IPLD Resolver: Eclipse attack protection #454

aakoshh · 2023-03-04T20:49:45Z

#64 added the mechanism of adding the addresses from Identify events to the k-table, otherwise incoming connections (presumably from ephemeral addresses) to Kademlia were treated as unroutable.

The problem with that solution is that a group of malicious nodes can quickly identify themselves to the node to stuff its k-table full of working but adversarial addresses, and crowd out legitimate peers, eclipsing the node.

The solution is to make sure we bootstrap first and add peers which we discovered on our own, before we accept self-identified records. The identify only runs once every 5 minutes by default, so we should cache a limited number of them until the bootstrapping is over.

See https://eprint.iacr.org/2018/236

The text was updated successfully, but these errors were encountered:

aakoshh · 2023-03-07T10:24:06Z

Similar to input-output-hk/scalanet#108

This was referenced Mar 4, 2023

IPC-38: IPLD Resolver smoke test consensus-shipyard/ipc-libs#64

Merged

IPC-70: Bootstrap Eclipse attack protection consensus-shipyard/ipc-libs#74

Merged

aakoshh closed this as completed in consensus-shipyard/ipc-libs#74 Mar 7, 2023

jsoares transferred this issue from consensus-shipyard/ipc-libs Dec 19, 2023

jsoares added the s:ipc label Dec 19, 2023

jsoares closed this as not planned Won't fix, can't repro, duplicate, stale Mar 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IPLD Resolver: Eclipse attack protection #454

IPLD Resolver: Eclipse attack protection #454

aakoshh commented Mar 4, 2023

aakoshh commented Mar 7, 2023

IPLD Resolver: Eclipse attack protection #454

IPLD Resolver: Eclipse attack protection #454

Comments

aakoshh commented Mar 4, 2023

aakoshh commented Mar 7, 2023