forked from somatic-labs/meteorite
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathP2P storms.eml
147 lines (116 loc) · 7.06 KB
/
P2P storms.eml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
MIME-Version: 1.0
Date: Sat, 23 Sep 2023 11:09:11 +0800
Message-ID: <CAK5+0FTnKtgdZdFOND+GYvAcL7wKjxvSn=Z8YRVbXXOhsxKRQA@mail.gmail.com>
Subject: P2P storms
From: Jacob Gadikian <[email protected]>
To: Khanh Nguyen <[email protected]>
Content-Type: multipart/alternative; boundary="0000000000009dcf290605fe0c80"
--0000000000009dcf290605fe0c80
Content-Type: text/plain; charset="UTF-8"
NOTE: THIS DETAILS AN ONGOING MATTER.
I'd like to politely urge that Amulet re-join the slack channel that Amulet
left so that Amulet can get sufficient context.
Greetings,
Here is a document on what I am calling "p2p storms". They are a threat to
liveness on 100% of cosmos-sdk chains to my knowledge.
The document is under heavy revision because I believe that there are at
least two ways to cause a p2p storm:
- Banana King
- Spamming Client Updates
https://docs.google.com/document/d/1oCjsVYMaV77etxOEbDxh58vkAQaXf7RAkhXvF_8GYis/edit?usp=sharing
For a relatively low cost, or in some cases at no cost, it is possible to
DOS entire chains in ways that reduce liveness significantly.
Reproducing this issue may not be viable on test networks, as the core of
the issue is the increased p2p traffic that large blocks cause, and a
resulting inability of the chain to process its mempool.
*P2P storms have been observed in the wild*
- On Stride
- On Sentinel
There's anecdotal evidence of p2p storms on Luna Classic *during* the
combined economic and infrastructure attack that took the chain down, and
you can find my documentation of this here:
https://github.com/notional-labs/notional/blob/master/incidents/WTF%20HAPPENED%20TO%20TERRA.pdf
Thus far, we've been coordinating in Slack channels, which I'm happy to
re-invite you to, since you left because that doesn't fit within your
protocol for dealing with security issues.
I've been coordinating with Jehan and I'm about to put a Banana King on hub
mainnet. A few blocks of banana king is enough to trigger a p2p storm, as
is a few blocks of client update spam. In fact on further consideration, I
think that the LUNC incident is no longer incidental.
I think that LUNC suffered a p2p storm during the attack, and that the p2p
storm was able to enable arbitrage, which is the entire threat model for
this attack.
*Recommendations*
1) drop sentry node architecture -> to reduce the number of hops and nodes
2) validators connect to one another over vpn -> same goal as number one
3) reduce maximum block sizes <- I suggest 5mb
I need to update the document to add information about banana king. Both
client spamming and banana king can trigger p2p storms, and p2p storms can
be arbed, and have been.
--
*Jacob Gadikian*
CEO
*Notional Labs*
*Github <https://github.com/faddat> - Twitter
<https://twitter.com/gadikian>*
*Web: Notional.Ventures <https://notional.ventures/>*
--0000000000009dcf290605fe0c80
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div>NOTE: THIS DETAILS AN ONGOING MATTER.</div><div><br><=
/div><div>I'd like to politely urge that Amulet re-join the slack=C2=A0=
channel that Amulet left so that Amulet can get sufficient=C2=A0context.=C2=
=A0</div><div><br></div><div><br></div>Greetings,<div><br></div><div>Here i=
s a document on what I am calling "p2p storms".=C2=A0 They are a =
threat to liveness on 100% of cosmos-sdk chains to my knowledge.=C2=A0=C2=
=A0</div><div><br></div><div>The document is under heavy revision because I=
believe that there are at least two ways to cause a p2p storm:</div><div><=
br></div><div><ul><li>Banana King</li><li>Spamming Client Updates</li></ul>=
</div><div><br></div><div><a href=3D"https://docs.google.com/document/d/1oC=
jsVYMaV77etxOEbDxh58vkAQaXf7RAkhXvF_8GYis/edit?usp=3Dsharing">https://docs.=
google.com/document/d/1oCjsVYMaV77etxOEbDxh58vkAQaXf7RAkhXvF_8GYis/edit?usp=
=3Dsharing</a></div><div><br></div><div>For a relatively low cost, or in so=
me cases at no cost, it is possible to DOS entire chains in ways that reduc=
e liveness significantly.=C2=A0</div><div><br></div><div>Reproducing this i=
ssue may not be viable on test networks, as the core of the issue is the in=
creased p2p traffic that large blocks cause, and a resulting inability of t=
he chain to process its mempool.=C2=A0=C2=A0</div><div><br></div><div><b>P2=
P storms have been observed in the wild</b></div><div><ul><li>On Stride</li=
><li>On Sentinel</li></ul><div>There's anecdotal evidence of p2p storms=
on Luna Classic <b>during</b>=C2=A0the combined economic=C2=A0and infrastr=
ucture=C2=A0attack that took the chain down, and you can find my documentat=
ion of this here:</div></div><div><br></div><div><a href=3D"https://github.=
com/notional-labs/notional/blob/master/incidents/WTF%20HAPPENED%20TO%20TERR=
A.pdf">https://github.com/notional-labs/notional/blob/master/incidents/WTF%=
20HAPPENED%20TO%20TERRA.pdf</a><br></div><div><br></div><div>Thus far, we&#=
39;ve been coordinating in Slack channels, which I'm happy to re-invite=
you to, since you left because that doesn't fit within your protocol f=
or dealing with security issues.=C2=A0=C2=A0</div><div><br></div><div>I'=
;ve been coordinating with Jehan and I'm about to put a Banana King on =
hub mainnet.=C2=A0 A few blocks of banana king is enough to trigger a p2p s=
torm, as is a few blocks of client update spam.=C2=A0 In fact on further co=
nsideration, I think that the LUNC=C2=A0incident is no longer incidental.=
=C2=A0=C2=A0</div><div><br></div><div>I think that LUNC=C2=A0suffered a p2p=
storm during the attack, and that the p2p storm was able to enable arbitra=
ge, which is the entire threat model for this attack.=C2=A0</div><div><br><=
/div><div><b>Recommendations</b></div><div><br></div><div>1) drop sentry no=
de architecture=C2=A0 -> to reduce the number of hops and nodes <br><br>=
2) validators connect to one another over vpn -> same goal as number one=
<br><br>3) reduce maximum block sizes <- I suggest 5mb=C2=A0<br></div><d=
iv><br></div><div>I need to update the document to add information about ba=
nana king.=C2=A0 Both client spamming and banana king can trigger p2p storm=
s, and p2p storms can be arbed, and have been.=C2=A0</div><div><div><br></d=
iv><span class=3D"gmail_signature_prefix">-- </span><br><div dir=3D"ltr" cl=
ass=3D"gmail_signature" data-smartmail=3D"gmail_signature"><div dir=3D"ltr"=
><b>Jacob Gadikian</b><div>CEO</div><div><b>Notional Labs</b></div><div><b>=
<br></b></div><div><b><img width=3D"200" height=3D"45" src=3D"https://ci3.g=
oogleusercontent.com/mail-sig/AIorK4wD9P5t4zjYRMBeM-6EevwBrTlygoGMP7t4XFQdD=
-pdpfcJHseOCfENf_YepQEMpsyIXNESHHs"><br></b></div><div><b><a href=3D"https:=
//github.com/faddat" target=3D"_blank">Github</a> - <a href=3D"https://twit=
ter.com/gadikian" target=3D"_blank">Twitter</a></b></div><div><b>Web: <a hr=
ef=3D"https://notional.ventures/" target=3D"_blank">Notional.Ventures</a></=
b></div></div></div></div></div>
--0000000000009dcf290605fe0c80--