Some Support, on 07 January 2011 - 11:47 AM, said:
Again I also already wrote that this attack is kinda easy to detect with some improvements, because the IDs are too close together and every client can figure that out. Of course the question remains what to do after knowing that those are fake nodes. I think one of the research papers had just this as topic, didn't get around to reading it completely yet, but will do in time.
An easy way out and an effective one too, I believe, would be to make the checks and when the checks turn out successful, a statement about it is put in the verbose log, so that it can be read by e.g. developers, people managing ipfilters and others.
The advantage with this is that with almost no effort from our side quite a lot of damage can be done to the attackers. I doubt they would be thrillingly happy when dragged from darkness out into the light.
It would also give us an opportunity to see how far they are willing to go, how much more resources they are willing to spend.
Some Support, on 17 January 2011 - 10:59 PM, said:
Also, if indeed China itself (or someone bound to China) is doing serious attacks, the solution is fairly simple: We could just block all NodeIDs from Chinese IPs. Chinese users could still use Kad, they would just not be used for routing tasks anymore. Of course this only works if the Kad network doesn't consist of too many Chinese users (more than 30% would be bad, unfortunately I really don't have any stats on this right now) or the load for the rest of the network would become too big.
Of course that would really only be the last defence if everything else fails and they really do disrupt the network considerably.
As a start we could set restrictions on how many NodeIDs from Chinese IPs should be allowed in routing tables. For example if we limit the number of Chinese IPs in every routing bin to for instance 3 nodes (maybe with some exceptions for those bins with IDs close to own ID) then we would have at least an upper limit on how many Chinese nodes the routing table would host.
This wouldn't help against the node insertion attack they are performing. But it would rule out the possibility for them, with Chinese IPs, to take over almost a whole routing table as the picture in post #1 is suggesting.
Also, there could be restrictions on how many NodeIDs from China we are trying to add to the routing table at one and the same time. For instance when receiving a Kademlia2_Response we could set the limit so that at most one randomly chosen is tested against the routing table. This would certainly hurt the attackers a bit as they prefer to inject 2 or 4 nodes, depending on the request, as much as they can. You only need to say the magic keywords and you are at your most vulnerable when the client just started and the routing table is filling up.
Now if they are still obedient and not learning their lesson then we could strengthen the restrictions to 2 nodes/bin and after that we all have got used to it and the step towards zero doesn't look that huge any more...
Now even if this wouldn't suit the vanilla client, it might be suitable for mods. For a client with IP-to-country already implemented the changes are not much of an effort.
This post has been edited by Nissenice: 10 December 2011 - 09:10 PM
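The two restrictions proposed in the post above (a per-bin cap with an exemption for bins close to the own ID, and at most one randomly chosen restricted contact per response), sketched as an added example that is not part of the original post and not eMule code. The `RoutingTable` class, the bin size, the exemption threshold and the assumption that each contact's country has already been resolved by an IP-to-country lookup are all hypothetical.

```python
import random
from collections import defaultdict

ID_BITS = 128       # Kad node IDs are 128-bit
BIN_SIZE = 10       # assumed contacts per bin
EXEMPT_PREFIX = 8   # assumed: bins sharing >= 8 leading bits with our ID are exempt

def bin_index(own_id, node_id):
    """Leading bits node_id shares with own_id (XOR metric); higher means closer."""
    return ID_BITS - (own_id ^ node_id).bit_length()

class RoutingTable:
    def __init__(self, own_id, restricted, cap=3, rng=None):
        self.own_id = own_id
        self.restricted = set(restricted)   # country codes subject to the cap
        self.cap = cap                      # 3 per bin, as suggested in the post
        self.rng = rng or random.Random()
        self.bins = defaultdict(dict)       # bin index -> {node_id: country}

    def try_add(self, node_id, country):
        """Return True if the contact was admitted to its bin."""
        b = bin_index(self.own_id, node_id)
        bucket = self.bins[b]
        if node_id == self.own_id or node_id in bucket or len(bucket) >= BIN_SIZE:
            return False
        if country in self.restricted and b < EXEMPT_PREFIX:
            capped = sum(1 for c in bucket.values() if c in self.restricted)
            if capped >= self.cap:
                return False
        bucket[node_id] = country
        return True

    def handle_response(self, contacts):
        """Apply the per-response rule to [(node_id, country), ...]:
        every unrestricted contact is tried, but only one randomly chosen
        restricted contact is. Returns the node IDs admitted."""
        free = [c for c in contacts if c[1] not in self.restricted]
        held = [c for c in contacts if c[1] in self.restricted]
        if held:
            free.append(self.rng.choice(held))
        return [nid for nid, cc in free if self.try_add(nid, cc)]
```

The cap only bounds how many restricted contacts a bin can hold; as the post notes, it does not stop the node insertion itself.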