summaryrefslogtreecommitdiff
path: root/docs/Hardening.txt
blob: 50ccfd53e0e51f77a94b3c6b7c3de04d4356312d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Currently an attacker with sufficient resources could launch a large scale 
denial of service type attack by flooding the Tox network with a bunch of nodes 
that do not act like real nodes to prevent people from finding each other. 

Due to the design of Tox, this is the worst thing an attacker can do to disrupt 
the network.

This solution's goal is to make these denial of service attack very very hard 
to accomplish.

For the network to work every Tox node must:
1. Respond to ping requests.
2. Respond to get node requests with the ids of nodes closest to a queried id 
(It is assumed each nodes know at least the 32 nodes closest to them.)
3. Properly send crypto request packets to their intended destination.

Currently the only thing a node needs to do to be part of the network is 
respond correctly to ping requests. 

The only people we really trust on the network are the nodes in our friends 
list.


The behavior of each Tox node is easily predictable. This means that it possible 
for Tox nodes to test the nodes that they are connected to to see if they 
behave like normal Tox nodes and only send nodes that are confirmed to behave 
like real Tox nodes as part of send node replies when other nodes query them.

If correctly done, this means that to poison the network an attacker can only 
infiltrate the network if his "fake" nodes behave exactly like real nodes 
completely defeating the purpose of the attack. Of course nodes must be 
rechecked regularly to defeat an attack where someone floods the network with 
many good nodes then suddenly turns them all bad.

This also prevents someone from accidentally killing the tox network with a bad 
implementation of the protocol.

Implementation ideas (In Progress):

1. Use our friends to check if the nodes in our close list are good.

EX: If our friend queries a node close to us and it correctly returns our 
ip/port and then sends a crypto request packet to it and it routes it correctly 
to us then it is good.

Problems with this: People don't always have at least one online friend.

2. Pick random nodes (add ourselves some random (fake) friends to increase the 
pool of available nodes) and make then send requests to other nodes, the 
response is then relayed back to us and compared to how the node should have 
behaved. If the node is found to be behaving correctly, it is set as trusted. 
Only trusted nodes are sent in send node packets, that is unless the exact node 
being queried for in the getnode packet is present, it will be sent in the 
sendnode packet even if it is not trusted.

The hypothesis is that if to be part of the network nodes have to behave 
correctly it should prevent disruption from nodes that behave incorrectly.

(This idea is currently being implemented in the harden branch.)
...