[bitcoin-dev] Preferential Treatment in AttemptToEvictConnection()

Mike Brooks m at ib.tc
Sat Oct 3 23:06:19 UTC 2020


Hey Everyone,

A lot of pressure rides on AttemptToEvictConnection() because it is used to
limit the impact of eclipsing attacks. With continued centralization, fair
connection formation becomes a bigger concern. I am curious how other
members of the community feel about the preferential treatment and odd
comments found in AttemptToEvictConnection().  In short, the concern is
that an adversary which intends on providing the useful service of
data-arbitrage will have preferential treatment in the formation of the
network.

https://github.com/bitcoin/bitcoin/blame/df2129a2349b1877049f250551f49a4592e73765/src/net.cpp#L946-L981

Line 948:
// An attacker cannot predict which netgroups will be protected
->
Perhaps not, but the attacker can have more netgroups than node slots, this
can be optimized for. Simply being in different places does not mean the
nodes are honest or safe. This is probably a good check to have, but it
should not say an "attacker cannot", as this is misleading.

Line 952:
// An attacker cannot manipulate this metric without physically moving
nodes closer to the target.
->
Yes, that is exactly what the attacker will do. An attacker can run
tcp-traceroute on the network to find where miners clump up, and run a
malicious message-relay in a nearby datacenter. With a financial motive it
is cheaper to run a low-cost message relay than a mining node.


Line 955:
// Protect 4 nodes that most recently sent us novel transactions accepted
into our mempool. Add recently accepted blocks and txn to
AttemptToEvictConnection.
// An attacker cannot manipulate this metric without performing useful work.
->
If an honest node sees a novel transaction from a new incoming connection,
it will be less likely to remove it. A dishonest centralized-service can
preemptively send novel-transactions as part of the handshake for new
hosts, this will improve the odds of the connection staying open and
cutting contact with an honest node.


Line 962:
// Protect 4 nodes that most recently sent us novel blocks.
// An attacker cannot manipulate this metric without performing useful work.
->
This code has the assumption that an adversary will play by the rules. An
attacker will manipulate this metric with the data-arbitrage of novel
blocks. An attacker can move newly created blocks from the source (large
mining pools) to all parts of the network which can be used to garner value
within the connection pool of new hosts.


All of the above checks, except for the one starting on 948, are subject to a
race condition.

All the best,
Michael
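
A simplified model of the four protection passes quoted in the message above, added here as an illustration; it is not code from the post or from Bitcoin Core. The struct fields, function names, the 24 constructed sample peers, and the protection counts for the netgroup and ping passes (4 and 8) are assumptions; the counts of 4 for transactions and blocks come from the quoted comments.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified inbound-peer record; field names are hypothetical, not Bitcoin Core's.
struct Peer {
    int id;
    uint64_t keyed_netgroup;  // keyed hash of the peer's network group
    int64_t min_ping;         // lowest observed ping
    int64_t last_tx_time;     // last novel transaction accepted from this peer
    int64_t last_block_time;  // last novel block received from this peer
};

// Sort so the k most-favoured peers come last, then drop them from the
// candidate list (dropped == protected from eviction).
template <typename Cmp>
void ProtectLastK(std::vector<Peer>& c, Cmp less_favoured_first, size_t k) {
    std::sort(c.begin(), c.end(), less_favoured_first);
    c.erase(c.end() - std::min(k, c.size()), c.end());
}

// Ids of peers that remain evictable after the four passes, ascending.
std::vector<int> StillEvictable(std::vector<Peer> c) {
    ProtectLastK(c, [](const Peer& a, const Peer& b) { return a.keyed_netgroup < b.keyed_netgroup; }, 4);  // count assumed
    ProtectLastK(c, [](const Peer& a, const Peer& b) { return a.min_ping > b.min_ping; }, 8);              // count assumed
    ProtectLastK(c, [](const Peer& a, const Peer& b) { return a.last_tx_time < b.last_tx_time; }, 4);
    ProtectLastK(c, [](const Peer& a, const Peer& b) { return a.last_block_time < b.last_block_time; }, 4);
    std::vector<int> ids;
    for (const Peer& p : c) ids.push_back(p.id);
    std::sort(ids.begin(), ids.end());
    return ids;
}

// Constructed sample: 24 inbound peers with distinct values for every metric.
std::vector<Peer> SamplePeers() {
    std::vector<Peer> v;
    for (int i = 0; i < 24; ++i)
        v.push_back({i, uint64_t(7 * i % 24), 5 * i % 24, 11 * i % 24, 13 * i % 24});
    return v;
}

int main() {
    for (int id : StillEvictable(SamplePeers())) std::printf("%d ", id);
    std::printf("\n");
}
```

Changing a single peer's `last_tx_time` in the sample changes which peers survive the transaction pass, which is the sensitivity the message is asking about. The model stops after these four passes and omits the remaining steps of the real function.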