Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Score and drop misbehaving peer connections #9111

Open
Tracked by #7822
arya2 opened this issue Jan 10, 2025 · 0 comments
Open
Tracked by #7822

Score and drop misbehaving peer connections #9111

arya2 opened this issue Jan 10, 2025 · 0 comments
Assignees
Labels
A-network Area: Network protocol updates or fixes C-bug Category: This is a bug C-enhancement Category: This is an improvement C-feature Category: New features C-security Category: Security issues I-heavy Problems with excessive memory, disk, or CPU usage I-invalid-data Zebra relies on invalid or untrusted data, or sends invalid data P-Medium ⚡

Comments

@arya2
Copy link
Contributor

arya2 commented Jan 10, 2025

Motivation

It's currently trivial to modify or configure Zebra or zcashd so that the node doesn't follow the consensus rules on Mainnet or the default Testnet.

This is mitigated while there are many zcashd nodes in the network because zcashd tracks a "bad score" which is incremented when a peer misbehaves (e.g. gossiping semantically invalid mempool transactions or blocks).

Zebra will need a similar mechanism before it becomes the only node implementation on the network.

Design

Overview

Advertisement of semantically invalid blocks or mempool transactions by peer connections should be considered misbehaviour and should be scored.

Excessive misbehaviour should result in a peer connection being dropped and its IP being banned from re-connecting to the Zebra node.

Bans should eventually expire, and there should be a limit on how many IPs are banned from connecting to a Zebra node at any given time.

Update Address Book

  • Add a misbehavior_score field to MetaAddr
  • Add a variant to MetaAddrChange for incrementing the misbehaviour score,
  • Update the AddressBook::update() method to apply that change,
  • Avoid responding to GetAddr requests with addresses of misbehaving peers,
  • Avoid inbound or outbound connections to misbehaving peers, and
  • Avoid caching addresses of misbehaving peers or include their misbehaviour score in the address cache

Update zebra-network Types

  • Add an advertisers field of type Vec<SocketAddr> to the Transactions and Blocks variants of zebra_network::Response,
  • Add the address book updater and a HashMap<SocketAddr, MisbehaviorScore> as fields on PeerSet
  • Add a network Request variant to be used by ChainSync and the mempool's Downloads stream to report advertisers of semantically invalid blocks or mempool transactions, and
  • Handle the new request variant by sending an update to the address book and updating the PeerSet's misbehaviour score map
    • If the updated misbehaviour score is excessive, drop the peer connection

Call PeerSet With Misbehaving Peer Addresses

  • When blocks fail semantic validation, call the peer set with a list of peers that advertised the semantically invalid block from the handle_block_response() and wherever else blocks are sent to the block verifier, and
  • When mempool transactions fail semantic validation, call the peer set with a list of peers that advertised the semantically invalid mempool transactions from the mempool's Downloads stream.
@github-project-automation github-project-automation bot moved this to New in Zebra Jan 10, 2025
@arya2 arya2 self-assigned this Jan 10, 2025
@arya2 arya2 added C-bug Category: This is a bug C-enhancement Category: This is an improvement C-security Category: Security issues I-heavy Problems with excessive memory, disk, or CPU usage I-invalid-data Zebra relies on invalid or untrusted data, or sends invalid data A-network Area: Network protocol updates or fixes C-feature Category: New features P-Medium ⚡ labels Jan 10, 2025
@arya2 arya2 changed the title Drop misbehaving peer connections first when peer set is full or past a threshold misbehaviour score Score and drop misbehaving peer connections Jan 11, 2025
@mpguerra mpguerra moved this from New to Sprint Backlog in Zebra Jan 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-network Area: Network protocol updates or fixes C-bug Category: This is a bug C-enhancement Category: This is an improvement C-feature Category: New features C-security Category: Security issues I-heavy Problems with excessive memory, disk, or CPU usage I-invalid-data Zebra relies on invalid or untrusted data, or sends invalid data P-Medium ⚡
Projects
Status: Sprint Backlog
Development

No branches or pull requests

2 participants