LeastAuthority / go-libp2p-pubsub

love bombing attack #7

Open dominictarr opened 4 years ago

dominictarr commented 4 years ago

Once the smart sybils have done some network mapping, they can perform a more efficient attack that I'm gonna call "love bombing". Love Bombing is a cult practice, where basically, the cult showers newcomers in affection and attention, so that they join the cult. (because they never felt so accepted, etc...)

So, we have a network of honest peers, AND using the technique I described in #6, we've identified which peers are connected directly to the publishers. Then, connected to the publishers, and the p1 peers (who are also connected directly to at least a particular publisher) we then game the score function. The easiest way to artificially increase our score is to go for the first-message-delivered prize. Obviously, since they are already directly connected to one publisher, we are not gonna be able to deliver messages from that publisher any faster, but we can probably deliver messages very quickly from all the other publishers!

Given a randomish network, there will be many more publishers that a given honest p1 peer isn't connected to. So, our sybils will get many more first-message-deliveries than their direct publisher. So our sybils will get a higher score even than them. If we do this with enough sybils, they'll hit the configured limit and prune the mesh, disconnecting p2 peers (that aren't useful to them), and maybe even disconnecting their publisher.

If the victim peer does either or both of these then we have successfully delayed the network.

One interesting thing about this attack is the sybils can measure how well it's going, and also, since they make a targeted attack on just some peers, the cost of the attack should be relatively low.

TODO: I've used a simplified model of gossipsub to come up with this attack, so next is to make this more accurate. (taking into account gossip, and flood publish, etc)

dominictarr commented 4 years ago

Oh, it should go without saying that these sybils are avoiding attacking in a coordinated way, so they do not compete with each other, and also avoid colocation https://github.com/LeastAuthority/go-libp2p-pubsub/issues/5

dominictarr commented 4 years ago

love bombers may need to be aware of opportunistic grafting.

Periodically, the router checks the median score of peers in the mesh against the opportunisticGraftThreshold. If the median score is below the threshold, the router opportunistically grafts (at least) two peers with score above the median in the mesh.

If the mesh score is too low, it kicks out two okay peers, hoping that it will get much better ones. Hmm. I'm skeptical that the score function can really be used like this.

vyzo commented 4 years ago

That's not completely accurate about how oppgraft works; basically it doesn't directly kick out peers, it adds two new peers with score over the median (if any and when the median score is too low).

You may kick out peers if you get oversubscribed because of that (if you exceed D_hi), but it doesn't always or immediately happen. If you are at D=8, then oppgraft would take 3 cycles to go over the D_hi=12 limit, with each cycle taking 1 minute by default. At this point, you would be oversubscribed at 14 peers and need to kick out 6; of the 8 peers you chose to keep, 6 would be based on scoring and 2 would be at random.

So when oppgraft does kick out peers, it kicks out bad peers and replaces them with better peers.

But yeah, the premise is valid: even if love bombers succeed in taking over the mesh and subsequently start an attack, oppgraft would kick in to recover the mesh.
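The arithmetic in the comment above, as an added Go model that is not part of the thread and is not go-libp2p-pubsub's own code: graft two peers per cycle from D=8 until the mesh exceeds D_hi=12, then prune back to 8 with 6 kept by score and 2 at random. All identifiers, the threshold value, the peer scores and the choice of the best-scoring candidates first are assumptions of this example.

```go
package main

import (
	"fmt"
	"math/rand"
	"sort"
)

// D, DHi, DScore and graftStep are the values quoted in the comment above; threshold is assumed.
const D, DHi, DScore, graftStep, threshold = 8, 12, 6, 2, 1.0
type Peer struct{ ID int; Score float64 }

// byScore returns a copy of ps sorted best-first.
func byScore(ps []Peer) []Peer {
	out := append([]Peer(nil), ps...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

// oppGraft only adds peers: up to graftStep candidates above a below-threshold mesh median.
func oppGraft(mesh, cand []Peer) ([]Peer, []Peer) {
	med, n, best := byScore(mesh)[len(mesh)/2].Score, 0, byScore(cand)
	for n < graftStep && n < len(best) && med < threshold && best[n].Score > med {
		n++
	}
	return append(mesh, best[:n]...), best[n:]
}

// prune keeps the DScore best peers plus D-DScore picked at random from the rest.
func prune(mesh []Peer, rng *rand.Rand) (kept, dropped []Peer) {
	s := byScore(mesh)
	rest := s[DScore:]
	rng.Shuffle(len(rest), func(i, j int) { rest[i], rest[j] = rest[j], rest[i] })
	return s[:D], s[D:]
}

// Simulate runs one graft per cycle until the mesh exceeds DHi, then prunes once.
func Simulate(seed int64) (cycles, peak int, kept, dropped []Peer) {
	var mesh, cand []Peer
	for i := 0; i < D; i++ { // constructed: weak mesh peers, strong candidates
		mesh, cand = append(mesh, Peer{i, 0.5}), append(cand, Peer{100 + i, 5})
	}
	for ; len(mesh) <= DHi && cycles < 10; cycles++ {
		mesh, cand = oppGraft(mesh, cand)
	}
	kept, dropped = prune(mesh, rand.New(rand.NewSource(seed)))
	return cycles, len(mesh), kept, dropped
}
func main() { fmt.Println(Simulate(1)) }
```

In this constructed run all six score-ranked slots go to the newly grafted peers, so only the two random slots retain members of the original mesh.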

dominictarr commented 4 years ago

This attack depends on the attacker's ability to create incoming connections. One simple way to prevent things like this would be to handle incoming connections differently.

If all the high scoring connections are incoming, that's a potential attack. If a high scoring connection is outgoing, we can trust that because we chose to connect to that peer. (assuming for now that it would be somewhat harder for attackers to ensure that we only connect to their peers)

Maybe you could have different thresholds for outgoing connections - make it okay for an incoming connection to have a lower score, but switch out new outgoing connections if they aren't very useful.