Denial-of-service prevention #517
Conversation
|
The only other thing to worry about is that someone working on client development might inadvertently run a buggy version of the client and wind up locked out of parts of the network for a few hours. I would add one other change to help prevent this. When you 'punish' an IP, check to see if you made the connection to them or they connected to you. If they connected to you, punish them for a few hours. If you connected to them, just don't connect to them for a few hours, still let them connect to you. That way, unless you're actually malicious or make large numbers of outbound connections accidentally, you'll only get locked out for hours of a small number of peers. Someone trying to launch a DoS attack by waiting for people to connect to them will find it slow going. |
|
Also see my post DoS countermeasures may facilitate network fragmentation attacks |
|
Rebased into fewer commits, and removed banning due to getting too many free transactions and getting blocks with bad timestamps, because they might have opened up a possible split-the-network attack. |
Denial-of-service prevention
Denial-of-service prevention
Correct constant to HIGH_MAX_TX_FEE
… data" a657da0 Validation: stop logging fake pow data (Sjors Provoost) Pull request description: Based on bitcoin#515. Backport of Blockstream/liquid#8 Tree-SHA512: 0f81430ca9905c4aa9b9e50ee3cd5a856132cc641dbc3346f982c2d5a023ab83cf68b64a3008f1adbda52d277d4357ed2d89e8ed6335c6288294fe5275743ba0
WIP: Rename story actors: Fixes bitcoin#464 bitcoin#517 bitcoin#590
5 participants
The big idea: if a peer is sending you obviously wrong information, punish it by maybe dropping your connection to it, and ban it's IP address so it cannot immediately re-connect.
The probability of dropping the connection, and the length of the ban, depend on how wrong, and how potentially wasteful/damaging, the peer is. So sending an extra 'version' message is a minor transgression that is usually tolerated, sending an more than MAX_BLOCK_SIZE block is a major transgression.
Detailed how-it-works, using "I got a version message I wasn't expecting" as the specific example:
Getting a version message from a peer increases that peer's 'misbehaving' score by 10, and (assuming that is the peer's first bad behavior) gives it a 10% of being disconnected. If it is disconnected, then that peer's IP address is banned from connecting for a couple of hours. If it is not disconnected, then nothing happens unless the peer misbehaves again; if it does, then its chances of being disconnected go up, and the length of time it will be banned increases.
Misbehavior/ban information is stored only in memory, and information about misbehaving peers is never broadcast. Also, peers that are disconnected/banned are just dropped, there is no warning or reason sent.
I think this will eliminate a lot of potential denial-of-service attacks, and could be a good framework for responding to other potential attacks. "We" should still look through the code and limit the potential size of any data structures that an attacker might target (transaction pool, orphan block pool); the DoSprevention changes are meant to make it harder for an attacker to stay connected long enough to pull off an attack.
The danger is that I got something wrong; what if an attacker can leverage the DoSprevention code to split or shatter the network? Here's my thinking on that, please help check my work:
So: please let me know if or how I'm being an idiot.
I'm still thinking about the best way of testing this; at the very least, running a node for several days with this patch applied should result in a minimal number of "disconnected %s for misbheavior" messages in debug.log.