Sybil attack happens when a single attacker takes control of multiple nodes on a network. Since it is a decentralized network, no one would know that the nodes are being controlled by the same attacker. Such an act would subvert the reputation system of the peer-to-peer network because it allows them to gain a disproportionately large influence.
The proof of work (PoW) used by the Bitcoin network is the Sybil resistance model. To be rewarded, each individual in the network must perform an involuntary and equal amount of computational work. In other words, each Sybil person has to do as much work as every honest person, which makes the Sybil attack too expensive.
In Proof of Stake (PoS), consensus is reached in a network of validators that have "locked" or "stake" a considerable amount of capital for a certain period of time. An attacker who wants to carry out a Sybil attack on the PoS network must block at least the same stake that is blocked by honest validators.
Although the initial cost of an attack may not be immediately obvious (lock capital -> execute attack -> get staked after a certain period), it is assumed that the PoS model works because:
-the amount of capital that the attacker can stake is limited, since the sum of the attacker's stake plus all other stakes cannot exceed the total turnover;
-by performing a Sybil attack, the attacker devalues the public trust (and value) of the underlying protocol/asset, thereby reducing or eliminating any profitability of the attack.
Sybil's attacks are often confused with Eclipse attacks. However, in the latter case, fake IDs do not attempt to completely mislead the network; instead, they drive individual nodes into the network, monopolizing all of their P2P connections. By isolating certain elements, the attack can display a false state of the network to them. Thus, Eclipse attacks affect a small part of the network, while Sybil attacks disrupt the entire network. You can read more about Eclipse attacks here:
People often think that Bitcoin is safe if at least 51 percent of the mining power is honest, but this guarantee is based on the assumption that all parties see valid blocks/transactions. However, Bitcoin relies on its own peer-to-peer network to deliver its information. Therefore, if you control the peer-to-peer network, you control the information flow and then you can control the blockchain. An attacker attacks the Bitcoin peer-to-peer network and uses Eclipse's "obscuring information" attack to undermine the security of Bitcoin.
The Eclipse attack is a means of attacking a decentralized network by which an attacker seeks to isolate and attack a specific user(s) rather than attacking the entire network (as in the Sybil attack). A successful Eclipse attack allows a potential attacker to isolate and subsequently thwart their goal of gaining a true picture of real network activity and the current state of the registry.
This attack is made possible because the decentralized network does not allow all nodes to connect to all other nodes on the network at the same time. Instead, for efficiency, the node connects to a selected group of other nodes, which in turn connect to their own selected group.
For example, Bitcoin has 117 incoming TCP connections and a maximum of 8 outgoing TCP connections by default. These connections form a gossip network for the circulation of bitcoin transactions and blocks. The attack only targets Bitcoin nodes that accept incoming connections because not all nodes accept incoming connections.
An attacker will seek to capture all of these links. The effort required to achieve this depends on the design, size, and nature of the network, but as a general rule, the attacker must control a botnet of host nodes (each with its own IP address) and develop (essentially through trial and error) neighboring nodes of the intended victims. The next time the victim node logs out and then rejoins the network (dropping their connections and forcing them to find a new set of nodes to connect to), the attacker has a good chance of gaining control of all of the victim's connections.
How do attackers profit from an Eclipse attack?
Once the attacker has quarantined the user by taking control of all outgoing connections, he can exploit them, for example, by performing a double-spend attack with zero confirmation. If user A is an attacker, user B is an isolated host, and user C is another network entity, then user A will be able to send a payment to user C and then send the same transaction to user B. User B does not know that these funds have already been spent because all of their outgoing connections go through user A, who can suppress the information user B receives. User B will accept the coins, and only later, when he connects to the "true" block chain, will he discover that they have been scammed and in fact nothing got.
An attacker can also use the eclipse attack to attack the blockchain itself by capturing the mining power of the isolated node(s). The victim, seeing only the registry that the attacker shows, will support this variant of the chain. If an attacker can attack enough users (and keeping in mind that some miners can control significant amounts of hash power), they can create their own chain as a legitimate fork to the "true" ledger. Get enough support and it becomes a ledger.
The Sybil Attack
John R. Douceur
What are Sybil Attacks|Explained For Beginners
November 13, 2018
What is a Sybil attack and how can it affect peer networks?
June 1, 2017