From Matrix. Please forgive the lack of verbosity, I want to keep this clean.
Problem: A malicious node can alter hop count. Altering it upwards is generally harmless. Altering it downwards can cause routing issues. There is little MitM risk, but this can cause instability, slow the network, or break pathing. While this can be mitigated with pathing failover, an active defense may be preferable.
Proposed solution:
Malicious node November reports an inappropriately low hop announce.
Rules:
If November is not in path table (has not announced) reject the announce.
If announce hops <= November path hops reject the announce.
If 50% or more announces from November trigger these rules (minimum 3) then blacklist November.
Problematic rules:
Reject nodes that only announce one hop:
A major hub may see many or all nodes at one hop, causing a false positive. Also easy to set to two hops to avoid.
Verify every announce with source:
Incredible overhead, and can verify a path, but not the hop count. As nodes/peers reject pings by default, would require modifications that can be abused and will reduce privacy. (May be useful for applications)
Authenticated systems:
Requires an authority to authorize the systems, making a de-facto controlled routing system with a single point of failure. Plus you need someone to authorize the authorizing systems, and around we go.
Shared blacklists:
As Authenticated systems, plus it's trivial to make a new identity. It's critical to detect and prevent the behavior, not attempt to ban the source.
Thoughts?
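The three proposed rules run over a stream of announces, as an added example that is not part of the original post and not taken from any project's code. Assumptions: all names are hypothetical, "November path hops" is read as the hop count at which the receiving node already knows the relaying node, and "minimum 3" is read as at least three rejected announces.

```python
from dataclasses import dataclass, field

MIN_REJECTS = 3      # assumption: "minimum 3" means three rejected announces
REJECT_RATIO = 0.5   # "50% or more" of a relay's announces were rejected


@dataclass
class AnnounceFilter:
    path_table: dict                               # relay id -> known hops to that relay
    seen: dict = field(default_factory=dict)       # relay id -> announces received
    rejected: dict = field(default_factory=dict)   # relay id -> announces rejected
    blacklist: set = field(default_factory=set)

    def check(self, relay, announce_hops):
        """Classify one announce received via `relay` with the claimed hop count."""
        if relay in self.blacklist:
            return "blacklisted"
        self.seen[relay] = self.seen.get(relay, 0) + 1
        known = self.path_table.get(relay)
        # Rule 1: the relay is not in the path table (it has not announced).
        # Rule 2: the claimed hops are <= the hops at which we know the relay.
        if known is not None and announce_hops > known:
            return "accept"
        self.rejected[relay] = self.rejected.get(relay, 0) + 1
        # Rule 3: blacklist once enough of this relay's announces broke rules 1-2.
        bad, total = self.rejected[relay], self.seen[relay]
        if bad >= MIN_REJECTS and bad / total >= REJECT_RATIO:
            self.blacklist.add(relay)
        return "reject"


def replay(path_table, announces):
    """Run (relay, hops) pairs through a fresh filter; return verdicts and blacklist."""
    f = AnnounceFilter(dict(path_table))
    return [f.check(relay, hops) for relay, hops in announces], f.blacklist


# Constructed sample data: "hub" is one hop away, "november" three, "ghost" unknown.
SAMPLE_PATHS = {"november": 3, "hub": 1}
SAMPLE_ANNOUNCES = [
    ("hub", 2), ("november", 1), ("november", 5), ("november", 2),
    ("november", 3), ("november", 6), ("ghost", 4), ("hub", 2),
]

if __name__ == "__main__":
    verdicts, banned = replay(SAMPLE_PATHS, SAMPLE_ANNOUNCES)
    for (relay, hops), verdict in zip(SAMPLE_ANNOUNCES, verdicts):
        print(f"{relay:9} hops={hops} -> {verdict}")
    print("blacklist:", sorted(banned))
```

In the sample, the hub at one hop relaying two-hop announces is never flagged, which is the false positive the "reject one-hop announces" rule would have caused.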