Open ignopeverell opened 6 years ago
Thinking some more about this and validating my current understanding by going through the code, we're a lot less vulnerable than I thought to a "fake difficulty" attack. The reasons are quite simple:
sync_head get directly impacted by a sync reset. As long as the total proof of work on the sync_head is less than what's on the header_head, there is no impact on the more authoritative chain records: header_head and body_head.

With that in mind, the following would happen if a fake high difficulty peer showed up:

1) sync_head and be ready to follow new block headers being sent to them.
2) sync_head. This is a fairly cheap operation, especially given that those headers still have to have a valid PoW against current difficulty.

It seems the first thing that'll happen overall is that all peers connected to the cheating peer will start polling it, with little effort from honest peers, and that's about it. Note that each locator request isn't very large.
The main impact here is that this could prevent honest peers from triggering what could be a real sync because of the masking of the cheating peer. But then the faking would have to be going on for a while with unclear benefits. It may still be worth detecting very long non-resolving header syncs and banning the peer that initiated it.
Maybe @garyyu @antiochp already have covered this recently? What is still to be done for this issue to be closeable?
@garyyu Please correct me if I'm wrong but my understanding of the impact here is -

1) new nodes try and sync against the "fraud peer" and fail to sync successfully against any alternative honest peers (we sync headers from the "most work" peer).
2) all mining nodes stop broadcasting new blocks due to a mistaken belief that they are out of sync and their new block is "stale".

(1) is bad because new nodes do not sync successfully; (2) is potentially catastrophic network wide.
@antiochp The two impacts listed above are correct. And all nodes will show "head syncing x%..." on TUI.
During header sync, we trust the total difficulty given by peers during the handshake to select who to get headers from. This is easy to lie about. We need to identify when a node fails to send us headers to match that total difficulty and ban them.
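One way to implement the check called for above, written as an added example rather than Grin's own code: record the total difficulty each peer claims at handshake, follow the highest unbanned claim as the "most work" peer, and ban a peer once a configurable number of locator rounds pass with no PoW-validated headers while its claim is still unbacked. The type and method names (`HeaderSyncMonitor`, `on_header_round`, etc.) are assumptions for illustration.

```rust
use std::collections::HashMap;

/// What a peer claimed at handshake versus what it has actually delivered.
#[derive(Debug, Clone, Default)]
pub struct PeerSyncState {
    /// Total difficulty announced in the handshake; unverified and cheap to lie about.
    pub claimed_total_difficulty: u64,
    /// Cumulative difficulty of headers from this peer that passed PoW validation.
    pub delivered_total_difficulty: u64,
    /// Consecutive locator rounds with no new headers while the claim is still unmet.
    pub stalled_rounds: u32,
    pub banned: bool,
}

#[derive(Debug, PartialEq)]
pub enum Verdict { Keep, Ban }

pub struct HeaderSyncMonitor { peers: HashMap<String, PeerSyncState>, max_stalled_rounds: u32 }

impl HeaderSyncMonitor {
    pub fn new(max_stalled_rounds: u32) -> Self {
        HeaderSyncMonitor { peers: HashMap::new(), max_stalled_rounds }
    }

    /// Record the untrusted total difficulty a peer announced at handshake.
    pub fn on_handshake(&mut self, peer: &str, claimed_total_difficulty: u64) {
        self.peers.entry(peer.to_string()).or_default().claimed_total_difficulty = claimed_total_difficulty;
    }

    /// Header sync follows the "most work" peer: the highest claim among unbanned peers.
    pub fn select_sync_peer(&self) -> Option<&str> {
        self.peers.iter().filter(|(_, s)| !s.banned)
            .max_by_key(|(_, s)| s.claimed_total_difficulty).map(|(p, _)| p.as_str())
    }

    /// Account for one locator round; `validated` holds the difficulties of the new
    /// headers that passed PoW checks (empty when the peer sent nothing usable).
    pub fn on_header_round(&mut self, peer: &str, validated: &[u64]) -> Verdict {
        let limit = self.max_stalled_rounds;
        let st = match self.peers.get_mut(peer) { Some(s) => s, None => return Verdict::Keep };
        st.delivered_total_difficulty += validated.iter().sum::<u64>();
        if !validated.is_empty() || st.delivered_total_difficulty >= st.claimed_total_difficulty {
            st.stalled_rounds = 0; // progress made, or the claim is now backed by real headers
            return Verdict::Keep;
        }
        st.stalled_rounds += 1; // claim still unmet and nothing new arrived this round
        if st.stalled_rounds >= limit { st.banned = true; Verdict::Ban } else { Verdict::Keep }
    }
}
```

Once the lying peer is banned, `select_sync_peer` falls through to the next-highest honest claim, so the masking effect described in the thread ends instead of persisting.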