-
Inge-
there might be a relevant body of research on sybil attacks in p2p networks, like link.springer.com/chapter/10.1007/978-3-319-23829-6_14
-
needmoney90
Proof of work on asshole peers, I'm shooting in the dark here
-
needmoney90
But what if every time you detect an asshole peer, you perform X proof of work (determined by you), and broadcast the best hash to the network attached to their IP.
-
needmoney90
In aggregate, the most asshole-y peers will end up having high asshole ratings, due to random chance working out for the crowd
-
needmoney90
There's some room for people to perform work to attempt to bump nodes off the network of course, but it may be the start of an idea
-
kenshamir[m]
<needmoney90 "But what if every time you detec"> Is it possible for me to create a huge amount of IPs, then simulate the behaviour of a bad peer for each IP and have you performing proof of work for those IPs?
-
moneromooo
That sounds like what Chris Grayling would do.
-
moneromooo
I think the point is to make the presumed asshole do it, rather than the one detecting it.
-
kenshamir[m]
<moneromooo "That sounds like what Chris Gray"> Embarrassingly had to google who this was, I’m so out of touch with politics
-
kenshamir[m]
<moneromooo "I think the point is to make the"> Oh I see, I thought the honest peer was meant to do the proof of work and send the IP of the bad peer with the proof of work
-
moneromooo
I think you are right actually, re-reading.
-
needmoney90
kenshamir: Of course. Arguably that's what's happening right now, and what we are trying to remedy
-
needmoney90
Though if you have a client-set default where you want to get X good peers, I think it's not an issue
-
needmoney90
it's a probabilistic thing
-
needmoney90
I considered having nodes send PoW in order to be peers, but that has issues
-
needmoney90
because highly connected nodes and stuff would be adversely affected
-
needmoney90
In my case, the work is only performed if/when a bad peer is detected, and the lowest hash broadcast if below a threshold
-
kenshamir[m]
<needmoney90 "kenshamir: Of course. Arguably t"> Oh I was not aware of the current state. Okay makes sense now, you are suggesting a reputation system that is better than the _current_ one
-
needmoney90
Yes, users need some way of knowing which peers are known bad network wide
-
needmoney90
My insight here is just that if we have everyone perform some small PoW when they have a bad peer, eventually high difficulty hashes will materialize
-
needmoney90
Obviously it's gameable in some ways, but it might be the start of an idea
-
needmoney90
Perhaps timestamps and expirations would alleviate some of that
-
kenshamir[m]
<needmoney90 "My insight here is just that if "> Oh interesting, can you explain why high difficulty hashes would materialise eventually?
-
needmoney90
That is how proof of work works
-
kenshamir[m]
Who is setting the difficulty?
-
kenshamir[m]
If I see a bad peer, how would I know how much proof of work I should do, for example?
-
needmoney90
Any user can perform a user determined amount of hashes, and then broadcast the lowest hash (highest difficulty) to the network. You don't need to set a difficulty at all, but you can set a threshold below) above which you don't connect to peers
-
needmoney90
We can give a number in orders of magnitude for diff
-
needmoney90
'my client won't connect to people whose diff exceeds 7'
-
kenshamir[m]
Okay I think I got it, so if I see a bad peer, I can perform as much proof of work as I want
-
needmoney90
Yes
-
kenshamir[m]
Okay makes sense, I’m still not sure that high difficulty hashes will eventually appear though, because as a node I would want to do the least amount of proof of work for the reputation system right?
-
kenshamir[m]
<needmoney90 "We can give a number in orders o"> I think this would solve it though. If you mandate that everyone has to provide a hash of X difficulty for bad peers.
-
needmoney90
We can't exactly mandate it
-
needmoney90
and the 'gaming' issues I was thinking about are bad actors providing false proofs against real nodes
-
kenshamir[m]
Maybe not mandate, but as a node, I just won’t accept your “vote” if it’s below a certain difficulty
-
kenshamir[m]
<needmoney90 "and the 'gaming' issues I was th"> Oh I see, yeah that’s a realistic adversarial model.
-
needmoney90
yeah ken, that was the 'order of magnitude' thing
-
needmoney90
people can decide on their level of tolerance for bad nodes
-
kenshamir[m]
<needmoney90 "people can decide on their level"> Oh I see, sorry I’m a bit slow
-
kenshamir[m]
Yeah makes sense
-
kenshamir[m]
I have not done any research into reputation systems, was just curious about your idea
-
needmoney90
sure, I'm spitballing here
-
needmoney90
we actually have a working CPU-based PoW system
-
needmoney90
It would be a shame not to use it if it's applicable
-
needmoney90
this sort of scheme wouldn't work at all under any system other than randomX, because FPGAs etc
-
kenshamir[m]
<needmoney90 "we actually have a working CPU-b"> Oh how difficult would it be to integrate?
-
kenshamir[m]
I’m assuming you mean a working reputation system and not a working POW consensus system
-
needmoney90
I mean the PoW system.
-
needmoney90
Having a network of users able to do small amounts of provable work in aggregate is very useful
-
needmoney90
If at the very least because it increases the resources required to attack it
-
kenshamir[m]
Yeah true, I think a reputation system based on PoW is natural since you already use PoW
-
needmoney90
PoW has a number of fun implications, like if you find the highest diff block ever discovered in btc, you can roughly estimate the total work expended by the network in aggregate
-
needmoney90
Which is the same principle I'm using here
-
kenshamir[m]
What if a miner decides he doesn’t like X and does a ridiculously high difficulty hash for X?
-
needmoney90
What do you mean?
-
needmoney90
For a miner to 'choose' a block with a ridiculous difficulty without posting intermediate blocks, they would probabilistically need to discard every non-conforming block (and burn the work)
-
kenshamir[m]
I guess that’s how I would attack the network.
-
kenshamir[m]
instead of competing for blocks like a shmuck, i make ridiculously high difficulty hashes for the competition, so they get blackballed
-
kenshamir[m]
Would that work?
-
kenshamir[m]
Or I guess alternatively, I could blackball an exchange and initiate an eclipse attack on them?
-
kenshamir[m]
<needmoney90 "For a miner to 'choose' a block "> Oh I didn’t get my point across, rephrasing
-
needmoney90
Ah, yes, that's my adversarial example. My suggested way of resolving that was limiting the blacklist to a fixed period of time, so after X time (if you haven't received a subsequent proof of bad behavior) it rolls off your list
-
kenshamir[m]
So as a miner, I would stop mining for blocks temporarily
-
needmoney90
Which would force the adversary to constantly produce those hashes
-
needmoney90
Heck, if we drop the limit low to something like a couple hours, it might actually be viable
-
kenshamir[m]
I would focus on the reputation system and blackball the competition, by making them look like bad actors to the rest of the network, since I have the hash power for it, then I’d win a lot of blocks since no one is talking to the competition
-
needmoney90
This is for nodes
-
kenshamir[m]
<needmoney90 "Ah, yes, that's my adversarial e"> Ahh I see
-
needmoney90
Not mining
-
kenshamir[m]
Yep for nodes
-
needmoney90
It's possible I guess, but I'm sure people would run nodes without the rule
-
kenshamir[m]
I was illustrating that the end goal would be to subvert the mining system through the reputation system, so there is a motive
-
needmoney90
If it's an issue I can't imagine miners wouldn't set up a relayed service
-
needmoney90
Relayer
-
kenshamir[m]
During the period of time, I guess that malicious miner who blackballed the competition would win a lot of blocks?
-
needmoney90
Doubtful
-
needmoney90
Existing connections are a thing
-
needmoney90
And again, not everyone would run this
-
needmoney90
Or have the threshold low
-
kenshamir[m]
<needmoney90 "If it's an issue I can't imagine"> Oh right, I see
-
kenshamir[m]
<needmoney90 "Existing connections are a thing"> Yeah I guess if you made it so that nodes first checked if that node was being bad, if they are on their list, then it would be solved?
-
kenshamir[m]
So the blackballing would be applicable only for newer connections
-
needmoney90
Yeah, the intent is not to kick off established connections
-
needmoney90
The asshole peers aren't established connections
-
kenshamir[m]
<needmoney90 "And again, not everyone would ru"> I think every full node would need to run it no?
-
needmoney90
Hm. Actually. These peers are just non-relaying
-
needmoney90
My mental model was broken there
-
needmoney90
It's actually an issue, because it's not just disconnecting nodes, it's non-relaying nodes too
-
needmoney90
Every fullnode would not need to run this, it's an optional thing
-
needmoney90
It creates a subnetwork of nodes who have a shared blacklist, and are likely highly self connected
-
kenshamir[m]
<needmoney90 "Every fullnode would not need to"> Oh I would think it would be in their interest to run a reputation system so that they can always be connected to “live” and honest peers
-
kenshamir[m]
<needmoney90 "It creates a subnetwork of nodes"> Oh right, that’s a good depiction. A network on top of a network
-
kenshamir[m]
* <needmoney90 "It creates a subnetwork of nodes"> Oh right, that’s a good depiction. A network inside of a network
-
needmoney90
Sure, but it's a potentially adversarial environment - if no one runs a node that peers with all, then we risk malicious actors abusing that to knock peers off
-
needmoney90
It's more a 'public service' thing
-
needmoney90
Those nodes would prolly have higher max connection counts to combat it though
-
kayront
are we talking about the evil peers™ that have been found not relaying txs?
-
john_r365
kayront - yes, also affectionately known as asshole nodes
-
kayront
so what's the theory? annoyance? tx logging?
-
kayront
dos?
-
selsta
most likely tx <-> ip logging
-
selsta
also general annoyance maybe
-
john_r365
Seems like a lot of effort just for annoyance. From the list moneromooo shared - gui.xmr.pm/files/block.txt - it seemed like IPs largely came from RIPE Network Coordination Centre or OVH Hosting. tx <-> ip seems most likely. presumably D++ makes it more obvious and problematic when nodes drop tx
-
kayront
yes, it certainly does
-
selsta
monero-project/monero #6936 seems quite effective at catching and dropping them
-
nioc
neednoether90
-
yanmaani
idea: if a node misbehaves and there's a lot of misbehaving nodes in that ASN, send it say 1GB of traffic as punishment
-
yanmaani
This would be fine for ordinary users on home connections, who wouldn't notice much downtime
-
yanmaani
but if they're using commercial hosting providers, they will often disconnect problematic customers, or charge them extra for network scrubbing