Security: Avoid reconnecting to peers that are likely unreachable #3030
Conversation
Make it simpler to construct a `Duration32` representing a certain number of days.
jvff
force-pushed
the
avoid-reconnecting-to-unreachable-peers
branch
from
d037afc to
646a6a8
Compare
A helper method to check if a peer was never seen before or if it was last seen a long time ago. This will be one of the conditions to consider a peer as unreachable.
A helper method to check if a peer should be considered unreachable. It is considered unreachable if recent connection attempts have failed and it was not recently seen. If a peer is considered unreachable, Zebra shouldn't attempt to connect to it again.
A peer is probably unreachable if it was last seen a long time ago and if it's last connection attempt failed.
jvff
force-pushed
the
avoid-reconnecting-to-unreachable-peers
branch
from
646a6a8 to
3905785
Compare
Redo the calculation on arbitrary `MetaAddr`s.
Redo the calculation on arbitrary `MetaAddr`s.
Given an `AddressBook` with a list of arbitrary `MetaAddr`s, check that none of the peers listed for a reconnection is probably unreachable.
jvff
force-pushed
the
avoid-reconnecting-to-unreachable-peers
branch
from
3905785 to
0b3fc8d
Compare
Remove the double negative from the name. Co-authored-by: teor <teor@riseup.net>
Make the purpose of the constant clearer. Co-authored-by: teor <teor@riseup.net>
Remove the double negative from the name.
Avoid having to negate the result of the method in security critical filter.
Make sure the check is used in any place that requires a peer that's ready for a connection attempt.
jvff
force-pushed
the
avoid-reconnecting-to-unreachable-peers
branch
from
52f0076 to
01d63d1
Compare
What do you mean by an integration test? Something like the acceptance tests we have? |
I was thinking of an integration test for all of Here's a similar test: zebra/zebra-network/src/peer_set/initialize/tests/vectors.rs Lines 1217 to 1229 in 62bfa15 But you'd want to stuff the active address book with outdated peers. Here's one way to generate fake peers: zebra/zebra-network/src/peer_set/initialize/tests/vectors.rs Lines 1186 to 1194 in 62bfa15 |
Thinking about this a bit more... The tricky part of this test is working out what the candidate set is doing, or if the network stack has hung. So maybe we'll need to test the crawler task separately? There are tests for the crawler task in the same module. |
Describe the goal of the test better. Co-authored-by: teor <teor@riseup.net>
List the conditions as bullet points. Co-authored-by: teor <teor@riseup.net>
This seems more complicated than anticipated. Maybe we should do this in a separate PR? I opened #3048 to do it later. |
Fair enough. I don't think these code changes are particularly risky by themselves, and we do have decent test coverage of the crawler from other tests in that same module. I added two specific scenarios that I am concerned about to ticket #3048. I'll try to be clearer about specific test scenarios next time. Even if we decide to do them in a later ticket, we need to be specific about what we're testing. Otherwise we won't know how to estimate or schedule the ticket. |
|
I tried a manual merge, let's see if it works. |
Motivation
Zebra would keep trying to connect to
Failedpeers, even if they are likely unreachable and will always fail. This is a Denial-of-Service risk and places extra load on the network.This closes #1865.
Solution
Filter the list of peers to reconnect to so that it doesn't contain peers that are likely unreachable.
A peer is considered to be probably unreachable if it was last seen (or was reported last seen) more than three days ago and if the previous connection attempt to it failed.
Review
I had discussed the implementation solution with @teor2345.
Reviewer Checklist
Follow Up Work
Peers that are likely to be unreachable should be removed from the
AddressBook. This might be part of #1873.