Denial-of-service prevention #517

pull gavinandresen wants to merge 4 commits into bitcoin:master from gavinandresen:DoSprevention changing 9 files +215 −32
  1. gavinandresen commented at 7:54 pm on September 14, 2011: contributor

    The big idea: if a peer is sending you obviously wrong information, punish it by maybe dropping your connection to it, and ban it’s IP address so it cannot immediately re-connect.

    The probability of dropping the connection, and the length of the ban, depend on how wrong, and how potentially wasteful/damaging, the peer is. So sending an extra ‘version’ message is a minor transgression that is usually tolerated, sending an more than MAX_BLOCK_SIZE block is a major transgression.

    Detailed how-it-works, using “I got a version message I wasn’t expecting” as the specific example:

    Getting a version message from a peer increases that peer’s ‘misbehaving’ score by 10, and (assuming that is the peer’s first bad behavior) gives it a 10% of being disconnected. If it is disconnected, then that peer’s IP address is banned from connecting for a couple of hours. If it is not disconnected, then nothing happens unless the peer misbehaves again; if it does, then its chances of being disconnected go up, and the length of time it will be banned increases.

    Misbehavior/ban information is stored only in memory, and information about misbehaving peers is never broadcast. Also, peers that are disconnected/banned are just dropped, there is no warning or reason sent.

    I think this will eliminate a lot of potential denial-of-service attacks, and could be a good framework for responding to other potential attacks. “We” should still look through the code and limit the potential size of any data structures that an attacker might target (transaction pool, orphan block pool); the DoSprevention changes are meant to make it harder for an attacker to stay connected long enough to pull off an attack.

    The danger is that I got something wrong; what if an attacker can leverage the DoSprevention code to split or shatter the network? Here’s my thinking on that, please help check my work:

    • I’m relying on TCP to prevent IP address spoofing (otherwise an attacker could force you to disconnect from your peers by pretending to be them and sending you a bad block).
    • Peers are only penalized for sending messages that won’t, and shouldn’t, get relayed. So an attacker shouldn’t be able to poison the network with a bad message that is propogated and then causes everybody to disconnect from everybody else.
    • I specifically do not punish peers for relaying what look like double-spend transactions. If I did, then an attacker could try to segment the network into two pieces by broadcasting a series of double-spends from two halves of the network, and waiting until the nodes “in the middle” disconnected/banned across the ‘seam’.

    So: please let me know if or how I’m being an idiot.

    I’m still thinking about the best way of testing this; at the very least, running a node for several days with this patch applied should result in a minimal number of “disconnected %s for misbheavior” messages in debug.log.

  2. JoelKatz commented at 9:11 pm on September 15, 2011: contributor

    The only other thing to worry about is that someone working on client development might inadvertently run a buggy version of the client and wind up locked out of parts of the network for a few hours. I would add one other change to help prevent this. When you ‘punish’ an IP, check to see if you made the connection to them or they connected to you. If they connected to you, punish them for a few hours. If you connected to them, just don’t connect to them for a few hours, still let them connect to you.

    That way, unless you’re actually malicious or make large numbers of outbound connections accidentally, you’ll only get locked out for hours of a small number of peers. Someone trying to launch a DoS attack by waiting for people to connect to them will find it slow going.

  3. ByteCoin commented at 3:43 am on September 21, 2011: none
    Also see my post DoS countermeasures may facilitate network fragmentation attacks Summary: Pay attention to new block headers with valid hashes of sufficient difficulty even from banned peers.
  4. SetMockTime() for cleaner unit testing 54d02f158d
  5. Framework for banning mis-behaving peers 15f3ad4dbd
  6. Transaction/Block denial-of-service detection/response 3e52aaf212
  7. More denial-of-service misbehavior detection: version/addr/inv/getdata messages 806704c237
  8. gavinandresen commented at 5:12 pm on September 21, 2011: contributor
    Rebased into fewer commits, and removed banning due to getting too many free transactions and getting blocks with bad timestamps, because they might have opened up a possible split-the-network attack.
  9. gavinandresen referenced this in commit 17e2c24645 on Sep 26, 2011
  10. gavinandresen merged this on Sep 26, 2011
  11. gavinandresen closed this on Sep 26, 2011
  12. coblee referenced this in commit 769d46aab7 on Jul 17, 2012
  13. ptschip referenced this in commit 5b59927c4c on May 8, 2017
  14. kallewoof referenced this in commit 928c756171 on Oct 4, 2019
  15. rajarshimaitra referenced this in commit 0c578aa441 on Aug 5, 2021
  16. rajarshimaitra referenced this in commit 8abe6290e0 on Aug 5, 2021
  17. DrahtBot locked this on Sep 8, 2021


gavinandresen JoelKatz ByteCoin

Labels
Refactoring

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-08-31 12:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me