p2p: Prevent block index fingerprinting by sending additional getheaders messages #24571

[rajarshimaitra]

Session Details

• Date: 23-02-2023
• Time: IST 20:00 (UTC 14:30)
• PR: p2p: Prevent block index fingerprinting by sending additional getheaders messages bitcoin/bitcoin#24571
• Context: [net][net_processing]
• Difficulty: Moderate
• Language: [c++][python]
• Notes and Questions: https://bitcoincore.reviews/24571

Summary

This PR adds extra logic in the net processing module to increase resistance against a particular network fingerprinting attack.

Learnings

• P2P Networks.
• Fingerprinting attacks.
• Various forms of defense against fingerprinting.
• Network messaging protocol between nodes.
• Testing P2P behaviors in functional test.

[rajarshimaitra]

Summary

bitcoin/bitcoin#24571

A node will send getheaders message in response to cmpctblock or header messages if the header doesn't directly connect
to the node's block index. If the the new header chain is from a stale blockchain, and the node has the connecting ancestor, it will
not send the getheaders. This will allow the connecting to peer to identify the same node across various network.

This PR allows node to send additional getheaders messages to remove this potential fingerprinting.

What is the block index and what is it used for? (Hint: look at the usage of m_block_index)

Block index is an indexing system of the blockchain which contains in memory data for a block to quickly
find them in the disk.

This index is defined in CBlockIndex.

src/chain.h

/** The block chain is a tree shaped structure starting with the
 * genesis block at the root, with each block potentially having multiple
 * candidates to be the next block. A blockindex may have multiple pprev pointing
 * to it, but at most one of them can be part of the currently active branch.
 */
class CBlockIndex
{
public:
    //! pointer to the hash of the block, if any. Memory is owned by this CBlockIndex
    const uint256* phashBlock{nullptr};

    //! pointer to the index of the predecessor of this block
    CBlockIndex* pprev{nullptr};

    //! pointer to the index of some further predecessor of this block
    CBlockIndex* pskip{nullptr};

    //! height of the entry in the chain. The genesis block has height 0
    int nHeight{0};

    //! Which # file this block is stored in (blk?????.dat)
    int nFile GUARDED_BY(::cs_main){0};

    //! Byte offset within blk?????.dat where this block's data is stored
    unsigned int nDataPos GUARDED_BY(::cs_main){0};

    ...

It is used for all seek-and-find operations on the block, as well as getting various metadata like
Block Header, Block Hash, Ancestor, Block time etc.

Why and how can the block index be used for fingerprinting? (Hint: it has to do with stale blocks/headers)

When a peer sends us a chain of block on top of a stale chain (a chain not part of the global active) and depending on wether
the node has the block index of the ancestor of that stale chain, it will either send or not send a getheader message to the peer.
This information leaks the internal state of the node's block indexes, which can be used to identify the node across various networks.

Why do we keep stale blocks in the block index?

Stale blocks are kept for security reasons and are required in case of a large reorg. But it is also conceivable to remove
stale blocks after they have been stale for a long enough time. As mentioned by John Newbery in this comment bitcoin/bitcoin#24571 (review).

In your own words, how does the fingerprinting technique outlined in the PR work?

A malicious peer crafts a fake chain on top of a known stale blockchain. If the receiving node contains the stale blocks in it's block index
it will not send any further getheaders. But in case it doesn't, it will send the corresponding getheaders to the peer. Using this information, the peer can identify a particular node across various networks, namely IPV4 and TOR. This will de-anonymize the node to the peer
in privacy networks like TOR and the peer will be able to identify the TOR node as same as its IPV4 address.

Does the fingerprinting technique outlined in the PR work across restarts of the target node?

Yes because restarting the node keeps it's block indexes intact.

This commit introduces a new parameter to PeerManagerImpl::BlockRequestAllowed. Why is that necessary?

This is used to check whether to send a requested block to a peer which is not older than 1 month of equivalent time.
src/net_processing.cpp

/**
     * To prevent fingerprinting attacks, only send blocks/headers outside of
     * the active chain if they are no more than a month older (both in time,
     * and in best equivalent proof of work) than the best header chain we know
     * about and we fully-validated them at some point.
     */
    bool BlockRequestAllowed(const CBlockIndex* pindex) EXCLUSIVE_LOCKS_REQUIRED(cs_main);

[stratospher]

nice! here's a pictorial description of what the PR does. also posted a review.

[stratospher]

review posted bitcoin/bitcoin#24571 (review)