I'm looking for review of this pull request: https://github.com/bitcoin/bitcoin/pull/517
The big idea: if a peer is sending you obviously wrong information, punish it by maybe dropping your connection to it, and ban its IP address so it cannot immediately re-connect. The probability of dropping the connection, and the length of the ban, depend on how potentially wasteful/damaging the peer is behaving. So sending an extra 'version' message is a minor transgression that is usually tolerated; sending a more-than-MAX_BLOCK_SIZE block is a major transgression that gets the peer disconnected immediately.

Detailed how-it-works, using "I got a version message I wasn't expecting" as the specific example:

Getting an unexpected version message from a peer increases that peer's 'misbehaving' score by 10, and (assuming that is the peer's first bad behavior) gives it a 10% chance of being disconnected. If it is disconnected, then that peer's IP address is banned from connecting for a couple of hours. If it is not disconnected, then nothing happens unless the peer misbehaves again; if it does, then its chances of being disconnected go up, and the length of time it will be banned increases.

Misbehavior/ban information is stored only in memory, and information about misbehaving peers is never broadcast. Also, peers that are disconnected/banned are just dropped; there is no warning or reason sent.

I think this will eliminate a lot of potential denial-of-service attacks, and could be a good framework for responding to other potential attacks. "We" should still look through the code and limit the potential size of any data structures that an attacker might target (transaction pool, orphan block pool); the DoSprevention changes are meant to make it harder for an attacker to stay connected long enough to pull off an attack.

The danger is that I got something wrong; what if an attacker can leverage the DoSprevention code to split or shatter the network?
Here's my thinking on that, please help check my work:

+ I'm relying on TCP to prevent IP address spoofing (otherwise an attacker could force you to disconnect from your peers by pretending to be them and sending you a bad block).

+ Peers are only penalized for sending messages that won't, and shouldn't, get relayed. So an attacker shouldn't be able to poison the network with a bad message that is propagated and then causes everybody to disconnect from everybody else.

+ I specifically do not punish peers for relaying what look like double-spend transactions. If I did, then an attacker could try to segment the network into two pieces by broadcasting a series of double-spends from two halves of the network, and waiting until the nodes "in the middle" disconnected/banned across the 'seam'.

So: please let me know if or how I'm being an idiot.

--
Gavin Andresen

_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
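A small model of the policy the mail describes, added here as an illustration; it is not the code from pull request 517 or from Bitcoin. Everything except the +10 per unexpected 'version' and its 10% first-offence chance is an assumption: the disconnect probability (score/100), the 2-hour base ban that grows with the score, the 100-point penalty for an oversized block, and the injected `roll` random source that makes the behaviour checkable deterministically. The zero penalty for apparent double-spends mirrors the third point above.

```python
# Toy model of the peer-misbehaviour policy described in the mail. This is a
# constructed illustration, not code from pull request 517 or from Bitcoin.
from dataclasses import dataclass

BAN_BASE_SECONDS = 2 * 60 * 60  # "a couple of hours"; assumption: exactly 2h

# Penalty per offence. Only the +10 for an unexpected 'version' is from the
# mail; 100 for an oversized block (certain disconnect) is an assumption.
# Apparent double-spends score 0 on purpose: penalising them would let an
# attacker split the network along the "seam" between two halves.
PENALTIES = {
    "duplicate_version": 10,
    "oversized_block": 100,
    "double_spend_tx": 0,
}

@dataclass
class PeerState:
    score: int = 0             # accumulated misbehaviour
    banned_until: float = 0.0  # unix time; 0 means not banned

class DoSPolicy:
    def __init__(self, roll):
        self.roll = roll  # roll() -> float in [0, 1); injected for determinism
        self.peers = {}   # in-memory only, keyed by IP; never broadcast

    def is_banned(self, ip, now):
        p = self.peers.get(ip)
        return p is not None and now < p.banned_until

    def misbehaving(self, ip, offence, now):
        """Record an offence. True means drop the peer (its IP is now banned);
        False means the transgression is tolerated this time."""
        p = self.peers.setdefault(ip, PeerState())
        p.score += PENALTIES[offence]
        # Assumption: P(disconnect) = score/100, so a first unexpected 'version'
        # (score 10) is a 10% chance and a score of 100 is a certainty.
        if self.roll() * 100 >= p.score:
            return False
        # Assumption: ban length grows with the accumulated score.
        p.banned_until = now + BAN_BASE_SECONDS * max(1, p.score // 10)
        return True

if __name__ == "__main__":
    import random
    policy = DoSPolicy(random.random)
    for n in range(1, 11):  # constructed peer address from a documentation range
        if policy.misbehaving("198.51.100.7", "duplicate_version", 0.0):
            print(f"dropped after {n} unexpected version messages")
            break
```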