Automatically Detecting Spy Peers

0xB10C / peer-observer

Tool to monitor for P2P anomalies and attacks using Bitcoin Core honeynodes

https://public.peer.observer

MIT License

7 stars 1 forks source link

Automatically Detecting Spy Peers #43

Open i-am-yuvi opened 2 weeks ago

i-am-yuvi commented 2 weeks ago

Currently, there is no feature to detect spy peers/nodes, which has been discussed here.

Some important anomalies to consider are:

When INV is sent to the peer, but the peer doesn't send GETDATA to our node
Spy nodes never send us INV for transactions we sent

We only handle INV, GETDATA, and TX p2p messages. We need to maintain a shared state – one entry (IP address + Port) for each connection with the number of INV, GETDATA, and TX sent and received. Additionally, spy peers will close the connection, so we also need to account for handling closed connections. Once all this is implemented, we can have some stats on normal/spy peers/nodes.

One approach could be to find the ratio of INV/GETDATA for each peer, but there might be other heuristics to detect peer identity.

A reference implementation has been done at the following URL: https://github.com/i-am-yuvi/peer-observer/tree/spy-detection.

i-am-yuvi commented 2 weeks ago

As discussed with @0xB10C, we can have peer_id as the identifier for any peer instead of ipaddress+port for privacy reasons. If the peer is identified as spy, we can display the details of the peer!

i-am-yuvi commented 2 weeks ago

Another question arises, how do we display the stats for each peer? Maybe we could have something that would display the stats after a certain time(5 mins or 10 mins) of all the peers. @0xB10C

i-am-yuvi commented 2 weeks ago

Here in this PR #45, I have used Mutex for the shared state, I think we can use atomics instead of Mutex as it is more efficient. Also, we don't have to rely on lock and unlock operation!!

0xB10C commented 1 week ago

Another question arises, how do we display the stats for each peer? Maybe we could have something that would display the stats after a certain time(5 mins or 10 mins) of all the peers. @0xB10C

I think that's fine for a start until we figured out a good threshold. Maybe you can sort them based on how many getdata's they have send.

i-am-yuvi commented 1 week ago

Another question arises, how do we display the stats for each peer? Maybe we could have something that would display the stats after a certain time(5 mins or 10 mins) of all the peers. @0xB10C

I think that's fine for a start until we figured out a good threshold. Maybe you can sort them based on how many getdata's they have send.

Yeah, that would be good for now!

i-am-yuvi commented 1 week ago

@0xB10C I have observed some p2p messages received by Bitcoin node using logger in peer-observer i.e. NotFound([WitnessTx(225ac634fa62c...), is this because there is no protobuf definition for this msg type?

0xB10C commented 1 week ago

No, notfound is a message in the bitcoin p2p protocol.

See https://en.bitcoin.it/wiki/Protocol_documentation#notfound

If your node receives a getdata but it does not have the data, it may respond with a notfound message.