Grin: Peer banning should be temporary

Created on 6 Dec 2017  路  3Comments  路  Source: mimblewimble/grin

The role of banning a misbehaving peer is preventing repeated offenses, whether it's DoS or feeding us false information that can take some time to recover from. It mitigates the damaging effect of someone trying to be nefarious or just running buggy code. However we may not want to ban forever.

First, someone who's nefarious at first may not always be. Second, if you're running experimental code, being banned forever for a bug sucks. Third, at this point our code isn't bug-free either. So letting a banned peer connection again after a few hour may be the best approach.

enhancement good first issue help wanted

Most helpful comment

Proposal -

  • add a last_banned timestamp to PeerData
  • store now_utc() in last_banned when banning
  • periodic process to "un-ban" banned peers after 3 hours (or so)

All 3 comments

Proposal -

  • add a last_banned timestamp to PeerData
  • store now_utc() in last_banned when banning
  • periodic process to "un-ban" banned peers after 3 hours (or so)

I have a question. I thought about a case that server A banned a peer B, and server C connects to server A and receives peer information. Then server A and server C ban B. How is the server C going to process banned B when receiving B info from server A almost 3 hours later? I also thought about the real case like hacking wallets and DoS attack as well. 3 hours will be enough to take measures? What if there is no mechanism to ban the attacker permanently?

If the time interval is set to 3 hours, the ban information is thought to be propagated to many peers. If a peer banned because of hardware issues and needs recovery sooner after many peers already received banned status of the peer, what will be proper measures?

I just scratched my head to see unexpected situations with 3 hours refresh in order to keep the perspectives of sound grin network in production.

@heunglee bans are local to the node; not propagated. TCP conns are cheap. The p2p gossip network can be slowed down by IP stealing attacks on ARP or BGP, or targeted DoS attacks, but nothing to worry about for a long time yet.

mw/grin doesn't need to care which node a transaction (tx) originates from. With cryptocurrencies, a tx is valid, or not. Spreading lies (bug or evil)? Ban you for a while, but let you upgrade and try again in some hour or so.

Ask me more on gitter to learn more on how blockchain's are built :) and attack/defence scenarios, since I think that's a chat-friendly topic that many in the Lobby can benefit from discussing.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

alden-alvins picture alden-alvins  路  5Comments

lehnberg picture lehnberg  路  4Comments

garyyu picture garyyu  路  7Comments

RiyaKarthi picture RiyaKarthi  路  3Comments

garyyu picture garyyu  路  6Comments