-rw-r--r-- | docs/Hardening.txt | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/docs/Hardening.txt b/docs/Hardening.txt new file mode 100644 index 00000000..838b3566 --- /dev/null +++ b/docs/Hardening.txt | |||
@@ -0,0 +1,48 @@ | |||
1 | Currently an attacker with sufficient resources could launch a large scale | ||
2 | denial of service type attack by flooding the Tox network with a bunch of nodes | ||
3 | that do not act like real nodes to prevent people from finding each other. | ||
4 | |||
5 | Due to the design of Tox, this is the worst thing an attacker can do to disrupt | ||
6 | the network. | ||
7 | |||
8 | This solution's goal is to make these denial of service attack very very hard | ||
9 | to accomplish. | ||
10 | |||
11 | For the network to work every Tox node must: | ||
12 | 1. Respond to ping requests. | ||
13 | 2. Respond to get node requests with the ids of nodes closest to a queried id | ||
14 | (It is assumed each nodes know at least the 32 nodes closest to them.) | ||
15 | 3. Properly send crypto request packets to their intended destination. | ||
16 | |||
17 | Currently the only thing a node needs to do to be part of the network is | ||
18 | respond correctly to ping requests. | ||
19 | |||
20 | The only people we really trust on the network are the nodes in our friends | ||
21 | list. | ||
22 | |||
23 | |||
24 | The behavior of each Tox node is easily predictable this means that it possible | ||
25 | for Tox nodes to test the nodes that they are connected to to see if they | ||
26 | behave like normal Tox nodes and only send nodes that are confirmed to behave | ||
27 | like real Tox nodes as part of send node replies when other nodes query them. | ||
28 | |||
29 | If correctly done, this means that to poison the network an attacker can only | ||
30 | infiltrate the network if his "fake" nodes behave exactly like real nodes | ||
31 | completely defeating the purpose of the attack. Of course nodes must be | ||
32 | rechecked regularly to defeat an attack where someone floods the network with | ||
33 | many good nodes then suddenly turns them all bad. | ||
34 | |||
35 | This also prevents someone from accidentally killing the tox network with a bad | ||
36 | implementation of the protocol. | ||
37 | |||
38 | Implementation ideas (In Progress): | ||
39 | |||
40 | 1. Use our friends to check if the nodes in our close list are good. | ||
41 | |||
42 | EX: If our friend queries a node close to us and it correctly returns our | ||
43 | ip/port and then sends a crypto request packet to it and it routes it correctly | ||
44 | to us then it is good. | ||
45 | |||
46 | Problems with this: People don't always have at least one online friend. | ||
47 | |||
48 | 2. ... | ||
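Review bot: the paragraph beginning "If correctly done" requires that nodes be "rechecked regularly" but never states what happens when a previously confirmed node fails a recheck; the document should say explicitly that such a node is dropped from the set returned in send-node replies (and whether it can ever be re-admitted), since the "flood with many good nodes then suddenly turn them all bad" case it describes is only covered if a failed recheck revokes the earlier confirmation. Related to that, the check in implementation idea 1 only observes a node's behaviour toward the friend doing the query; it would help to note that the recheck should also vary which friend (or which queried id) performs the test, so a node cannot simply answer correctly to one known tester while misbehaving toward everyone else. Two smaller points: implementation idea "2. ..." is an empty placeholder and should be filled in or removed before this is committed as documentation, and the prose has a few typos worth fixing in the same change ("these denial of service attack" should be "attacks", "each nodes know" should be "each node knows", and "this means that it possible" should be "this means that it is possible").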