Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security/p2p: prevent peers who errored being added to the peer_set #75

Merged
merged 2 commits into from
Apr 5, 2023

Conversation

Olshansk
Copy link
Member

@Olshansk Olshansk commented Apr 5, 2023

tl;dr DOS mitigation migrated from tendermint/tendermint/pull/9500

Validated use LocalNet instructions at doc/guides/localnet.md

Original PR description:

This work is a fix for a bug in the P2P layer.

A node can be attacked via the p2p layer by saturating its incoming connection slots and not allowing the node to accept new conditions. This happens when an attacker continuously submits requests to connect with an erroneous message causing the incoming request to error before it has been accepted. The attacked node, tries to remove the peer from its peer set which silently fails (due to the peer not yet being in the peer set). The routine adding a peer into the peer set happens in parallel in the background and will add the peer after the error has been reported.

This fix resolves the issue in the following way:

We add a field removalAttemptFailed to the Peer datastructure.
If removal of this peer fails, we set it to true.
When adding a peer into the peer set, the Add function will return an ErrPeerRemoval error if this field was true and not add the peer.
Note. This attack does not work if the config flag allow_duplicate_ips is set to false.

@Olshansk Olshansk added the enhancement New feature or request label Apr 5, 2023
@Olshansk Olshansk added this to the guard-rails milestone Apr 5, 2023
@Olshansk Olshansk self-assigned this Apr 5, 2023
@Olshansk Olshansk merged commit 96c095f into main Apr 5, 2023
@Olshansk Olshansk deleted the tendermint_9500 branch April 5, 2023 22:06
Olshansk added a commit to pokt-network/pocket-core that referenced this pull request May 25, 2023
Update the tendermint fork version.

## Testing

Validated use LocalNet instructions at [doc/guides/localnet.md](https://github.com/pokt-network/pocket-core/blob/staging/doc/guides/localnet.md)

## Changes

- Update Tendermint to Go 1.18 + minor fixes: [tendermint/pull/74](pokt-network/tendermint#74)
- Prevent peers who errored being added to the peer_set: [tendermint/pull/75](pokt-network/tendermint#75)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

1 participant