Duplicate connections to some onion peers #1408
Labels
No Label
bug
build
dependencies
developers
documentation
duplicate
enhancement
formatting
invalid
legal
mobile
obsolete
packaging
performance
protocol
question
refactoring
regression
security
test
translation
usability
wontfix
No Milestone
No project
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Bitmessage/PyBitmessage-2025-01-14#1408
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
The description is based on messages from
[chan] bitmessage
but I've seen it myself a couple of weeks ago (I thought it's related to my #1394 - wrongly).Changes proposed today:
Are you saying this node was not an attack on bitmessage to sandbox users ?
Envoyé de mon iPhone
I don't know
My own screenshot with the same peer:
And with other peer from 11.28:
Have you implemented a mecanism to select the best noted peers to connect preferably to them first ?
Because it is the case, I think this could be a sandboxing attack.
Envoyé de mon iPhone
@stman The rating adjust dynamically and influences the likelihood the peer will be retried in the future. The client isn't supposed to connect to the same peer multiple times, it's a bug. It also could be a UI bug, erroneously forgetting to remove an entry from the list upon disconnect. Looking at @g1itch 's patch, I think it's probably the UI. I haven't had time to investigate it yet but I also saw something similar happening on my local client.
Yep.
I think it must be seriously investigated, and this mecanism to preferably connect to the best peers, even randomly, is at the root, according to me, to a way for the trick exploited to sandbox me and several users, to sabotage silently bitmessage’ peer ring.
Envoyé de mon iPhone
Peter, I suggest a small conf call on mumble to explain to all those interested how, according to me, the sandboxing could be operating.
Envoyé de mon iPhone
Personally I doubt that proposed patch solves the issue. To test it I added logging in
network.connectionpool
:Today I noticed strange log message:
But when the duplicate connections appear there is no such message in log.
I insist, we need to talk through mumble. In less than 30 minutes we will collectively solve this issue definitely. And we must solve this issue.
I confirm that it can be reproduced by adding
trustedpeer = <thatpeer.onion>:8444
to keys.dat.Ok then, I'm taking a few minutes to write down my sandboxing scenario.
Of course, all these are just assumptions, and some close variants must
also be considered.
It is a multistage attack scenario.
The attacker wishing to sandbox create a bunch of BM nodes in VM,
preferably with onion addresses, it allow duplication in a much more
easy way than with real IP addresses, and he ensure a very good
connectivity to the netork, modifying the source code to accept much
more than 8 connections, and avoiding his own peers, ti ensure that he
is always has the most synchronized peers on the network, therefor
gaining the best notations from all other peers.
He makes his system running for a sufficient period of time to ensure
most of the peers connecting to the BM network will know the addresses
of his peers, with the highest rating possible.
Let’s summerize this first attack step :
current real number of bitmessage distinct users), using preferably
onion adresses (easier, fully scalable), and ensuring they all get the
best rating by giving those fake peers a good internet bandwidth, and
letting them running 24h/24.
The second stage of the attack is the following :
The attacker takes advantage of the fact that Pybitmessage is the
mostly used node.
The tattacker takes advantage that this client is rating peers, and is
now connecting in priority to the highest rated peers.
The attacker takes advantage that the latest versions of Pybitmessage
has limited the number of outgoing connections to 8, and that most users
don’t let their configuration run 24h/24, so indeed mostly use outgoing
connections to connect to the network.
The probability in such conditions that a target user like me,
connecting cuasually to the network, gets connected first to the
attacker peers is therefore getting very high.
Modifying the source code of its fake peers, the attack can easily
implement a detection mecanism when a targeted users is exclusively
connected onto his fake peers : This is possible thanks to the peer
authentification mecanism, and the only thing the attacker wishing to
sandbox a user had to do is to modify pybitmessage source code, and add
a special communication functionnality between his fake nodes, to know
when 8 connections from the targeted peer have connected to his attacker
peer ring. He just have to build a kind of hypervisor of all his running
peers.
Doing so, he can know when some targeted peers are under his control,
because exclusively connected to his peers, and none of the targeted
users connected between them, they all goi through his peer ring to
communicate.
Doing so, it is fucking easy for him to start making his fake peer ring
filtering messages on demand, and start slowly filtering most messages
comming from the real bitmessage network.
And he’s done. He can isolate selected peers on demand.
This is why a motherfucking guy told me once I should preferably connect
exclusively through Tor, I remember that. I told him : But what is
entrapped in a fake peer ring, and never answered me (In my head, this
is rising an alarm you know).
FUCK JEFF BEZOS, THE CIA, THE NSA and their fucking transnational
corruption ring.
Le 15/12/2018 à 17:55, Dmitri Bogomolov a écrit :
Hmm, I confirm that patch from
[chan] bitmessage
solves the issue (at least when I reproduce it withtrustedpeer
in config). Debug: