Definition
An eclipse attack lets an adversary who controls enough IP addresses monopolize every connection to and from a victim Bitcoin node — both inbound and outbound — so that the victim sees only the attacker's filtered view of the network. The victim is effectively cut off from honest peers and "eclipsed." The attack was formalized by Ethan Heilman, Alison Kendler, Aviv Zohar, and Sharon Goldberg in their 2015 USENIX paper Eclipse Attacks on Bitcoin's Peer-to-Peer Network, and it remains one of the clearest illustrations of why a node's peer selection logic is a security boundary, not a networking detail.
How it works
Bitcoin nodes maintain a limited set of peer connections chosen from an internal address database (the "addrman"), which is populated by addresses gossiped from other peers. An attacker who controls a large, diverse pool of IP addresses repeatedly floods the victim with attacker-owned addresses until the victim's address tables are saturated with them. The attacker then waits for — or forces, via a crash or a DoS — a restart. When the node comes back up and dials new outbound connections, it draws from a poisoned address book and connects only to attacker-controlled peers. From that moment the attacker sits between the victim and the real network, deciding which blocks and transactions the victim ever learns about, and reading everything the victim broadcasts.
What an eclipsed node enables
An eclipsed node is rarely the end goal; it is a launchpad. Against a merchant, the attacker can show a payment that the real network never saw, enabling N-confirmation double-spends backed by a private chain of attacker-mined blocks. Against a miner, the attacker can feed a stale chain tip so the victim burns real hashrate extending blocks the honest network has already left behind — wasted electricity for the victim, and vote-splitting that measurably aids selfish mining strategies. An eclipsed mining pool node is an especially rich target, because one poisoned view misleads every miner pointed at it. Eclipse attacks also degrade Lightning security, since a node that cannot see the honest chain cannot react to an old channel state being broadcast.
Defenses in Bitcoin Core and at home
Heilman's team proposed countermeasures — randomized peer eviction, more buckets in the address manager, feeler connections that test stored addresses, and anchor connections that persist across restarts — and Bitcoin Core adopted many of them, later adding dedicated block-relay-only connections that carry no address gossip and are much harder to enumerate. The economic cost of the attack has risen substantially as a result. A node runner can push it higher still: add one or two manual peers you trust (a friend's node, a second box you control at another location), diversify connectivity across clearnet, Tor, and other transports so no single vantage point sees everything, and avoid predictable restart patterns on an exposed node. If you mine, having your own node's view cross-checked against an independent source turns an eclipse from silent theft into a visible discrepancy.
Signals that you might be eclipsed
An eclipse is designed to be quiet, but it leaves symptoms. Your chain tip lags what public explorers show, or blocks arrive in suspicious bursts. Your peer list loses diversity — many connections sharing a few subnets or one hosting provider is a red flag. Transactions you broadcast never appear in outside services. The cheap countermeasure is an out-of-band cross-check: compare your node's tip hash against a second source over a different network path — a friend's node, an explorer reached via Tor, even a block height read over a mesh radio link. Two independent views that agree are exponentially harder to fake than one.
Eclipse attacks often build on a Sybil attack — cheap fake identities at the network layer — and they overlap with routing-level man-in-the-middle interception by ISPs or BGP hijackers. The common thread is the same sovereignty lesson: your node's independence is only as strong as the diversity of its connections. A full node behind one hosting provider, one ISP, and one network transport is a single conversation away from being alone with its attacker.
In Simple Terms
An eclipse attack lets an adversary who controls enough IP addresses monopolize every connection to and from a victim Bitcoin node — both inbound and…
