On Feb 1, 2008 12:57 PM, Matthew Toseland <toad at amphibian.dyndns.org> wrote:
> > Even if the requestor can't specify a target network, I think it
> > works. If the model is that the request is first routed within the
> > network, and if that fails it tries to find an escape route -- then
> > that "escape route" is a bottleneck (by definition).
> >
> > The nodes using rejectoverload is insufficient, I think -- they'll
> > reject the attacker's requests and real requests with similar
> > probability, and so performance for real requests will degrade
> > substantially. Now the attacker only needs resources comparable to
> > the bottlenecks; they don't even have to know where those bottlenecks
> > are in order to seriously degrade the network topology.
> >
> > I'm not familiar enough with the details of the proposed ULPRs and how
> > USKs and Frost and the like check for new updates / messages, but it
> > seems possible that simple legitimate checks for new content would
> > have a similar effect. Of course, failure tables would help a lot
> > with that case, but they wouldn't help against a malicious attacker.
>
> Could ULPRs help to resolve it? Would it be possible to estimate the demand
> for a key (in a way which doesn't favour single nodes that constantly
> rerequest, and is biased by links so that an attacker could only attack
> proportionately to the number of connections he has), in order to decide
> which requests to let through?

I think ULPRs will do a good job of preventing legitimate traffic from creating such an effect. A malicious attacker, however, would have no reason to repeat keys, so any technique that simply tries to make re-requests more efficient would have no effect. Biasing on popularity is probably a good thing, and if it can be done in a relatively attack-proof manner, might be the solution.

Do we have any understanding of how well network clusters will correlate with content clusters? That is, if there are effectively two networks, especially if they result from cultural and language barriers, to what extent will the two sides be uninterested in communicating with each other? I think having a ballpark answer to that question will go a long way in determining how big a problem this really is, and also what sort of solutions might be appropriate. Of course, it sounds hard to answer :)

Evan Daniel
