Add new command line option ‘-maxoutbound’ #4687

pull ivanpustogarov wants to merge 1 commits into bitcoin:master from ivanpustogarov:options-maxoutboundconnections changing 3 files +18 −4
  1. ivanpustogarov commented at 4:32 pm on August 12, 2014: contributor

    While there is a command line option to limit the total number of connections (’-maxconnections’), the number of outbound connections is controlled by a hard-coded constant ‘MAX_OUTBOUND_CONNECTIONS=8’. This number (8) of connections has a bad impact on user’s privacy. Let’s keep the default number of outbound connections (of 8) but allow a user to have more privacy by reducing this number (to 3 or 4) using ‘-maxoutbound’.

    Explanation: transactions that are first relayed by these 8 entry nodes most probably belong to the same user. In fact, even a subset of these 8 entry nodes can uniquely identify a user. There is a cheap way for an attacker to learn this set of entry nodes and the user’s public IP and use it to deanonymize the user (note that users by default advertise their public IP addresses even when behind NAT). If the user has 3-4 outbound connection the success rate of the attack becomes quite low. Some details are here: https://www.cryptolux.org/index.php/Bitcoin

  2. laanwj commented at 4:49 pm on August 12, 2014: member
    I’m OK with allowing this to be configured, but it should at least be limited to 8. It should not be possible to specify more outbound connections than that.
  3. ivanpustogarov commented at 6:21 pm on August 12, 2014: contributor
    I agree, I added checks for upper (8) and lower (0) limits for the number of outbound connections.
  4. laanwj added the label Improvement on Aug 13, 2014
  5. TheBlueMatt commented at 11:55 am on August 13, 2014: member
    While you’re at it, can you add a big fat comment around the max test that says something to the effect of “This is often changed in the hopes of creating a “hub” node (or similar terminology), for various reasons. However, these reasons are usually misguided and, more often than not, increasing this value has negative effects that were not originally considered. Simply put, if you really think you need to increase this value, please come to #bitcoin-dev on freenode so someone can explain why you’re wrong”
  6. laanwj commented at 12:03 pm on August 13, 2014: member
    Does this work with N=0? that would be useful functionality for some tests. As we’re just discussing on IRC there is no way at the moment to not have outbound connections at all (except for -connect with a wrong ip/port, but that’s ugly and it will keep trying to connect).
  7. ivanpustogarov commented at 12:08 pm on August 13, 2014: contributor
    @TheBlueMatt : the proposed option is intended to reduce the number of outgoing connection and as mentioned above this parameter is between 0 and 8 (default is 8). The reason is not to create a “hub” node, but to protect a user from a deanonymisation attack. @laanwj : Yes, this will work for the case -maxoutbound=0, in which case no outbound connections will be established.
  8. sipa commented at 12:09 pm on August 13, 2014: member
    @ivanpustogarov I’m sure @TheBlueMatt understands that. He just asks to put a comment about it, so that others reading the code know it.
  9. TheBlueMatt commented at 12:12 pm on August 13, 2014: member

    (and mostly so that others who are going about modifying the code are at least faced with a “thick about what you’re doing” note before they do)

    On August 13, 2014 5:10:16 AM PDT, Pieter Wuille notifications@github.com wrote:

    @ivanpustogarov I’m sure @TheBlueMatt understands that. He just asks to put a comment about it, so that others reading the code know it.

    Reply to this email directly or view it on GitHub: #4687 (comment)

  10. ivanpustogarov commented at 12:40 pm on August 13, 2014: contributor
    I agree, a comment is needed
  11. ivanpustogarov commented at 3:03 pm on August 13, 2014: contributor
    I added the comment
  12. TheBlueMatt commented at 10:02 pm on August 13, 2014: member

    I don’t see a comment describing why setting it to more than 8 is very bad idea? The comment you added is more user documentation than developer.

    On August 13, 2014 8:04:11 AM PDT, ivanpustogarov notifications@github.com wrote:

    I added the comment

    Reply to this email directly or view it on GitHub: #4687 (comment)

  13. ivanpustogarov commented at 0:01 am on August 14, 2014: contributor
    Ok, I did not understand you correctly
  14. gmaxwell commented at 12:21 pm on August 14, 2014: contributor

    I don’t understand why the privacy concern is not more completely addressed by using the existing maxconnections: Both inbound and outbound peers see the transactions we transmit, once connected the protocol is symmetric— and worse, inbound peers are self-selecting. Longer term we’d want to have some better logic about this at relay time instead of changing our connectivity.

    Having a command to separately reduce outbound connections is perfectly reasonable to me, however.

  15. ivanpustogarov commented at 12:25 pm on August 14, 2014: contributor
    True, -maxconnections will work. The motivation of the pull request should be changed.
  16. BitcoinPullTester commented at 6:16 pm on August 18, 2014: none
    Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/p4687_59360b7bfd9ca622aece09755c8f358b96f02312/ for binaries and test log. This test script verifies pulls every time they are updated. It, however, dies sometimes and fails to test properly. If you are waiting on a test, please check timestamps to verify that the test.log is moving at http://jenkins.bluematt.me/pull-tester/current/ Contact BlueMatt on freenode if something looks broken.
  17. rebroad commented at 0:41 am on September 6, 2014: contributor
    I don’t see how reducing outbound connections will have any impact on privacy - surely it’s the inbound connections that reduce privacy more than the outbound connections.
  18. in src/init.cpp: in 59360b7bfd outdated 
    582@@ -581,6 +583,17 @@ bool AppInit2(boost::thread_group& threadGroup)
583     if (nFD - MIN_CORE_FILEDESCRIPTORS < nMaxConnections)
584         nMaxConnections = nFD - MIN_CORE_FILEDESCRIPTORS;
585 
586+    // Change the default number of outbound connections.  Setting it to more
587+    // than 8 is a bad idea. The number of peers that are able to accept
588+    // incoming connections is about 8,000 ('servers'). The number of peers that
589+    // are behind NAT is about 100,000. If every NATed peer has 8 outgoing
590+    // connections then each server will have 100+8 connections in average.
591+    // This is close to maximum of 125. Increasing '-maxoutbound' to e.g. 10 at
    rebroad commented at 1:24 am on September 6, 2014:
    Ok, so why not increase this from 125 to 250?
    laanwj commented at 2:16 am on September 6, 2014:

    That’s entirely out of scope here. But 125 is a sensible default

    • Lots of consumer routers croak at many TCP connections
    • It’s easy to run out of file descriptors on some OSes
    • There is quite some memory usage per CNode (send buffers, internal administration)
    • There’s nothing preventing you from already passing -maxconnections=250, if the above problems don’t apply (as much) to you
  19. in src/init.cpp: in 59360b7bfd outdated 
    244@@ -244,6 +245,7 @@ std::string HelpMessage(HelpMessageMode mode)
245     strUsage += "  -forcednsseed          " + _("Always query for peer addresses via DNS lookup (default: 0)") + "\n";
246     strUsage += "  -listen                " + _("Accept connections from outside (default: 1 if no -proxy or -connect)") + "\n";
247     strUsage += "  -maxconnections=<n>    " + _("Maintain at most <n> connections to peers (default: 125)") + "\n";
248+    strUsage += "  -maxoutbound=<n>       " + strprintf(_("Establish at most <n> _outbound_ connections to peers (0 to %d, default: 8)"),OUTBOUND_CONNECTIONS_UPPER_LIMIT) + "\n";
    sipa commented at 1:37 pm on September 8, 2014:
    I wouldn’t use the _-based underlining in help text output.
    Diapolo commented at 8:25 am on October 1, 2014:
    Agreed, that should be removed.
    Diapolo commented at 8:27 am on October 1, 2014:
    I’d also suggest to name the constant MAX_OUTBOUND and add a DEFAULT_OUTBOUND and use that here, too!
  20. TheBlueMatt commented at 5:23 pm on September 30, 2014: member
    Should the GUI signal bar also get updated to match the different max outbound (ie keep the logic of “if not accepting outbound, you get up to the last bar, but not the last one”)
  21. in src/net.cpp: in 59360b7bfd outdated 
    75@@ -77,6 +76,7 @@ uint64_t nLocalHostNonce = 0;
76 static std::vector<ListenSocket> vhListenSocket;
77 CAddrMan addrman;
78 int nMaxConnections = 125;
79+int nMaxOutboundConnections = 8;
    Diapolo commented at 8:28 am on October 1, 2014:
    All the 8s should be replaced with DEFAULT_OUTBOUND then.
    laanwj commented at 8:48 am on October 2, 2014:
    @Diapolo No. 8 is the absolute maximum for outbound, not just the default!
    Diapolo commented at 8:51 am on October 2, 2014:
    Correct, then MAX_OUTBOUND :).
  22. sipa commented at 2:14 pm on November 18, 2014: member
    Rebase please?
  23. ivanpustogarov force-pushed on Nov 20, 2014
  24. Add new command line option '-maxoutbound' 
    While there is a command line option to limit the total number of
connections ('-maxconnections'), the number of outbound connections is
controlled by a hard-coded constant 'MAX_OUTBOUND_CONNECTIONS=8'.
This number (8) of connections has a bad impact on user's privacy. Let's
keep the default number of outbound connections (of 8) but allow a user
to have more privacy by reducing this number (to 3 or 4) using
'-maxoutbound'.

Explanation: transactions that are first relayed by these 8 entry nodes
most probably belong to the same user. In fact, even a subset of these 8
entry nodes can uniquely identify a user. There is a cheap way for an
attacker to learn this set of entry nodes and the user's public IP and
use it to deanonymize the user (note that users by default advertise
their public IP addresses even when behind NAT).  If the user has 3-4
outbound connection the success rate of the attack becomes quite low.
    54abb7b1a0
  25. ivanpustogarov force-pushed on Nov 20, 2014
  26. Krellan commented at 9:05 am on March 15, 2015: contributor

    This feature would fit in rather nicely with the -whiteconnections option I added: #5288

    Is this pull request still being worked on now? If not, would like to take it over, since it seems rather useful to have (and would help me better throttle Bitcoin to cope with my slow connection).

  27. ivanpustogarov commented at 12:20 pm on March 15, 2015: contributor
    It’s not. Sure.
  28. laanwj commented at 1:44 pm on March 18, 2015: member
    @krellan Feel free to take it over. Closing this one (inactivity).
  29. laanwj closed this on Mar 18, 2015
  30. DrahtBot locked this on Sep 8, 2021


ivanpustogarov laanwj TheBlueMatt sipa gmaxwell BitcoinPullTester rebroad Diapolo Krellan

Labels
Refactoring

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-07-05 22:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me