggests a few simple ways to deal with poisoned outputs from dusting/EAE attacks.
- Monero CLI installed (CT-002)
- ~5 mins free time (+sync time)
1. Identifying dusting attacks
To determine if you are under attack, simply check for suspicious incoming transactions that are small (usually under 0.01 XMR) and which are being periodically transferred to your addresses.
The show_transfers incoming command in your Monero CLI lists all incoming transactions.
Use unspent_outputs index=1 to confirm which addresses are being targeted by the dusting attack.
Note: replace the index number to see unspent outputs in other addresses; type in address all to list all addresses and associated index numbers.
You should be able to identify something similar to this, with a high number of keys:
Amount: 0.001, number of keys: 24 2683490
Let’s assume we spot 24 x 0.001 XMR transactions hitting index 1. Now we are fully aware of the attack.
You might want to consider your own threat model (CT-001) when deciding on the best course of action.
We could try combining only the poisoned outputs (not churning the entire balance with
Let’s grab all unlocked poisoned outputs with sweep_below and send them to a new subaddress:
sweep_below 0.002 index=1 <address>
Note: replace amount, index number and address accordingly; repeat the process as needed; generate a new subaddress with
Alternatively, we could simply choose not to touch/spend those poisoned outputs.
Let’s ignore outputs below a certain threshold with:
set ignore-outputs-below 0.002
Note: replace amount accordingly; if there are other ‘safe’ outputs on that index, they could be linked with the poisoned ones.
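The identification rule from section 1 and the threshold choice used with sweep_below and ignore-outputs-below can be checked offline before touching the wallet. The sketch below is an added example, not part of the original guide or of Monero CLI: it works on a constructed list of (index, amount) pairs rather than on real wallet output, and MIN_REPEATS and the "double the dust amount" threshold are assumptions that mirror the guide's 0.001 to 0.002 choice. It also reports any other output on the same index that falls below the threshold, which is the linkage risk mentioned in the note above.

```python
from collections import Counter
from decimal import Decimal

DUST_LIMIT = Decimal("0.01")  # guide: dust is "usually under 0.01 XMR"
MIN_REPEATS = 3               # assumption: repeats needed to call it periodic

# Constructed sample of incoming outputs: (subaddress index, amount in XMR).
SAMPLE = [(1, "0.001")] * 24 + [(1, "0.0015"), (1, "2.5"), (0, "0.004"), (0, "1.2")]


def find_dust(outputs, limit=DUST_LIMIT, min_repeats=MIN_REPEATS):
    """Return {index: {amount: count}} for small amounts that repeat on an index."""
    counts = Counter((idx, Decimal(amt)) for idx, amt in outputs)
    dust = {}
    for (idx, amt), n in counts.items():
        if amt < limit and n >= min_repeats:
            dust.setdefault(idx, {})[amt] = n
    return dust


def plan(outputs, limit=DUST_LIMIT, min_repeats=MIN_REPEATS):
    """For each dusted index, pick a threshold and list outputs it would also catch."""
    result = {}
    for idx, groups in find_dust(outputs, limit, min_repeats).items():
        threshold = 2 * max(groups)  # assumption: mirrors the guide's 0.001 -> 0.002
        collateral = sorted(
            Decimal(amt) for i, amt in outputs
            if i == idx and Decimal(amt) < threshold and Decimal(amt) not in groups
        )
        result[idx] = {"threshold": threshold, "dust": groups, "collateral": collateral}
    return result


if __name__ == "__main__":
    for idx, p in plan(SAMPLE).items():
        total = sum(p["dust"].values())
        print(f"index={idx}: {total} dust outputs, threshold {p['threshold']}")
        for amt in p["collateral"]:
            print(f"  warning: non-dust output of {amt} XMR is also below the threshold")
```

On the constructed sample, index 1 is flagged with 24 dust outputs and a threshold of 0.002, and the single 0.0015 XMR output is reported as one that the same threshold would sweep or ignore along with the dust.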
- if you need help with any command, use
- not all dusting attack victims are directly targeted
- churning can increase user privacy, but it is not easy to provide an optimal churn frequency recommendation
- successful EAE attacks require colluding adversaries on both sides with access to external correlating metadata (i.e. IP addresses, KYC data, timing)
- Seraphis should bring an increase in the ring size, which could reduce the efficiency of dusting attacks
- watch Breaking Monero’s Poisoned Outputs (EAE Attack) video to learn more about these types of attacks
That’s it. Nothing is perfect, not even Monero, but I do believe we are moving in the right direction. If you are under attack, don’t panic: sweep / ignore and take that as a compliment instead.
Let me know if you find this helpful and, depending on interest, I will do my best to post a new Cypherpunk Transmission report every (other?) Monday.
Questions, edits and suggestions are always appreciated @ /about/.
Credit goes to gnuteardrops from monero.graphics for the amazing xkcd graphic. Work and xkcd Script font licensed under CC BY-NC 3.0.