Tendermint: p2p/addrbook: punish source for peers that fail handshake

Created on 23 Jul 2018 · 3 Comments · Source: tendermint/tendermint

Tendermint nodes gossip the peers between each other. They exchange a tuple of [peer id, peer ip].
Between honest peers this exchange is easy, since the tuple will always be [true peer id, true peer ip].

However, if one node is malicious it can send [false peer id, true peer ip] to its peers.

From here and here it seems that the connection to [false peer id, true peer ip] will result in no connection.

This means that the sending node controls which peers the receiving node can connect to. It is possible that this presents a massive potential attack vector, since it could allow an attacker to disrupt the p2p layer significantly. This could be amplified if an attacker can force a reset of a connection or if connections periodically drop and have to get reestablished. Also, this potentially prevents new nodes joining the network from ever connecting to a peer besides the malicious node.

Another question is whether the address_book updates the peer ids after receiving the same peer from a second node.

p2p bug security

All 3 comments

Since the main concern pointed out in the title hasn't been confirmed, let's change the title to be prefixed question: so as not to unnecessarily cause panic. (It may be a while before this gets looked at)

Peers are indexed in the addrbook by their ID. If we get an address that has the wrong ID, then yes, when we dial that peer, we will fail to connect because it has the wrong ID. If this happens, we will remove that ID/IP pair from the address book. Note the same ID can be entered in the addrbook multiple times probabilistically (less likely the more times it's there), so each one can have a different IP.

We also track the source peer but I don't think we currently do anything with that information besides using it for where to place the peer in the addrbook's hashmap. We could track additional data about the source peers and if we're getting lots of bad peers from them, then we disconnect from them and mark them as bad too. That's not a bad idea.

Maybe we could also just add a rule so that a source peer can only tell us about a given ID once. That would put this whole issue to rest, but I think would require we also index peers in the addrbook then by the source peer.

There's a reasonable description of how things work in https://github.com/tendermint/tendermint/blob/master/docs/spec/reactors/pex/pex.md but it could probably be expanded with more detail.
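A toy model of the behaviour described in this comment and of the proposed mitigation (drop the ID/IP pair on a failed handshake, count failures per source, and stop accepting gossip from a source that keeps sending bad pairs), written as an added example and not taken from Tendermint's addrbook; the `hs` handshake callback, the failure limit and any IPs used with it are assumptions.

```go
package main

import "fmt"

// Addr is a gossiped [peer id, peer ip] pair plus the source peer that sent it.
type Addr struct{ ID, IP, Source string }

// AddrBook is a toy model (added example, not Tendermint's code): entries are indexed
// by peer ID, each failed handshake is charged to the gossiping source, and a source
// reaching `limit` failures is banned so its further gossip is ignored.
type AddrBook struct {
	byID   map[string]Addr
	bad    map[string]int  // failed handshakes per source peer
	banned map[string]bool // sources that reached the limit
	limit  int
}

func NewAddrBook(limit int) *AddrBook {
	return &AddrBook{byID: map[string]Addr{}, bad: map[string]int{}, banned: map[string]bool{}, limit: limit}
}

// AddAddress stores a gossiped pair; gossip from a banned source is dropped.
func (ab *AddrBook) AddAddress(id, ip, src string) bool {
	if ab.banned[src] {
		return false
	}
	ab.byID[id] = Addr{ID: id, IP: ip, Source: src}
	return true
}

// Dial connects to the stored address for id; hs stands in for the real handshake and
// returns the ID the node at that IP proves. On mismatch (or dial error) the entry is
// removed and its source is punished.
func (ab *AddrBook) Dial(id string, hs func(ip string) (string, error)) error {
	a, ok := ab.byID[id]
	if !ok {
		return fmt.Errorf("no address for id %q", id)
	}
	if got, err := hs(a.IP); err == nil && got == id {
		return nil
	}
	delete(ab.byID, id)
	ab.bad[a.Source]++
	if ab.bad[a.Source] >= ab.limit {
		ab.banned[a.Source] = true
	}
	return fmt.Errorf("handshake with %s for id %q failed (source %s)", a.IP, id, a.Source)
}
func (ab *AddrBook) Banned(src string) bool { return ab.banned[src] }
func (ab *AddrBook) Has(id string) bool      { _, ok := ab.byID[id]; return ok }
```

With a limit of 2, a source that gossips two pairs whose IPs turn out to host other IDs is banned, while an honest source can still re-supply the correct pair for the same ID afterwards.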

It is possible that this presents a massive potential attack vector, since it could allow an attacker to disrupt the p2p layer significantly

Not sure this actually follows given how the addrbook works, but worthy of continuing to think about and reason through ...
