security/p2p: prevent peers who errored being added to the peer_set#75

Merged
Olshansk merged 2 commits into main from tendermint_9500
Apr 5, 2023

Olshansk commented Apr 5, 2023

tl;dr DOS mitigation migrated from tendermint/tendermint/pull/9500

Validated using LocalNet instructions at doc/guides/localnet.md

Original PR description:

This work is a fix for a bug in the P2P layer.

A node can be attacked via the p2p layer by saturating its incoming connection slots and not allowing the node to accept new conditions. This happens when an attacker continuously submits requests to connect with an erroneous message, causing the incoming request to error before it has been accepted. The attacked node tries to remove the peer from its peer set, which silently fails (due to the peer not yet being in the peer set). The routine adding a peer into the peer set happens in parallel in the background and will add the peer after the error has been reported.

This fix resolves the issue in the following way:

- We add a field `removalAttemptFailed` to the `Peer` data structure.
- If removal of this peer fails, we set it to true.
- When adding a peer into the peer set, the `Add` function will return an `ErrPeerRemoval` error if this field was true and not add the peer.

Note: This attack does not work if the config flag `allow_duplicate_ips` is set to false.
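
A simplified model of the fix described above, as an added example that is not part of the PR or the Tendermint code base. The `Peer` and `PeerSet` types here are minimal stand-ins (assumptions); only the names `removalAttemptFailed`, `Add` and `ErrPeerRemoval` come from the description.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrPeerRemoval reuses the error name from the PR description.
var ErrPeerRemoval = errors.New("peer had a failed removal attempt")

// Peer and PeerSet are simplified stand-ins (assumptions), not Tendermint's types.
type Peer struct {
	ID                   string
	removalAttemptFailed bool // guarded by PeerSet.mu in this model
}

type PeerSet struct {
	mu    sync.Mutex
	peers map[string]*Peer
}

// Remove deletes p; if p is not in the set yet, the failed attempt is recorded on p.
func (ps *PeerSet) Remove(p *Peer) {
	ps.mu.Lock()
	defer ps.mu.Unlock()
	if _, ok := ps.peers[p.ID]; !ok {
		p.removalAttemptFailed = true
	}
	delete(ps.peers, p.ID) // no-op when the peer is absent
}

// Add refuses a peer whose removal was already attempted and failed.
func (ps *PeerSet) Add(p *Peer) error {
	ps.mu.Lock()
	defer ps.mu.Unlock()
	if p.removalAttemptFailed {
		return ErrPeerRemoval
	}
	ps.peers[p.ID] = p
	return nil
}

func main() {
	ps := &PeerSet{peers: map[string]*Peer{}}
	p := &Peer{ID: "constructed-peer"}    // constructed sample peer
	ps.Remove(p)                          // error path runs before the background add
	fmt.Println(ps.Add(p), len(ps.peers)) // add is refused; set stays empty
}
```

Without the flag check in `Add`, the same ordering would leave the errored peer in the set and its connection slot occupied.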

Olshansk added the enhancement (New feature or request) label Apr 5, 2023
Olshansk added this to the guard-rails milestone Apr 5, 2023
Olshansk self-assigned this Apr 5, 2023
Olshansk merged commit 96c095f into main Apr 5, 2023
Olshansk deleted the tendermint_9500 branch April 5, 2023 22:06
Olshansk added a commit to pokt-network/pocket-core that referenced this pull request May 25, 2023
Update the tendermint fork version.

## Testing

Validated using LocalNet instructions at [doc/guides/localnet.md](https://github.com/pokt-network/pocket-core/blob/staging/doc/guides/localnet.md)

## Changes

- Update Tendermint to Go 1.18 + minor fixes: [tendermint/pull/74](pokt-network/tendermint#74)
- Prevent peers who errored being added to the peer_set: [tendermint/pull/75](pokt-network/tendermint#75)