PurpleI2P / i2pd

🛡 I2P: End-to-End encrypted and anonymous Internet
https://i2pd.website
BSD 3-Clause "New" or "Revised" License
3.26k stars 423 forks

Can we restrict I2P peer connections from 'strict countries'? #2112

Open kosakuraiori opened 6 days ago

kosakuraiori commented 6 days ago

I2P peers in the strict country list will force-enable hidden mode, and I2P peers in this mode should not participate in tunnel creation.

Can we implement similar restrictions on I2P peers from regions in the strict country list? That is, when we detect that the IP address of these peers comes from a strict country and they are participating in tunnel creation, we directly block them? (Because it is likely to be a malicious peer).

My native language is not English, and these texts are translated using artificial intelligence technology. Please forgive me if there are any errors in the text.

Strict Countries

Vort commented 6 days ago

I think users should decide by themselves whether they need extra "protection" or not. As for malicious routers, there should be a better way of detecting them than checking their country.

By the way, do you have any information regarding https://github.com/PurpleI2P/i2pd/issues/2109 ? For example, what goal malicious users may have.

kosakuraiori commented 6 days ago

> I think users should decide by themselves whether they need extra "protection" or not. As for malicious routers, there should be a better way of detecting them than checking their country.
>
> By the way, do you have any information regarding https://github.com/PurpleI2P/i2pd/issues/2109 ? For example, what goal malicious users may have.

Their goal is to disconnect I2P users located in China from the I2P network. These malicious peers cause I2P users in China to be unable to connect to any I2P services (if the peers do not enable hidden mode).

After I2P updated the NTCP2 and SSU2 communication protocols, China's national firewall was unable to intercept I2P communications, so they began to deploy a large number of these malicious peers to try to disrupt the network.

I discovered this yesterday while debugging my own I2P software. If I block those abnormal China peers (located in the strict country list but not enabling hidden mode), I can quickly and stably access the I2P network.

This is why I think it's necessary to restrict connections from these countries.

orignal commented 5 days ago

i2pd is not going to restrict connectivity by country or nationality.

kosakuraiori commented 5 days ago

> i2pd is not going to restrict connectivity by country or nationality.

You're right. This would lead to a de facto country block.

But what I'm trying to express is not about blocking connections from specific countries, but rather that: the appearance of non-hidden mode I2P routers in these countries is an abnormal signal in itself.

It's a bit like a group of 'prohibited people or things' suddenly appearing publicly in a place where they are forbidden by law.

Vort commented 5 days ago

> It's a bit like a group of 'prohibited people or things' suddenly appearing publicly in a place where they are forbidden by law.

Instantaneous addition of almost a thousand routers is an abnormal signal no matter what country they are from.

> These malicious peers cause I2P users in China to be unable to connect to any I2P services

Thank you for the information.

It looks strange to me that abnormal load comes in pulses: [image]

Could it be that these pulses are made not by Chinese routers, but by some different actor?

Vort commented 5 days ago

I wonder why the situation from the linked screenshot happens at all.

The I2P network has about 40 thousand routers. Adding 1 thousand routers from China should not change the distribution that much.

And in cases when there are really many routers from the same country, it makes sense to lower their chance of appearing in the tunnel.

[Screenshot 2024-06-05 9:36:34 AM]

Vort commented 5 days ago

> kosakuraiori: If I block those abnormal China peers (located in the strict country list but not enabling hidden mode), I can quickly and stably access the I2P network. This is why I think it's necessary to restrict connections from these countries.

> orignal: i2pd is not going to restrict connectivity by country or nationality.

I think it should be possible to make an option allowing the user to exclude some nodes from tunnel selection, similarly to how it is done in Tor (ExcludeExitNodes). This option should be managed exclusively by the user, of course, and have an empty default value.
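
A sketch of the two ideas raised in the comments above (a user-managed exclusion list that is empty by default, and lowering the selection chance of an over-represented country), added here as an example and not taken from i2pd or from any participant in the thread. `Peer`, `HopWeights`, `SamplePool`, the country labels and the `maxShare` cap are all assumptions.

```cpp
// Added illustration, not i2pd code; every name here is hypothetical.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

struct Peer {
    std::string id;
    std::string country;  // assumed: label from a GeoIP lookup the user opted into
};

// Selection weight per peer id for tunnel hop choice.
//  * Countries in `excluded` (user-managed, empty by default) get weight 0.
//  * A country holding more than `maxShare` of the eligible pool has each of
//    its peers scaled down so the country's combined weight is
//    maxShare * pool size; all other peers keep weight 1.
std::map<std::string, double> HopWeights(
    const std::vector<Peer>& peers,
    const std::set<std::string>& excluded = {},
    double maxShare = 0.25) {
    std::map<std::string, int> perCountry;
    int eligible = 0;
    for (const auto& p : peers)
        if (!excluded.count(p.country)) { ++perCountry[p.country]; ++eligible; }

    std::map<std::string, double> weights;
    for (const auto& p : peers) {
        if (excluded.count(p.country)) { weights[p.id] = 0.0; continue; }
        double share = static_cast<double>(perCountry[p.country]) / eligible;
        weights[p.id] = share > maxShare ? maxShare / share : 1.0;
    }
    return weights;
}

// Constructed pool: country "AA" suddenly holds half of all known routers.
std::vector<Peer> SamplePool() {
    return {{"r1", "AA"}, {"r2", "AA"}, {"r3", "AA"}, {"r4", "AA"},
            {"r5", "BB"}, {"r6", "BB"}, {"r7", "CC"}, {"r8", "CC"}};
}

int main() {
    for (const auto& kv : HopWeights(SamplePool()))
        std::cout << kv.first << " " << kv.second << "\n";
}
```

With the default empty exclusion list nothing is blocked outright; only the flooded country's peers are picked less often.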

kosakuraiori commented 5 days ago

> I think it should be possible to make an option allowing the user to exclude some nodes from tunnel selection, similarly to how it is done in Tor (ExcludeExitNodes).
>
> This option should be managed exclusively by the user, of course, and have an empty default value.

Yes, I think similar additional optional protection is feasible.

> Could it be that these pulses are made not by Chinese routers, but by some different actor?

These abnormal peers come from different organizations, but are basically led by the Chinese academic community (such as the Chinese Academy of Sciences) in censorship research, with the intention of degrading or destroying the I2P network.

By searching for keywords like "I2P 流量分析" in Chinese on search engines, you can find a large number of papers written by different universities and research institutions in China.

I2P匿名系统中网桥技术研究与实现 (Research and Implementation of Bridge Technology in the I2P Anonymous System)

I2P匿名通信网络流量识别与分类 (Traffic Identification and Classification for the I2P Anonymous Communication Network)

In the data collection phase, by studying the node publishing and updating mechanisms in the I2P anonymous network, we design a scheme for collecting resource nodes within the I2P network. We propose a method to discover and collect I2P nodes through the real-time monitoring function module of the network database NetDB and the periodic crawling function module of the reseeding website. Based on the parsing of the RouterInfo structure of the nodes, we construct a node information database, which provides a data labeling foundation for subsequent traffic identification and classification experimental research.

> I wonder why the situation from the linked screenshot happens at all.
>
> The I2P network has about 40 thousand routers.
>
> And in cases when there are really many routers from the same country, it makes sense to lower their chance of appearing in the tunnel.

His I2P peer is running on a version (2.5.0) that doesn't have 'strict country protection' deployed, so it won't automatically enter hidden mode. But I also don't know why his I2P peer has so many Chinese peers, to the point where it's causing I2P to not work properly.

s-b-repo commented 4 days ago

> i2pd is not going to restrict connectivity by country or nationality.

agreed