DHT Request hardening human doc. #244
Good. But in the first iteration we will receive these packets and drop them.
It seems hardening is going to be removed from
Actually hardening can't provide good protection against a Sybil attack: it assumes that the attacker will send different responses to different nodes, but he doesn't have to do so to achieve the desired result. The attacker can just stop sending a specific node to everyone with the same result, as he doesn't know it.
Still we have to parse them to avoid that many error messages in the log.
BitTorrent had the same problem, and they solved it by issuing BEP 42 which basically requires that certain bits of your DHT address exactly match the hash of certain bits of your public IP address. Here's a summary:
Implementing this defense against Sybil attacks requires DHT nodes to opt in to the defense. One way of rolling it out in a backwards-compatible manner is for clients to decide with some small probability (say 5%) whether or not to only use DHT nodes that have opted in to the Sybil defense. In other words, for each DHT query, with 5% probability, the client would ignore all DHT nodes whose DHT address doesn't match its IPv4 address. This means that an attacker with lots of machines but few IP addresses could slow down the network by a factor of 20x but could not completely shut it down. The probability can be user-configurable so that users can manually increase it in the event of an attack, and the default setting can be gradually increased over time as more and more DHT nodes opt in to the defense.
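The BEP 42 check and the probabilistic rollout described in the comment above, as an added example that is not part of the thread or of the project's code. It covers IPv4 only; `bep42_valid` and `usable_nodes` are hypothetical names, and the caller is assumed to supply `draw` from its own RNG.

```rust
use std::net::Ipv4Addr;

/// Bitwise CRC32C (Castagnoli), the hash BEP 42 uses.
fn crc32c(data: &[u8]) -> u32 {
    let mut crc = 0xFFFF_FFFFu32;
    for &b in data {
        crc ^= b as u32;
        for _ in 0..8 {
            crc = if crc & 1 == 1 { (crc >> 1) ^ 0x82F6_3B78 } else { crc >> 1 };
        }
    }
    !crc
}

/// BEP 42 check for IPv4: the first 21 bits of the node ID must equal the
/// first 21 bits of crc32c(masked IP with r in the top 3 bits), where r is
/// the low 3 bits of the ID's last byte.
fn bep42_valid(ip: Ipv4Addr, id: &[u8; 20]) -> bool {
    const MASK: [u8; 4] = [0x03, 0x0f, 0x3f, 0xff];
    let mut b = ip.octets();
    for i in 0..4 {
        b[i] &= MASK[i];
    }
    b[0] |= (id[19] & 0x07) << 5;
    let c = crc32c(&b).to_be_bytes();
    id[0] == c[0] && id[1] == c[1] && (id[2] & 0xf8) == (c[2] & 0xf8)
}

/// Rollout rule from the comment above: when `draw < p` the query keeps only
/// nodes that pass the check, otherwise it keeps all of them. `draw` is a
/// uniform sample from [0, 1) taken from the caller's RNG (assumption).
fn usable_nodes(nodes: &[(Ipv4Addr, [u8; 20])], p: f64, draw: f64) -> Vec<(Ipv4Addr, [u8; 20])> {
    let strict = draw < p;
    nodes.iter().filter(|n| !strict || bep42_valid(n.0, &n.1)).cloned().collect()
}

fn main() {
    // Constructed sample: ID prefix and last byte follow BEP 42's example for
    // 124.31.75.21; the middle bytes are arbitrary. `bad` flips one prefix bit.
    let ip = Ipv4Addr::new(124, 31, 75, 21);
    let mut good = [0u8; 20];
    good[0] = 0x5f; good[1] = 0xbf; good[2] = 0xbf; good[19] = 0x01;
    let mut bad = good;
    bad[0] ^= 0x01;
    let nodes = [(ip, good), (ip, bad)];
    println!("strict query keeps {} of 2 nodes", usable_nodes(&nodes, 0.05, 0.01).len());
    println!("normal query keeps {} of 2 nodes", usable_nodes(&nodes, 0.05, 0.50).len());
}
```

Because the ID prefix is bound to the masked IP, the number of distinct ID prefixes an attacker can claim is limited by the number of addresses they control rather than by the number of machines.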
DHT Hardening
DhtRequest hardening is used to avoid DoS attacks.
A Tox node can enter the Tox network if it can respond with a valid PingResponse.
So, inserting many fake nodes can attack the Tox network to prevent two valid Tox nodes from connecting to each other.
Hardening is used to defeat this attack.
CRYPTO_PACKET_HARDENING, whose value is 48.
RequestQueue struct to generic struct which is
From:
To:
Here T may be one of these
Or