Changes between Version 39 and Version 40 of thesis


Timestamp: Apr 26, 2011 3:19:52 PM (9 years ago)
Author: zzz

  • thesis

    v39 v40  
    3939< Both, monitor and attack peers run with 64 KB/s. Monitor peers just participate in the network and behave as any other node. (No special behavior to the victim)[[BR]][[BR]]
    4040
    41 **> Hmm that's discouraging. Obviously the attack is more powerful if the attack peers don't need to be high-bandwidth. I think what we are seeing is the potential of attacks where the attackers are only "nice" to potential victims, as a way of appearing fast to that victim and getting into their tunnels quicker (even if that's not exactly what you did). In any case, I'm surprised that it didn't take more bandwidth and will have to look into it further. As you know the primary defense against DDos is to increase resource requirements and we have to figure out how to do that.
     41**> Hmm that's discouraging. Obviously the attack is more powerful if the monitor peers don't need to be high-bandwidth. I think what we are seeing is the potential of attacks where the monitors are only "nice" to potential victims, as a way of appearing fast to that victim and getting into their tunnels quicker (even if that's not exactly what you did). In any case, I'm surprised that it didn't take more bandwidth and will have to look into it further. As you know the primary defense against DDos is to increase resource requirements and we have to figure out how to do that.
    4242
    4343Table 5.2: The network size is estimated to be about 2500 uniques per day, and about 6000 - 7000 uniques per month (source http://stats.i2p.to/cgi-bin/total_routers_3month.cgi )
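Review bot: "DDos" in the last sentence of the new line 41 should be written "DDoS", and it is worth confirming that DDoS is the intended term, since the thesis text at line 73 speaks of peers being "DoSed". The rename from "attack peers" and "attackers" to "monitor peers" and "monitors" is applied at both occurrences in the paragraph, so the reply is consistent with line 39, which gives the 64 KB/s figure for both peer types and describes the monitor peers as behaving like any other node.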
     
    7272< QUESTION: How would an I2P router with 64 KB/s even obtain a speed value measurement > 64k for any other peer?
    7373< Also, even Class "O" peers would be DoSed by our attacker and the victim would (eventually) choose our non-class-O monitor nodes.[[BR]][[BR]]
     74
     75**> That's a great question. You would think that, to a router of bandwidth B, all peers with bandwidth >= B would appear equally "fast" to that router. Yet, by simple observation of the profiles page in my (long-running, low-bandwidth) router console, the vast majority of fast and high-capacity tier routers are class "O". Why is that?
     76
     77**> First, the speed calculation is a measurement of the peak 1 minute speed for a single tunnel. Second, since peers route tunnels for multiple other peers, it's really a measurement of *marginal* speed available, and faster routers have more marginal bandwidth available. Third, a router must be in the high-cap tier to be fast, and the higher-bandwidth routers have more tunnel capacity. Fourth, routers are somewhat biased to have the floodfills in their fast and high-cap tiers, since they talk to them frequently, and floodfill routers are always class "O".
     78
     79**> So maybe what this all means is that in the normal operating case, most of the fast tier peers are actually fast, but in an attack scenario, relatively low-bandwidth peers could still still get into the tier relatively quickly, especially if they are "nice to the potential victim" (see above in discussion of monitor peer bandwidth).
    7480
    7581  So isn't this really about an adversary taking over a large proportion of the entire network, or at least of the network's fast routers? Is I2P any more vulnerable at X % hostile peers compared to other networks? Once you have a large number of hostile fast peers in the network, is the traffic analysis of your attack any quicker or more reliable than other attacks, e.g. first and last node in a tunnel (ref: "one ping enough" paper or blog post about Tor)
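Review bot: Added line 79 contains a doubled word, "could still still get into the tier"; drop one "still". The closing cross-reference "(see above in discussion of monitor peer bandwidth)" relies on line 41 using the word "monitor", which holds only in the v40 wording of that line, so the two changes should stay together. In line 77 the four reasons run together in one paragraph; a short list would make it easier to answer each one separately.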