security/p2p: prevent peers who errored being added to the peer_set #75

Merged
merged 2 commits into from
Apr 5, 2023

@Olshansk Olshansk commented Apr 5, 2023

tl;dr DOS mitigation migrated from tendermint/tendermint/pull/9500

Validated using LocalNet instructions at doc/guides/localnet.md

Original PR description:

This work is a fix for a bug in the P2P layer.

A node can be attacked via the p2p layer by saturating its incoming connection slots and not allowing the node to accept new conditions. This happens when an attacker continuously submits requests to connect with an erroneous message causing the incoming request to error before it has been accepted. The attacked node tries to remove the peer from its peer set, which silently fails (due to the peer not yet being in the peer set). The routine adding a peer into the peer set happens in parallel in the background and will add the peer after the error has been reported.

This fix resolves the issue in the following way:

- We add a field `removalAttemptFailed` to the `Peer` data structure.
- If removal of this peer fails, we set it to true.
- When adding a peer into the peer set, the `Add` function will return an `ErrPeerRemoval` error if this field was true and not add the peer.

Note: This attack does not work if the config flag `allow_duplicate_ips` is set to false.
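
A simplified single-goroutine model of the race and the fix described in this PR, added here as an illustration and not the fork's actual code. `PeerSet`, `StopForError`, `SlotsHeld` and the `enforce` switch are hypothetical names, and the error-then-add ordering is replayed sequentially instead of with a background routine.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrPeerRemoval is the error name from the PR; this definition is illustrative.
var ErrPeerRemoval = errors.New("peer removal previously failed")

// Peer is a hypothetical minimal peer carrying the flag the PR describes.
type Peer struct {
	ID                   string
	removalAttemptFailed bool
}

// PeerSet is a simplified stand-in without locking; enforce=false models the pre-fix behaviour.
type PeerSet struct {
	peers   map[string]*Peer
	enforce bool
}

// StopForError models the error path: a removal that finds nothing marks the peer.
func (ps *PeerSet) StopForError(p *Peer) {
	if _, ok := ps.peers[p.ID]; !ok {
		p.removalAttemptFailed = true
	}
	delete(ps.peers, p.ID)
}

// Add models the background add that runs after the error was reported.
func (ps *PeerSet) Add(p *Peer) error {
	if ps.enforce && p.removalAttemptFailed {
		return ErrPeerRemoval
	}
	ps.peers[p.ID] = p
	return nil
}

// SlotsHeld replays error-then-add for one constructed peer and counts stuck entries.
func SlotsHeld(enforce bool) int {
	ps := &PeerSet{peers: map[string]*Peer{}, enforce: enforce}
	p := &Peer{ID: "constructed-peer"}
	ps.StopForError(p) // error arrives before the peer is in the set
	_ = ps.Add(p)      // late add; rejected only when the flag is checked
	return len(ps.peers)
}

func main() { fmt.Println("before fix:", SlotsHeld(false), "after fix:", SlotsHeld(true)) }
```

A peer that was added normally and errors afterwards is removed as usual and never has the flag set, so only the late-add ordering is rejected.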

@Olshansk Olshansk added the enhancement New feature or request label Apr 5, 2023
@Olshansk Olshansk added this to the guard-rails milestone Apr 5, 2023
@Olshansk Olshansk self-assigned this Apr 5, 2023
@Olshansk Olshansk merged commit 96c095f into main Apr 5, 2023
@Olshansk Olshansk deleted the tendermint_9500 branch April 5, 2023 22:06
Olshansk added a commit to pokt-network/pocket-core that referenced this pull request May 25, 2023
Update the tendermint fork version.

## Testing

Validated using LocalNet instructions at [doc/guides/localnet.md](https://github.com/pokt-network/pocket-core/blob/staging/doc/guides/localnet.md)

## Changes

- Update Tendermint to Go 1.18 + minor fixes: [tendermint/pull/74](pokt-network/tendermint#74)
- Prevent peers who errored being added to the peer_set: [tendermint/pull/75](pokt-network/tendermint#75)