On Saturday 19 July 2008 23:59, Matthew Toseland wrote:
> On Saturday 19 July 2008 11:45, Michael Rogers wrote:
> > Matthew Toseland wrote:
> > >> Atm the only limit is the size of the field in the DMT message. We allow
> > >> a ShortBuffer which is 32kB... A double is 8 bytes meaning that the bad
> > >> guy can advertise 4000 locations.
> > > 
> > > This leaves two possible attacks:
> > > 1) Use swapping to work out our peers' peers, and do the 1-at-each-side 
> > > attack.
> > > 2) Just advertise tons of locations.
> > > 
> > > /me notes that if the advertisement packet is over 1kB we may run into severe
> > > MTU problems on many connections ... so we could limit it to 128 for 
> > > practical reasons.  But that would certainly be enough for attack 1 and 
> > > probably enough for attack 2.
> > 
> > Opennet peers are currently limited to 20 and total peers are limited to
> > 100, right? So we shouldn't accept more than 19 locations from an
> > opennet peer or 99 from a darknet peer (who we hopefully trust not to
> > attack us anyway).
> 
> Hmmm... currently, we decrement the opennet peers limit for every connected 
> darknet peer. So if we are connected to a peer via opennet, it should only 
> have 20 peers including us, full stop. Of course, on darknet, it can have as 
> many peers as its owner can obtain.
> 
> Would this solve the problem, at least on opennet?
> > 
> > Cheers,
> > Michael
> 
So, in summary:

An attacker can spoof the FOAF mechanism to advertise bogus locations and draw 
more than his fair share of requests.

If he is a normal part of the network topologically, many of his peers will 
also be the target's peers, so he can take over their locations (advertise to 
either side of each). But some won't. So he can simply advertise lots of 
locations, or maybe do something cleverer.

His objective in any case is to capture a large share of the node's outgoing 
traffic. We can calculate what proportion of the keyspace a node is 
occupying ... but it may be better to simply limit the proportion of outgoing 
requests a single node can have over some period. This would help with a 
range of similar attacks, not only with FOAF-based attacks. Also, on opennet, 
we can limit him to advertising 20 peers; on darknet, we can impose a higher 
limit. 

Another thing we could do on darknet is try to detect when a node is changing 
its peer set excessively rapidly (have them declare each peer's location and 
backoff time if it's backed off e.g.), although swapping might cause this 
sometimes...

Probably the best solution then is to:
- Implement FOAF routing.
- Limit opennet peers to advertising 20 locations.
- Limit darknet peers to advertising say 100 (50?) locations.
- Limit any single node to no more than 20% of our outgoing requests, show 
this figure on the connections page; for darknet only nodes with <10 peers, a 
higher limit may be necessary, we may want to not send requests and warn the 
user with an option to override if we have too few functional peers for basic 
anonymity.
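The two limits proposed in the message above, modelled as an added example (not part of the original message and not Freenet code): a simplified router picks the peer whose own or advertised location is closest to the key, and the simulation measures the share of requests won by a constructed peer that advertises 4000 locations. The `Router` class, the 500-request window and the ten-peer layout are assumptions made for illustration.

```python
import bisect
import random
from collections import deque

MAX_ADVERTISED = {"opennet": 20, "darknet": 100}  # limits proposed in the message
MAX_SHARE = 0.20  # proposed cap on one peer's share of our outgoing requests
WINDOW = 500      # assumption: "some period" = the last 500 routed requests


def closest(sorted_locs, key):
    """Circular distance on [0, 1) from key to the nearest of sorted_locs."""
    i = bisect.bisect_left(sorted_locs, key)
    near = (sorted_locs[i - 1], sorted_locs[i % len(sorted_locs)])
    return min(min(abs(key - loc), 1.0 - abs(key - loc)) for loc in near)


class Router:
    def __init__(self, limit_locations, cap_share):
        self.limit_locations, self.cap_share = limit_locations, cap_share
        self.peers = {}                     # name -> sorted accepted locations
        self.recent = deque(maxlen=WINDOW)  # peers chosen for recent requests

    def add_peer(self, name, kind, own_location, advertised):
        # Keep at most MAX_ADVERTISED[kind] of the locations the peer advertises.
        n = MAX_ADVERTISED[kind] if self.limit_locations else len(advertised)
        self.peers[name] = sorted([own_location] + list(advertised[:n]))

    def route(self, key):
        """Choose the peer with the closest known location, skipping capped peers."""
        names = list(self.peers)
        if self.cap_share and self.recent:
            limit = MAX_SHARE * len(self.recent)
            under = [p for p in names if self.recent.count(p) < limit]
            names = under or names          # never refuse to route entirely
        best = min(names, key=lambda p: closest(self.peers[p], key))
        self.recent.append(best)
        return best


def attacker_share(limit_locations, cap_share, requests=3000, seed=7):
    """Share of requests won by a constructed peer advertising 4000 locations."""
    rng = random.Random(seed)
    router = Router(limit_locations, cap_share)
    for i in range(9):  # nine honest opennet peers, 19 advertised locations each
        router.add_peer(f"honest{i}", "opennet", rng.random(),
                        [rng.random() for _ in range(19)])
    router.add_peer("attacker", "opennet", rng.random(),
                    [rng.random() for _ in range(4000)])
    wins = sum(router.route(rng.random()) == "attacker" for _ in range(requests))
    return wins / requests
```

Calling `attacker_share(False, False)`, `attacker_share(True, False)` and `attacker_share(False, True)` compares no limits, the location limit alone and the request-share cap alone.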